CN117081776A - Alarm data reporting system, alarm data reporting method and device - Google Patents

Publication number: CN117081776A
Authority: CN (China)
Prior art keywords: alarm data; alarm; central control; data; security rule
Legal status: Pending
Application number: CN202310620154.XA
Other languages: Chinese (zh)
Inventor: 骆振源
Current assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd
Application filed by Qianxin Technology Group Co Ltd and Qianxin Safety Technology Zhuhai Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

The embodiment of the invention provides an alarm data reporting system, an alarm data reporting method and an alarm data reporting device, and relates to the technical field of computer security. The system comprises a central control system and at least one terminal device connected with the central control system; the terminal device is used for matching each alarm data with a security rule when at least one alarm data is detected, and sending a first alarm message to the central control system based on the matching result, the first alarm message comprising at least one piece of first alarm data representing malicious property; the central control system is used for storing the at least one first alarm data into a first database. According to the invention, only the alarm data determined to be malicious based on the security rule is reported to the central control system, so that false alarms among the security alarm data are reduced, the probability that security operators analyze false alarm data is reduced, and the efficiency with which security operators analyze alarm data is improved.

Description

Alarm data reporting system, alarm data reporting method and device
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to an alarm data reporting system, and an alarm data reporting method and apparatus.
Background
When operating security protection software, a security operator generally needs to have the software detect alarm data and report all of the detected alarm data to a central control system; the security operator then acquires each alarm data from the central control system and analyzes it to determine which alarm data pose a risk to the user.
However, in a large enterprise the alarm data generated every day by millions of terminal devices are too numerous, and most of them are false alarms, so security operators spend most of their time analyzing false alarm data, and their efficiency in analyzing alarm data is reduced.
Disclosure of Invention
Aiming at the problems in the prior art, the embodiment of the invention provides an alarm data reporting system, an alarm data reporting method and an alarm data reporting device.
Specifically, the embodiment of the invention provides the following technical scheme:
In a first aspect, an embodiment of the present invention provides an alarm data reporting system, including a central control system and at least one terminal device connected with the central control system;
the terminal device is used for matching each alarm data with a security rule when at least one alarm data is detected, and sending a first alarm message to the central control system based on the matching result; the first alarm message comprises at least one piece of first alarm data representing malicious property; the security rule is determined based on at least one previously acquired historical alarm data;
the central control system is used for storing the at least one first alarm data into a first database.
Further, the central control system is connected with the at least one terminal device through an application system;
the terminal device is specifically configured to send the first alarm message to the application system based on the matching result;
the application system is used for screening out abnormal alarm data from the at least one first alarm data to obtain at least one second alarm data, and sending a second alarm message to the central control system based on the at least one second alarm data; the second alarm message comprises the at least one second alarm data; the abnormal alarm data includes at least one of: alarm data whose target field is null, and alarm data whose target field value is not within a preset value range;
the central control system is specifically configured to store the at least one second alarm data into the first database.
Further, when the security rule is a white list rule, the first alarm data is the alarm data that does not match the security rule;
and when the security rule is a blacklist rule, the first alarm data is the alarm data that matches the security rule.
Further, the application system comprises a first load balancing device and at least one application server connected with the first load balancing device; the first load balancing device is connected with at least one terminal device, and each application server is connected with the central control system;
the first load balancing device is configured to receive the first alarm messages sent by each terminal device, and allocate corresponding first alarm messages to each application server based on a first load balancing policy;
the application server is configured to screen out abnormal alarm data in at least one of the first alarm data in the first alarm messages for each received first alarm message, obtain at least one second alarm data, and send the second alarm message to the central control system based on the at least one second alarm data.
Further, the central control system comprises a second load balancing device and at least one central control server connected with the second load balancing device, and each application server is connected with the second load balancing device;
the second load balancing device is configured to receive the second alarm messages sent by the application servers, and allocate corresponding second alarm messages to the central control servers based on a second load balancing policy;
the central control server is used for storing at least one second alarm data in each received second alarm message into the first database.
Further, each central control server is provided with a Kafka message queue;
the second load balancing device is specifically configured to send the second alarm messages allocated to each central control server to the Kafka message queue of that central control server;
the central control server is specifically configured to obtain the second alarm messages from its Kafka message queue at intervals of a first preset duration, and store the at least one second alarm data in the second alarm messages into the first database.
Further, the central control server is specifically configured to obtain the security rule from a second database, and match each second alarm data in each received second alarm message with the security rule;
the central control server is specifically configured to store, when the security rule is a white list rule, the second alarm data that does not match the security rule into the first database, and to store, when the security rule is a blacklist rule, the second alarm data that matches the security rule into the first database.
Further, the central control server is further configured to determine a new security rule based on second alarm data that does not match the security rule, replace the security rule in the second database with the new security rule, and upload the new security rule to a cloud storage component.
Further, the application server is further configured to obtain a security rule from the cloud storage component based on the second preset duration, and replace the security rule in the third database with the security rule obtained from the cloud storage component when it is determined that the security rule in the third database is different from the security rule obtained from the cloud storage component.
Further, the terminal device is further configured to send a policy acquisition request to the first load balancing device based on a third preset duration;
the first load balancing device is configured to determine a target application server based on the first load balancing policy, and send the policy acquisition request to the target application server;
the target application server is configured to obtain the security rule from the third database, and send the security rule obtained from the third database to the terminal device through the first load balancing device; the third preset duration is less than or equal to the second preset duration.
In a second aspect, an embodiment of the present invention further provides a method for reporting alarm data, where the method is applied to a terminal device, and the method includes:
when at least one alarm data is detected, matching each alarm data with a security rule;
sending a first alarm message to the central control system based on the matching result; the first alarm message comprises at least one piece of first alarm data representing malicious property; the first alarm message is used by the central control system to store the at least one first alarm data into a first database; the security rule is determined based on at least one previously acquired historical alarm data.
In a third aspect, an embodiment of the present invention further provides an alarm data reporting device, including:
the matching unit is used for matching each alarm data with a security rule when at least one alarm data is detected;
the sending unit is used for sending a first alarm message to the central control system based on the matching result; the first alarm message comprises at least one piece of first alarm data representing malicious property; the first alarm message is used by the central control system to store the at least one first alarm data into a first database; the security rule is determined based on at least one previously acquired historical alarm data.
In a fourth aspect, an embodiment of the present invention further provides an electronic device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the alarm data reporting method according to the second aspect when executing the program.
In a fifth aspect, embodiments of the present invention also provide a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the alert data reporting method according to the second aspect.
In a sixth aspect, an embodiment of the present invention further provides a computer program product, where executable instructions are stored, where the instructions, when executed by a processor, cause the processor to implement the alarm data reporting method according to the second aspect.
The alarm data reporting system comprises a central control system and at least one terminal device. When at least one alarm data is detected, the terminal device first matches each alarm data with a security rule and sends a first alarm message to the central control system based on the matching result, the first alarm message comprising at least one first alarm data representing malicious property; when the central control system receives the first alarm messages sent by the terminal devices, it stores the at least one first alarm data in each first alarm message in a first database. It can be seen that the invention screens the detected alarm data against the security rule on the terminal device side and reports only the alarm data that the security rule determines to be malicious to the central control system, thereby reducing false alarms among the security alarm data, reducing the probability that security operators analyze false alarm data, and further improving the efficiency with which security operators analyze alarm data.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an alarm data reporting system according to an embodiment of the present invention;
FIG. 2 is a second schematic diagram of an alarm data reporting system according to an embodiment of the present invention;
FIG. 3 is a third schematic diagram of an alarm data reporting system according to an embodiment of the present invention;
FIG. 4 is a flowchart of an alarm data reporting method according to an embodiment of the present invention;
FIG. 5 is a first interaction diagram of the method for reporting alarm data according to an embodiment of the present invention;
FIG. 6 is a second interaction diagram of the method for reporting alarm data according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an alarm data reporting device according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of the entity structure of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Security operations refers to the application of a series of policies, techniques and procedures by an enterprise, organization or individual to secure information and protect against malicious acts and security vulnerabilities. In today's digital age, security operations are very important, because many businesses and organizations rely on electronic systems and networks to transfer and store sensitive data and information. In general, security operators need to operate the security protection software of multiple clients; these clients have massive numbers of terminal devices, and the alarm data reported by those terminal devices are likewise massive, so security rules are needed to manage and control the alarm data reported by the massive number of terminal devices.
Based on the above, the embodiment of the invention provides an alarm data reporting system, which screens the detected alarm data on the terminal device side based on a security rule and reports only the alarm data that the security rule determines to be malicious to the central control system, so as to reduce false alarms among the security alarm data, reduce the probability that security operators analyze false alarm data, and further improve the efficiency with which security operators analyze alarm data.
The following describes an alarm data reporting system provided by an embodiment of the present invention with reference to fig. 1 to 3.
Fig. 1 is a first schematic structural diagram of an alarm data reporting system provided in an embodiment of the present invention. As shown in fig. 1, the alarm data reporting system 100 includes a central control system 101 and at least one terminal device 102 connected to the central control system 101; the terminal device 102 may be an electronic device such as a computer, a mobile phone, a tablet computer, a server or a server cluster, or a specially designed intelligent device. The central control system 101 may be an electronic device such as a computer, a server or a server cluster, or a specially designed intelligent device.
The terminal device 102 is configured to match each alarm data with a security rule when at least one alarm data is detected, and send a first alarm message to the central control system 101 based on a matching result; the first alarm message comprises at least one piece of first alarm data representing malicious property; the security rule is determined based on at least one previously acquired historical alert data.
The central control system 101 is configured to store at least one first alarm data in a first database.
Each terminal device 102 may be provided with security protection software, which protects the terminal device and the data stored on it; the security protection software may be antivirus software, firewall software or the like. Antivirus software can detect and remove viruses, malware, spyware and the like on the terminal device, and treats data such as viruses, malware and spyware as alarm data; a firewall can filter network traffic data against unauthorized access and attacks, and can treat unauthorized access data or attack data as alarm data.
The security rule is determined based on a plurality of previously acquired historical alert data, that is, each previously acquired historical alert data is analyzed to determine which historical alert data are security data and which historical alert data are harmful data, and then the security rule is determined based on the security historical alert data and the harmful historical alert data. For example, when the value of a certain field in the historical alarm data is within a preset value range, the historical alarm data is indicated to be safe data, and when the value of a certain field in the historical alarm data is not within the preset value range, the historical alarm data is indicated to be harmful data. Security rules are used to protect information and assets of a device to ensure confidentiality, integrity, and availability of the device.
When the security rule is a white list rule, the first alarm data is the alarm data that does not match the security rule; when the security rule is a blacklist rule, the first alarm data is the alarm data that matches the security rule. The following description takes the security rule as a white list rule as an example; the implementation for a blacklist rule follows from that for a white list rule and is not repeated here.
Taking the security rule as a white list rule as an example, each terminal device 102 uses its security protection software to detect in real time whether suspicious behavior data exist on the terminal device. When suspicious behavior data are detected, they are taken as alarm data and matched against the security rule: if the alarm data match the security rule, they are determined to be safe data; if the alarm data do not match the security rule, they are determined to be malicious, that is, harmful, data. A first alarm message is then generated from a preset number of first alarm data that do not match the security rule and sent to the central control system. In other words, the safe alarm data are intercepted based on the security rule, and only the harmful first alarm data that do not match the security rule are reported to the central control system, so the number of alarm data reported to the central control system is reduced. When the central control system receives the first alarm message, it parses the message, obtains the preset number of first alarm data that do not match the security rule carried in it, and stores them in the first database; the preset number may be an integer greater than or equal to 1. Since the safe alarm data are intercepted by the security rule on the terminal device side, the number of alarm data reported to the central control system is reduced, and the alarm data that security operators need to analyze are reduced accordingly.
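The terminal-side screening described above, as an added example that is not code from the patent or its assignee: a security rule is modelled as a set of per-field preset value ranges (the kind of rule the text describes for historical alarm data), a white list rule reports the alarm data that do not match, a blacklist rule reports the alarm data that do match, and the reported records are batched into first alarm messages of a preset number. The field name `risk_score`, the sample records and the min/max derivation of the range from safe historical alerts are constructed assumptions.

```python
"""Terminal-side screening of alarm data against a security rule (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Alarm = Dict[str, object]          # one alarm record: field name -> value


@dataclass
class SecurityRule:
    mode: str                                  # "white" or "black"
    ranges: Dict[str, Tuple[float, float]]     # field -> inclusive (low, high)

    def matches(self, alarm: Alarm) -> bool:
        """An alarm matches when every rule field is present, numeric and in range."""
        for name, (low, high) in self.ranges.items():
            value = alarm.get(name)
            if not isinstance(value, (int, float)) or isinstance(value, bool):
                return False        # null or non-numeric value cannot be shown safe
            if not low <= value <= high:
                return False
        return True


def is_first_alarm_data(rule: SecurityRule, alarm: Alarm) -> bool:
    """White list: malicious = not matched. Blacklist: malicious = matched."""
    matched = rule.matches(alarm)
    if rule.mode == "white":
        return not matched
    if rule.mode == "black":
        return matched
    raise ValueError(f"unknown rule mode {rule.mode!r}")


def build_first_alarm_messages(rule: SecurityRule, alarms: List[Alarm],
                               preset_number: int) -> List[List[Alarm]]:
    """Keep only first alarm data and batch them, preset_number per first alarm message."""
    if preset_number < 1:
        raise ValueError("preset_number must be >= 1")
    malicious = [a for a in alarms if is_first_alarm_data(rule, a)]
    return [malicious[i:i + preset_number]
            for i in range(0, len(malicious), preset_number)]


def derive_whitelist_rule(history: List[Tuple[Alarm, bool]],
                          fields: List[str]) -> SecurityRule:
    """Build a white list rule from labelled history (alarm, is_safe).

    Assumption for this example: the preset range of each field is the min..max
    observed on the historical alerts labelled safe.
    """
    ranges: Dict[str, Tuple[float, float]] = {}
    for name in fields:
        safe_values = [a[name] for a, is_safe in history
                       if is_safe and isinstance(a.get(name), (int, float))]
        if not safe_values:
            raise ValueError(f"no safe history for field {name!r}")
        ranges[name] = (min(safe_values), max(safe_values))
    return SecurityRule(mode="white", ranges=ranges)


def message_ids(messages: List[List[Alarm]]) -> List[List[object]]:
    """View of batched first alarm messages by alarm id."""
    return [[a["id"] for a in msg] for msg in messages]


# Constructed sample data (not from the patent).
HISTORY: List[Tuple[Alarm, bool]] = [
    ({"id": "h1", "risk_score": 10}, True),
    ({"id": "h2", "risk_score": 30}, True),
    ({"id": "h3", "risk_score": 20}, True),
    ({"id": "h4", "risk_score": 90}, False),
]
ALARMS: List[Alarm] = [
    {"id": "a1", "risk_score": 15},
    {"id": "a2", "risk_score": 88},
    {"id": "a3", "risk_score": 25},
    {"id": "a4", "risk_score": None},    # null value: not matched by a white list
    {"id": "a5", "risk_score": 99},
]

if __name__ == "__main__":
    white = derive_whitelist_rule(HISTORY, ["risk_score"])
    black = SecurityRule(mode="black", ranges=white.ranges)
    print("white list rule:", white.ranges)
    print("white list reports:", message_ids(build_first_alarm_messages(white, ALARMS, 2)))
    print("blacklist reports:", message_ids(build_first_alarm_messages(black, ALARMS, 2)))
```

With the constructed data the white list rule becomes `risk_score` in [10, 30]; a1 and a3 are intercepted as safe, while a2, a4 and a5 are reported in two first alarm messages of at most two records each. The same ranges used as a blacklist rule invert the result and report a1 and a3 only.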
It should be noted that, the remote management software may also remotely monitor and manage the terminal device and remotely delete or lock the data in the terminal device, where when detecting that the alarm data exists on the terminal device, the remote management software sends the alarm data to the terminal device, so that the terminal device detects the alarm data.
It should be noted that, encryption software may be installed in the terminal device, and the encryption software encrypts the data in the terminal device to protect confidentiality of the data; in addition, file cleaning software can be installed in the terminal equipment, and temporary files and unnecessary files on the terminal equipment are cleaned through the file cleaning software, so that the performance of the terminal equipment is improved, and the safety risk is reduced.
In practical application, the security rules may be set for the same group of terminal devices, or may be set for only a single terminal device, or may be set for all terminal devices, which is not limited in the present invention.
It should be noted that, the security rule may be set based on the same type of alarm data, and different types of alarm data may be set to different security rules, which is not limited in this invention.
The alarm data reporting system provided by the embodiment of the invention comprises a central control system and at least one terminal device. When at least one alarm data is detected, the terminal device first matches each alarm data with a security rule and sends a first alarm message to the central control system based on the matching result, the first alarm message comprising at least one first alarm data representing malicious property; when the central control system receives the first alarm messages sent by the terminal devices, it stores the at least one first alarm data in each first alarm message in a first database. It can be seen that the invention screens the detected alarm data against the security rule on the terminal device side and reports only the alarm data that the security rule determines to be malicious to the central control system, thereby reducing false alarms among the security alarm data, reducing the probability that security operators analyze false alarm data, and further improving the efficiency with which security operators analyze alarm data.
In an embodiment, fig. 2 is a second schematic structural diagram of the alarm data reporting system provided in the embodiment of the present invention, as shown in fig. 2, the alarm data reporting system 100 further includes an application system 103, and the central control system 101 is connected to at least one terminal device 102 through the application system 103.
The terminal device 102 is specifically configured to send the first alert message to the application system 103 based on the matching result.
The application system 103 is configured to screen out abnormal alarm data in at least one first alarm data to obtain at least one second alarm data, and send a second alarm message to the central control system 101 based on at least one second alarm data; the second alarm message comprises at least one piece of second alarm data; the anomaly alert data includes at least one of: alarm data with a null target field and/or alarm data with a target field value not within a preset value range.
The central control system 101 is specifically configured to store at least one of the second alarm data in the first database.
The application system 103 may be an electronic device such as a computer, a server or a server cluster, or a specially designed intelligent device. Optionally, one application system 103 may be set up in the alarm data reporting system, or two or more application systems 103 may be set up; the number may be determined as needed according to the number of terminal devices 102. When two or more application systems 103 are set up, each application system 103 is connected to the central control system 101 separately.
For example, taking the security rule as a white list rule, when the terminal device 102 determines at least one first alarm data that does not match the security rule, it sends a first alarm message generated from that first alarm data to the application system 103, and the application system 103 performs data cleaning on the at least one first alarm data in the first alarm message. A specific data cleaning process may be as follows: for each first alarm data, determine whether the value of any target field is null and whether the value of each target field lies within its preset value range; when the value of a target field is null, or the value of a target field is not within the preset value range, determine the corresponding first alarm data to be abnormal alarm data. All abnormal alarm data are screened out of the at least one first alarm data, each remaining first alarm data that does not match the security rule is determined to be second alarm data, and the second alarm data are carried in a second alarm message and sent to the central control system 101, so that the central control system 101 stores each received second alarm data in the first database as effective alarm data, and security operators need only analyze the effective alarm data.
In this embodiment, the application system screens out the abnormal alarm data in the first alarm data which is not matched with the security rule and is sent by each terminal device, so as to obtain at least one second alarm data, and each second alarm data is sent to the central control system for storage, so that the security operator only analyzes the effective second alarm data, and the efficiency of the security operator in analyzing the alarm data is further improved.
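The data cleaning step of the application system, as an added example that is not code from the patent or its assignee: each first alarm data is checked for the two anomaly conditions the text defines (a null target field, or a target field value outside its preset value range), the anomalies are screened out with a reason, and only the remaining records are carried in the second alarm message. The target fields `host_id`, `risk_score` and `severity`, their preset ranges and the sample first alarm message are constructed assumptions.

```python
"""Application-system data cleaning of first alarm data into second alarm data (added example)."""
from typing import Dict, List, Optional, Tuple

Alarm = Dict[str, object]

# Target fields to validate (constructed). None = must only be non-null;
# a tuple = inclusive preset value range the value must fall in.
TARGET_FIELDS: Dict[str, Optional[Tuple[float, float]]] = {
    "host_id": None,
    "risk_score": (0, 100),
    "severity": (1, 5),
}


def anomaly_reason(alarm: Alarm,
                   target_fields: Dict[str, Optional[Tuple[float, float]]] = TARGET_FIELDS
                   ) -> Optional[str]:
    """Return why the alarm is abnormal alarm data, or None if every target field is valid."""
    for name, value_range in target_fields.items():
        value = alarm.get(name)
        if value is None or value == "":
            return f"{name}: null"                    # condition 1: null target field
        if value_range is not None:
            low, high = value_range
            if (not isinstance(value, (int, float)) or isinstance(value, bool)
                    or not low <= value <= high):
                return f"{name}: {value!r} outside [{low}, {high}]"   # condition 2
    return None


def clean_first_alarm_message(first_alarm_data: List[Alarm]
                              ) -> Tuple[List[Alarm], List[Tuple[Alarm, str]]]:
    """Split first alarm data into second alarm data (kept) and screened-out anomalies."""
    second: List[Alarm] = []
    rejected: List[Tuple[Alarm, str]] = []
    for alarm in first_alarm_data:
        reason = anomaly_reason(alarm)
        if reason is None:
            second.append(alarm)
        else:
            rejected.append((alarm, reason))
    return second, rejected


def build_second_alarm_message(first_alarm_data: List[Alarm]) -> Dict[str, object]:
    """Second alarm message: only the cleaned records, plus a summary of what was dropped."""
    second, rejected = clean_first_alarm_message(first_alarm_data)
    return {"second_alarm_data": second,
            "dropped": len(rejected),
            "drop_reasons": [reason for _, reason in rejected]}


# Constructed first alarm message as forwarded by a terminal device.
FIRST_ALARM_MESSAGE: List[Alarm] = [
    {"id": "a1", "host_id": "host-01", "risk_score": 88, "severity": 4},
    {"id": "a2", "host_id": None, "risk_score": 70, "severity": 3},        # null target field
    {"id": "a3", "host_id": "host-03", "risk_score": 140, "severity": 2},  # value out of range
    {"id": "a4", "host_id": "host-04", "risk_score": 60},                  # severity missing
    {"id": "a5", "host_id": "host-05", "risk_score": 75, "severity": 5},
]

if __name__ == "__main__":
    msg = build_second_alarm_message(FIRST_ALARM_MESSAGE)
    print("second alarm data:", [a["id"] for a in msg["second_alarm_data"]])
    print("dropped:", msg["dropped"], msg["drop_reasons"])
```

Keeping the drop reasons in the second alarm message (or in a local log) is a design choice worth making here: the central control system stores only effective alarm data, but a sudden rise in records rejected for a null field usually points at a terminal-side agent or schema problem rather than at genuinely noisy alarms.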
In one embodiment, the application system comprises a first load balancing device and at least one application server connected with the first load balancing device; the first load balancing device is connected with at least one terminal device, and each application server is connected with the central control system.
The first load balancing device is configured to receive the first alarm messages sent by the terminal devices, and allocate corresponding first alarm messages to the application servers based on a first load balancing policy.
The application server is configured to screen out abnormal alarm data in at least one of the first alarm data in the first alarm messages for each received first alarm message, obtain at least one second alarm data, and send the second alarm message to the central control system based on the at least one second alarm data.
The first load balancing device may be any device with load balancing capability, for example a dedicated load balancing device, or a hardware device on which a load balancing program is installed. The first load balancing device may be a load balancing appliance such as F5, NetScaler or Array, or a device on which load balancing software such as LVS, Nginx or HAProxy is installed. Each terminal device is connected with the first load balancing device and can send a first alarm message to the first load balancing device to which it is connected. The first load balancing device is connected with each application server and distributes different first alarm messages to each application server.
For example, because the number of terminal devices is large, and in consideration of the processing capacity of a single application server and the need to keep other services running normally, a plurality of application servers are deployed; each terminal device sends its first alarm messages to the first load balancing device connected with the application servers, and the first load balancing device adaptively distributes all received first alarm messages to the application servers based on a first load balancing policy. The first load balancing policy may be an allocation policy formulated according to factors such as the processing capability of each application server or the overall architecture of the application system. By way of example, the first load balancing policy may employ round robin balancing, response speed balancing, processing power balancing, or another form of load balancing policy.
Round robin balancing is taken as an example of the first load balancing policy. A first load balancing device running LVS load balancing software is connected with an application server a and an application server b. After the first load balancing device receives the first first alarm message sent by a terminal device, it distributes that message to application server a; after it receives the second first alarm message, it distributes it to application server b; after it receives the third, it distributes it to application server a; and after it receives the fourth, it distributes it to application server b, so that the first alarm messages are distributed in a round robin, balanced manner. Distributing the first alarm messages in a round robin manner suits the situation in which all application servers in the application system have the same software and hardware configuration and the average service requests are relatively balanced, and it improves the overall processing capacity of the application system.
In this embodiment, each terminal device sends the first alarm message to the first load balancing device, and the first load balancing device adaptively distributes all the received first alarm messages to each application server based on the first load balancing policy, so that the processing progress of each application server can be balanced, the overall processing capability of the application system is improved, and normal operation of other services in the application server can be ensured.
In an embodiment, the central control system comprises a second load balancing device and at least one central control server connected with the second load balancing device, and each application server is connected with the second load balancing device.
The second load balancing device is configured to receive the second alarm messages sent by the application servers, and allocate corresponding second alarm messages to the central control servers based on a second load balancing policy.
The central control server is used for storing at least one second alarm data in each received second alarm message into the first database.
The second load balancing device may be any device with load balancing capability, for example a dedicated load balancing device, or a hardware device with a load balancing program installed on it. Like the first load balancing device, the second load balancing device may be a load balancing device such as F5, NetScaler or Array, or a device on which load balancing software such as LVS, Nginx or HAProxy is installed. Each application server is connected with the second load balancing device and can send a second alarm message to it. The second load balancing device is connected with each central control server and distributes the different second alarm messages among the central control servers.
For example, because the number of terminal devices is large, and because the processing capacity of a single central control server and the normal operation of other services have to be guaranteed, a plurality of central control servers are set up. Each application server first sends its second alarm messages to the second load balancing device connected with the central control servers, and the second load balancing device adaptively distributes all received second alarm messages among the central control servers based on a second load balancing policy. The second load balancing policy may be an allocation policy formulated according to factors such as the processing capacity of each central control server or the overall architecture of the central control system. Similarly, the second load balancing policy may adopt round robin balancing, response speed balancing, processing capacity balancing or another form of load balancing policy, which is not limited in this embodiment.
For example, suppose the number of second alarm messages sent by each application server is 100, and the central control system 101 includes 3 central control servers, namely central control server 1, central control server 2 and central control server 3. If, based on the second load balancing policy, central control server 1 is determined to be currently handling more service while central control servers 2 and 3 are determined to be currently handling less, the second load balancing device 1011 can allocate 10 second alarm messages to central control server 1 and 45 second alarm messages each to central control server 2 and central control server 3, so that every central control server can continue to operate normally. The processing of the second alarm messages by each central control server can refer to the related description above and is not repeated here.
In this embodiment, each application server sends the second alarm message to the second load balancing device, and the second load balancing device adaptively distributes all the received second alarm messages to each central control server based on the second load balancing policy, so that the processing progress of each central control server can be balanced, the overall processing capability of the central control system is improved, and normal operation of other services in the central control server can be ensured.
In order to store the second alarm data of each second alarm message in the first database in a timely and reliable way, a Kafka message queue may be installed on each central control server.
In one embodiment, a Kafka message queue is installed on each central control server.
The second load balancing device is specifically configured to send the second alarm messages allocated to each central control server to the Kafka message queue of that central control server.
The central control server is specifically configured to obtain the second alarm messages from the Kafka message queue based on a first preset duration, and store at least one piece of second alarm data from the second alarm messages into the first database.
The first preset duration can be set in a timing task of the central control server, and a specific value of the first preset duration can be set based on requirements.
For example, each central control server is provided with a Kafka message queue. For each central control server, the second load balancing device sends the second alarm messages distributed to that server to its Kafka message queue, and the Kafka message queue manages the second alarm messages. The central control server pulls the second alarm messages from the Kafka message queue based on the first preset duration, and stores at least one second alarm data from the second alarm messages in the first database. Because the second alarm messages are acquired based on the first preset duration, the central control server is prevented from reading the Kafka message queue too frequently, and the overall operating efficiency of the central control system is improved.
The Kafka message queue is a high-throughput, distributed message queue system, mainly used for processing large-scale real-time data streams such as website activity logs, sensor data and business metrics. The Kafka message queue provides an extensible, high-performance and durable message transmission system and is widely applied in big data processing, real-time stream processing, log collection, message transmission and similar fields.
In this embodiment, each central control server is provided with a Kafka message queue, and the second load balancing device sends each second alarm message to the Kafka message queue of the corresponding central control server. The second alarm messages received by the central control server are managed using the high throughput, high reliability, high flexibility and low latency of the Kafka message queue, and the second alarm data in the second alarm messages are stored via the Kafka message queue, so that the second alarm data are acquired and stored efficiently.
In an embodiment, the central control server is specifically configured to obtain the security rule from a second database, and match each second alarm data in each received second alarm message with the security rule.
The central control server is specifically configured to store, when the security rule is a white list rule, second alarm data that is not matched with the security rule into the first database; and storing second alarm data matched with the security rule into the first database under the condition that the security rule is a blacklist rule.
The second database is used for storing the configured security rule. The central control server can acquire the security rule from the second database and then match each second alarm data in the received second alarm messages against it. Taking a white list rule as an example: for each second alarm data, if the second alarm data matches the security rule, it is safe data that the terminal device failed to screen out, and it does not need to be stored in the first database; if the second alarm data does not match the security rule, it is harmful data and needs to be stored in the first database, so that security operators can analyze the second alarm data in the first database.
In this embodiment, the central control server further performs secondary matching on the second alarm data reported by the application server based on the security rule, so as to screen out the security alarm data which are not screened out by the terminal device, further avoid false alarm of the alarm data, and further improve the efficiency of analyzing the alarm data by the security operator.
In an embodiment, the central control server is further configured to determine a new security rule based on the second alarm data, replace the security rule in the second database with the new security rule, and upload the new security rule to the cloud storage component.
Wherein the cloud storage component may be a set of services and tools for storing and managing data in a cloud computing environment. Cloud storage components generally provide features of high reliability, high availability, resilient extension, security, ease of use, etc., which can help users easily store, backup, share, and access data. The cloud storage component may be at least one of a cloud storage service, a file synchronization and sharing tool, a data backup and restore service, a database service, an object storage service, a data lake service, and the like.
The central control server can display the second alarm data so that security operators can analyze it and obtain analysis results, which classify the data into real harmful data and safe data. A new security rule is then determined based on the analysis results, the security rule in the second database is deleted, and the new security rule is stored in the second database, so that the security rule is updated in real time; the new security rule is also backed up in the cloud storage component.
It should be noted that, the security rule may also be stored in the first database, that is, the security rule and the alarm data are stored in the first database together, so that if the second database fails, the security rule may also be obtained from the first database, so as to ensure the normal operation of the matching of the second alarm data.
In this embodiment, the central control server determines a new security rule based on the second alarm data, and stores the new security rule in the second database, so that the security rule is updated in real time, and the security operator can analyze the alarm data of the same type as the second alarm data through the security rule without manually analyzing the alarm data.
In an embodiment, the application server is further configured to obtain a security rule from the cloud storage component based on the second preset duration, and replace the security rule in the third database with the security rule obtained from the cloud storage component when it is determined that the security rule in the third database is different from the security rule obtained from the cloud storage component.
The second preset duration may be set in a timing task of the application server, and a specific value of the second preset duration may be set based on requirements.
The application server obtains the security rule from the cloud storage component based on the second preset duration and compares it with the security rule stored in the third database. When the security rule obtained from the cloud storage component differs from the one stored in the third database, the application server deletes the security rule in the third database and stores the security rule obtained from the cloud storage component there, thereby updating the security rule in the third database; when the two are the same, no replacement is performed and the security rule in the third database remains unchanged.
In this embodiment, the application server compares the security rule obtained from the cloud storage component with the security rule stored in the third database at regular time, and updates the security rule in the third database when determining that the security rule obtained from the cloud storage component is different from the security rule stored in the third database, so that when the terminal device requests the security rule from the application server, the terminal device can ensure that the requested security rule is the latest security rule, so that the terminal device can research and judge the alarm data based on the latest security rule, and the accuracy of intercepting the harmless alarm data by the terminal device is improved.
In an embodiment, the terminal device is further configured to send a policy acquisition request to the first load balancing device based on a third preset duration.
The first load balancing device is configured to determine a target application server based on the first load balancing policy, and send the policy acquisition request to the target application server.
The target application server is configured to obtain a security rule from the third database, and send the security rule obtained from the third database to the terminal device through the first load balancing policy; the third preset duration is smaller than or equal to the second preset duration.
The third preset duration may be set in a timing task of the terminal device, a specific value of the third preset duration may be set based on requirements, and the third preset duration is smaller than or equal to the second preset duration, so as to ensure that a security rule acquired by the terminal device is the latest security rule.
The terminal device sends a policy acquisition request to the first load balancing device based on the third preset duration. When the first load balancing device receives the policy acquisition request, it determines a relatively idle target application server based on the first load balancing policy and forwards the request to that server, and the target application server sends the security rule obtained from the third database to the terminal device. In this way the security rule on the terminal device is updated in real time, more harmless alarm data is intercepted by the updated security rule, and harmless alarm data is prevented from being reported to the central control server.
Fig. 3 is a third schematic structural diagram of an alarm data reporting system provided in an embodiment of the present invention. As shown in Fig. 3, each terminal device is connected to a first load balancing device LVS in the application system, the first load balancing device LVS is connected to each application server in the application system, each application server is connected to a second load balancing device LVS in the central control system, the second load balancing device LVS is connected to each central control server, each central control server is connected to a first database and a second database, each application server is connected to a third database, and each central control server is connected to a cloud storage component. The first database may be a DB cluster, the second database may be a Redis cluster, and the third database may be a Redis cluster.
The report flow of the alarm data is as follows:
Taking a white list security rule as an example: after the security protection software installed on the terminal device detects alarm data, it matches each alarm data against the security rule and sends a first alarm message to the first load balancing device LVS of the application system based on the at least one first alarm data that does not match the security rule; the first alarm message comprises that at least one first alarm data. The first load balancing device LVS distributes the first alarm messages among the application servers in the application system.
The application server that receives a first alarm message screens out abnormal alarm data from the at least one first alarm data that did not match the security rule to obtain at least one second alarm data, and sends a second alarm message to the second load balancing device LVS in the central control system based on the at least one second alarm data; the second alarm message includes at least one piece of second alarm data, and the second load balancing device LVS distributes each second alarm message to the Kafka message queue of a central control server. The central control server acquires the second alarm messages from the Kafka message queue based on the first preset duration, and stores at least one second alarm data from the second alarm messages into the first database.
The security rule issuing process is as follows:
the central control server determines a new security rule based on the second alarm data which is not matched with the security rule, replaces the security rule in the second database with the new security rule, and uploads the new security rule to the cloud storage component.
The application server acquires the security rules from the cloud storage component based on the second preset duration, and replaces the security rules in the third database with the security rules acquired from the cloud storage component when the security rules in the third database are determined to be different from the security rules acquired from the cloud storage component.
The terminal device sends a policy acquisition request to the first load balancing device based on the third preset duration; the first load balancing device determines a target application server based on the first load balancing policy and forwards the policy acquisition request to it; the target application server acquires the security rule from the third database and sends it to the terminal device through the first load balancing policy.
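The security rule issuing chain above (central control server to cloud storage component, application server refreshing the third database every second preset duration, terminal device requesting the rule every third preset duration) is modelled here as an added example; it is not code from the patent. It uses a discrete tick clock, a content hash to detect a changed rule, and a constructed schedule of rule changes to show why the third preset duration must not exceed the second: with a longer terminal period the terminal skips a version the third database held.

```python
import hashlib
import json


def fingerprint(rule) -> str:
    """Content hash used to decide whether a stored copy differs from the cloud copy."""
    return hashlib.sha256(json.dumps(rule, sort_keys=True).encode()).hexdigest()[:12]


class CloudStorageComponent:
    def __init__(self, rule):
        self.rule = rule

    def upload(self, rule):
        self.rule = rule

    def download(self):
        return self.rule


class CentralControlServer:
    """Holds the second database; replaces the rule on analyst feedback and backs it up to the cloud."""

    def __init__(self, cloud, rule):
        self.second_db = {"security_rule": rule}
        self.cloud = cloud

    def issue_new_rule(self, new_rule):
        self.second_db["security_rule"] = new_rule
        self.cloud.upload(new_rule)


class ApplicationServer:
    """Timed task with the second preset duration: refresh the third database from the cloud only when the copies differ."""

    def __init__(self, cloud, rule, second_duration):
        self.cloud = cloud
        self.third_db = {"security_rule": rule}
        self.period = second_duration
        self.held_versions = [fingerprint(rule)]   # every version the third database has held

    def tick(self, t) -> bool:
        if t % self.period != 0:
            return False
        cloud_rule = self.cloud.download()
        if fingerprint(cloud_rule) == fingerprint(self.third_db["security_rule"]):
            return False                           # same rule: third database left unchanged
        self.third_db["security_rule"] = cloud_rule
        self.held_versions.append(fingerprint(cloud_rule))
        return True

    def handle_policy_request(self):
        return self.third_db["security_rule"]


class TerminalDevice:
    """Timed task with the third preset duration: request the rule from the (target) application server."""

    def __init__(self, app_server, rule, third_duration):
        self.app = app_server
        self.rule = rule
        self.period = third_duration
        self.seen_versions = [fingerprint(rule)]

    def tick(self, t):
        if t % self.period != 0:
            return
        rule = self.app.handle_policy_request()
        if fingerprint(rule) != fingerprint(self.rule):
            self.rule = rule
            self.seen_versions.append(fingerprint(rule))


BASE_RULE = {"kind": "whitelist", "entries": [{"proc": "/usr/lib/*"}]}
# Constructed schedule: tick -> new rule issued by the central control server at that tick.
RULE_CHANGES = {
    1: {"kind": "whitelist", "entries": [{"proc": "/usr/lib/*"}, {"proc": "/usr/bin/*"}]},
    5: {"kind": "whitelist", "entries": [{"proc": "/usr/lib/*"}, {"proc": "/opt/vendor/*"}]},
    9: {"kind": "whitelist", "entries": [{"proc": "/usr/lib/*"}]},
}


def simulate(second_duration, third_duration, rule_changes=RULE_CHANGES, horizon=12):
    """Run the chain for ticks 0..horizon.  Within a tick the order is: central control
    issues, application server refreshes, terminal requests.  Returns the versions the
    third database held, the versions the terminal received, and the ones it missed."""
    cloud = CloudStorageComponent(BASE_RULE)
    central = CentralControlServer(cloud, BASE_RULE)
    app = ApplicationServer(cloud, BASE_RULE, second_duration)
    term = TerminalDevice(app, BASE_RULE, third_duration)
    for t in range(horizon + 1):
        if t in rule_changes:
            central.issue_new_rule(rule_changes[t])
        app.tick(t)
        term.tick(t)
    missed = [v for v in app.held_versions if v not in term.seen_versions]
    return app.held_versions, term.seen_versions, missed


if __name__ == "__main__":
    for third in (4, 6):
        held, seen, missed = simulate(second_duration=4, third_duration=third)
        print(f"third={third}: third DB held {len(held)} versions, terminal missed {len(missed)}")
```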
It should be noted that, the initial security rule may be determined based on a plurality of historical alert data, and the determined security rule is issued to the terminal device, so that the terminal device can match each alert data detected with the security rule.
Fig. 4 is a flow chart of an alarm data reporting method provided by an embodiment of the present invention, as shown in fig. 4, applied to a terminal device, where the alarm data reporting method includes the following steps:
step 401, in the case of detecting at least one alarm data, matching each alarm data with a security rule.
Step 402, sending a first alarm message to a central control system based on a matching result; the first alarm message comprises at least one piece of first alarm data representing malicious property; the first alarm message is used for the central control system to store at least one first alarm data into a first database; the security rule is determined based on at least one previously acquired historical alert data.
According to the alarm data reporting method provided by the embodiment of the invention, when a terminal device detects at least one alarm data, it first matches each alarm data against a security rule and sends a first alarm message to the central control system based on the matching result, where the first alarm message comprises at least one first alarm data representing malicious property; when the central control system receives the first alarm messages sent by the terminal devices, it stores the at least one first alarm data of each first alarm message in a first database. It can be seen that the invention screens the detected alarm data on the terminal device side based on the security rule and reports to the central control system only the alarm data that the security rule identifies as malicious, so as to reduce false alarms, reduce the probability that security operators analyze false alarm data, and thereby improve the efficiency with which security operators analyze alarm data.
The alarm data reporting method of the embodiment can realize various functions of the terminal device in the alarm data reporting system in each implementation, and its specific implementation process and technical effects are similar to those of the terminal device side embodiment in the alarm data acquisition system, and specific reference may be made to detailed description of the terminal device side embodiment in the alarm data acquisition system, which is not repeated herein.
Fig. 5 is one of the interactive schematic diagrams of the alarm data reporting method provided by the embodiment of the present invention, as shown in fig. 5, applied to a central control system, an application system and at least one terminal device, the alarm data reporting method includes the following steps:
step 501, the terminal device matches each alarm data with a security rule under the condition that at least one alarm data is detected.
Step 502, the terminal equipment sends a first alarm message to the central control system based on the matching result; the first alarm message comprises at least one piece of first alarm data representing malicious property; the security rule is determined based on at least one previously acquired historical alert data.
Optionally, in the case that the security rule is a white list rule, the first alarm data is alarm data that does not match the security rule; and under the condition that the security rule is a blacklist rule, the first alarm data is alarm data matched with the security rule.
Step 503, the application system screens out abnormal alarm data in the at least one first alarm data to obtain at least one second alarm data, and sends a second alarm message to the central control system based on the at least one second alarm data; the second alarm message comprises at least one piece of second alarm data; the anomaly alert data includes at least one of: alarm data with a null target field and/or alarm data with a target field value not within a preset value range.
Step 504, the central control system stores at least one second alarm data in the first database.
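The three-stage flow of steps 501 to 504 (and of the report flow described with Fig. 3), as an added example that is not the patent's code: the terminal device matches alarms against the security rule, the application server screens out abnormal alarm data (null target field or value outside the preset range), and the central control server performs the secondary match against the rule from the second database before storing into the first database. The rule format, the alarm field names, the target fields and the preset range are assumptions of this example; the sample alarms are constructed.

```python
import fnmatch


class SecurityRule:
    """Assumed rule format: a list of entries mapping alarm fields to glob patterns.
    An alarm matches an entry when every field of that entry matches, and matches
    the rule when any entry does."""

    def __init__(self, kind, entries):
        assert kind in ("whitelist", "blacklist")
        self.kind = kind
        self.entries = entries

    def matches(self, alarm) -> bool:
        return any(
            all(fnmatch.fnmatchcase(str(alarm.get(f, "")), pat) for f, pat in entry.items())
            for entry in self.entries
        )

    def is_reportable(self, alarm) -> bool:
        """White list rule: report what does NOT match; black list rule: report what matches."""
        hit = self.matches(alarm)
        return hit if self.kind == "blacklist" else not hit


def terminal_first_message(alarms, rule):
    """Stage 1 (terminal device): keep only first alarm data, i.e. alarms the rule marks
    as malicious.  An empty list means no first alarm message is sent."""
    return [a for a in alarms if rule.is_reportable(a)]


# Assumed screening parameters of the application server: a null target field, or a
# target field value outside the preset range, marks the alarm data as abnormal.
TARGET_FIELDS = ("id", "proc", "severity")
PRESET_RANGES = {"severity": (1, 10)}


def is_anomalous(alarm) -> bool:
    if any(alarm.get(f) is None for f in TARGET_FIELDS):
        return True
    for f, (lo, hi) in PRESET_RANGES.items():
        value = alarm.get(f)
        if not isinstance(value, (int, float)) or not lo <= value <= hi:
            return True
    return False


def application_second_message(first_message):
    """Stage 2 (application server): drop abnormal alarm data; the rest is second alarm data."""
    return [a for a in first_message if not is_anomalous(a)]


def central_store(second_message, rule, first_db):
    """Stage 3 (central control server): secondary match against the rule read from the
    second database, then store the survivors in the first database (a list here)."""
    stored = [a for a in second_message if rule.is_reportable(a)]
    first_db.extend(stored)
    return stored


# Constructed sample alarms from one terminal device.
SAMPLE_ALARMS = [
    {"id": 1, "proc": "/usr/lib/systemd/systemd", "severity": 3, "signer": "vendor-ca"},
    {"id": 2, "proc": "/tmp/.cache/update", "severity": 7, "signer": None},
    {"id": 3, "proc": None, "severity": 5, "signer": None},                # null target field
    {"id": 4, "proc": "/home/user/a.out", "severity": 42, "signer": None},  # severity out of range
    {"id": 5, "proc": "/opt/vendor/agent", "severity": 2, "signer": "vendor-ca"},
]

# The terminal still holds an older white list; the second database already carries an
# entry for the vendor agent, so the secondary match removes a safe alarm the terminal
# could not screen out (the case the patent's secondary matching is meant to catch).
TERMINAL_RULE = SecurityRule("whitelist", [{"proc": "/usr/lib/*", "signer": "vendor-ca"}])
CENTRAL_RULE = SecurityRule("whitelist", [
    {"proc": "/usr/lib/*", "signer": "vendor-ca"},
    {"proc": "/opt/vendor/*", "signer": "vendor-ca"},
])


def run_pipeline(alarms=SAMPLE_ALARMS, terminal_rule=TERMINAL_RULE, central_rule=CENTRAL_RULE):
    """Return the alarm ids kept at each stage, and the first database contents last."""
    first_db = []
    first_msg = terminal_first_message(alarms, terminal_rule)
    second_msg = application_second_message(first_msg)
    stored = central_store(second_msg, central_rule, first_db)
    return ([a["id"] for a in first_msg], [a["id"] for a in second_msg],
            [a["id"] for a in stored], first_db)


if __name__ == "__main__":
    first, second, stored, _ = run_pipeline()
    print("first alarm data:", first)     # [2, 3, 4, 5]
    print("second alarm data:", second)   # [2, 5]
    print("stored in first DB:", stored)  # [2]
```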
Fig. 6 is a second interactive schematic diagram of an alarm data reporting method according to an embodiment of the present invention, as shown in fig. 6, applied to a central control system, an application system and at least one terminal device, where the alarm data reporting method includes the following steps:
Step 601, under the condition that at least one alarm data is detected, the terminal device matches each alarm data with a security rule.
Step 602, the terminal equipment sends a first alarm message to the central control system based on the matching result; the first alarm message comprises at least one piece of first alarm data representing malicious property; the security rule is determined based on at least one previously acquired historical alert data.
Optionally, in the case that the security rule is a white list rule, the first alarm data is alarm data that does not match the security rule; and under the condition that the security rule is a blacklist rule, the first alarm data is alarm data matched with the security rule.
Step 603, the application system screens out abnormal alarm data in the at least one first alarm data to obtain at least one second alarm data, and sends a second alarm message to the central control system based on the at least one second alarm data; the second alarm message comprises at least one piece of second alarm data; the anomaly alert data includes at least one of: alarm data with a null target field and/or alarm data with a target field value not within a preset value range.
Step 604, the central control system acquires the security rule from a second database, matches each second alarm data in each received second alarm message with the security rule, and stores the second alarm data which is not matched with the security rule into the first database when the security rule is a white list rule; and storing second alarm data matched with the security rule into the first database under the condition that the security rule is a blacklist rule.
Step 605, the central control system determines a new security rule based on the second alarm data, replaces the security rule in the second database with the new security rule, and uploads the new security rule to the cloud storage component.
Step 606, the application server acquires the security rule from the cloud storage component based on the second preset duration, and when determining that the security rule in the third database is different from the security rule acquired from the cloud storage component, replaces the security rule in the third database with the security rule acquired from the cloud storage component.
The alarm data reporting method of the present embodiment may implement various functions of each execution body in the alarm data reporting system in each implementation, and its specific implementation process and technical effects are similar to those of the corresponding execution body side embodiment in the alarm data acquisition system, and specific reference may be made to detailed description of the corresponding execution body side embodiment in the alarm data acquisition system, which is not repeated herein.
The alarm data reporting device provided by the embodiment of the present invention is described below, and the alarm data reporting device described below and the alarm data reporting method described above may be referred to correspondingly.
Fig. 7 is a schematic structural diagram of an alarm data reporting device according to an embodiment of the present invention, and as shown in fig. 7, the alarm data reporting device 700 includes a matching unit 701 and a sending unit 702; wherein:
a matching unit 701, configured to match each alarm data with a security rule when at least one alarm data is detected;
a sending unit 702, configured to send a first alarm message to the central control system based on the matching result; the first alarm message comprises at least one piece of first alarm data representing malicious property; the first alarm message is used for the central control system to store at least one first alarm data into a first database; the security rule is determined based on at least one previously acquired historical alert data.
The device of the present embodiment may be used to execute the method of the alarm data reporting method side embodiment, and its specific implementation process and technical effects are similar to those of the alarm data reporting method side embodiment, and specific reference may be made to the detailed description of the alarm data reporting method side embodiment, which is not repeated herein.
Fig. 8 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention. As shown in Fig. 8, the electronic device may include a processor 810, a communication interface 820, a memory 830 and a communication bus 840, where the processor 810, the communication interface 820 and the memory 830 communicate with one another through the communication bus 840. The processor 810 may call logic instructions in the memory 830 to perform the following method:
under the condition that at least one alarm data is detected, matching each alarm data with a safety rule;
sending a first alarm message to the central control system based on the matching result; the first alarm message comprises at least one piece of first alarm data representing malicious property; the first alarm message is used for the central control system to store at least one first alarm data into a first database; the security rule is determined based on at least one previously acquired historical alert data.
Further, the logic instructions in the memory 830 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art or in part, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In another aspect, an embodiment of the present invention further provides a non-transitory computer readable storage medium, on which a computer program is stored, where the computer program is implemented when executed by a processor to perform the alarm data reporting method provided in the foregoing embodiments, for example, includes:
under the condition that at least one alarm data is detected, matching each alarm data with a safety rule;
sending a first alarm message to the central control system based on the matching result; the first alarm message comprises at least one piece of first alarm data representing malicious property; the first alarm message is used for the central control system to store at least one first alarm data into a first database; the security rule is determined based on at least one previously acquired historical alert data.
In yet another aspect, the present invention further provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the alarm data reporting method provided by the above methods, the method comprising:
in the case that at least one alarm data is detected, matching each alarm data with a security rule;
sending a first alarm message to the central control system based on the matching result; the first alarm message comprises at least one piece of first alarm data representing malicious property; the first alarm message is used by the central control system to store the at least one first alarm data into a first database; the security rule is determined based on at least one previously acquired historical alarm data.
The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement the present invention without undue effort.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus a necessary general-purpose hardware platform, or of course by means of hardware alone. On this understanding, the foregoing technical solution, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in the respective embodiments or in some parts of the embodiments.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it; although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solution described in the foregoing embodiments can be modified, or some of its technical features can be replaced by equivalents, and that such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (15)

1. An alarm data reporting system, characterized by comprising a central control system and at least one terminal device connected to the central control system;
the terminal device is configured to, in the case that at least one alarm data is detected, match each alarm data with a security rule, and to send a first alarm message to the central control system based on a matching result; the first alarm message comprises at least one piece of first alarm data representing malicious property; the security rule is determined based on at least one previously acquired historical alarm data;
the central control system is configured to store the at least one first alarm data into a first database.
2. The alarm data reporting system of claim 1, further comprising an application system, wherein the central control system is connected to the at least one terminal device through the application system;
the terminal device is specifically configured to send the first alarm message to the application system based on the matching result;
the application system is configured to screen out abnormal alarm data from the at least one first alarm data to obtain at least one second alarm data, and to send a second alarm message to the central control system based on the at least one second alarm data; the second alarm message comprises the at least one second alarm data; the abnormal alarm data includes at least one of: alarm data whose target field is null, and alarm data whose target field value is not within a preset value range;
the central control system is specifically configured to store the at least one second alarm data into the first database.
3. The alarm data reporting system of claim 2, wherein, in the case where the security rule is a whitelist rule, the first alarm data is the alarm data that does not match the security rule;
and in the case where the security rule is a blacklist rule, the first alarm data is the alarm data that matches the security rule.
4. The alarm data reporting system of claim 3, wherein the application system comprises a first load balancing device and at least one application server connected to the first load balancing device; the first load balancing device is connected to the at least one terminal device, and each application server is connected to the central control system;
the first load balancing device is configured to receive the first alarm messages sent by each terminal device, and to allocate corresponding first alarm messages to each application server based on a first load balancing policy;
the application server is configured to, for each received first alarm message, screen out abnormal alarm data from the at least one first alarm data in the first alarm message to obtain at least one second alarm data, and to send the second alarm message to the central control system based on the at least one second alarm data.
5. The alarm data reporting system of claim 4, wherein the central control system comprises a second load balancing device and at least one central control server connected to the second load balancing device, each of the application servers being connected to the second load balancing device;
the second load balancing device is configured to receive the second alarm messages sent by the application servers, and to allocate corresponding second alarm messages to the central control servers based on a second load balancing policy;
the central control server is configured to store the at least one second alarm data in each received second alarm message into the first database.
6. The alarm data reporting system of claim 5, wherein each of the central control servers has a Kafka message queue installed thereon;
the second load balancing device is specifically configured to send the second alarm message allocated to each central control server to the Kafka message queue of the corresponding central control server;
the central control server is specifically configured to obtain the second alarm messages from the Kafka message queue based on a first preset duration, and to store the at least one piece of second alarm data in the second alarm messages into the first database.
7. The alarm data reporting system as recited in claim 5, wherein
the central control server is specifically configured to obtain the security rule from a second database, and to match each second alarm data in each received second alarm message with the security rule;
the central control server is specifically configured to store, when the security rule is a whitelist rule, the second alarm data that does not match the security rule into the first database, and to store, when the security rule is a blacklist rule, the second alarm data that matches the security rule into the first database.
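The three matching and screening stages of claims 1 to 7 (terminal-side selection under a whitelist or blacklist rule, application-side screening of null or out-of-range target fields, and central-side re-matching before storage) are easier to reason about in code. The following is an added example written for this page; it is not the applicant's code. The alarm record layout (an `id`, a `host` field that the rule is matched on, and a numeric `severity` used as the target field), the preset value range of 0 to 10, and the sample alarms are all assumptions; the claims only specify the rule modes and the two anomaly conditions.

```python
"""Terminal matching, application-side screening and central storage of alarm data.

Added example, not the patent's own code. The alarm record layout ('id',
'host' as the matched field, numeric 'severity' as the target field) and the
preset value range are assumptions made for this illustration; the claims only
specify a whitelist/blacklist security rule and anomaly screening on a null or
out-of-range target field.
"""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Optional

Alarm = Dict[str, Any]


@dataclass(frozen=True)
class SecurityRule:
    mode: str                  # "whitelist" or "blacklist" (claim 3)
    entries: FrozenSet[str]    # values listed by the rule
    key: str = "host"          # alarm field the rule is matched on (assumed)

    def matches(self, alarm: Alarm) -> bool:
        return alarm.get(self.key) in self.entries


def select_malicious(alarms: List[Alarm], rule: SecurityRule) -> List[Alarm]:
    """Claim 3: under a whitelist rule the alarm data that does NOT match is
    reported as malicious; under a blacklist rule the data that DOES match is."""
    if rule.mode == "whitelist":
        return [a for a in alarms if not rule.matches(a)]
    if rule.mode == "blacklist":
        return [a for a in alarms if rule.matches(a)]
    raise ValueError(f"unknown security rule mode: {rule.mode!r}")


def build_first_message(alarms: List[Alarm], rule: SecurityRule) -> Optional[Dict[str, Any]]:
    """Terminal side (claim 1): match every detected alarm against the rule and
    build the first alarm message, which must carry at least one first alarm data."""
    first = select_malicious(alarms, rule)
    if not first:
        return None   # nothing selected by the rule, so no message is sent
    return {"type": "first_alarm", "alarm_data": first}


def screen_anomalies(first_alarms: List[Alarm], target_field: str = "severity",
                     value_range=(0, 10)) -> List[Alarm]:
    """Application system (claim 2): drop alarm data whose target field is null
    or whose target field value lies outside the preset value range."""
    lo, hi = value_range
    kept = []
    for a in first_alarms:
        v = a.get(target_field)
        if v is None:
            continue                                  # null target field
        if not isinstance(v, (int, float)) or not lo <= v <= hi:
            continue                                  # not within the preset range
        kept.append(a)
    return kept


def central_store(second_alarms: List[Alarm], rule: SecurityRule,
                  first_db: List[Alarm]) -> List[Alarm]:
    """Central control server (claim 7): re-match each second alarm data against
    the rule held in the second database and store only what the rule selects."""
    first_db.extend(select_malicious(second_alarms, rule))
    return first_db


def run_pipeline(alarms: List[Alarm], rule: SecurityRule) -> List[int]:
    """Terminal -> application system -> central control; returns stored alarm ids."""
    msg = build_first_message(alarms, rule)
    if msg is None:
        return []
    second = screen_anomalies(msg["alarm_data"])
    if not second:
        return []                                     # second message needs >= 1 alarm data
    first_db: List[Alarm] = []
    central_store(second, rule, first_db)
    return [a["id"] for a in first_db]


# Constructed sample alarm data (not from the patent).
SAMPLE_ALARMS: List[Alarm] = [
    {"id": 1, "host": "10.0.0.5", "severity": 7},      # reported and stored
    {"id": 2, "host": "10.0.0.9", "severity": 3},      # on the whitelist: suppressed
    {"id": 3, "host": "10.0.0.7", "severity": None},   # reported, dropped: null target field
    {"id": 4, "host": "10.0.0.8", "severity": 42},     # reported, dropped: out of range
]
WHITELIST = SecurityRule("whitelist", frozenset({"10.0.0.9"}))
BLACKLIST = SecurityRule("blacklist", frozenset({"10.0.0.5", "10.0.0.7"}))

if __name__ == "__main__":
    print("whitelist:", run_pipeline(SAMPLE_ALARMS, WHITELIST))   # [1]
    print("blacklist:", run_pipeline(SAMPLE_ALARMS, BLACKLIST))   # [1]
```

Two points the claims leave implicit show up here: the terminal and the central control server apply the same selection logic, so the central re-match in claim 7 is a second, independent check against the rule currently held in the second database rather than trust in the terminal's verdict; and the application-side screening discards records that would otherwise reach the database with unusable target fields, which is what keeps the first database clean for later rule derivation.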
8. The alarm data reporting system as recited in claim 7, wherein
the central control server is further configured to determine a new security rule based on the second alarm data, replace the security rule in the second database with the new security rule, and upload the new security rule to the cloud storage component.
9. The alarm data reporting system as in any one of claims 4-8, wherein
the application server is further configured to obtain a security rule from the cloud storage component based on a second preset duration, and to replace the security rule in the third database with the security rule obtained from the cloud storage component when it is determined that the security rule in the third database differs from the security rule obtained from the cloud storage component.
10. The alarm data reporting system as recited in claim 9, wherein
the terminal device is further configured to send a policy acquisition request to the first load balancing device based on a third preset duration;
the first load balancing device is configured to determine a target application server based on the first load balancing policy, and to send the policy acquisition request to the target application server;
the target application server is configured to obtain a security rule from the third database, and to send the security rule obtained from the third database to the terminal device through the first load balancing policy; the third preset duration is less than or equal to the second preset duration.
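Claims 8 to 10 describe how an updated security rule travels from the central control server through the cloud storage component and the application server's third database down to the terminal, with two polling intervals and the constraint that the terminal's interval does not exceed the application server's. The simulation below is an added example written for this page, not the applicant's code. It assumes, since the claims do not say, that the new rule is derived by adding the hosts of the second alarm data to a blacklist, that rules carry a version number so "different" can be decided by comparison, and that time is a discrete tick counter rather than real timers; the load balancing device in claim 10 is omitted because it only forwards the request.

```python
"""Security rule propagation: central control -> cloud storage -> application
server (third database) -> terminal, with the polling intervals of claims 9-10.

Added example, not the patent's own code. The rule derivation (add reported
hosts to a blacklist), the version number on the rule, and the discrete tick
clock are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    version: int
    mode: str
    entries: FrozenSet[str]


class CloudStorage:
    """Cloud storage component holding the latest published rule."""
    def __init__(self) -> None:
        self.rule: Optional[Rule] = None

    def upload(self, rule: Rule) -> None:
        self.rule = rule

    def fetch(self) -> Optional[Rule]:
        return self.rule


class CentralControlServer:
    def __init__(self, cloud: CloudStorage, initial: Rule) -> None:
        self.cloud = cloud
        self.second_db = initial        # second database: the rule used for matching

    def learn(self, second_alarms: List[Dict[str, Any]]) -> Rule:
        """Claim 8: determine a new rule from second alarm data, replace the rule
        in the second database, and upload it to the cloud storage component."""
        hosts = {a["host"] for a in second_alarms}          # assumed derivation
        new = Rule(self.second_db.version + 1, "blacklist", self.second_db.entries | hosts)
        self.second_db = new
        self.cloud.upload(new)
        return new


class ApplicationServer:
    def __init__(self, cloud: CloudStorage, second_duration: int) -> None:
        self.cloud = cloud
        self.second_duration = second_duration   # polling interval of claim 9
        self.third_db: Optional[Rule] = None     # third database
        self.replacements = 0                    # how often the third database changed

    def tick(self, now: int) -> None:
        """Claim 9: every second_duration, fetch the cloud rule and replace the
        third-database rule only when it differs."""
        if now % self.second_duration != 0:
            return
        fetched = self.cloud.fetch()
        if fetched is not None and fetched != self.third_db:
            self.third_db = fetched
            self.replacements += 1

    def handle_policy_request(self) -> Optional[Rule]:
        """Claim 10: answer a policy acquisition request from the third database."""
        return self.third_db


class Terminal:
    def __init__(self, app: ApplicationServer, third_duration: int) -> None:
        self.app = app
        self.third_duration = third_duration    # polling interval of claim 10
        self.rule: Optional[Rule] = None

    def tick(self, now: int) -> None:
        if now % self.third_duration == 0:
            got = self.app.handle_policy_request()   # load balancing device omitted
            if got is not None:
                self.rule = got


def validate_durations(second_duration: int, third_duration: int) -> None:
    """Claim 10: the third preset duration must not exceed the second one."""
    if third_duration > second_duration:
        raise ValueError("third preset duration must be <= second preset duration")


def propagation_delay(second_duration: int, third_duration: int, ticks: int = 200) -> Optional[int]:
    """Publish a new rule just before tick 1 and return the tick at which the
    terminal first holds it (None if it never arrives within the window)."""
    validate_durations(second_duration, third_duration)
    cloud = CloudStorage()
    central = CentralControlServer(cloud, Rule(0, "blacklist", frozenset()))
    app = ApplicationServer(cloud, second_duration)
    term = Terminal(app, third_duration)
    published = central.learn([{"id": 1, "host": "10.0.0.5"}])   # constructed sample
    for now in range(1, ticks + 1):
        app.tick(now)      # application server polls the cloud first
        term.tick(now)     # then the terminal polls the application server
        if term.rule == published:
            return now
    return None


if __name__ == "__main__":
    print(propagation_delay(30, 10))   # 30
    print(propagation_delay(30, 7))    # 35
```

Running it shows why the claim orders the two intervals: the terminal can never see a rule before the application server has polled it from the cloud, so the worst-case delay is roughly the sum of the two intervals, and a terminal that polled less often than the application server would leave stale rules on the endpoint longer than necessary. The `replacements` counter also confirms that the third database is rewritten only when the fetched rule actually differs, as claim 9 requires, rather than on every poll.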
11. An alarm data reporting method, characterized by being applied to a terminal device, the method comprising:
in the case that at least one alarm data is detected, matching each alarm data with a security rule;
sending a first alarm message to the central control system based on the matching result; the first alarm message comprises at least one piece of first alarm data representing malicious property; the first alarm message is used by the central control system to store the at least one first alarm data into a first database; the security rule is determined based on at least one previously acquired historical alarm data.
12. An alarm data reporting device, comprising:
a matching unit, configured to match each alarm data with a security rule in the case that at least one alarm data is detected;
a sending unit, configured to send a first alarm message to the central control system based on the matching result; the first alarm message comprises at least one piece of first alarm data representing malicious property; the first alarm message is used by the central control system to store the at least one first alarm data into a first database; the security rule is determined based on at least one previously acquired historical alarm data.
13. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the alarm data reporting method of claim 11 when the program is executed by the processor.
14. A non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the alarm data reporting method of claim 11.
15. A computer program product having stored thereon executable instructions which, when executed by a processor, cause the processor to implement the alarm data reporting method of claim 11.
CN202310620154.XA 2023-05-29 2023-05-29 Alarm data reporting system, alarm data reporting method and device Pending CN117081776A (en)


Publications (1)

Publication Number Publication Date
CN117081776A true CN117081776A (en) 2023-11-17

Family

ID=88712246



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination