CN116962080A - Alarm filtering method, system and medium based on network node risk assessment - Google Patents
Publication number: CN116962080A (application number CN202311206887.5A)
Authority: CN (China)
Prior art keywords: network, event, network node, node, alarm
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0236: filtering by address, protocol, port number or service, e.g. IP address or URL (under H04L63/00 network architectures or network communication protocols for network security; H04L63/02 separating internal from external traffic, e.g. firewalls; H04L63/0227 filtering policies)
- H04L63/0263: rule management (under H04L63/0227 filtering policies)
- H04L63/1425: traffic logging, e.g. anomaly detection (under H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
- H04L9/40: network security protocols (under H04L9/00 cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
Abstract
The application discloses an alarm filtering method, system and medium based on network node risk assessment. It relates to the technical field of alarm filtering and addresses the problems of existing methods: they need a large amount of manpower and material resources, have a high false alarm rate, require a large volume of data, and have long training and update cycles. The method comprises the following steps: aggregating network events by network node IP and generating an event document per IP, from which a network event risk value is determined; obtaining the topology importance of each network node; obtaining the influence degree of each network node; determining a network node risk value; obtaining a network node alarm list and a network event alarm list from the occurrence frequency of the network events, the network event risk values, the network node risk values, the total number of network events, the total number of network nodes and the types of network events; and, based on the two lists, generating a deduplicated node-event set and forming the final alarm ordering with the order of the network events as the first sort key and the order of the network nodes as the second.
Description
Technical Field
The present application relates to the field of alarm filtering technologies, and in particular, to an alarm filtering method, system, and medium based on risk assessment of network nodes.
Background
Alarm filtering plays a key role in a network security monitoring system: it helps to identify and filter out noise and repeated alarms, reduces the workload of operation and maintenance personnel and improves their efficiency. A very common phenomenon today, however, is a flood of false alarms in which the true alarms are easily drowned out. Studies have found that only 3.05% of alarms are true alarms. At the same time, this flood of false alarms is found to be the root cause of the difficulty of configuring effective alarm rules with the capabilities of existing alarm products.
Currently, alarm filtering methods can be grouped into the following categories: 1. Rule-based filtering. 2. Machine learning methods that automatically identify and filter out alarms of relatively low risk. 3. Anomaly detection and behavioural analysis: events inconsistent with the expected behaviour are detected by building a baseline behaviour model or a statistical model. 4. Adaptive alarm filtering: alarm filtering is optimised based on current threat intelligence, attack trends, network topology and other factors. 5. Automation and intelligence: alarms are automatically identified and interpreted using techniques such as artificial intelligence.
However, each of these has drawbacks. 1. Rule-based methods require a lot of manpower and material resources, and the establishment of new rules lags seriously behind new threats. 2. Machine learning methods need manually labelled historical data, again at a large cost in manpower and material resources. 3. Anomaly detection and behavioural analysis: real anomalies are only a small fraction of all events, so the false alarm rate is high. 4. Adaptive alarm filtering: the judgement of changes in anomaly trends carries a large error. 5. Automation and intelligence: the requirement on data volume is relatively large, and the training and update cycle is long.
Disclosure of Invention
Aiming at the defects of the prior art, the application provides an alarm filtering method, an alarm filtering system and an alarm filtering medium based on network node risk assessment, to solve the problems that existing methods need a large amount of manpower and material resources, have a high false alarm rate, require a large volume of data, and have long training and update cycles.
In a first aspect, the present application provides an alarm filtering method based on risk assessment of network nodes, the method comprising: aggregating the network events within a preset time interval by network node IP; generating an event document for each network node IP; determining a network event risk value according to the event document, the network events in the event document and the IDF formula; obtaining the basic transfer matrix and the first damping coefficient of the directed graph corresponding to the network nodes, and from them the topology importance of each network node; obtaining the number of access users corresponding to each network node in the preset time interval, the accessed frequency of each network node, the total accessed frequency of all network nodes, a second damping coefficient and the total number of network nodes, and from them the influence degree of each network node; obtaining the total number of network events corresponding to each network node, the occurrence frequency of the network events, a third damping coefficient, the network event risk values, the network node topology importance and the network node influence degree, and determining the network node risk value; obtaining a network node alarm list and a network event alarm list according to the occurrence frequency of the network events, the network event risk values, the network node risk values, the total number of network events, the total number of network nodes and the types of network events; and, based on the network node alarm list and the network event alarm list, generating a node-event deduplication set and forming the final alarm ordering result with the order of the network events as the first sort key and the order of the network nodes as the second.
Further, determining a network event risk value according to the event document, the network events in the event document and the IDF formula specifically includes: calculating, according to the IDF formula, the IDF value corresponding to each network event, where a is any event document, A is the set of all event documents, |A| is the number of event documents, N is the set of network events and |N| is the number of network events in the event document; calculating, according to the event diffuseness formula, the diffuseness of each network event, using the average value over the preset time interval; and determining, according to a preset risk value calculation formula, the risk value of the i-th network event.
Further, obtaining the basic transfer matrix and the first damping coefficient of the directed graph corresponding to the network nodes, and from them the topology importance of each network node, specifically includes: obtaining the connection mode between the network nodes to generate the directed graph corresponding to the network nodes, and obtaining the basic transfer matrix from that directed graph; obtaining the first damping coefficient through a preset parameter editing interface; and calculating the topology importance of each network node through a preset topology importance calculation formula, where d is the first damping coefficient, M is the basic transfer matrix, the PR value of the previous iteration has an initial value of 1, n is the total number of network nodes, and e is the n-dimensional vector with all components equal to 1.
Further, obtaining the number of access users corresponding to each network node in the preset time interval, the accessed frequency of each network node, the total accessed frequency of all network nodes, the second damping coefficient and the total number of network nodes, and from them the influence degree of each network node, specifically includes: obtaining the second damping coefficient through a preset parameter editing interface; obtaining the network logs generated by the network nodes in the preset time interval through a preset statistics tool, and counting from those logs the number of access users corresponding to each network node, the accessed frequency of each network node, the total accessed frequency of all network nodes and the total number of network nodes in the preset time interval; and obtaining the influence degree of each network node through a preset influence formula, where IF is the network node influence degree, the second damping coefficient is the one obtained above, UV is the number of access users corresponding to the network node in the preset time interval, UF is the accessed frequency of the network node, TF is the total accessed frequency of all network nodes, and n is the total number of network nodes.
Further, obtaining the total number of network events corresponding to each network node, the occurrence frequency of the network events, the third damping coefficient, the network event risk values, the network node topology importance and the network node influence degree, and determining the network node risk value, specifically includes: obtaining the third damping coefficient through a preset parameter editing interface; obtaining the network logs generated by the network node in the preset time interval through a preset statistics tool, and counting from those logs the occurrence frequency of each network event in the preset time interval; and determining the network node risk value through a preset risk value formula, where NR is the network node risk value, the third damping coefficient is the one obtained above, PR is the network node topology importance, IF is the network node influence degree, the risk value and the occurrence frequency of the i-th network event are those determined above, and N is the set of network events.
Further, obtaining a network node alarm list and a network event alarm list according to the occurrence frequency of the network events, the network event risk values, the network node risk values, the total number of network events, the total number of network nodes and the types of network events specifically includes: obtaining the network logs generated by the network nodes in the preset time interval through a preset statistics tool, and counting from those logs the total number of network events, the total number of network nodes and the types of network events in the preset time interval; obtaining the average risk value of the network nodes through a network node average risk value formula, where N is the set of network events, n is the total number of network nodes, m is the network event type, and the risk value and the occurrence frequency of the i-th network event are those determined above; obtaining a node alarm activation value through a preset network node alarm activation function, where θ is a preset adjustment parameter and NR is the network node risk value, and adding the network node together with its node alarm activation value to the network node alarm list when the node alarm activation value is greater than a preset node activation threshold; obtaining the average risk value of the network events through a network event average risk value formula; and obtaining an event alarm activation value through a preset network event alarm activation function, and adding the network event together with its event alarm activation value to the network event alarm list when the event alarm activation value is greater than a preset event activation threshold.
In a second aspect, the present application provides an alarm filtering system based on risk assessment of network nodes, the system comprising: a determining module, configured to aggregate the network events within a preset time interval by network node IP, generate an event document for each network node IP, and determine a network event risk value according to the event document, the network events in the event document and the IDF formula; an obtaining module, configured to obtain the basic transfer matrix and the first damping coefficient of the directed graph corresponding to the network nodes and from them the topology importance of each network node; to obtain the number of access users corresponding to each network node in the preset time interval, the accessed frequency of each network node, the total accessed frequency of all network nodes, a second damping coefficient and the total number of network nodes and from them the influence degree of each network node; to obtain the total number of network events corresponding to each network node, the occurrence frequency of the network events, a third damping coefficient, the network event risk values, the network node topology importance and the network node influence degree, and determine the network node risk value; and to obtain a network node alarm list and a network event alarm list according to the occurrence frequency of the network events, the network event risk values, the network node risk values, the total number of network events, the total number of network nodes and the types of network events; and a forming module, configured to generate a node-event deduplication set based on the network node alarm list and the network event alarm list and to form the final alarm ordering result with the order of the network events as the first sort key and the order of the network nodes as the second.
Further, the determining module includes an event calculation unit configured to: calculate, according to the IDF formula, the IDF value corresponding to each network event, where a is any event document, A is the set of all event documents, |A| is the number of event documents, N is the set of network events and |N| is the number of network events in the event document; calculate, according to the event diffuseness formula, the diffuseness of each network event, using the average value over the preset time interval; and determine, according to a preset risk value calculation formula, the risk value of the i-th network event.
Further, the obtaining module includes a topology calculation unit, a first processing unit and a second processing unit. The topology calculation unit is configured to obtain the connection mode between the network nodes to generate the directed graph corresponding to the network nodes, and to obtain the basic transfer matrix from that directed graph; to obtain the first damping coefficient through a preset parameter editing interface; and to calculate the topology importance of each network node through a preset topology importance calculation formula, where d is the first damping coefficient, M is the basic transfer matrix, the PR value of the previous iteration has an initial value of 1, n is the total number of network nodes, and e is the n-dimensional vector with all components equal to 1.
In a third aspect, the present application provides a non-volatile computer storage medium having stored thereon computer instructions which, when executed, implement a network node risk assessment based alarm filtering method as in any of the above.
As will be appreciated by those skilled in the art, the present application has at least the following beneficial effects:
1. The application computes quickly: it uses no formula of high computational complexity, and it adapts rapidly to the migration or change of a service. 2. The application is unsupervised and does not require much labour cost. 3. The application innovatively applies the TF-IDF method from NLP (natural language processing) to event risk assessment, and assesses event risk effectively. 4. The application combines the risk of the network node with the risk of the event, and sorts the event alarms by importance effectively. 5. The application filters alarms effectively.
Drawings
Some embodiments of the present disclosure are described below with reference to the accompanying drawings, in which:
fig. 1 is a flowchart of an alarm filtering method based on risk assessment of a network node according to an embodiment of the present application.
Fig. 2 is a schematic diagram of an internal structure of an alarm filtering system based on risk assessment of network nodes according to an embodiment of the present application.
Detailed Description
It should be understood by those skilled in the art that the embodiments described below are only preferred embodiments of the present disclosure, and do not represent that the present disclosure can be realized only by the preferred embodiments, which are merely for explaining the technical principles of the present disclosure, not for limiting the scope of the present disclosure. Based on the preferred embodiments provided by the present disclosure, all other embodiments that may be obtained by one of ordinary skill in the art without inventive effort shall still fall within the scope of the present disclosure.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises an element.
The following describes the technical scheme provided by the embodiment of the application in detail through the attached drawings.
The embodiment of the application provides an alarm filtering method based on network node risk assessment, as shown in fig. 1, which mainly comprises the following steps:
step 110, based on the network node IP, aggregating the network events within a preset time interval; generating an event document according to the network node IP; and determining a network event risk value according to the event document, the network event in the event document and the IDF formula.
It should be noted that a network node is a network device in the Internet, such as a computer, server, router or switch. A network node IP identifies a network device by its unique IP address. The preset time interval may be any feasible time interval. A network event is a network security event generated by a network device; when a network node generates no network event, its event document is an empty document. A network event includes at least a network event name. The content of an event document may be the network event names or code numbers, separated by spaces.
In this step, IDF (inverse document frequency) is the inverse document frequency technique, and "determining a network event risk value according to the event document, the network events in the event document and the IDF formula" may specifically be: calculating, according to the IDF formula, the IDF value corresponding to each network event, where a is any event document, A is the set of all event documents, |A| is the number of event documents, N is the set of network events and |N| is the number of network events in the event document; calculating, according to the event diffuseness formula, the diffuseness of each network event, using the average value over the preset time interval; and determining, according to a preset risk value calculation formula, the risk value of the i-th network event.
Step 120, obtaining a basic transfer matrix and a first damping coefficient of a directed graph corresponding to the network node, thereby obtaining the topology importance of the network node.
It should be noted that the specific value of the first damping coefficient may be determined by those skilled in the art according to the practical situation; it is generally 0.85. The directed graph consists of the network nodes and the transition probabilities of the links between them. The directed graph used for the random walk consists of two parts: (1) a basic transition matrix, in which the transition probability from a node to each of the nodes connected to it is equal; and (2) a totally random transfer matrix.
In the application, the network nodes and the connection mode between them are obtained to generate the directed graph corresponding to the network nodes, and the basic transfer matrix is obtained from that directed graph. The method of generating the directed graph and obtaining the basic transfer matrix may be implemented with existing techniques, which the application does not limit.
As an example, this step may be specifically: acquiring a connection mode between network nodes to generate a directed graph corresponding to the network nodes, and further acquiring a basic transfer matrix based on the directed graph corresponding to the network nodes; acquiring a first damping coefficient through a preset parameter editing interface; through a preset topological importance calculation formula:calculating the topology importance of the network node; wherein d is a first damping coefficient; m is a basic transfer matrix; />Is the PR value of the last iteration, and +.>An initial value of 1; n is the total number of network nodes; e is an n-dimensional vector with all components of 1.
Step 130, obtaining the number of access users corresponding to the network nodes in the preset time interval, the accessed frequency of each network node, the total accessed frequency of all network nodes, the second damping coefficient and the total number of network nodes, so as to obtain the influence degree of the network nodes.
It should be noted that the specific value of the second damping coefficient may be determined by those skilled in the art according to the actual situation. The number of access users corresponding to each network node, the accessed frequency of each network node, the total accessed frequency of all network nodes and the total number of network nodes in the preset time interval are counted by a preset statistics tool. The preset statistics tool is an existing tool; any more intelligent system can also be used.
As an example, this step may be specifically: obtaining a second damping coefficient through a preset parameter editing interface; obtaining a network log generated by the network nodes in a preset time interval through a preset statistics tool, and counting the number of access users, the accessed frequency of each network node, the total accessed frequency of all network nodes and the total number of network nodes corresponding to the network nodes in the preset time interval through the network log; through a preset influence formula:obtaining the influence degree of the network node; wherein IF is the network node influence, +.>And as for the second damping coefficient, UV is the number of access users corresponding to the network nodes in a preset time interval, each network node of UF is accessed frequently, all network nodes of TF are accessed frequently, and n is the total number of network nodes.
Step 140, obtaining the total number of network events corresponding to the network nodes, the occurrence frequency of the network events, the third damping coefficient, the network event risk value, the network node topology importance and the network node influence degree, and determining the network node risk value.
It should be noted that the specific value of the third damping coefficient may be determined by those skilled in the art according to the actual situation. The total number of network events corresponding to each network node and the occurrence frequency of the network events are counted by a preset statistics tool.
As an example, this step may be specifically: acquiring a third damping coefficient through a preset parameter editing interface; acquiring a weblog generated by a network node in a preset time interval through a preset statistics tool, so as to count the occurrence frequency of each network event in the preset time interval through the weblog; through a preset risk value formula:determining a network node risk value; wherein NR is a network node risk value,for the third damping coefficient, PR is the network node topology importance, IF is the network node influence, ++>For the ith network event risk value, +.>And N is the network event set, wherein the occurrence frequency of the ith network event is the occurrence frequency of the ith network event.
Step 150, obtaining a network node alarm list and a network event alarm list according to the occurrence frequency of the network event, the network event risk value, the network node risk value, the total number of the network event, the total number of the network nodes and the type of the network event.
It should be noted that the total number of network events, the total number of network nodes and the types of network events in the preset time interval are counted by the preset statistics tool.
As an example, this step may be specifically:
(1) Obtaining the network node alarm list: obtaining the network logs generated by the network nodes in the preset time interval through a preset statistics tool, and counting from those logs the total number of network events, the total number of network nodes and the types of network events in the preset time interval; obtaining the average risk value of the network nodes through a network node average risk value formula, where N is the set of network events, n is the total number of network nodes, m is the network event type, and the risk value and the occurrence frequency of the i-th network event are those determined above; and obtaining a node alarm activation value through a preset network node alarm activation function, where θ is a preset adjustment parameter and NR is the network node risk value, and adding the network node together with its node alarm activation value to the network node alarm list when the node alarm activation value is greater than a preset node activation threshold.
(2) Obtaining the network event alarm list: obtaining the average risk value of the network events through a network event average risk value formula; and obtaining an event alarm activation value through a preset network event alarm activation function, and adding the network event together with its event alarm activation value to the network event alarm list when the event alarm activation value is greater than a preset event activation threshold.
Step 160, generating a node-event deduplication set based on the network node alarm list and the network event alarm list, and forming a final alarm sequencing result by taking the arrangement sequence of the network events as a first reference and the arrangement sequence of the network nodes as a second reference.
It should be noted that the node-event deduplication set may be generated with an existing LinkedHashSet deduplication method. A node-event deduplication set is a set that contains network nodes and network events and removes duplicate entries.
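The deduplication and two-level ordering of Step 160, as an added example that is not the patent's own code. It assumes (the page does not say) that each alarm list is arranged by descending activation value and that the candidate (node, event) pairs come from the raw event records of the interval; the dict-based deduplication stands in for the LinkedHashSet named above.

```python
"""Step 160: node-event deduplication set, then ordering with the network-event
order as the first reference and the network-node order as the second.
Added example, not the patent's code.

Assumptions (not stated on the page): alarm lists are arranged by descending
activation value; candidate pairs are the raw (node IP, event type) records.
"""
from typing import Dict, List, Tuple

NodeAlarm = Tuple[str, float]   # (node IP, node alarm activation value)
EventAlarm = Tuple[str, float]  # (event type, event alarm activation value)
Pair = Tuple[str, str]          # (node IP, event type)

# Constructed sample input (not from the page).
NODE_ALARMS: List[NodeAlarm] = [("10.0.0.5", 0.62), ("10.0.0.9", 0.91), ("10.0.0.7", 0.75)]
EVENT_ALARMS: List[EventAlarm] = [("brute_force", 0.70), ("port_scan", 0.55), ("dns_tunnel", 0.88)]
RECORDS: List[Pair] = [
    ("10.0.0.5", "port_scan"),
    ("10.0.0.9", "dns_tunnel"),
    ("10.0.0.5", "port_scan"),    # repeated pair, removed by the dedup set
    ("10.0.0.7", "brute_force"),
    ("10.0.0.3", "dns_tunnel"),   # node did not alarm, dropped
    ("10.0.0.9", "port_scan"),
    ("10.0.0.5", "web_probe"),    # event did not alarm, dropped
    ("10.0.0.5", "dns_tunnel"),
]


def arrange(alarms):
    """Arrangement sequence of an alarm list: highest activation first (assumed)."""
    return sorted(alarms, key=lambda a: a[1], reverse=True)


def node_event_dedup_set(node_alarms, event_alarms, records) -> List[Pair]:
    """Keep pairs whose node and event both alarmed and drop repeats while
    preserving first-seen order, as a LinkedHashSet would (emulated here with
    an insertion-ordered dict)."""
    nodes = {ip for ip, _ in node_alarms}
    events = {ev for ev, _ in event_alarms}
    kept = (p for p in records if p[0] in nodes and p[1] in events)
    return list(dict.fromkeys(kept))


def final_alarm_sequence(node_alarms, event_alarms, records) -> List[Pair]:
    """Event order is the first sort key, node order the second."""
    ordered_nodes = arrange(node_alarms)
    ordered_events = arrange(event_alarms)
    node_rank: Dict[str, int] = {ip: i for i, (ip, _) in enumerate(ordered_nodes)}
    event_rank: Dict[str, int] = {ev: i for i, (ev, _) in enumerate(ordered_events)}
    dedup = node_event_dedup_set(ordered_nodes, ordered_events, records)
    return sorted(dedup, key=lambda p: (event_rank[p[1]], node_rank[p[0]]))


if __name__ == "__main__":
    for ip, ev in final_alarm_sequence(NODE_ALARMS, EVENT_ALARMS, RECORDS):
        print(f"{ev:12s} {ip}")
```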
In addition, fig. 2 is a diagram of an alarm filtering system based on risk assessment of network nodes according to an embodiment of the present application. As shown in fig. 2, the system provided by the embodiment of the present application mainly includes:
aggregating network events within a preset time interval based on the network node IP through a determination module 210 in the system; generating an event document according to the network node IP; and determining a network event risk value according to the event document, the network event in the event document and the IDF formula.
It should be noted that, the determining module 210 may be any feasible device or apparatus capable of determining a risk value of a network event through data calculation.
Determining the network event risk value according to the event document, the network event in the event document and the IDF formula may specifically be as follows: the event calculation unit 211 in the determining module 210
calculates, according to the IDF formula: …, an IDF value corresponding to the network event; wherein a is any event document, A is the set of all event documents, |A| is the number of all event documents, N is the network event set, and |N| is the number of network events in the event documents; calculates, according to the event diffuseness formula: …, the diffuseness of the network event; wherein … is the diffuseness of the ith network event, and … is the average value of … over the preset time interval; and determines, according to a preset risk value calculation formula: …, a network event risk value; wherein … is the ith network event risk value.
It should be noted that, the event calculation unit 211 may be any feasible device or apparatus capable of calculating a risk value of a network event.
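The per-IP aggregation into event documents and the IDF weighting that the event calculation unit 211 starts from, as an added example that is not the patent's own code. The log records are constructed, and since the page does not reproduce its own IDF, diffuseness or risk-value formulas, the IDF used here is the standard log(|A| / number of event documents containing the event), which is an assumption.

```python
"""Event documents and IDF values: events of the preset interval are grouped
per network node IP into one event document per node, and each event type is
weighted by how few documents it appears in. Added example, not the patent's
code; standard IDF form assumed, log records constructed.
"""
from collections import defaultdict
from math import log
from typing import Dict, List, Tuple

Record = Tuple[int, str, str]  # (timestamp, node IP, event type), constructed

LOG: List[Record] = [
    (100, "10.0.0.5", "port_scan"),
    (105, "10.0.0.9", "port_scan"),
    (110, "10.0.0.7", "port_scan"),
    (120, "10.0.0.5", "brute_force"),
    (130, "10.0.0.9", "dns_tunnel"),
    (140, "10.0.0.5", "port_scan"),
    (999, "10.0.0.7", "dns_tunnel"),   # outside the interval, ignored
]


def event_documents(records: List[Record], start: int, end: int) -> Dict[str, List[str]]:
    """One event document per node IP: the events seen on that node in [start, end)."""
    docs: Dict[str, List[str]] = defaultdict(list)
    for ts, ip, ev in records:
        if start <= ts < end:
            docs[ip].append(ev)
    return dict(docs)


def idf_values(docs: Dict[str, List[str]]) -> Dict[str, float]:
    """IDF per event type over the set A of event documents (standard form, assumed).
    An event present in every document (a noisy, ubiquitous alarm) gets weight 0;
    an event seen on a single node gets log(|A|)."""
    total = len(docs)
    df: Dict[str, int] = defaultdict(int)
    for events in docs.values():
        for ev in set(events):          # count each document once per event type
            df[ev] += 1
    return {ev: log(total / n) for ev, n in df.items()}


if __name__ == "__main__":
    docs = event_documents(LOG, 100, 200)
    for ev, w in sorted(idf_values(docs).items(), key=lambda kv: -kv[1]):
        print(f"{ev:12s} idf={w:.4f}")
```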
Acquiring a basic transfer matrix and a first damping coefficient of a directed graph corresponding to a network node through an acquisition module 220 in the system, thereby acquiring the topology importance of the network node; acquiring the number of access users corresponding to the network nodes in a preset time interval, the accessed frequency of each network node, the total accessed frequency of all network nodes, a second damping coefficient and the total number of network nodes so as to acquire the influence of the network nodes; obtaining the total number of network events corresponding to the network nodes, the occurrence frequency of the network events, the third damping coefficient, the network event risk value, the network node topology importance and the network node influence degree, and determining the network node risk value; and obtaining a network node alarm list and a network event alarm list according to the occurrence frequency of the network events, the network event risk value, the network node risk value, the total number of the network events, the total number of the network nodes and the types of the network events.
It should be noted that, the obtaining module 220 may be any feasible device or apparatus capable of obtaining the network node alarm list and the network event alarm list through data processing.
Obtaining a basic transfer matrix and a first damping coefficient of the directed graph corresponding to the network nodes, so as to obtain the topology importance of the network nodes, may specifically be: the topology calculation unit 221 in the obtaining module 220 obtains the connection mode between the network nodes to generate a directed graph corresponding to the network nodes, and further obtains a basic transfer matrix based on that directed graph; obtains a first damping coefficient through a preset parameter editing interface; and calculates the topology importance of the network node through a preset topological importance calculation formula: …; wherein d is the first damping coefficient; M is the basic transfer matrix; … is the PR value of the last iteration, with an initial value of 1; n is the total number of network nodes; and e is an n-dimensional vector with all components equal to 1.
The topology calculating unit 221 is any possible device or apparatus capable of performing calculation of a preset topology importance.
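The topology importance computation of unit 221, as an added example that is not the patent's own code. The page names the ingredients (directed graph, basic transfer matrix M, damping d, PR started at 1, all-ones vector e, n nodes) but not the formula, so the update used here is the standard PageRank form PR = d·M·PR_prev + (1 − d)/n·e with a column-stochastic M, and a node with no out-links is assumed to spread its weight evenly over all nodes; both are assumptions.

```python
"""Topology importance from a directed graph of node connections: build the
basic transfer matrix M and run the damped PR iteration from the all-ones
vector. Added example, not the patent's code.

Assumptions: standard PageRank update PR = d*M*PR_prev + (1-d)/n*e; column i
of M spreads node i's weight evenly over its out-neighbours; a node with no
out-links spreads evenly over all nodes so the total mass converges to 1.
"""
from typing import Dict, List, Tuple

Edge = Tuple[str, str]  # (source node, destination node)


def basic_transfer_matrix(nodes: List[str], edges: List[Edge]) -> List[List[float]]:
    """M[j][i] = probability of moving from node i to node j (columns sum to 1)."""
    idx = {node: k for k, node in enumerate(nodes)}
    n = len(nodes)
    out: Dict[str, List[str]] = {node: [] for node in nodes}
    for src, dst in edges:
        out[src].append(dst)
    m = [[0.0] * n for _ in range(n)]
    for src, dsts in out.items():
        i = idx[src]
        if not dsts:                       # dangling node: uniform (assumed)
            for j in range(n):
                m[j][i] = 1.0 / n
        else:
            for dst in dsts:
                m[idx[dst]][i] += 1.0 / len(dsts)
    return m


def topology_importance(nodes: List[str], edges: List[Edge], d: float = 0.85,
                        iters: int = 200, tol: float = 1e-12) -> Dict[str, float]:
    """Damped PR iteration; d is the first damping coefficient."""
    n = len(nodes)
    m = basic_transfer_matrix(nodes, edges)
    pr = [1.0] * n                          # PR value of the last iteration, initially 1
    e = [1.0] * n                           # n-dimensional all-ones vector
    for _ in range(iters):
        nxt = [d * sum(m[j][i] * pr[i] for i in range(n)) + (1 - d) / n * e[j]
               for j in range(n)]
        delta = max(abs(a - b) for a, b in zip(nxt, pr))
        pr = nxt
        if delta < tol:
            break
    return dict(zip(nodes, pr))


# Constructed sample topology (not from the page): C is reached from A, B and D.
NODES = ["A", "B", "C", "D"]
EDGES: List[Edge] = [("A", "B"), ("A", "C"), ("B", "C"), ("C", "A"), ("D", "C")]

if __name__ == "__main__":
    ranking = sorted(topology_importance(NODES, EDGES).items(), key=lambda kv: -kv[1])
    for node, score in ranking:
        print(f"{node}: {score:.4f}")
```

A node nobody links to (D above) settles at exactly (1 − d)/n, which is the floor the damping term guarantees.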
The forming module 230 in the system generates a node-event deduplication set based on the network node alarm list and the network event alarm list, and forms a final alarm sequencing result by taking the arrangement sequence of the network events as a first reference and the arrangement sequence of the network nodes as a second reference.
It should be noted that, the forming module 230 may be any feasible device or apparatus capable of performing data deduplication, and data ordering.
In addition, the embodiment of the application also provides a non-volatile computer storage medium, on which executable instructions are stored, and when the executable instructions are executed, the alarm filtering method based on the network node risk assessment is realized.
Thus far, the technical solution of the present disclosure has been described in connection with the foregoing embodiments, but it is easily understood by those skilled in the art that the protective scope of the present disclosure is not limited to only these specific embodiments. The technical solutions in the above embodiments may be split and combined by those skilled in the art without departing from the technical principles of the present disclosure, and equivalent modifications or substitutions may be made to related technical features, which all fall within the scope of the present disclosure.
Claims (10)
1. An alarm filtering method based on network node risk assessment, the method comprising:
based on the network node IP, aggregating the network events within a preset time interval; generating an event document according to the network node IP; determining a network event risk value according to the event document, the network event in the event document and the IDF formula;
acquiring a basic transfer matrix and a first damping coefficient of a directed graph corresponding to a network node, and further acquiring the topology importance of the network node;
acquiring the number of access users corresponding to the network nodes in a preset time interval, the accessed frequency of each network node, the total accessed frequency of all network nodes, a second damping coefficient and the total number of network nodes so as to acquire the influence of the network nodes;
obtaining the total number of network events corresponding to the network nodes, the occurrence frequency of the network events, the third damping coefficient, the network event risk value, the network node topology importance and the network node influence degree, and determining the network node risk value;
obtaining a network node alarm list and a network event alarm list according to the occurrence frequency of the network events, the network event risk value, the network node risk value, the total number of the network events, the total number of the network nodes and the types of the network events;
based on the network node alarm list and the network event alarm list, generating a node-event deduplication set, and forming a final alarm sequencing result by taking the arrangement sequence of network events as a first reference and the arrangement sequence of network nodes as a second reference.
2. The method for filtering alarms based on network node risk assessment according to claim 1, wherein determining the network event risk value according to the event document, the network event in the event document and the IDF formula specifically comprises:
according to the IDF formula: …, calculating an IDF value corresponding to the network event;
wherein … is the IDF value corresponding to the ith network event, a is any event document, A is the set of all event documents, |A| is the number of all event documents, N is the set of network events, and |N| is the number of network events in the event documents;
according to the event diffuseness formula: …, calculating the diffuseness of the network event;
wherein … is the diffuseness of the ith network event, and … is the average value of … over the preset time interval;
according to a preset risk value calculation formula: …, determining a network event risk value; wherein … is the ith network event risk value.
3. The method for filtering alarms based on network node risk assessment according to claim 1, wherein obtaining a basic transfer matrix and a first damping coefficient of a directed graph corresponding to the network nodes, and further obtaining the topology importance of the network nodes, specifically comprises:
acquiring a connection mode between network nodes to generate a directed graph corresponding to the network nodes, and further acquiring a basic transfer matrix based on the directed graph corresponding to the network nodes; acquiring a first damping coefficient through a preset parameter editing interface;
through a preset topological importance calculation formula: …, calculating the topology importance of the network node;
wherein d is the first damping coefficient; M is the basic transfer matrix; … is the PR value of the last iteration, with an initial value of 1; n is the total number of network nodes; and e is an n-dimensional vector with all components equal to 1.
4. The method for filtering alarms based on network node risk assessment according to claim 1, wherein obtaining the number of access users corresponding to the network nodes, the frequency of each network node being accessed, the total frequency of all network nodes being accessed, the second damping coefficient and the total number of network nodes within a preset time interval to obtain the influence of the network nodes specifically comprises:
obtaining a second damping coefficient through a preset parameter editing interface; obtaining a network log generated by the network nodes in a preset time interval through a preset statistics tool, and counting the number of access users, the accessed frequency of each network node, the total accessed frequency of all network nodes and the total number of network nodes corresponding to the network nodes in the preset time interval through the network log;
through a preset influence formula: …, obtaining the influence degree of the network node;
wherein IF is the influence degree of the network node, … is the second damping coefficient, UV is the number of access users corresponding to the network nodes in the preset time interval, UF is the accessed frequency of each network node, TF is the total accessed frequency of all network nodes, and n is the total number of network nodes.
5. The alarm filtering method based on network node risk assessment according to claim 1, wherein obtaining the total number of network events corresponding to the network node, the occurrence frequency of the network events, the third damping coefficient, the network event risk value, the network node topology importance and the network node influence degree, and determining the network node risk value specifically comprises:
acquiring a third damping coefficient through a preset parameter editing interface; acquiring a weblog generated by a network node in a preset time interval through a preset statistics tool, so as to count the occurrence frequency of each network event in the preset time interval through the weblog;
through a preset risk value formula: …, determining a network node risk value;
wherein NR is the network node risk value, … is the third damping coefficient, PR is the network node topology importance, IF is the network node influence, … is the ith network event risk value, … is the occurrence frequency of the ith network event, and N is the network event set.
6. The method for filtering alarms based on network node risk assessment according to claim 1, wherein the obtaining a network node alarm list and a network event alarm list according to the occurrence frequency of network events, the network event risk value, the network node risk value, the total number of network events, the total number of network nodes and the type of network events specifically comprises:
obtaining a network log generated by a network node in a preset time interval through a preset statistics tool, so as to count the total number of network events, the total number of network nodes and the types of network events in the preset time interval through the network log;
through a network node average risk value calculation formula: …, obtaining an average risk value of the network node;
wherein N is the network event set, n is the total number of network nodes, m is the type of network event, … is the ith network event risk value, and … is the occurrence frequency of the ith network event;
through a preset network node alarm activation function: …, obtaining a node alarm activation value, so as to add the network node and the node alarm activation value to the network node alarm list when the node alarm activation value is greater than a preset node activation threshold;
wherein θ is a preset adjustment parameter, NR is the network node risk value, and … is the alarm activation value;
through a network event average risk value calculation formula: …, obtaining an average risk value of the network event;
through a preset network event alarm activation function: …, obtaining an event alarm activation value, so as to add the network node and the event alarm activation value to the network node alarm list when the event alarm activation value is greater than a preset event activation threshold.
7. An alarm filtering system based on network node risk assessment, the system comprising:
the determining module is used for aggregating the network events within a preset time interval based on the network node IP; generating an event document according to the network node IP; determining a network event risk value according to the event document, the network event in the event document and the IDF formula;
the acquisition module is used for acquiring a basic transfer matrix and a first damping coefficient of the directed graph corresponding to the network node, so as to acquire the topology importance of the network node; acquiring the number of access users corresponding to the network nodes in a preset time interval, the accessed frequency of each network node, the total accessed frequency of all network nodes, a second damping coefficient and the total number of network nodes so as to acquire the influence of the network nodes; obtaining the total number of network events corresponding to the network nodes, the occurrence frequency of the network events, the third damping coefficient, the network event risk value, the network node topology importance and the network node influence degree, and determining the network node risk value; obtaining a network node alarm list and a network event alarm list according to the occurrence frequency of the network events, the network event risk value, the network node risk value, the total number of the network events, the total number of the network nodes and the types of the network events;
the forming module is used for generating a node-event deduplication set based on the network node alarm list and the network event alarm list, taking the arrangement sequence of the network events as a first reference, and taking the arrangement sequence of the network nodes as a second reference, so as to form a final alarm ordering result.
8. The network node risk assessment based alarm filtering system of claim 7, wherein the determination module comprises an event calculation unit,
for calculating, according to the IDF formula: …, an IDF value corresponding to the network event;
wherein a is any event document, A is the set of all event documents, |A| is the number of all event documents, N is the network event set, and |N| is the number of network events in the event documents;
calculating, according to the event diffuseness formula: …, the diffuseness of the network event;
wherein … is the diffuseness of the ith network event, and … is the average value of … over the preset time interval;
and determining, according to a preset risk value calculation formula: …, a network event risk value; wherein … is the ith network event risk value.
9. The network node risk assessment based alarm filtering system of claim 7, wherein the obtaining module comprises a topology computation unit,
the method comprises the steps of obtaining a connection mode between network nodes to generate a directed graph corresponding to the network nodes, and obtaining a basic transfer matrix based on the directed graph corresponding to the network nodes; acquiring a first damping coefficient through a preset parameter editing interface;
through a preset topological importance calculation formula: …, calculating the topology importance of the network node;
wherein d is the first damping coefficient; M is the basic transfer matrix; … is the PR value of the last iteration, with an initial value of 1; n is the total number of network nodes; and e is an n-dimensional vector with all components equal to 1.
10. A non-transitory computer storage medium having stored thereon computer instructions which, when executed, implement an alarm filtering method based on network node risk assessment according to any of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311206887.5A CN116962080B (en) | 2023-09-19 | 2023-09-19 | Alarm filtering method, system and medium based on network node risk assessment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116962080A true CN116962080A (en) | 2023-10-27 |
CN116962080B CN116962080B (en) | 2023-12-15 |
Family
ID=88458686
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311206887.5A Active CN116962080B (en) | 2023-09-19 | 2023-09-19 | Alarm filtering method, system and medium based on network node risk assessment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116962080B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101162993A (en) * | 2007-11-29 | 2008-04-16 | 哈尔滨工程大学 | Network risk analysis method |
CN103248630A (en) * | 2013-05-20 | 2013-08-14 | 上海交通大学 | Network safety situation analyzing methods based on data excavating |
US20180191761A1 (en) * | 2017-01-04 | 2018-07-05 | Electronics And Telecommunications Research Institute | Method and apparatus for detecting cyberthreats through correlation analysis |
CN114978770A (en) * | 2022-07-25 | 2022-08-30 | 睿至科技集团有限公司 | Internet of things security risk early warning management and control method and system based on big data |
CN115115159A (en) * | 2021-09-03 | 2022-09-27 | 电子科技大学 | TF-IDF and fuzzy Bayesian network-based risk prediction method |
CN115883163A (en) * | 2022-11-25 | 2023-03-31 | 中国农业银行股份有限公司安徽省分行 | Network safety alarm monitoring method |
CN116070382A (en) * | 2022-12-30 | 2023-05-05 | 中国电信股份有限公司 | Risk prediction method and device for network, processor and electronic equipment |
WO2023138058A1 (en) * | 2022-01-21 | 2023-07-27 | 苏州浪潮智能科技有限公司 | Alarm event processing method and apparatus, and computer-readable storage medium |
CN116723090A (en) * | 2023-07-25 | 2023-09-08 | 亚信科技(中国)有限公司 | Alarm root cause positioning method and device, electronic equipment and readable storage medium |
Non-Patent Citations (4)
Title |
---|
HANIYEH SEYED ALINEZHAD ET AL: "Open Set Online Classification of Industrial Alarm Floods With Alarm Ranking", 《 IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT》 * |
余贵水;李秀峰;蒋志归;魏钟记;: "一种实时告警分析的网络安全风险评估方法", 海军工程大学学报, no. 04 * |
毛继志;吴欣蓬;吴磊;汤新民;郭鸿滨;: "基于文本挖掘的空管不正常事件风险预测研究", 航空计算技术, no. 01 * |
秦丹一: "基于机器学习的误告警检测与告警关联分析研究", 《中国优秀硕士学位论文全文数据库》 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |