CN116702133A - Alarm information noise reduction strategy determination method and device and storage medium - Google Patents
- Publication number
- CN116702133A (application number CN202310665449.9A)
- Authority
- CN
- China
- Prior art keywords
- alarm information
- noise
- information
- attack
- determining
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The disclosure provides a method, a device and a storage medium for determining a noise reduction strategy of alarm information, relates to the technical field of communication, and solves the technical problem that the noise reduction strategy cannot be determined efficiently and accurately in the related art. The method comprises the following steps: determining first alert information from at least one security device; the first alarm information at least comprises one of the following: noise alarm information, non-noise alarm information; inputting the first alarm information into a noise alarm information detection model, and determining noise alarm information in the first alarm information; the detection model comprises at least one first noise alarm information judgment rule; a noise reduction policy of at least one security device is determined based on the noise alert information. The method and the device are used in the scene of alarm information noise reduction.
Description
Technical Field
The disclosure relates to the technical field of communication, and in particular relates to a method, a device and a storage medium for determining a noise reduction strategy of alarm information.
Background
At present, internet enterprises deploy various security devices that monitor the enterprise network in real time to ensure its security, block network attacks and record attack alarm logs. However, because frequent false attack alarms interfere with the normal use of the security devices, accurately reducing the noise in security device alarm logs has become a technical problem to be solved.
The current common noise reduction method mainly involves manually logging in to each security device, checking the alarm information, manually analyzing whether the alarm information is a false alarm, and manually modifying the monitoring strategy and the disposal strategy. Denoising security device alarms this way requires an excessive amount of work and involves many people, and a noise reduction strategy cannot be determined efficiently to reduce the noise alarm information.
Disclosure of Invention
The disclosure provides a method, a device and a storage medium for determining a noise reduction strategy of alarm information. It solves the technical problem in the related art that a noise reduction strategy cannot be determined efficiently to reduce noise alarm information.
In order to achieve the above purpose, the present disclosure adopts the following technical scheme:
in a first aspect, a method for determining a noise reduction policy of alarm information is provided, including: determining first alert information from at least one security device; the first alarm information at least comprises one of the following: noise alarm information, non-noise alarm information; inputting the first alarm information into a noise alarm information detection model, and determining noise alarm information in the first alarm information; the detection model comprises at least one first noise alarm information judgment rule; a noise reduction policy of at least one security device is determined based on the noise alert information.
With reference to the first aspect, in one possible implementation manner, the method specifically includes: determining target data of each piece of second alarm information, wherein the second alarm information is alarm information obtained from at least one security device, and the target data includes: the attack Internet Protocol (IP) address, the attack behavior type, the attack mode and the attacked IP address; acquiring attribution information of each piece of second alarm information, the attribution information being the attribution information of the attack IP address in the target data; and determining the first alarm information as the target data and attribution information of each piece of second alarm information.
With reference to the first aspect, in a possible implementation manner, the method further includes: receiving third alarm information from at least one security device; and deleting, from the third alarm information, the alarm information for which a noise reduction strategy has already been determined, so as to obtain the second alarm information.
With reference to the first aspect, in one possible implementation manner, the noise alarm information detection model is configured to determine, according to target data and/or attribution information in the target first alarm information, whether the target data of the target first alarm information is target data to be alarmed; and determining the target first alarm information as noise alarm information under the condition that the target data of the target first alarm information is not the target data needing to be alarmed.
With reference to the first aspect, in one possible implementation manner, the at least one first noise alarm information judgment rule includes at least one of the following: a virus noise alarm judgment rule; a website attack mode noise alarm judgment rule; a network attack behavior noise alarm judgment rule; an abnormal behavior noise alarm judgment rule. The virus noise alarm judgment rule comprises: determining, based on the attack IP address in the first alarm information and the attribution information of that attack IP address, whether the attack IP address has antivirus and protection functions, and judging the first alarm information to be noise alarm information when the attack IP address has antivirus and protection functions. The website attack mode noise alarm judgment rule comprises: determining, based on the attack mode in the first alarm information, whether the attack mode is a preset attack mode, and judging the first alarm information to be noise alarm information when the attack mode is the preset attack mode. The network attack behavior noise alarm judgment rule comprises: determining, based on the attack behavior type in the first alarm information, whether the attack behavior type is a preset non-attack behavior, and judging the first alarm information to be noise alarm information when the attack behavior type is the preset non-attack behavior. The abnormal behavior noise alarm judgment rule comprises: determining, based on the attack IP address and the attacked IP address in the first alarm information, whether the data transmission in the first alarm information is traffic data transmission between security devices, and judging the first alarm information to be noise alarm information when the data transmission in the first alarm information is traffic data transmission between security devices.
With reference to the first aspect, in a possible implementation manner, the method further includes: determining noise alarm information and non-noise alarm information in the first alarm information; generating a second noise alarm information judgment rule for judging the noise data based on the target data and/or the attribution information of the noise alarm information; generating a third noise alarm information judgment rule for judging noise data based on the target data and/or the attribution information of the non-noise alarm information; and updating the noise alarm information detection model based on the second noise alarm information judgment rule and the third noise alarm information judgment rule.
With reference to the first aspect, in a possible implementation manner, the method further includes: sending the noise reduction strategy to any one of the at least one security device, so that that security device determines the noise alarm information in its own alarm information based on the noise reduction strategy.
In a second aspect, an alarm information noise reduction policy determining device is provided, including: a processing unit; a processing unit for determining first alert information from at least one security device; the first alarm information at least comprises one of the following: noise alarm information, non-noise alarm information; the processing unit is also used for inputting the first alarm information into the noise alarm information detection model and determining the noise alarm information in the first alarm information; the detection model comprises at least one first noise alarm information judgment rule; and the processing unit is also used for determining the noise reduction strategy of at least one safety device based on the noise alarm information.
With reference to the second aspect, in one possible implementation manner, the alarm information noise reduction policy determining device further includes: a communication unit; the processing unit is specifically used for: determining target data of each piece of second alarm information, wherein the second alarm information is alarm information obtained from at least one security device, and the target data includes: the attack Internet Protocol (IP) address, the attack behavior type, the attack mode and the attacked IP address; instructing the communication unit to acquire the attribution information of each piece of second alarm information, the attribution information being the attribution information of the attack IP address in the target data; and determining the first alarm information as the target data and attribution information of each piece of second alarm information.
With reference to the second aspect, in a possible implementation manner, the communication unit is further configured to receive third alarm information from at least one security device; the processing unit is specifically configured to delete, from the third alarm information, the alarm information for which a noise reduction policy has already been determined, so as to obtain the second alarm information.
With reference to the second aspect, in one possible implementation manner, the noise alarm information detection model is configured to determine, according to target data and/or attribution information in the target first alarm information, whether the target data of the target first alarm information is target data to be alarmed; and the processing unit determines the target first alarm information to be noise alarm information under the condition that the target data of the target first alarm information is not the target data needing to be alarmed.
With reference to the second aspect, in one possible implementation manner, the at least one first noise alarm information judgment rule includes at least one of the following: a virus noise alarm judgment rule; a website attack mode noise alarm judgment rule; a network attack behavior noise alarm judgment rule; an abnormal behavior noise alarm judgment rule. The virus noise alarm judgment rule comprises: determining, based on the attack IP address in the first alarm information and the attribution information of that attack IP address, whether the attack IP address has antivirus and protection functions, and judging the first alarm information to be noise alarm information when the attack IP address has antivirus and protection functions. The website attack mode noise alarm judgment rule comprises: determining, based on the attack mode in the first alarm information, whether the attack mode is a preset attack mode, and judging the first alarm information to be noise alarm information when the attack mode is the preset attack mode. The network attack behavior noise alarm judgment rule comprises: determining, based on the attack behavior type in the first alarm information, whether the attack behavior type is a preset non-attack behavior, and judging the first alarm information to be noise alarm information when the attack behavior type is the preset non-attack behavior. The abnormal behavior noise alarm judgment rule comprises: determining, based on the attack IP address and the attacked IP address in the first alarm information, whether the data transmission in the first alarm information is traffic data transmission between security devices, and judging the first alarm information to be noise alarm information when the data transmission in the first alarm information is traffic data transmission between security devices.
With reference to the second aspect, in one possible implementation manner, the processing unit is further configured to: determining noise alarm information and non-noise alarm information in the first alarm information; generating a second noise alarm information judgment rule for judging the noise data based on the target data and/or the attribution information of the noise alarm information; generating a third noise alarm information judgment rule for judging noise data based on the target data and/or the attribution information of the non-noise alarm information; and updating the noise alarm information detection model based on the second noise alarm information judgment rule and the third noise alarm information judgment rule.
With reference to the second aspect, in one possible implementation manner, the communication unit is further configured to: send the noise reduction strategy to any one of the at least one security device, so that that security device determines the noise alarm information in its own alarm information based on the noise reduction strategy.
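The first aspect (the method) and the second aspect (the device that mirrors it) both describe the same pipeline: extract target data from each alert, look up attribution of the attack IP, drop alerts already covered by a deployed policy, run the four first-type judgment rules, derive a per-device noise reduction policy, and later extend the model with second-type (noise) and third-type (non-noise) rules learned from confirmed alerts. The following Python is an added illustration of that pipeline and is not code from the patent. Everything in it is an assumption: the `Alert` record, the rule and function names, the constructed attribution table standing in for the internet device lookup, the constructed security-device address range, the preset attack modes and non-attack types, and the choice to key both learned rules and policies on the tuple of target data.

```python
"""Rule-based noise-alert detection with per-device noise reduction policies.

Added example, not the patent's own code. Alerts, IP ranges and attribution
records are constructed; rule names and the signature key are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Alert:
    """Target data extracted from one piece of alarm information (assumed layout)."""
    device: str        # security device that raised the alert
    attack_ip: str     # attack IP address
    attack_type: str   # attack behaviour type
    attack_mode: str   # attack mode, e.g. the web attack pattern that matched
    attacked_ip: str   # attacked IP address


# Constructed stand-in for attribution information that the internet device would
# supply: owner of the attack IP and whether it has antivirus/protection functions.
ATTRIBUTION = {
    "203.0.113.10": {"owner": "example-av-vendor", "av_protection": True},
    "198.51.100.7": {"owner": "example-hosting", "av_protection": False},
}
SECURITY_DEVICE_NET = ip_network("10.10.0.0/24")  # constructed: where the security devices live
PRESET_NOISE_MODES = {"uptime-probe"}             # constructed preset website attack modes
PRESET_NON_ATTACK_TYPES = {"authorised-scan"}     # constructed preset non-attack behaviour types


def attribution(ip: str) -> dict:
    return ATTRIBUTION.get(ip, {"owner": "unknown", "av_protection": False})


def is_security_device(ip: str) -> bool:
    return ip_address(ip) in SECURITY_DEVICE_NET


# The four first-type judgment rules. Each returns True when the alert is noise.
def rule_virus(a: Alert) -> bool:
    # Attack IP is attributed to a party with antivirus/protection functions.
    return attribution(a.attack_ip)["av_protection"]


def rule_web_mode(a: Alert) -> bool:
    # Attack mode is one of the preset website attack modes treated as noise.
    return a.attack_mode in PRESET_NOISE_MODES


def rule_behaviour(a: Alert) -> bool:
    # Attack behaviour type is a preset non-attack behaviour.
    return a.attack_type in PRESET_NON_ATTACK_TYPES


def rule_inter_device(a: Alert) -> bool:
    # Both endpoints are security devices: traffic data transmission between them.
    return is_security_device(a.attack_ip) and is_security_device(a.attacked_ip)


def signature(a: Alert) -> tuple:
    """Key used for learned rules and per-device policies (assumed choice)."""
    return (a.attack_ip, a.attack_type, a.attack_mode, a.attacked_ip)


class NoiseDetectionModel:
    def __init__(self):
        self.first_rules = [rule_virus, rule_web_mode, rule_behaviour, rule_inter_device]
        self.noise_signatures: set = set()  # second-type rules, learned from confirmed noise
        self.keep_signatures: set = set()   # third-type rules, learned from confirmed non-noise

    def is_noise(self, a: Alert) -> bool:
        sig = signature(a)
        if sig in self.keep_signatures:     # a confirmed real alert overrides every other rule
            return False
        if sig in self.noise_signatures:
            return True
        return any(rule(a) for rule in self.first_rules)

    def update(self, noise: list, non_noise: list) -> None:
        """Extend the model with second-type (noise) and third-type (non-noise) rules."""
        self.noise_signatures |= {signature(a) for a in noise}
        self.keep_signatures |= {signature(a) for a in non_noise}
        self.noise_signatures -= self.keep_signatures


def prefilter(alerts: list, policy: dict) -> list:
    """Third -> second alarm information: drop alerts already covered by a deployed policy."""
    return [a for a in alerts if signature(a) not in policy.get(a.device, set())]


def determine_policy(alerts: list, model: NoiseDetectionModel, existing: dict = None):
    """Return (noise alerts, policy mapping device -> set of signatures to suppress)."""
    existing = existing or {}
    noise = [a for a in prefilter(alerts, existing) if model.is_noise(a)]
    policy = {dev: set(sigs) for dev, sigs in existing.items()}
    for a in noise:
        policy.setdefault(a.device, set()).add(signature(a))
    return noise, policy


# Constructed sample alerts; the last one is a real alert that no rule should suppress.
SAMPLE_ALERTS = [
    Alert("WAF-1", "203.0.113.10", "web-scan", "sqli-probe", "192.0.2.20"),
    Alert("WAF-1", "198.51.100.7", "web-attack", "uptime-probe", "192.0.2.20"),
    Alert("IDS-1", "198.51.100.7", "authorised-scan", "port-sweep", "192.0.2.21"),
    Alert("IDS-1", "10.10.0.5", "traffic-anomaly", "bulk-transfer", "10.10.0.9"),
    Alert("IDS-1", "198.51.100.7", "command-injection", "shell-in-param", "192.0.2.22"),
]

if __name__ == "__main__":
    model = NoiseDetectionModel()
    noise, policy = determine_policy(SAMPLE_ALERTS, model)
    for dev, sigs in policy.items():
        print(dev, "suppresses", len(sigs), "signature(s)")
```

Two design points matter for a defender. The third-type rule (confirmed non-noise) takes precedence over every other rule, so an analyst's decision that an alert is real cannot be silently undone by a broad first-type rule such as the inter-device check. And the pre-filter step only removes alerts whose exact signature is already in that device's deployed policy, so a change in attack mode or attacked host from a previously suppressed source is evaluated again rather than inheriting the suppression.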
In a third aspect, an alarm information noise reduction policy determining device is provided, including: a processor and a memory; the memory is configured to store computer-executable instructions, and when the alarm information noise reduction policy determining device is operated, the processor executes the computer-executable instructions stored in the memory, so that the alarm information noise reduction policy determining device performs the alarm information noise reduction policy determining method as described in the first aspect and any possible implementation manner thereof.
In a fourth aspect, there is provided a computer readable storage medium having instructions stored therein, which when executed by a processor of an alarm information noise reduction policy determination device, cause the alarm information noise reduction policy determination device to perform the alarm information noise reduction policy determination method as set forth in the first aspect and any one of the possible implementations thereof.
In a fifth aspect, a chip is provided, the chip including a processor and a communication interface, the communication interface and the processor being coupled, the processor being configured to execute a computer program or instructions to implement the alarm information noise reduction policy determination method as described in the first aspect and any one of the possible implementations thereof.
In the present disclosure, the names of the above-mentioned alarm information noise reduction policy determining apparatuses do not constitute limitations on the devices or function modules themselves, and in actual implementations, these devices or function modules may appear under other names. Insofar as the function of each device or functional module is similar to the present disclosure, it is within the scope of the present disclosure and the equivalents thereof.
These and other aspects of the disclosure will be more readily apparent from the following description.
The technical scheme provided by the disclosure brings at least the following beneficial effects: the alarm information noise reduction strategy determining device in the present disclosure obtains first alarm information from at least one security device, the first alarm information comprising at least one of noise alarm information and non-noise alarm information; it inputs the first alarm information into a noise alarm information detection model and determines the noise alarm information in the first alarm information, the detection model comprising at least one first noise alarm information judgment rule; in this way, the device can screen the first alarm information from the security devices through the detection model to determine the noise alarm information; and it determines a noise reduction policy of at least one security device based on the noise alarm information. Therefore, the alarm information noise reduction strategy determining device provided by the application can directly identify the noise alarm information in the alarm information by using the model and generate the corresponding noise reduction strategy, which solves the problems in the prior art that manual noise reduction requires excessive work, involves many people, and cannot efficiently determine a noise reduction strategy to reduce the noise alarm information.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the prior art, the drawings that are used in the description of the embodiments or the prior art will be briefly described below.
Fig. 1 is a schematic structural diagram of an alarm information noise reduction policy determining system according to an embodiment of the present disclosure;
Fig. 2 is a schematic structural diagram of another alarm information noise reduction policy determining system according to an embodiment of the present disclosure;
Fig. 3 is a schematic hardware structure of an alarm information noise reduction policy determining device according to an embodiment of the present disclosure;
Fig. 4 is a flowchart of a method for determining a noise reduction policy of alarm information according to an embodiment of the present disclosure;
Fig. 5 is a flowchart illustrating another method for determining a noise reduction policy of alarm information according to an embodiment of the present disclosure;
Fig. 6 is a flowchart illustrating another method for determining a noise reduction strategy for alarm information according to an embodiment of the present disclosure;
Fig. 7 is a flowchart of another method for determining a noise reduction policy of alarm information according to an embodiment of the disclosure;
Fig. 8 is a flowchart illustrating another method for determining a noise reduction policy of alarm information according to an embodiment of the present disclosure;
Fig. 9 is a schematic structural diagram of another device for determining a noise reduction policy of alarm information according to an embodiment of the disclosure.
Detailed Description
The following describes in detail a method, an apparatus, and a storage medium for determining a noise reduction policy of alarm information provided by an embodiment of the present disclosure with reference to the accompanying drawings.
The term "and/or" herein merely describes an association relationship between associated objects, meaning that three relationships may exist; for example, "A and/or B" may represent: A exists alone, A and B exist together, or B exists alone.
The terms "first" and "second" and the like in the description and in the drawings of the present disclosure are used for distinguishing between different objects or for distinguishing between different processes of the same object and not for describing a particular sequential order of objects.
Furthermore, references in the description of this disclosure to the terms "comprise" and "have," and any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed but may optionally include other steps or elements not listed or inherent to such process, method, article, or apparatus. It should be noted that in the embodiments of the present disclosure, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g." in the examples of this disclosure should not be taken as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
In the description of the present disclosure, unless otherwise indicated, the meaning of "a plurality" means two or more.
Currently, to protect their network information security, internet companies deploy various security devices, for example: web application firewalls (WAF), intrusion detection systems (IDS), intrusion prevention systems (IPS), endpoint detection and response (EDR) systems, situational awareness platforms, dynamic web application firewalls, and the like. A security device monitors network security in real time; when a network attack behavior such as vulnerability scanning, system command injection or password brute-forcing is found, the attack is blocked and an attack alarm log is recorded.
However, there are many types of security devices, and their functions, detection means, monitoring methods and monitoring policy configurations differ. During use of a security device, when the network environment, network application deployment, network session protocol or network data packet content changes, false alarms frequently occur because the monitoring strategy configuration of the security device is not updated in time; these false alarms affect the normal use of the security device, and such false alarm information is noise alarm information.
Noise alarm information interferes with the judgment of network security monitoring personnel, who must spend a great deal of time and effort examining alarm information to determine whether it is noise. The security device also has to store the alarm information, so noise alarm information seriously wastes the computing and storage resources of the security device. Therefore, how to efficiently determine a noise reduction strategy to reduce noise alarm information is a technical problem to be solved.
The common noise reduction approach at present is for a technician to analyze the alarm information in the alarm log of each security device piece by piece, determine the noise alarm information in the log, and then deploy a noise reduction strategy on each security device according to the noise alarm information found. The workload is huge, many technicians are involved, and a noise reduction strategy cannot be determined efficiently to reduce the noise alarm information.
In order to solve the technical problems in the related art, the present disclosure provides a method for determining a noise reduction policy of alarm information: the alarm information noise reduction strategy determining device obtains first alarm information from at least one security device, the first alarm information comprising at least one of noise alarm information and non-noise alarm information; it inputs the first alarm information into a noise alarm information detection model and determines the noise alarm information in the first alarm information, the detection model comprising at least one first noise alarm information judgment rule; in this way, the device can screen the first alarm information from the security devices through the detection model to determine the noise alarm information; and it determines a noise reduction policy of at least one security device based on the noise alarm information. Therefore, the alarm information noise reduction strategy determining device provided by the application can directly identify the noise alarm information in the alarm information by using the model and generate the corresponding noise reduction strategy, which solves the problems in the prior art that manual noise reduction requires excessive work, involves many people, and cannot efficiently determine a noise reduction strategy to reduce the noise alarm information.
The alarm information noise reduction policy determination method may be applied to an alarm information noise reduction policy determining system 100, which is described in detail below with reference to fig. 1. As shown in fig. 1, the system 100 for determining a noise reduction policy of alarm information according to an embodiment of the present disclosure includes: an alarm information noise reduction policy determining device 101, at least one security device 102 and an internet device 103.
The alarm information noise reduction policy determining device 101 is configured to screen noise alarm information from all alarm information of at least one security device 102 and determine a noise reduction policy of the noise alarm information. After the noise reduction strategy is determined, the noise reduction strategy is sent to at least one safety device, so that the safety device determines noise alarm information in the alarm information of the safety device based on the noise reduction strategy. Therefore, the purpose of efficiently determining the noise reduction strategy and reducing the noise alarm information is achieved.
Optionally, the alarm information noise reduction policy determining device 101 includes a storage module 101a, a noise alarm information detection module 101b and a policy generation module 101c. The storage module 101a collects alarm information from the at least one security device 102, stores the target data of that alarm information, and stores the attribution (home) information of the attack internet protocol (IP) address in the target data, which is acquired from the internet device 103 based on the target data. The noise alarm information detection module 101b obtains the target data and the attribution information from the storage module 101a and determines the noise alarm information through its noise alarm information detection model; after the noise alarm information is determined, it sends the noise alarm information, the target data and the attribution information of the target data to the policy generation module 101c, which determines a noise reduction policy for the at least one security device based on the noise alarm information, the target data and the attribution information of the target data.
In a possible implementation, as shown in fig. 2 in conjunction with fig. 1, the alarm information noise reduction policy determining device 101 in the alarm information noise reduction policy determining system 100 may specifically include: an alarm data acquisition module 201, a data preprocessing module 202, a storage module 203, a processing module 204, a policy generation module 205 and a policy deployment module 206.
The security device 102 may specifically include: a network application protection system 207, a situation awareness system 208, a dynamic security defense system 209, a network firewall 210, and a terminal protection center 211.
The alarm data acquisition module 201 is configured to acquire alarm information of the plurality of security devices, and transmit the alarm information to the data preprocessing module 202.
The data preprocessing module 202 preprocesses the alarm information from the alarm data acquisition module 201, determines the target data, acquires from the internet device 212 the attribution information of the attack IP address in the target data, and sends the target data and its attribution information to the storage module 203 for storage.
The processing module 204 is divided into a model layer, an algorithm layer, a platform framework layer and a base layer. The base layer comprises a central processing unit (CPU), a graphics processing unit (GPU) and a field programmable gate array (FPGA) that perform the computation on the data; the platform framework layer comprises the engine framework that forms the platform; the algorithm layer comprises machine learning, deep learning, neural network management and other algorithms; the model layer comprises model arrangement and model training, and determines the noise alarm information based on the target data stored in the storage module 203, the attribution information of that target data and the noise alarm information detection model; it also trains on the target data and attribution information of the alarm information of a preset time period and updates the noise alarm information detection model. After the noise alarm information is determined, it is sent to the policy generation module 205.
The policy generation module 205 processes and assembles the noise alarm information, determines the noise reduction policies of the network application protection system 207, the situation awareness system 208, the dynamic security defense system 209, the network firewall 210 and the terminal protection center 211, and sends them to the policy deployment module 206.
The policy deployment module 206 deploys the noise reduction policy into the network application protection system 207, the situation awareness system 208, the dynamic security defense system 209, the network firewall 210, and the terminal protection center 211, so that the security device determines noise alarm information in the alarm information of the security device based on the noise reduction policy.
Illustratively, Table 1 gives the distribution of the different kinds of alarm information obtained from the security devices.
TABLE 1
Alarm type | Proportion
Botnet | 13%
System command injection | 6%
SOCKS traffic anomaly | 17%
Trojan virus | 16%
Infectious virus | 19%
Information stealing program | 5%
SNMP weak password | 15%
Remote control behavior | 2%
Rogue software | 1%
Mining virus | 5%
Other | 1%
The attack types of the alarm information are therefore mainly Trojan viruses, network attacks, abnormal behavior and SNMP weak passwords. In one possible implementation, different noise alarm information judgment rules can be preset for alarm information belonging to each of these four attack types.
The basic hardware structure of the alarm information noise reduction policy determining device 101 in the alarm information noise reduction policy determining system includes the elements included in the alarm information noise reduction policy determining device 300 shown in fig. 3, and the hardware structure of the alarm information noise reduction policy determining device 101 is described below by taking the alarm information noise reduction policy determining device 300 shown in fig. 3 as an example. As shown in fig. 3, the alarm information noise reduction policy determination device 300 includes at least one processor 301, a communication line 302, and at least one communication interface 304, and may further include a memory 303. The processor 301, the memory 303, and the communication interface 304 may be connected through a communication line 302.
Processor 301 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present disclosure, such as one or more digital signal processors (DSP) or one or more field programmable gate arrays (FPGA).
Communication line 302 may include a path for communicating information between the above-described components.
The communication interface 304 is used to communicate with other devices or communication networks, and any transceiver-like device may be used, such as ethernet, radio access network (radio access network, RAN), wireless local area network (wireless local area networks, WLAN), etc.
The memory 303 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer.
In one possible design, the memory 303 may exist independent of the processor 301, that is, the memory 303 may be a memory external to the processor 301, where the memory 303 may be connected to the processor 301 through a communication line 302, for storing execution instructions or application program codes, and the execution is controlled by the processor 301, to implement the alarm information noise reduction policy determination method provided in the embodiments of the disclosure below. In yet another possible design, the memory 303 may be integrated with the processor 301, i.e., the memory 303 may be an internal memory of the processor 301, e.g., the memory 303 may be a cache, and may be used to temporarily store some data and instruction information, etc.
As one implementation, processor 301 may include one or more CPUs, such as CPU0 and CPU1 in fig. 3. As another implementation, the alarm information noise reduction policy determination device 300 may include a plurality of processors, such as the processor 301 and the processor 307 in fig. 3. As yet another implementation manner, the alarm information noise reduction policy determination apparatus 300 may further include an output device 305 and an input device 306.
The method for determining the alarm information noise reduction strategy provided by the embodiment of the present disclosure is described in detail below.
As shown in fig. 4, fig. 4 is a diagram illustrating a method for determining an alarm noise reduction policy provided in the present disclosure, where the method includes the following steps S401 to S403, which are described in detail below.
S401, an alarm information noise reduction policy determining device determines first alarm information from at least one security device.
The first alarm information comprises at least one of the following: noise alarm information, non-noise alarm information.
It can be understood that noise alarm information is alarm information falsely reported by a security device because its monitoring policy configuration was not updated in time when the network environment, the network application deployment, the network session protocols or the contents of network packets changed while the device was in use.
S402, the alarm information noise reduction strategy determining device inputs the first alarm information into the noise alarm information detection model, and determines noise alarm information in the first alarm information.
The detection model comprises at least one first noise alarm information judgment rule.
In one possible implementation, the noise alarm information detection model includes at least one first noise alarm information judgment rule, and the alarm information noise reduction policy determining device may determine the noise alarm information in the first alarm information according to that rule.
Illustratively, the first alarm information from the security device states that the attack IP address is a virus IP address.
The alarm information noise reduction policy determining device inputs the first alarm information into the noise alarm information detection model, which determines that the reported virus IP address is in fact an IP address with a virus protection function, so the first alarm information is a false positive. The device therefore determines that the first alarm information is noise alarm information.
S403, the alarm information noise reduction policy determining device determines a noise reduction policy for at least one security device based on the noise alarm information.
Continuing the example of S402, the alarm information noise reduction policy determining device generates a noise reduction policy for the IP address with the virus protection function and sends it to the at least one security device, so that the security device can filter out, according to the noise reduction policy, alarm information that identifies the IP address with the virus protection function as a virus IP address.
The technical scheme provided by the embodiment at least has the following beneficial effects: the alarm information noise reduction strategy determining device obtains first alarm information from at least one safety device; the first alarm information at least comprises one of the following: noise alarm information, non-noise alarm information; inputting the first alarm information into a noise alarm information detection model, and determining noise alarm information in the first alarm information; the detection model comprises at least one first noise alarm information judgment rule; the detection model is used for screening, so that noise alarm information in the first alarm information from the safety equipment is determined; determining a noise reduction policy of at least one security device based on the noise alert information; the first alarm information from the safety equipment is uniformly screened through the detection model, and the noise alarm information and the noise reduction strategy corresponding to the noise alarm information are determined efficiently, so that the purpose of reducing the noise alarm information by determining the noise reduction strategy efficiently is achieved.
In a possible implementation manner, as shown in fig. 5 in conjunction with fig. 4, the above-mentioned process of determining the first alarm information from the at least one security device by using the alarm information noise reduction policy determining device in S401 may be specifically implemented in the following S501-S503, which will be described in detail below.
S501, the alarm information noise reduction strategy determining device determines target data of each piece of second alarm information.
The second alarm information is alarm information obtained from at least one security device, and the target data includes: the attack internet protocol (IP) address, the attack behavior type, the attack mode and the attacked IP address.
It should be understood that the target data covers the data of the attacking end, the data of the attacked end, the time of the attack and so on; in addition to the attack IP address, attack behavior type, attack mode and attacked IP address, in one possible implementation it also includes at least one of the following: the attacked port number, the request protocol, the request method, the host header, the uniform resource locator (URL), the attacked parameters, the status code returned by the attacked end, the number of bytes of the request, the number of bytes returned by the attacked end, and the date and time of the attack.
S502, the alarm information noise reduction strategy determining device obtains the attribution information of each piece of second alarm information.
The attribution information is the attribution information of the attack IP address in the target data.
In one possible implementation, the alarm information noise reduction policy determining device may obtain the attribution information of the attack IP address from the internet device.
Illustratively, the attribution information includes at least one of the following: the region of the attack IP address, the network service provider of the attack IP address, the autonomous system (AS) of the attack IP address, and information on the recent attack activity of the attack IP address.
S503, the alarm information noise reduction strategy determining device determines that the first alarm information comprises target data of each piece of second alarm information and attribution information.
It can be understood that the alarm information noise reduction policy determining device may acquire the attribution information of the attack IP address based on the attack IP address in the target data of each piece of second alarm information, and the attribution information of the attack IP address may be used to improve the accuracy of the alarm information noise reduction policy determining device in determining the noise alarm information and update the noise alarm information detection model.
It should be noted that the alarm information noise reduction policy determining device may not necessarily obtain the attribution information of all the attack IP addresses. For the target data for which the attribution information is not acquired, the alarm information noise reduction strategy determining device can also determine whether the first alarm information is noise alarm information according to the related information in the target data.
The technical scheme provided by the embodiment at least has the following beneficial effects: the alarm information noise reduction strategy determining device determines target data of each piece of second alarm information. The second alarm information is alarm information obtained from at least one safety device; the target data includes: attack internet protocol IP address, attack behavior type, attack mode, attacked IP address. And acquiring the attribution information of the attack IP address based on the attack IP address in the target data. That is, the second alarm information from the at least one security device is preprocessed, thereby determining target data for the noise alarm information and attribution information of the target data for the noise alarm information in the first alarm information, which are input into the noise alarm information detection model.
In a possible implementation manner, as shown in fig. 6 in conjunction with fig. 5, before the determining device of the alarm information noise reduction policy determines the target data of each piece of second alarm information in S501, the method further includes the following S601-S602, which are described in detail below.
S601, the alarm information noise reduction policy determining device receives third alarm information from at least one security device.
It can be understood that the third alarm information is all the alarm information obtained directly from the at least one security device without any screening; it comprises alarm information for which a noise reduction policy has already been determined and alarm information for which no noise reduction policy has been determined.
S602, the alarm information noise reduction policy determining device deletes, from the third alarm information, the alarm information for which a noise reduction policy has been determined, and thereby determines the second alarm information.
In a possible implementation, after receiving all the third alarm information from the at least one security device, the alarm information noise reduction policy determining device screens it and, based on the alarm information for which a noise reduction policy has been determined, determines that the alarm information in the third alarm information for which no noise reduction policy has been determined is the second alarm information.
The technical scheme provided by this embodiment at least has the following beneficial effect: after receiving the third alarm information from the at least one security device, the alarm information noise reduction policy determining device screens it and, based on the alarm information for which a noise reduction policy has been determined, determines that the alarm information for which no noise reduction policy has been determined is the second alarm information. In this way, the alarm information for which no noise reduction policy has yet been determined is screened out from all the third alarm information from the at least one security device.
In a possible implementation manner, the noise alarm information detection model is used for judging whether the target data of the target first alarm information is the target data to be alarmed according to the target data and/or the attribution information in the target first alarm information; and determining the target first alarm information as noise alarm information under the condition that the target data of the target first alarm information is not the target data needing to be alarmed.
In one possible implementation, the first noise alarm information judgment rule includes at least one of the following: a virus noise alarm judgment rule; a website attack mode noise alarm judgment rule; a network attack behavior noise alarm judgment rule; an abnormal behavior noise alarm judgment rule.
The virus noise alarm judgment rule comprises: determining, based on the attack IP address in the first alarm information and the attribution information of that address, whether the attack IP address has a disinfection and protection function, and judging the first alarm information to be noise alarm information when it does;
the website attack mode noise alarm judgment rule comprises: determining, based on the attack mode in the first alarm information, whether the attack mode is a preset attack mode, and judging the first alarm information to be noise alarm information when it is;
the network attack behavior noise alarm judgment rule comprises: determining, based on the attack behavior type in the first alarm information, whether the attack behavior type is a preset non-attack behavior, and judging the first alarm information to be noise alarm information when it is;
the abnormal behavior noise alarm judgment rule comprises: determining, based on the attack IP address and the attacked IP address in the first alarm information, whether the data transmission in the first alarm information is traffic between the security devices themselves, and judging the first alarm information to be noise alarm information when it is.
In a possible implementation, the noise alarm information detection module determines, according to the target data and/or the attribution information in the target first alarm information, which of the four attack types the first alarm information belongs to, and judges whether it is noise alarm information according to the noise alarm judgment rule of that type.
For example, the noise alarm information detection module determines, according to the target data and/or the attribution information in the target first alarm information, that the first alarm information belongs to the simple network management protocol (SNMP) weak password category of the network attack behavior type; it then further determines whether the attacked device with the weak SNMP password is a network printer or another computer network peripheral, and determines that the first alarm information is noise alarm information when it is.
It is to be understood that the above-described first noise alarm information determination rule is merely an example, and the first noise alarm information determination rule in the present disclosure is not limited to the above-described determination rule. The alarm information noise reduction policy determining device may generate a new noise alarm information judgment rule for judging noise data based on the target data and the attribution information of the alarm information, and update the first noise alarm information judgment rule in the noise alarm information detection model.
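The four first noise alarm information judgment rules and the SNMP weak password sub-rule described above, as an added Python example that is not the patent's own model: each rule is a predicate over one alert record, the attack behavior type selects which rule applies, and an alert whose type none of the rules covers is never judged noise. The preset attack modes, preset non-attack behaviors, peripheral device types, the security devices' own addresses, the category mapping and the sample alerts are all assumptions chosen to exercise every branch.

```python
# Constructed first alarm information: target data plus attribution. Field names
# and values are assumptions for this example.
ALERTS = [
    {"id": "a1", "attack_behavior_type": "trojan virus", "attack_mode": "c2 callback",
     "attack_ip": "10.1.1.2", "attacked_ip": "10.0.0.9",
     "attribution": {"area": "region A", "protection_function": True}},
    {"id": "a2", "attack_behavior_type": "web attack", "attack_mode": "path probe",
     "attack_ip": "203.0.113.10", "attacked_ip": "10.0.0.5", "attribution": None},
    {"id": "a3", "attack_behavior_type": "web attack", "attack_mode": "sql injection",
     "attack_ip": "203.0.113.10", "attacked_ip": "10.0.0.5", "attribution": None},
    {"id": "a4", "attack_behavior_type": "snmp weak password", "attack_mode": "snmp brute force",
     "attack_ip": "10.0.0.50", "attacked_ip": "10.0.0.200",
     "attacked_device_type": "network printer", "attribution": None},
    {"id": "a5", "attack_behavior_type": "snmp weak password", "attack_mode": "snmp brute force",
     "attack_ip": "10.0.0.50", "attacked_ip": "10.0.0.30",
     "attacked_device_type": "server", "attribution": None},
    {"id": "a6", "attack_behavior_type": "abnormal behavior", "attack_mode": "socks traffic",
     "attack_ip": "10.0.0.100", "attacked_ip": "10.0.0.101", "attribution": None},
    {"id": "a7", "attack_behavior_type": "network attack", "attack_mode": "port scan",
     "attack_ip": "198.51.100.7", "attacked_ip": "10.0.0.20",
     "attribution": {"area": "region B", "protection_function": False}},
    {"id": "a8", "attack_behavior_type": "internal vulnerability scan", "attack_mode": "port scan",
     "attack_ip": "10.0.0.7", "attacked_ip": "10.0.0.20", "attribution": None},
    {"id": "a9", "attack_behavior_type": "rogue software", "attack_mode": "install",
     "attack_ip": "10.0.0.8", "attacked_ip": "10.0.0.8", "attribution": None},
]

# Preset values the rules consult (all assumptions).
PRESET_NOISE_ATTACK_MODES = {"path probe"}                 # website attack modes treated as noise
PRESET_NON_ATTACK_BEHAVIORS = {"internal vulnerability scan"}
PERIPHERAL_DEVICE_TYPES = {"network printer", "network peripheral"}
SECURITY_DEVICE_IPS = {"10.0.0.100", "10.0.0.101"}         # the security devices' own addresses

# Attack behavior type -> one of the four rule categories (assumed mapping).
CATEGORY_OF = {
    "trojan virus": "virus", "infectious virus": "virus", "mining virus": "virus",
    "web attack": "website attack mode",
    "network attack": "network attack behavior",
    "snmp weak password": "network attack behavior",
    "internal vulnerability scan": "network attack behavior",
    "abnormal behavior": "abnormal behavior",
}


def virus_rule(alert):
    """Noise when attribution says the attack IP performs a disinfection/protection function."""
    attr = alert.get("attribution") or {}
    return bool(attr.get("protection_function"))


def website_attack_mode_rule(alert):
    """Noise when the attack mode is one of the preset modes."""
    return alert["attack_mode"] in PRESET_NOISE_ATTACK_MODES


def network_attack_behavior_rule(alert):
    """Noise when the behavior type is a preset non-attack behavior, or when an SNMP
    weak password was found on a printer or other network peripheral."""
    if alert["attack_behavior_type"] in PRESET_NON_ATTACK_BEHAVIORS:
        return True
    if alert["attack_behavior_type"] == "snmp weak password":
        return alert.get("attacked_device_type") in PERIPHERAL_DEVICE_TYPES
    return False


def abnormal_behavior_rule(alert):
    """Noise only when both endpoints are security devices; traffic from a security
    device to an ordinary host is still judged on its merits."""
    return alert["attack_ip"] in SECURITY_DEVICE_IPS and alert["attacked_ip"] in SECURITY_DEVICE_IPS


RULES = {
    "virus": virus_rule,
    "website attack mode": website_attack_mode_rule,
    "network attack behavior": network_attack_behavior_rule,
    "abnormal behavior": abnormal_behavior_rule,
}


def classify(alert):
    """Return (category, is_noise). An uncovered category is never noise: the model
    suppresses only what a rule positively explains."""
    category = CATEGORY_OF.get(alert["attack_behavior_type"])
    if category is None:
        return None, False
    return category, RULES[category](alert)


def split_noise(alerts):
    """Partition alert ids into noise and non-noise (the input to S701)."""
    noise, non_noise = [], []
    for a in alerts:
        _, is_noise = classify(a)
        (noise if is_noise else non_noise).append(a["id"])
    return noise, non_noise
```

Note the default in `classify`: the patent's rules only ever say when an alert *is* noise, so anything they do not cover stays non-noise and reaches an analyst. Alerts a5 (weak SNMP community on a server, not a peripheral) and a7 (a port scan with no protection function) illustrate that the presets have to be narrow; a rule keyed on "network attack" alone would have suppressed a7 too.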
In a possible implementation manner, as shown in fig. 7 in conjunction with fig. 4, after the foregoing S402 alert information noise reduction policy determining device inputs the first alert information into the noise alert information detection model to determine the noise alert information in the first alert information, the method further includes the following S701-S704, which are described in detail below.
S701, an alarm information noise reduction strategy determining device determines noise alarm information and non-noise alarm information in first alarm information.
In one possible implementation manner, after the alarm information noise reduction policy determining device inputs the first alarm information into the noise alarm information detection model, the noise alarm information and the non-noise alarm information in the first alarm information may be determined according to the first noise alarm information judgment rule in the noise alarm information detection model.
S702, the alarm information noise reduction policy determining device generates a second noise alarm information judgment rule for judging noise data based on the target data and/or the attribution information of the noise alarm information.
For example, if the target data of the noise alarm information includes an attack IP address that is an infected IP address, the alarm information noise reduction policy determining device determines, based on that noise alarm information, a second noise alarm information judgment rule of the form: if first alarm information received by the device includes an attack IP address that is an infected IP address, the first alarm information is determined to be noise alarm information.
S703, the alarm information noise reduction strategy determining device generates a third noise alarm information judgment rule for judging noise data based on the target data and/or the attribution information of the non-noise alarm information.
For example, the target data of the non-noise alarm information includes an attack type that is an information stealing program, and the attack IP address belongs to the area a, and the alarm information noise reduction policy determining device determines, based on the non-noise alarm information, a third noise alarm information judging rule including: if the first alarm information received by the alarm information noise reduction strategy determining device comprises an attack type which is an information stealing program and the attack IP address belongs to the area A, determining that the first alarm information is non-noise alarm information.
S704, the alarm information noise reduction strategy determining device updates the noise alarm information detection model based on the second noise alarm information judgment rule and the third noise alarm information judgment rule.
In a possible implementation, after each noise alarm information judgment the alarm information noise reduction policy determining device stores the target data, the attribution information and the corresponding judgment result in its storage module. Within a preset period, it determines a plurality of second noise alarm information judgment rules and a plurality of third noise alarm information judgment rules from the data in the storage module and, for those rules the noise alarm information detection model does not yet contain, adds them to the model.
The technical scheme provided by the embodiment at least has the following beneficial effects: and after the alarm information noise reduction strategy determining device determines the noise alarm information and the non-noise alarm information in the first alarm information, generating a second noise alarm information judging rule for judging the noise data based on the target data and/or the attribution information of the noise alarm information. And generating a third noise alarm information judgment rule for judging the noise data based on the target data and/or the attribution information of the non-noise alarm information. And updating the noise alarm information detection model based on the second noise alarm information judgment rule and the third noise alarm information judgment rule. Therefore, the alarm information noise reduction strategy determining device can update the noise alarm information detection model based on the data of each noise alarm information judgment and the judgment result.
In a possible implementation manner, as shown in fig. 8 in connection with fig. 4, after the foregoing determining device for the alarm information noise reduction policy determines the noise reduction policy of at least one security device based on the noise alarm information in S403, the method further includes S801, which is described in detail below.
S801, the alarm information noise reduction policy determining device sends the noise reduction policy to any one of the at least one security device, so that that security device determines the noise alarm information in its own alarm information based on the noise reduction policy.
In a possible implementation, the alarm information noise reduction policy determining device sends the generated noise reduction policy to any one of the security devices, and the security device adds the noise alarm information features contained in the noise reduction policy to its whitelist, so that it can determine the noise alarm information in its alarm information based on those features.
The technical scheme provided by this embodiment at least has the following beneficial effect: the alarm information noise reduction policy determining device sends the noise reduction policy to any one of the at least one security device, so that that security device determines the noise alarm information in its own alarm information based on the noise reduction policy, thereby reducing the noise alarm information of the security device.
The method for determining the alarm information noise reduction strategy according to the embodiment of the present disclosure is described in detail above.
It can be seen that the foregoing description has mainly been presented with respect to a method of providing a technical solution according to an embodiment of the present disclosure. To achieve the above functions, it includes corresponding hardware structures and/or software modules that perform the respective functions. Those of skill in the art will readily appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
The embodiment of the disclosure may divide the function modules of the alarm information noise reduction policy determining device according to the above method example, for example, each function module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated modules may be implemented in hardware or in software functional modules. Optionally, the division of the modules in the embodiments of the present disclosure is schematic, which is merely a logic function division, and other division manners may be actually implemented.
Fig. 9 is a schematic structural diagram of an alarm information noise reduction policy determining apparatus 900 according to an embodiment of the present disclosure.
The alarm information noise reduction policy determining device 900 includes a processing unit 902. The processing unit 902 is configured to determine first alarm information from at least one security device, the first alarm information comprising at least one of noise alarm information and non-noise alarm information. The processing unit 902 is further configured to input the first alarm information into a noise alarm information detection model and determine the noise alarm information in the first alarm information, the detection model comprising at least one first noise alarm information judgment rule. The processing unit 902 is further configured to determine a noise reduction policy for the at least one security device based on the noise alarm information.
In a possible implementation, the alarm information noise reduction policy determining apparatus 900 further includes a communication unit 901. The processing unit 902 is configured to determine the target data of each piece of second alarm information, where the second alarm information is alarm information obtained from the at least one security device and the target data includes the attack Internet Protocol (IP) address, the attack behavior type, the attack mode and the attacked IP address; to instruct the communication unit 901 to acquire the attribution information of each piece of second alarm information, the attribution information being that of the attack IP address in the target data; and, specifically, to determine that the first alarm information comprises the target data and the attribution information of each piece of second alarm information.
In a possible implementation, the communication unit 901 is further configured to receive third alarm information from the at least one security device, and the processing unit 902 is specifically configured to delete from the third alarm information the alarm information for which a noise reduction policy has already been determined, the remainder being the second alarm information.
In a possible implementation, the noise alarm information detection model is configured to judge, from the target data and/or the attribution information of a target piece of first alarm information, whether that target data is target data that requires an alarm; the processing unit 902 determines that the target first alarm information is noise alarm information when its target data is not target data that requires an alarm.
In a possible implementation, the at least one first noise alarm information judgment rule includes at least one of the following: a virus noise alarm judgment rule; a website attack mode noise alarm judgment rule; a network attack behavior noise alarm judgment rule; an abnormal behavior noise alarm judgment rule;
the virus noise alarm judgment rule comprises: determining, based on the attack IP address in the first alarm information and the attribution information of that attack IP address, whether the attack IP address has an antivirus and protection function, and judging the first alarm information to be noise alarm information when the attack IP address has an antivirus and protection function;
the website attack mode noise alarm judgment rule comprises: determining, based on the attack mode in the first alarm information, whether the attack mode is a preset attack mode, and judging the first alarm information to be noise alarm information when the attack mode is a preset attack mode;
the network attack behavior noise alarm judgment rule comprises: determining, based on the attack behavior type in the first alarm information, whether the attack behavior type is a preset non-attack behavior, and judging the first alarm information to be noise alarm information when the attack behavior type is a preset non-attack behavior;
the abnormal behavior noise alarm judgment rule comprises: determining, based on the attack IP address and the attacked IP address in the first alarm information, whether the data transmission in the first alarm information is traffic between security devices, and judging the first alarm information to be noise alarm information when the data transmission in the first alarm information is traffic between security devices.
In a possible implementation, the processing unit 902 is further configured to: determine the noise alarm information and the non-noise alarm information in the first alarm information; generate a second noise alarm information judgment rule for identifying noise data based on the target data and/or the attribution information of the noise alarm information; generate a third noise alarm information judgment rule for identifying noise data based on the target data and/or the attribution information of the non-noise alarm information; and update the noise alarm information detection model based on the second and third noise alarm information judgment rules.
In a possible implementation, the communication unit 901 is further configured to send the noise reduction policy to any one of the at least one security device, so that that security device determines the noise alarm information in its own alarm information based on the noise reduction policy.
An embodiment of the present disclosure also provides an alarm information noise reduction policy determining device comprising a processor and a memory. The memory stores computer-executable instructions; when the device operates, the processor executes the instructions stored in the memory so that the device performs the alarm information noise reduction policy determining method described in the embodiments of the present disclosure.
Embodiments of the present disclosure provide a computer program product comprising instructions that, when executed on a computer, cause the computer to perform the alarm information noise reduction policy determination method in the above method embodiments.
Embodiments of the present disclosure provide a chip, the chip including a processor and a communication interface, the communication interface and the processor being coupled, the processor being configured to execute a computer program or instructions to implement the alarm information noise reduction policy determination method as in the method embodiments described above.
The computer-readable storage medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium include: an electrical connection having one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), registers, optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any other form of computer-readable storage medium known to those skilled in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium may be integral to the processor. The processor and the storage medium may reside in an application-specific integrated circuit (ASIC). In the disclosed embodiments, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device.
Since the apparatus, device, computer-readable storage medium and computer program product in the embodiments of the present disclosure can be applied to the above method, the technical effects they obtain may likewise be referred to the method embodiments above and are not repeated here.
The foregoing merely describes specific embodiments of the present disclosure, but the scope of the present disclosure is not limited thereto; any change or substitution within the technical scope of the present disclosure shall be covered by the protection scope of the present disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.
Claims (16)
1. A method for determining an alarm information noise reduction policy, characterized by comprising:
determining first alarm information from at least one security device, the first alarm information comprising at least one of noise alarm information and non-noise alarm information;
inputting the first alarm information into a noise alarm information detection model and determining the noise alarm information in the first alarm information, the detection model comprising at least one first noise alarm information judgment rule;
and determining a noise reduction policy for the at least one security device based on the noise alarm information.
2. The method of claim 1, wherein determining the first alarm information from the at least one security device comprises:
determining target data of each piece of second alarm information, wherein the second alarm information is alarm information acquired from the at least one security device and the target data includes: the attack Internet Protocol (IP) address, the attack behavior type, the attack mode and the attacked IP address;
acquiring attribution information of each piece of second alarm information, the attribution information being that of the attack IP address in the target data;
and determining that the first alarm information comprises the target data and the attribution information of each piece of second alarm information.
3. The method of claim 2, wherein before determining the target data of each piece of second alarm information, the method further comprises:
receiving third alarm information from the at least one security device;
deleting from the third alarm information the alarm information for which a noise reduction policy has already been determined, and determining the remainder as the second alarm information.
4. The method of claim 2 or 3, wherein the noise alarm information detection model is configured to judge, from the target data and/or the attribution information of a target piece of first alarm information, whether that target data is target data that requires an alarm, and to determine the target first alarm information to be noise alarm information when its target data is not target data that requires an alarm.
5. The method of claim 2 or 3, wherein the at least one first noise alarm information judgment rule comprises at least one of: a virus noise alarm judgment rule; a website attack mode noise alarm judgment rule; a network attack behavior noise alarm judgment rule; an abnormal behavior noise alarm judgment rule;
the virus noise alarm judgment rule comprises: determining, based on the attack IP address in the first alarm information and the attribution information of that attack IP address, whether the attack IP address has an antivirus and protection function, and judging the first alarm information to be noise alarm information when the attack IP address has an antivirus and protection function;
the website attack mode noise alarm judgment rule comprises: determining, based on the attack mode in the first alarm information, whether the attack mode is a preset attack mode, and judging the first alarm information to be noise alarm information when the attack mode is a preset attack mode;
the network attack behavior noise alarm judgment rule comprises: determining, based on the attack behavior type in the first alarm information, whether the attack behavior type is a preset non-attack behavior, and judging the first alarm information to be noise alarm information when the attack behavior type is a preset non-attack behavior;
the abnormal behavior noise alarm judgment rule comprises: determining, based on the attack IP address and the attacked IP address in the first alarm information, whether the data transmission in the first alarm information is traffic between security devices, and judging the first alarm information to be noise alarm information when the data transmission in the first alarm information is traffic between security devices.
6. The method of any one of claims 1-3, wherein after inputting the first alarm information into the noise alarm information detection model and determining the noise alarm information in the first alarm information, the method further comprises:
determining the noise alarm information and the non-noise alarm information in the first alarm information;
generating a second noise alarm information judgment rule for identifying noise data based on the target data and/or the attribution information of the noise alarm information;
generating a third noise alarm information judgment rule for identifying noise data based on the target data and/or the attribution information of the non-noise alarm information;
and updating the noise alarm information detection model based on the second noise alarm information judgment rule and the third noise alarm information judgment rule.
7. The method of any one of claims 1-3, wherein after determining the noise reduction policy for the at least one security device based on the noise alarm information, the method further comprises:
sending the noise reduction policy to any one of the at least one security device, so that that security device determines the noise alarm information in its own alarm information based on the noise reduction policy.
8. An alarm information noise reduction policy determining device, characterized by comprising a processing unit, wherein:
the processing unit is configured to determine first alarm information from at least one security device, the first alarm information comprising at least one of noise alarm information and non-noise alarm information;
the processing unit is further configured to input the first alarm information into a noise alarm information detection model and determine the noise alarm information in the first alarm information, the detection model comprising at least one first noise alarm information judgment rule;
and the processing unit is further configured to determine a noise reduction policy for the at least one security device based on the noise alarm information.
9. The device of claim 8, further comprising a communication unit, wherein the processing unit is specifically configured to:
determine target data of each piece of second alarm information, wherein the second alarm information is alarm information acquired from the at least one security device and the target data includes: the attack Internet Protocol (IP) address, the attack behavior type, the attack mode and the attacked IP address;
instruct the communication unit to acquire attribution information of each piece of second alarm information, the attribution information being that of the attack IP address in the target data;
and determine that the first alarm information comprises the target data and the attribution information of each piece of second alarm information.
10. The device of claim 9, wherein the communication unit is further configured to receive third alarm information from the at least one security device;
and the processing unit is specifically configured to delete from the third alarm information the alarm information for which a noise reduction policy has already been determined, and to determine the remainder as the second alarm information.
11. The device of claim 9 or 10, wherein the noise alarm information detection model is configured to judge, from the target data and/or the attribution information of a target piece of first alarm information, whether that target data is target data that requires an alarm; and the processing unit determines the target first alarm information to be noise alarm information when its target data is not target data that requires an alarm.
12. The device of claim 9 or 10, wherein the at least one first noise alarm information judgment rule comprises at least one of: a virus noise alarm judgment rule; a website attack mode noise alarm judgment rule; a network attack behavior noise alarm judgment rule; an abnormal behavior noise alarm judgment rule;
the virus noise alarm judgment rule comprises: determining, based on the attack IP address in the first alarm information and the attribution information of that attack IP address, whether the attack IP address has an antivirus and protection function, and judging the first alarm information to be noise alarm information when the attack IP address has an antivirus and protection function;
the website attack mode noise alarm judgment rule comprises: determining, based on the attack mode in the first alarm information, whether the attack mode is a preset attack mode, and judging the first alarm information to be noise alarm information when the attack mode is a preset attack mode;
the network attack behavior noise alarm judgment rule comprises: determining, based on the attack behavior type in the first alarm information, whether the attack behavior type is a preset non-attack behavior, and judging the first alarm information to be noise alarm information when the attack behavior type is a preset non-attack behavior;
the abnormal behavior noise alarm judgment rule comprises: determining, based on the attack IP address and the attacked IP address in the first alarm information, whether the data transmission in the first alarm information is traffic between security devices, and judging the first alarm information to be noise alarm information when the data transmission in the first alarm information is traffic between security devices.
13. The device of any one of claims 8-10, wherein the processing unit is further configured to:
determine the noise alarm information and the non-noise alarm information in the first alarm information;
generate a second noise alarm information judgment rule for identifying noise data based on the target data and/or the attribution information of the noise alarm information;
generate a third noise alarm information judgment rule for identifying noise data based on the target data and/or the attribution information of the non-noise alarm information;
and update the noise alarm information detection model based on the second noise alarm information judgment rule and the third noise alarm information judgment rule.
14. The device of any one of claims 8-10, wherein the communication unit is further configured to:
send the noise reduction policy to any one of the at least one security device, so that that security device determines the noise alarm information in its own alarm information based on the noise reduction policy.
15. An alarm information noise reduction policy determining device, comprising a processor and a memory, wherein the memory is configured to store computer-executable instructions which, when executed, cause the alarm information noise reduction policy determining device to perform the alarm information noise reduction policy determining method of any one of claims 1-7.
16. A computer-readable storage medium having instructions stored therein which, when executed by a processor of an alarm information noise reduction policy determining device, cause the device to perform the alarm information noise reduction policy determining method of any one of claims 1-7.
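The procedure of claims 2 to 7 (and the matching description of apparatus 900 above: target-data extraction with attribution lookup, dropping alerts already covered by a policy, the four first judgment rules, per-device policy determination, and updating the model from labelled noise and non-noise alerts) in runnable form, as an added example that is not part of the patent or of any product implementing it. The attribution table, the preset attack-mode and non-attack-behavior lists, the alert records and the analyst feedback are all constructed, and names such as `ATTRIBUTION`, `NoiseDetectionModel` and `determine_policy` are this example's own. One design choice is assumed rather than taken from the text: in `update`, the third rule learned from confirmed non-noise outranks the second rule learned from confirmed noise, so a learned suppression can never hide an alert an analyst has already marked as real.

```python
"""Added example: rule-based noise screening of security-device alerts, following
claims 2-7. All tables and alerts are constructed sample data, not the patent's code."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed stand-in for the attribution service (assumption: owner + capability flags per attack IP).
ATTRIBUTION = {
    "10.0.0.5": {"owner": "corp-av-server", "has_av_protection": True},
    "10.0.0.9": {"owner": "ids-sensor-1", "is_security_device": True},
    "10.0.0.10": {"owner": "ids-sensor-2", "is_security_device": True},
    "203.0.113.7": {"owner": "unknown"},
}
# Constructed preset lists; the patent leaves their contents to the operator.
PRESET_NOISE_ATTACK_MODES = {"cms-version-probe"}
PRESET_NON_ATTACK_BEHAVIOURS = {"dns-query", "ntp-sync"}
SECURITY_DEVICE_IPS = {ip for ip, a in ATTRIBUTION.items() if a.get("is_security_device")}

@dataclass(frozen=True)
class Alert:
    device: str       # security device that raised the alert
    attack_ip: str
    attacked_ip: str
    behaviour: str    # attack behavior type
    mode: str         # attack mode
    attribution: dict = field(default_factory=dict, compare=False)

    def key(self) -> tuple:   # target data used to match policies and learned rules
        return (self.attack_ip, self.behaviour, self.mode)

Rule = Callable[[Alert], Optional[str]]   # a rule returns a reason string if the alert is noise

def rule_virus(a: Alert) -> Optional[str]:
    # Attribution says the attack IP itself provides antivirus / protection functions.
    return "virus-noise" if a.attribution.get("has_av_protection") else None

def rule_website_mode(a: Alert) -> Optional[str]:
    return "mode-noise" if a.mode in PRESET_NOISE_ATTACK_MODES else None

def rule_network_behaviour(a: Alert) -> Optional[str]:
    return "behaviour-noise" if a.behaviour in PRESET_NON_ATTACK_BEHAVIOURS else None

def rule_inter_device(a: Alert) -> Optional[str]:
    # Both endpoints are security devices, so this is inter-device traffic.
    return "inter-device-noise" if {a.attack_ip, a.attacked_ip} <= SECURITY_DEVICE_IPS else None

class NoiseDetectionModel:
    def __init__(self, first_rules: list):
        self.rules = list(first_rules)
        self.exceptions: set = set()   # confirmed non-noise target data: never suppressed

    def classify(self, a: Alert) -> Optional[str]:
        if a.key() in self.exceptions:
            return None
        for rule in self.rules:
            reason = rule(a)
            if reason is not None:
                return reason
        return None

    def update(self, noise: list, non_noise: list) -> None:
        # Third rule (from confirmed non-noise) outranks the second rule (from
        # confirmed noise); this precedence is the example's own assumption.
        self.exceptions |= {a.key() for a in non_noise}
        learned = {a.key() for a in noise} - self.exceptions
        self.rules.append(lambda a: "learned-noise" if a.key() in learned else None)

def enrich(raw: list, attribution: dict = ATTRIBUTION) -> list:
    """Extract target data from raw alerts and attach the attack IP's attribution."""
    return [Alert(r["device"], r["src"], r["dst"], r["behaviour"], r["mode"],
                  attribution.get(r["src"], {})) for r in raw]

def drop_already_policied(alerts: list, policy: dict) -> list:
    """Alerts already covered by the policy sent to their device are not re-evaluated."""
    return [a for a in alerts if a.key() not in policy.get(a.device, set())]

def determine_policy(model: NoiseDetectionModel, alerts: list) -> dict:
    """Per device, the set of target data that device should treat as noise."""
    policy: dict = {}
    for a in alerts:
        if model.classify(a) is not None:
            policy.setdefault(a.device, set()).add(a.key())
    return policy

RAW_ALERTS = [   # constructed sample alerts from three security devices
    {"device": "fw-1", "src": "10.0.0.5", "dst": "10.0.1.20", "behaviour": "file-write", "mode": "signature-update"},
    {"device": "fw-1", "src": "203.0.113.7", "dst": "10.0.1.20", "behaviour": "web-exploit", "mode": "cms-version-probe"},
    {"device": "waf-1", "src": "203.0.113.7", "dst": "10.0.1.30", "behaviour": "web-exploit", "mode": "sql-injection"},
    {"device": "ids-1", "src": "10.0.0.9", "dst": "10.0.0.10", "behaviour": "tcp-flow", "mode": "bulk-transfer"},
    {"device": "ids-1", "src": "203.0.113.7", "dst": "10.0.1.40", "behaviour": "dns-query", "mode": "none"},
]

def demo() -> dict:
    model = NoiseDetectionModel([rule_virus, rule_website_mode, rule_network_behaviour, rule_inter_device])
    alerts = enrich(RAW_ALERTS)
    reasons = [model.classify(a) for a in alerts]
    policy = determine_policy(model, alerts)
    pending = drop_already_policied(enrich(RAW_ALERTS), policy)   # next batch: same alerts again
    model.update(noise=[alerts[2]], non_noise=[alerts[1]])         # constructed analyst feedback
    return {"reasons": reasons, "policy": policy, "pending": [a.device for a in pending],
            "after_update": [model.classify(alerts[1]), model.classify(alerts[2])],
            "policy_after": determine_policy(model, alerts)}
```

Running `demo()` classifies the first, second, fourth and fifth sample alerts as noise (virus, preset attack mode, inter-device traffic, preset non-attack behavior), leaves only the WAF alert pending in the next batch, and after the feedback step flips the CMS probe back to a real alert while learning the authorised test as noise. Two caveats a practitioner would want before deploying anything like this: the inter-device rule and the virus rule trust the attribution table completely, so a compromised sensor or a spoofed source address inherits the suppression, and the learned second rule should be reviewed before it is pushed to devices, since it is only as good as the labels that produced it.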
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310665449.9A CN116702133A (en) | 2023-06-06 | 2023-06-06 | Alarm information noise reduction strategy determination method and device and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310665449.9A CN116702133A (en) | 2023-06-06 | 2023-06-06 | Alarm information noise reduction strategy determination method and device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116702133A true CN116702133A (en) | 2023-09-05 |
Family
ID=87842782
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310665449.9A Pending CN116702133A (en) | 2023-06-06 | 2023-06-06 | Alarm information noise reduction strategy determination method and device and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116702133A (en) |
- 2023-06-06: CN application CN202310665449.9A (publication CN116702133A) filed; status: active, Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110149350B (en) | Network attack event analysis method and device associated with alarm log | |
CN107454109B (en) | Network privacy stealing behavior detection method based on HTTP traffic analysis | |
JP4373779B2 (en) | Stateful distributed event processing and adaptive maintenance | |
KR100800370B1 (en) | Network attack signature generation | |
EP1995929B1 (en) | Distributed system for the detection of eThreats | |
US7779465B2 (en) | Distributed peer attack alerting | |
US7228564B2 (en) | Method for configuring a network intrusion detection system | |
Jardine et al. | Senami: Selective non-invasive active monitoring for ics intrusion detection | |
CN109688105B (en) | Threat alarm information generation method and system | |
US20060037077A1 (en) | Network intrusion detection system having application inspection and anomaly detection characteristics | |
US20040250133A1 (en) | Computer security event management system | |
WO2007124206A2 (en) | System and method for securing information in a virtual computing environment | |
US20150074756A1 (en) | Signature rule processing method, server, and intrusion prevention system | |
CN113079185B (en) | Industrial firewall control method and equipment for realizing deep data packet detection control | |
CN106992955A (en) | APT fire walls | |
CN114826880A (en) | Method and system for online monitoring of data safe operation | |
CN112650180B (en) | Safety warning method, device, terminal equipment and storage medium | |
KR20020075319A (en) | Intelligent Security Engine and Intelligent and Integrated Security System Employing the Same | |
KR100607110B1 (en) | Security information management and vulnerability analysis system | |
CN113055362A (en) | Method, device, equipment and storage medium for preventing abnormal behaviors | |
CN116702133A (en) | Alarm information noise reduction strategy determination method and device and storage medium | |
CN113037779B (en) | Intelligent self-learning white list method and system in active defense system | |
JP2004030287A (en) | Bi-directional network intrusion detection system and bi-directional intrusion detection program | |
CN113328976B (en) | Security threat event identification method, device and equipment | |
CN112422501B (en) | Forward and reverse tunnel protection method, device, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||