CN117034210B - Event image generation method and device, storage medium and electronic equipment - Google Patents


Info

Publication number: CN117034210B
Authority: CN (China)
Prior art keywords: rule, judging, information, judgment, value
Legal status: Active
Application number: CN202311290890.XA
Other languages: Chinese (zh)
Other versions: CN117034210A (en)
Inventors: 陈伟胜, 孙洪伟, 肖新光
Current assignee: Shenzhen Antan Network Security Technology Co ltd
Original assignee: Shenzhen Antan Network Security Technology Co ltd
Application filed by Shenzhen Antan Network Security Technology Co ltd
Priority to CN202311290890.XA
Publication of CN117034210A
Application granted
Publication of CN117034210B
Status: Active

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F18/00 Pattern recognition > G06F18/20 Analysing
        • G06F18/28 Determining representative reference patterns, e.g. by averaging or distorting; Generating dictionaries
        • G06F18/22 Matching criteria, e.g. proximity measures
        • G06F18/24 Classification techniques > G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches > G06F18/2411 Classification techniques relating to the classification model based on the proximity to a decision surface, e.g. support vector machines
        • G06F18/285 Selection of pattern recognition techniques, e.g. of classifiers in a multi-classifier system


Abstract

The present invention relates to the field of data processing, and in particular to a method and apparatus for generating an event portrait, a storage medium, and an electronic device. The method comprises the following steps: acquiring a decision rule set and a decision value set corresponding to a target event; matching the decision values in the decision value set against the decision information of the decision rules; if a decision value satisfies the limiting condition of the decision information in any decision rule, determining that the decision value hits that decision rule; acquiring the portrait information of the hit decision rule according to the mapping relation between decision rules and preset portrait information; taking the preset event portrait tag in the portrait information as the portrait tag information of the target event; and taking the portrait decision information in the portrait information as the portrait decision information of the target event. With this portrait information generation method, more descriptive information about the event can be generated, and subsequent handling of the abnormal situation can be more targeted.

Description

Event image generation method and device, storage medium and electronic equipment
Technical Field
The present invention relates to the field of data processing, and in particular, to a method and apparatus for generating an event portrait, a storage medium, and an electronic device.
Background
Event information in current terminal equipment has many kinds of attributes and behavior characteristics, these change and iterate quickly, and an event's features may shift back and forth between a secure state and a threat state. So that security analysts can observe the current tag states of the various event information and the distribution of threat tags across the terminals in the network at the earliest moment, grasp the security situation of the network, and respond and handle it, the various events are generally portrayed.
In the related art, however, the portrait description information output for a target event is generally produced by determining the corresponding portrait tag from the features of the target event alone and labelling the event with that tag. As a result, the portrait information finally output for an event contains only the portrait tag. Labelling with a portrait tag alone has the problem that the output tag information is single and cannot provide more effective information.
Disclosure of Invention
To address the technical problem that labelling with a portrait tag alone yields single output tag information and cannot provide more effective information, the invention adopts the following technical scheme:
According to one aspect of the present invention, there is provided a method of generating an event portrait, the method comprising the following steps:
acquiring a decision rule set and a decision value set corresponding to a target event; the decision rule set comprises a plurality of decision rules, each decision rule having corresponding decision information and a uniquely corresponding rule hit path; the decision value set comprises a plurality of parameter values representing at least part of the characteristics of the target event;
matching the decision values in the decision value set against the decision information of the decision rules;
if a decision value satisfies the limiting condition of the decision information in any decision rule, determining that the decision value hits that decision rule;
acquiring the portrait information of the hit decision rule according to the mapping relation between decision rules and preset portrait information; the portrait information comprises a preset event portrait tag and preset portrait decision information;
taking the preset event portrait tag in the portrait information of the hit decision rule as the portrait tag information of the target event;
taking the portrait decision information in the portrait information of the hit decision rule as the portrait decision information of the target event.
Further, acquiring the decision rule set corresponding to the target event includes:
acquiring the JSON log of the target event;
generating an event type identifier of the target event according to the value of the event type field in the JSON log;
and selecting, from a plurality of preset decision rules, the decision rules carrying that event type identifier, to generate the decision rule set corresponding to the target event.
Further, after generating the decision rule set corresponding to the target event, the method further includes:
taking the rule hit path of each decision rule in the decision rule set as a corresponding value index;
and acquiring the corresponding decision values from the JSON log of the target event according to each value index, to generate the decision value set corresponding to the target event.
Further, matching the decision values in the decision value set against the decision information of the decision rules includes:
obtaining the target decision value corresponding to each decision rule according to the rule hit path of each decision rule in the decision rule set; the value index of the target decision value is the same as the rule hit path of the corresponding decision rule;
and matching the target decision value corresponding to each decision rule against the decision information of that decision rule.
Further, the portrait decision information comprises a plurality of pieces of auxiliary confirmation information, each piece of auxiliary confirmation information having a uniquely corresponding user category identifier;
after acquiring the portrait information of the hit decision rule according to the mapping relation between decision rules and preset portrait information, the method further comprises:
checking the user category identifier corresponding to the user against the portrait information of the hit decision rule, and determining the auxiliary confirmation information with the same user category identifier as the target display information.
Further, the rule hit path is composed of a field file storage path and a hit field name; a hit field name corresponds to at least one field file storage path; the field file storage path is the storage position of the hit field name in the JSON log;
acquiring the corresponding decision value from the JSON log of the target event according to each value index includes the following steps:
performing unified value processing on all value indexes corresponding to each hit field name, to generate a three-dimensional decision array corresponding to each hit field name;
the unified value processing comprises the following steps:
determining, according to the data form of each value index in the JSON log, the numbers F1, F2, …, Fp, …, Fr of array nodes in each value index; Fp is the number of array nodes in the p-th value index corresponding to the same hit field name, an array node being a node that takes array form in the JSON; r is the total number of value indexes corresponding to the same hit field name, and p = 1, 2, …, r;
acquiring at least one corresponding decision value from the JSON log of the target event according to each value index;
generating a primary value array and a supplementary array corresponding to each value index according to the number of array nodes in each value index; the array dimension of the primary value array is W_C = max(F1, F2, …, Fp, …, Fr); the array dimension of the supplementary array is W_b = Hp − W_C; Hp is the group dimension threshold, Hp = 2 or Hp = 3;
adding all the primary value arrays into the supplementary array, to generate the initial three-dimensional array corresponding to the hit field name;
and placing the decision values corresponding to each value index into the corresponding primary value array, to generate the three-dimensional decision array corresponding to the hit field name.
Further, Hp satisfies the following condition:
when the hit field name corresponds to only one value index, Hp is 2;
when the hit field name corresponds to a plurality of value indexes, Hp is 3.
According to a second aspect of the present invention, there is provided an event portrait generating apparatus, comprising:
an acquisition module, configured to acquire a decision rule set and a decision value set corresponding to the target event; the decision rule set comprises a plurality of decision rules, each decision rule having corresponding decision information and a uniquely corresponding rule hit path; the decision value set comprises a plurality of parameter values representing at least part of the characteristics of the target event;
a matching module, configured to match the decision values in the decision value set against the decision information of the decision rules;
a hit module, configured to determine that a decision value hits a decision rule if the decision value satisfies the limiting condition of the decision information in any decision rule;
a portrait information acquisition module, configured to acquire the portrait information of the hit decision rule according to the mapping relation between decision rules and preset portrait information; the portrait information comprises a preset event portrait tag and preset portrait decision information;
a generation module, configured to take the preset event portrait tag in the portrait information of the hit decision rule as the portrait tag information of the target event;
the generation module being further configured to take the portrait decision information in the portrait information of the hit decision rule as the portrait decision information of the target event.
According to a third aspect of the present invention, there is provided a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the method of generating a detection rule as described above.
According to a fourth aspect of the present invention, there is provided an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the method of generating a detection rule as described above when executing the computer program.
The invention has at least the following beneficial effects:
Typically, an abnormal event may be caused by a number of different circumstances. For example: a confidential file in the target files is modified, a confidential file in the target files is viewed during an abnormal time period, or the read-write permission in the target files is modified. These behaviours are all aimed at the same type of abnormality in file resources, and the corresponding event portrait tags are ultimately the same. Therefore, during event portrait labelling, several decision rules may end up hitting the same abnormality tag. If only the event portrait tag is output, it cannot be determined more precisely which specific behaviour caused the abnormality. When any decision rule is hit, the portrait information of the hit decision rule is obtained according to the mapping relation between decision rules and preset portrait information, so that each hit decision rule corresponds to a preset event portrait tag and preset portrait decision information. When the portrait decision information is set differently per rule, portrait decision information closer to the decision rule can be arranged so as to provide more effective information. For the rule that decides a confidential file in the target files has been modified, the configured portrait decision information can be the two hash values of the confidential file before and after modification. For the rule that decides a confidential file in the target files has been viewed during an abnormal period, the configured portrait decision information can be the viewing time and the time corresponding to the normal period.
With this portrait information generation method, more descriptive information about the event can be generated, and subsequent handling of the abnormal situation can be more targeted.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a method for generating an event portrait according to an embodiment of the present invention;
Fig. 2 is a block diagram of an event portrait generating apparatus according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
As a possible embodiment of the present invention, as shown in Fig. 1, there is provided a method for generating an event portrait, the method comprising the following steps:
S100: acquire a decision rule set and a decision value set corresponding to the target event. The decision rule set includes a plurality of decision rules, each decision rule having corresponding decision information and a uniquely corresponding rule hit path. The decision value set includes a plurality of parameter values representing at least part of the characteristics of the target event.
Further, acquiring the decision rule set corresponding to the target event in S100 includes the following steps:
S101: acquire the JSON log of the target event.
S102: generate the event type identifier of the target event according to the value of the event type field in the JSON log.
Which types of event require rule decisions is usually determined in advance according to the actual usage scenario, and a value of the corresponding event type field is configured for the log of each event. For example, the value of the event type field corresponding to a process event log is process_behavior, and the value of the event type field corresponding to a file event log is file_behavior.
S103: select the decision rules carrying that event type identifier from a plurality of preset decision rules, and generate the decision rule set corresponding to the target event.
In the invention, a plurality of corresponding decision rules are configured in advance according to the positions at which the same type of event usually needs to be checked for abnormality. Later, the decision rules corresponding to the JSON logs of different types of events can be selected through the event type identifier.
In addition, acquiring the decision value set corresponding to the target event in S100 includes the following steps:
S104: after generating the decision rule set corresponding to the target event, take the rule hit path of each decision rule in the decision rule set as a corresponding value index.
S105: acquire the corresponding decision values from the JSON log of the target event according to each value index, to generate the decision value set corresponding to the target event.
Specifically, consider the following example: the rule hit path corresponding to a decision rule is process_info_parent, and the decision rule decides on the md5 value under the path process_info_parent. Therefore, process_info_parent.file_info.md5 is used as the value index, and the corresponding decision value is obtained from the JSON log of the target event.
S200: match the decision values in the decision value set against the decision information of the decision rules.
Specifically, S200 includes:
S201: obtain the target decision value corresponding to each decision rule according to the rule hit path of each decision rule in the decision rule set. The value index of the target decision value is the same as the rule hit path of the corresponding decision rule.
S202: match the target decision value corresponding to each decision rule against the decision information of that decision rule.
S300: if a decision value satisfies the limiting condition of the decision information in any decision rule, determine that the decision value hits that decision rule.
The limiting conditions that each decision value must satisfy are configured in advance according to the actual situation.
S400: obtain the portrait information of the hit decision rule according to the mapping relation between decision rules and preset portrait information. The portrait information includes a preset event portrait tag and preset portrait decision information.
The mapping relation can be configured according to the actual usage scenario; specifically, it determines which preset portrait information, or which type of information, is output after each decision rule is hit.
Further, the portrait decision information includes a plurality of pieces of auxiliary confirmation information, each having a uniquely corresponding user category identifier. Specifically, a user category identifier is set for each preset user category, and for each specific user category, different parts of the corresponding portrait decision information are used as different pieces of auxiliary confirmation information, so as to meet the focus of attention of different categories of users.
For example, the portrait decision information may be the installation location of an abnormal executable file, the executable file name, and the hash value of that executable file.
Security analysts are more concerned with the installation location of the abnormal executable file and the hash value of the executable file.
Ordinary users are not clear about the specific use of the hash value, so they are more concerned with the more intuitive installation location and file name of the abnormal executable file.
After S400 (obtaining the portrait information of the hit decision rule according to the mapping relation between decision rules and preset portrait information), the method further comprises the following step:
S700: check the user category identifier corresponding to the user against the portrait information of the hit decision rule, and determine the auxiliary confirmation information with the same user category identifier as the target display information.
The portrait information output usually faces different user groups, such as security analysts, developers or ordinary users, and the portrait decision information each group needs differs. In this step, corresponding user category identifiers are set for the different users who view the information and used as matching identifiers, and the auxiliary confirmation information best suited to each category of user group is selected from all the auxiliary confirmation information in the portrait decision information. This improves the effectiveness of the finally output information for different categories of user groups.
S500: take the preset event portrait tag in the portrait information of the hit decision rule as the portrait tag information of the target event.
S600: take the portrait decision information in the portrait information of the hit decision rule as the portrait decision information of the target event.
When any decision rule is hit, the portrait information of the hit decision rule is obtained according to the mapping relation between decision rules and preset portrait information, so that each hit decision rule corresponds to a preset event portrait tag and preset portrait decision information. When different portrait decision information is provided, portrait decision information closer to the decision rule can be arranged. For the rule that decides a confidential file in the target files has been modified, the configured portrait decision information can be the two hash values of the confidential file before and after modification. For the rule that decides a confidential file in the target files has been viewed during an abnormal period, the configured portrait decision information can be the viewing time and the time corresponding to the normal period. With this portrait information generation method, more descriptive information about the event can be generated, and subsequent handling of the abnormal situation can be more targeted.
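Steps S100 to S700 as a runnable Python sketch, added here as an example and not code from the patent or its assignee. The rules, the sample JSON log, the placeholder md5 values and the user category identifiers ("analyst", "user") are constructed; the convention that a piece of auxiliary confirmation information is either a dotted path into the log or an "="-prefixed literal is my assumption.

```python
import json
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class DecisionRule:
    rule_id: str
    event_type: str                        # event type identifier the rule belongs to
    hit_path: str                          # rule hit path; reused as the value index (S104)
    condition: Callable[[object], bool]    # decision information: the limiting condition
    portrait_tag: str                      # preset event portrait tag
    aux_info: dict                         # user category id -> {field: log path or "=literal"}


def lookup(log: dict, path: str):
    """Fetch the decision value a dotted value index points at (None if absent)."""
    node = log
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def select_rule_set(rules, log):
    """S101-S103: keep only the rules carrying the log's event type identifier."""
    return [r for r in rules if r.event_type == log.get("event_type")]


def collect_decision_values(rule_set, log):
    """S104-S105: each rule hit path is a value index into the JSON log."""
    return {r.hit_path: lookup(log, r.hit_path) for r in rule_set}


def hit_rules(rule_set, values):
    """S200-S300: a rule is hit when its target decision value meets the limiting condition."""
    return [r for r in rule_set
            if values.get(r.hit_path) is not None and r.condition(values[r.hit_path])]


def resolve_aux_info(spec: dict, log: dict) -> dict:
    """Assumption: a spec value is a log path, or an "="-prefixed literal such as a normal period."""
    return {name: (src[1:] if src.startswith("=") else lookup(log, src))
            for name, src in spec.items()}


def generate_portrait(rules, log, user_category):
    """S400-S700: each hit rule maps to its preset portrait tag plus the auxiliary
    confirmation information whose user category identifier matches the viewer."""
    rule_set = select_rule_set(rules, log)
    values = collect_decision_values(rule_set, log)
    return [{"rule_id": r.rule_id,
             "portrait_tag": r.portrait_tag,
             "portrait_decision_info": resolve_aux_info(r.aux_info.get(user_category, {}), log)}
            for r in hit_rules(rule_set, values)]


# Constructed rules: the two file rules share one portrait tag, as in the patent's
# confidential-file example, but carry different portrait decision information.
RULES = [
    DecisionRule("R-FILE-MOD", "file_behavior", "file_info.operation",
                 lambda op: op == "modify", "confidential_file_abnormal",
                 {"analyst": {"md5_before": "file_info.md5_before",
                              "md5_after": "file_info.md5_after"},
                  "user": {"file_name": "file_info.name"}}),
    DecisionRule("R-FILE-ODD-TIME", "file_behavior", "file_info.access_hour",
                 lambda hour: not 8 <= hour < 20, "confidential_file_abnormal",
                 {"analyst": {"access_hour": "file_info.access_hour",
                              "normal_period": "=08:00-20:00"},
                  "user": {"file_name": "file_info.name",
                           "access_hour": "file_info.access_hour"}}),
    DecisionRule("R-PROC-PARENT-MD5", "process_behavior",
                 "process_info_parent.file_info.md5",
                 lambda md5: md5 == "c" * 32, "suspicious_parent_process",
                 {"analyst": {"parent_md5": "process_info_parent.file_info.md5"}}),
]

# Constructed file event log; the md5 values are placeholders, not real hashes.
SAMPLE_LOG = json.loads("""{
  "event_type": "file_behavior",
  "file_info": {
    "name": "salary_2023.xlsx",
    "path": "/srv/confidential/salary_2023.xlsx",
    "operation": "modify",
    "md5_before": "%s",
    "md5_after": "%s",
    "access_hour": 3
  }
}""" % ("a" * 32, "b" * 32))

if __name__ == "__main__":
    for category in ("analyst", "user"):
        print(category, json.dumps(generate_portrait(RULES, SAMPLE_LOG, category)))
```

Both file rules hit and carry the same tag, so only the per-rule portrait decision information tells a viewer whether the file was modified or merely opened at an odd hour; the process rule is never evaluated because its event type identifier does not match.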
As another embodiment of the present invention, the rule hit path is composed of a field file storage path and a hit field name. A hit field name corresponds to at least one field file storage path. The field file storage path is the location where the hit field name is stored in the JSON log.
Because the method and apparatus may be used to take values from log data in various business scenarios, and different types of event logs may come from different business scenarios, the same hit field may have different value paths in different event logs, i.e. different corresponding rule hit paths. Therefore, each decision rule includes a uniquely corresponding hit field name and at least one corresponding rule hit path. By combining the hit field name with at least one corresponding rule hit path, a plurality of value indexes may be generated, each value index being used to take the value of the hit field from an event log of the corresponding type.
S105: acquiring the corresponding decision value from the JSON log of the target event according to each value index includes the following steps:
S115: perform unified value processing on all value indexes corresponding to each hit field name, to generate a three-dimensional decision array corresponding to each hit field name.
The unified value processing comprises the following steps:
S125: determine the numbers F1, F2, …, Fp, …, Fr of array nodes in each value index according to the data form of each value index in the JSON log. Fp is the number of array nodes in the p-th value index corresponding to the same hit field name, an array node being a node of the value index that takes array form in the JSON. r is the total number of value indexes corresponding to the same hit field name, and p = 1, 2, …, r.
A specific example follows:
The nodes in the value index process_info_parent.file_info.md5 are process_info_parent and file_info. When the data content of a node in the JSON log exists in the form of an array, the array marker "[" appears after the node; for example, the data content corresponding to the node in the JSON log reads "Process_info_parent: [". Therefore, the data content of the line on which each node of the value index is located in the JSON log is traversed, and each time a "[" is found, that node is determined to be an array node. Typically, the number of array nodes in a value index is less than or equal to 2.
S135: acquire at least one corresponding decision value from the JSON log of the target event according to each value index.
For example, the two value indexes corresponding to the same hit field name are process_info_parent.file_info.md5 and process_info_self.file_info.md5. process_info_parent.file_info.md5 yields the decision values 995 and 55664. process_info_self.file_info.md5 yields the decision values 325, 55354 and 6665.
S145: generate a primary value array and a supplementary array corresponding to each value index according to the number of array nodes in each value index. The array dimension of the primary value array is W_C = max(F1, F2, …, Fp, …, Fr). The array dimension of the supplementary array is W_b = Hp − W_C. Hp is the group dimension threshold, Hp = 2 or Hp = 3.
Further, Hp satisfies the following condition:
when the hit field name corresponds to only one value index, Hp is 2;
when the hit field name corresponds to a plurality of value indexes, Hp is 3.
S155: add all the primary value arrays into the supplementary array, to generate the initial three-dimensional array corresponding to the hit field name.
S165: place the decision values corresponding to each value index into the corresponding primary value array, to generate the three-dimensional decision array corresponding to the hit field name.
For example, with the value indexes process_info_parent.file_info.md5 and process_info_self.file_info.md5, the numbers of array nodes are 1 and 2 respectively. The corresponding primary value array is [[ ]] and the supplementary array is [ ]. The initial three-dimensional array generated by combining them is [[[ ]], [[ ]]]. Finally, the decision values corresponding to each value index are placed into the corresponding primary value array, generating the three-dimensional decision array corresponding to the hit field name as [[[995, 55664]], [[325, 55354, 6665]]].
Therefore, after the unified value processing of this embodiment, data to be extracted in different forms from different business scenarios can finally be generated in a standard three-dimensional array format, achieving a unified data form. Specifically, the generated standard three-dimensional array format takes the following forms: [[xxx, xxx, xx]], [[[xxx, xxx], [xx], [ ]]] and [[[xx, xx]], [[xxx, xx]]]. The data structure of the acquired target data can thus be unified, and the plurality of decision values can conveniently be processed later with the same data analysis method. This improves the applicability of the acquired data to be detected and the convenience of later data processing.
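The unified value processing of S125 to S165, implemented in Python as an added example that is not the patent's or the assignee's code. The JSON log is constructed so that the two value indexes of the md5 example above have 1 and 2 array nodes and yield the values 995, 55664 and 325, 55354, 6665; the numeric md5 stand-ins follow the page, and the handling of W_C = 0 and of W_b < 1 is my assumption, since the page does not spell it out.

```python
import json

# Constructed JSON log shaped after the page's example: process_info_parent is one
# array node, process_info_self contains two (the node itself and its file_info).
# The md5 values are the page's numeric stand-ins, not real hashes.
SAMPLE_LOG = json.loads("""{
  "event_type": "process_behavior",
  "process_info_parent": [
    {"file_info": {"md5": 995}},
    {"file_info": {"md5": 55664}}
  ],
  "process_info_self": [
    {"file_info": [{"md5": 325}, {"md5": 55354}]},
    {"file_info": [{"md5": 6665}]}
  ]
}""")

# Constructed: hit field name -> the value indexes (rule hit paths) that reach it.
HIT_FIELD_INDEXES = {
    "md5": ["process_info_parent.file_info.md5", "process_info_self.file_info.md5"],
}


def extract(log, value_index):
    """S125 + S135 for one value index: walk the dotted path through the parsed log,
    counting array nodes (a non-leaf node whose content is a JSON array, the "[" of
    the page) and collecting every decision value reached under those arrays."""
    keys = value_index.split(".")
    frontier = [log]
    array_nodes = 0
    for i, key in enumerate(keys):
        picked = [n[key] for n in frontier if isinstance(n, dict) and key in n]
        if i < len(keys) - 1 and any(isinstance(v, list) for v in picked):
            array_nodes += 1
        # descend into arrays so values from every element are collected
        frontier = [e for v in picked for e in (v if isinstance(v, list) else [v])]
    return array_nodes, frontier


def nest(content, levels):
    """Wrap a list so the result has exactly `levels` bracket levels (the list itself is one)."""
    if levels < 1:
        raise ValueError("an array needs at least one bracket level")
    for _ in range(levels - 1):
        content = [content]
    return content


def unified_value_processing(log, value_indexes):
    """S125-S165: build the standard Hp-dimensional decision array for one hit field name."""
    extracted = [extract(log, idx) for idx in value_indexes]      # [(Fp, values), ...]
    hp = 2 if len(value_indexes) == 1 else 3                      # group dimension threshold
    w_c = max(f for f, _ in extracted)                            # W_C = max(F1, ..., Fr)
    w_b = hp - w_c                                                # W_b = Hp - W_C
    if w_b < 1:
        # Assumption: the page gives no layout when W_C reaches Hp; reject instead of guessing.
        raise ValueError(f"W_C={w_c} leaves no room for a supplementary array (Hp={hp})")
    if w_c == 0:
        # Assumption: with no array nodes there is no primary array to fill,
        # so the values go straight into the supplementary array.
        return nest([v for _, vals in extracted for v in vals], w_b)
    primaries = [nest(vals, w_c) for _, vals in extracted]        # S145 + S165
    return nest(primaries, w_b)                                   # S155


if __name__ == "__main__":
    print(unified_value_processing(SAMPLE_LOG, HIT_FIELD_INDEXES["md5"]))
    # [[[995, 55664]], [[325, 55354, 6665]]]
```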
According to a second aspect of the present invention, as shown in Fig. 2, there is provided an event portrait generating apparatus, the apparatus comprising:
an acquisition module, configured to acquire a decision rule set and a decision value set corresponding to the target event. The decision rule set includes a plurality of preset decision rules, each decision rule having corresponding decision information and a uniquely corresponding rule hit path. The decision value set includes a plurality of parameter values representing at least part of the characteristics of the target event;
a matching module, configured to match the decision values in the decision value set against the decision information of the decision rules;
a hit module, configured to determine that a decision value hits a decision rule if the decision value satisfies the limiting condition of the decision information in any decision rule;
a portrait information acquisition module, configured to acquire the portrait information of the hit decision rule according to the mapping relation between decision rules and preset portrait information. The portrait information includes a preset event portrait tag and preset portrait decision information;
a generation module, configured to take the preset event portrait tag in the portrait information as the portrait tag information of the target event;
the generation module being further configured to take the portrait decision information in the portrait information as the portrait decision information of the target event.
Furthermore, although the steps of the methods in the present disclosure are depicted in a particular order in the drawings, this does not require or imply that the steps must be performed in that particular order or that all illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
Those skilled in the art will appreciate that the various aspects of the invention may be implemented as a system, method, or program product. Accordingly, aspects of the invention may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module" or "system."
An electronic device according to this embodiment of the invention is described below. The electronic device is merely an example, and should not impose any limitations on the functionality and scope of use of embodiments of the present invention.
The electronic device is in the form of a general purpose computing device. Components of an electronic device may include, but are not limited to: the at least one processor, the at least one memory, and a bus connecting the various system components, including the memory and the processor.
Wherein the memory stores program code that is executable by the processor to cause the processor to perform steps according to various exemplary embodiments of the present invention described in the above section of the exemplary method of this specification.
The storage may include readable media in the form of volatile storage, such as Random Access Memory (RAM) and/or cache memory, and may further include Read Only Memory (ROM).
The storage may also include a program/utility having a set (at least one) of program modules including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The bus may be one or more of several types of bus structures including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
The electronic device may also communicate with one or more external devices (e.g., keyboard, pointing device, Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any device (e.g., router, modem, etc.) that enables the electronic device to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface. And, the electronic device may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through a network adapter. The network adapter communicates with other modules of the electronic device via a bus. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with an electronic device, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible embodiments, the aspects of the invention may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention as described in the "exemplary method" section of this specification, when the program product is run on the terminal device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM or flash memory), optical fiber, portable Compact Disk Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
Furthermore, the above-described drawings are only schematic illustrations of processes included in the method according to the exemplary embodiment of the present invention, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
The present invention is not limited to the above embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (8)

1. A method of generating an event profile, the method comprising the steps of:
acquiring a judging rule set and a judging value set corresponding to a target event; the judging rule set comprises a plurality of judging rules, and each judging rule is provided with corresponding judging information and a unique corresponding rule hit path; the set of decision values includes a plurality of parameter values representing at least a partial characteristic of the target event;
matching the judgment values in the judgment value set with the judgment information of the judgment rule;
if the judging value accords with the limiting condition of judging information in any judging rule, determining that the judging value hits the judging rule;
acquiring the portrait information of the hit judgment rule according to the mapping relation between the judgment rule and the preset portrait information; the portrait information comprises a preset event portrait tag and preset portrait judging information;
taking the event portrait tag in the portrait information of the hit judgment rule as portrait tag information of the target event;
taking the portrait judgment information in the portrait information of the hit judgment rule as portrait judgment information of the target event;
obtaining a decision rule set corresponding to a target event, including:
acquiring json logs of the target events;
generating an event type identifier of the target event according to the value of the event type field in the json log;
selecting a judging rule with the event type identifier from a plurality of preset judging rules, and generating a judging rule set corresponding to the target event;
after generating the decision rule set corresponding to the target event, the method further includes:
taking a rule hit path in each judgment rule in the judgment rule set as a corresponding value index;
acquiring corresponding judging values from json logs of the target events according to each value index to generate a judging value set corresponding to the target events;
the rule hit path is composed of a field file storage path and a hit field name; the hit field name corresponds to at least one field file storage path; and the field file storage path is the storage position of the hit field name in the json log.
2. The method according to claim 1, wherein matching the determination values in the set of determination values with the determination information of the determination rule includes:
obtaining a target judgment value corresponding to each judgment rule according to a rule hit path in each judgment rule in the judgment rule set; the value index of the target judgment value is the same as the rule hit path of the corresponding judgment rule;
and carrying out matching processing on the target judgment value corresponding to each judgment rule by using the judgment information in each judgment rule.
3. The method of claim 1, wherein the representation determination information comprises a plurality of auxiliary validation information, each of the auxiliary validation information having a unique corresponding user category identification;
after obtaining the portrait information of the hit judgment rule according to the mapping relation between the judgment rule and the preset portrait information, the method further comprises:
and checking the user category identification corresponding to the user according to the portrait information of the hit judgment rule, and determining auxiliary confirmation information with the same user category identification as target display information.
4. The method of claim 1, wherein obtaining a corresponding decision value from the json log of the target event based on each value index comprises:
performing unified value processing on all value indexes corresponding to each hit field name to generate a three-dimensional judgment array corresponding to each hit field name;
the unified value processing comprises the following steps:
determining the numbers F1, F2, …, Fp, …, Fr of array nodes in each value index according to the data form of each value index in the json log; Fp is the number of array nodes of the p-th value index corresponding to the same hit field name, and the array nodes are nodes in array form in the json log; r is the total number of value indexes corresponding to the same hit field name, and p = 1, 2, …, r;
acquiring at least one corresponding judgment value from the json log of the target event according to each value index;
generating a primary value array and a supplementary array corresponding to each value index according to the number of array nodes in each value index; the array dimension of the primary value array is W_C = max(F1, F2, …, Fp, …, Fr); the array dimension of the supplementary array is W_b = Hp - W_C; Hp is an array dimension threshold, Hp = 2 or Hp = 3;
all primary value arrays are added into the supplementary array, and an initial three-dimensional array corresponding to the hit field name is generated;
and respectively placing the judging values corresponding to each value index into corresponding primary value arrays to generate the three-dimensional judging arrays corresponding to the hit field names.
5. The method of claim 4, wherein Hp satisfies the following condition:
when the hit field name corresponds to only one value index, Hp is 2;
when the hit field name corresponds to a plurality of value indexes, Hp is 3.
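The following Python block is an added example, not the patent's code, that walks through claims 1 and 2 (select the preset rules whose event type identifier matches the log, fetch each rule's value through its rule hit path, match it against the rule's decision information, and map every hit to its preset portrait tag and decision information) and claims 4 and 5 (unified value processing that lifts the values fetched under one hit field name into an array of depth Hp, with W_C = max(Fp) and W_b = Hp - W_C). The rule layout, the dotted path syntax with `[]` marking an array node, the portrait vocabulary and the sample login log are all my assumptions.

```python
"""Added example (not the patent's code): a minimal rule-hit engine following
claims 1, 2, 4 and 5. Rule layout, path syntax and the sample log are assumed."""
import json

# Constructed sample JSON log; field names are illustrative, not the patent's.
SAMPLE_LOG_JSON = """{
  "event_type": "login",
  "src": {"ip": "203.0.113.7", "geo": "ZZ"},
  "attempts": [{"user": "admin", "ok": false}, {"user": "root", "ok": false}]
}"""
LOG = json.loads(SAMPLE_LOG_JSON)

# Constructed preset rules. "hit_path" is the rule hit path: the field storage
# path and the hit field name joined by '.'; a segment ending in "[]" is an
# array node. "condition" is the limiting condition of the decision information
# and "portrait" the preset portrait information the rule maps to.
RULES = [
    {"id": "R1", "event_type": "login", "hit_path": "attempts[].ok",
     "condition": lambda v: len(v) >= 2 and not any(v),
     "portrait": {"tag": "credential-guessing",
                  "decision": "every login attempt in the event failed"}},
    {"id": "R2", "event_type": "login", "hit_path": "src.geo",
     "condition": lambda v: v not in {"CN", "US"},
     "portrait": {"tag": "unexpected-geo",
                  "decision": "source geolocation outside the expected set"}},
    {"id": "R3", "event_type": "login", "hit_path": "src.asn",  # field absent
     "condition": lambda v: v == 64496,
     "portrait": {"tag": "suspicious-asn", "decision": "known bad ASN"}},
    {"id": "R4", "event_type": "file_write", "hit_path": "path",
     "condition": lambda v: v.startswith("/etc/"),
     "portrait": {"tag": "config-tamper", "decision": "write under /etc"}},
]


def extract(obj, path):
    """Walk a rule hit path through the parsed log. A segment ending in '[]'
    is an array node: the walk fans out over its elements and yields a list.
    A missing field yields None rather than raising."""
    segs = path.split(".")

    def walk(node, i):
        if i == len(segs):
            return node
        if not isinstance(node, dict):
            return None
        seg = segs[i]
        if seg.endswith("[]"):
            return [walk(el, i + 1) for el in node.get(seg[:-2], [])]
        return walk(node.get(seg), i + 1)

    return walk(obj, 0)


def select_rules(log, rules):
    """Claim 1: keep only the preset rules carrying the log's event type id."""
    return [r for r in rules if r["event_type"] == log.get("event_type")]


def build_portrait(log, rules):
    """Claims 1 and 2: each rule's hit path is its value index; the value found
    under it is matched against the rule's limiting condition; every hit
    contributes its mapped portrait tag and portrait decision information."""
    hits, tags, decisions = [], [], []
    for rule in select_rules(log, rules):
        value = extract(log, rule["hit_path"])
        if value is not None and rule["condition"](value):
            hits.append(rule["id"])
            tags.append(rule["portrait"]["tag"])
            decisions.append(rule["portrait"]["decision"])
    return {"hits": hits, "tags": tags, "decisions": decisions}


def lift(value, depth):
    """Wrap value in `depth` extra list layers."""
    for _ in range(depth):
        value = [value]
    return value


def array_depth(x):
    """Nesting depth of a list structure (0 for a scalar)."""
    return 1 + max((array_depth(e) for e in x), default=0) if isinstance(x, list) else 0


def unify(log, paths):
    """Unified value processing as I read claims 4 and 5: Fp is the number of
    '[]' array nodes in each value index; every primary value array is lifted
    to W_C = max(Fp); all of them go into a supplementary array of W_b = Hp - W_C
    layers, so the result always has depth Hp (2 for one index, 3 for several)."""
    fs = [p.count("[]") for p in paths]
    w_c = max(fs)
    hp = 2 if len(paths) == 1 else 3
    w_b = hp - w_c
    if w_b < 1:
        raise ValueError("a value index nests deeper than Hp allows")
    primaries = [lift(extract(log, p), w_c - f) for p, f in zip(paths, fs)]
    return lift(primaries, w_b - 1)  # the primaries list is the first W_b layer


if __name__ == "__main__":
    print(json.dumps(build_portrait(LOG, RULES), indent=2))
    print(unify(LOG, ["src.ip", "attempts[].user"]))
```

Rule R3 shows the check a practitioner wants in a log-driven matcher: a rule whose hit path is absent from this event must not hit, so `extract` returns `None` and the condition is never evaluated on a missing value. Rule R4 shows the event-type filter of claim 1 keeping rules for other event types out of the match entirely.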
6. An apparatus for generating an event profile, the apparatus comprising:
the acquisition module is used for acquiring a judging rule set and a judging value set corresponding to the target event; the judging rule set comprises a plurality of judging rules, and each judging rule is provided with corresponding judging information and a unique corresponding rule hit path; the set of decision values includes a plurality of parameter values representing at least a partial characteristic of the target event;
the matching module is used for matching the judgment values in the judgment value set with the judgment information of the judgment rule;
the hit module is used for determining that the judging value hits the judging rule if the judging value accords with the limiting condition of judging information in any judging rule;
the portrait information acquisition module is used for acquiring portrait information of the hit judgment rule according to the mapping relation between the judgment rule and preset portrait information; the portrait information comprises a preset event portrait tag and preset portrait judging information;
the generation module is used for taking the event portrait tag in the portrait information of the hit judgment rule as portrait tag information of the target event;
the generation module is also used for taking the portrait judgment information in the portrait information of the hit judgment rule as portrait judgment information of the target event;
the acquisition module acquiring the judging rule set corresponding to the target event comprises the following steps:
acquiring json logs of the target events;
generating an event type identifier of the target event according to the value of the event type field in the json log;
selecting a judging rule with the event type identifier from a plurality of preset judging rules, and generating a judging rule set corresponding to the target event;
after generating the decision rule set corresponding to the target event, the obtaining module is further configured to:
taking a rule hit path in each judgment rule in the judgment rule set as a corresponding value index;
acquiring corresponding judging values from json logs of the target events according to each value index to generate a judging value set corresponding to the target events;
the rule hit path is composed of a field file storage path and a hit field name; the hit field name corresponds to at least one field file storage path; and the field file storage path is the storage position of the hit field name in the json log.
7. A non-transitory computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements a method of generating an event representation according to any of claims 1 to 5.
8. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements a method of generating an event representation according to any of claims 1 to 5 when executing the computer program.
CN202311290890.XA 2023-10-08 2023-10-08 Event image generation method and device, storage medium and electronic equipment Active CN117034210B (en)

Publications (2)

Publication Number Publication Date
CN117034210A CN117034210A (en) 2023-11-10
CN117034210B true CN117034210B (en) 2024-01-26

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111339293A (en) * 2020-02-11 2020-06-26 支付宝(杭州)信息技术有限公司 Data processing method and device of alarm event and classification method of alarm event
CN111967807A (en) * 2020-10-23 2020-11-20 支付宝(杭州)信息技术有限公司 Method and device for generating risk event judgment rule executed by computer
CN115001774A (en) * 2022-05-26 2022-09-02 奇安信科技集团股份有限公司 Method, device and equipment for analyzing association of alarm event
CN116668054A (en) * 2023-02-13 2023-08-29 中能融合智慧科技有限公司 Security event collaborative monitoring and early warning method, system, equipment and medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9141942B2 (en) * 2012-09-05 2015-09-22 International Business Machines Corporation Event scheduler based on real-time analytics and business rules
RU2016103154A (en) * 2016-02-01 2017-08-04 Делл Софтвэар Инк. SYSTEMS AND METHODS FOR REGISTRATION AND CATEGORIZATION OF PRODUCT EVENTS
US10771486B2 (en) * 2017-09-25 2020-09-08 Splunk Inc. Systems and methods for detecting network security threat event patterns

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于互联网大数据的事件智能抓取和画像 (Intelligent event capture and profiling based on Internet big data); 李方方 et al.; 无线互联科技 (Wireless Internet Technology) (01); pp. 26-27 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant