CN117201273A - Automatic analysis and noise reduction method and device for safety alarm and server - Google Patents


Info

Publication number
CN117201273A
Authority
CN
China
Prior art keywords
alarm
information
target
analysis
alarm information
Prior art date
Legal status
Pending
Application number
CN202311167478.9A
Other languages
Chinese (zh)
Inventor
何颖华
刘书航
王可圣
Current Assignee
Jiangsu Anheng Network Security Co ltd
Original Assignee
Jiangsu Anheng Network Security Co ltd

Landscapes

  • Alarm Systems (AREA)

Abstract

The application provides a method, a device and a server for automatically analyzing and reducing noise of safety alarm, which relate to the technical field of situation awareness and comprise the following steps: acquiring an analysis dimension set, alarm information to be processed and a target detection item; performing dimension acquisition processing on the alarm information to be processed according to the target detection items and the keyword information in the alarm information to be processed, and determining a target analysis dimension set and target alarm information, wherein the target alarm information is the alarm information to be processed comprising the target detection items; and solidifying the historical analysis experience data into logic codes, and respectively carrying out data analysis processing on the target alarm information in each target analysis dimension by utilizing the logic codes to determine alarm noise information, wherein the alarm noise information is false alarm information. The application can automatically detect the alarm noise, thereby improving the stability of the safety alarm analysis result and remarkably improving the noise reduction efficiency.

Description

Automatic analysis and noise reduction method and device for safety alarm and server
Technical Field
The application relates to the technical field of situation awareness, in particular to a method, a device and a server for automatically analyzing and reducing noise of safety alarm.
Background
The situation awareness platform is a security monitoring system with real-time monitoring, early warning, analysis and response functions. In use, it is connected to various security devices and to the alarm and log data of business systems; when some threat detection rules are improperly configured or business behaviour is non-standard, the platform generates massive false or invalid alarms (alarm noise). At present, related technologies propose determining the alarm problems of the situation awareness platform through manual analysis, but manual analysis depends heavily on the experience level of security personnel, so the actual effect varies widely and takes a long time.
Disclosure of Invention
Accordingly, the present application is directed to a method, an apparatus, and a server for automatically analyzing and reducing noise of a security alarm, which can automatically detect the alarm noise, thereby improving the stability of the analysis result of the security alarm and remarkably improving the noise reduction efficiency.
In a first aspect, an embodiment of the present application provides a method for automatically analyzing and reducing noise of a security alarm, where the method is applied to a situation awareness platform, and the method includes: acquiring an analysis dimension set, alarm information to be processed and a target detection item; performing dimension acquisition processing on the alarm information to be processed according to the target detection items and the keyword information in the alarm information to be processed, and determining a target analysis dimension set and target alarm information, wherein the target alarm information is the alarm information to be processed comprising the target detection items; and solidifying the historical analysis experience data into logic codes, and respectively carrying out data analysis processing on the target alarm information in each target analysis dimension by utilizing the logic codes to determine alarm noise information, wherein the alarm noise information is false alarm information.
In one embodiment, the step of performing dimension acquisition processing on the alarm information to be processed according to the target detection item and the keyword information in the alarm information to be processed, and determining the target analysis dimension set and the target alarm information, includes: determining the target analysis dimension set within the analysis dimension set using the target detection item; and performing dimension acquisition processing on the alarm information to be processed according to the dimension acquisition logic corresponding to each target analysis dimension, and determining the target alarm information, wherein the dimension acquisition logic comprises: condition filtering and layer-by-layer aggregation.
In one embodiment, according to dimension collection logic corresponding to each target analysis dimension, dimension collection processing is performed on alarm information to be processed, and the step of determining the target alarm information includes: performing condition filtering treatment on the alarm information to be treated according to the target detection item to obtain a preliminary screening result; and carrying out layer-by-layer aggregation processing on the primary screening result by utilizing the keyword information in the alarm information to be processed, and determining the target alarm information.
In one embodiment, after the step of determining the target alert information, the method includes: and performing back-pushing processing on the target alarm information through a preset configuration optimization analysis model, and determining a platform configuration problem of the situation awareness platform.
In one embodiment, prior to the step of acquiring the analysis dimension set, the alarm information to be processed and the target detection item, the method comprises: acquiring platform information of the situation awareness platform, performing performance detection processing on the situation awareness platform using the platform information, and determining a performance detection result, wherein the platform information comprises: platform rule version, accessed security equipment, platform running state and alarm white list configuration; when the performance detection result is "pass", the situation awareness platform is allowed to carry out automatic security alarm analysis.
In one embodiment, after the step of determining the alert noise information, the method comprises: adjusting the format of the alarm noise information according to preset standard format information to determine standard alarm noise information, wherein in the standard alarm noise information, the target analysis dimension and the target alarm information are in one-to-one correspondence; template matching processing is carried out on the standard alarm noise information, and the target alarm noise information is determined; and storing the target alarm noise information into a report file.
In one embodiment, the step of performing template matching processing on the standard alarm noise information to determine target alarm noise information includes: performing data type analysis on the target alarm noise information, and determining the input data type and the data set; matching a preset description template set with the input data type and the data set to determine a target description template; and combining the standard alarm noise information with the target description template to generate target alarm noise information.
In a second aspect, an embodiment of the present application further provides a security alarm automatic analysis noise reduction device, where the device is applied to a situation awareness platform, and the device includes: the data acquisition module is used for acquiring an analysis dimension set, alarm information to be processed and target detection items; the dimension acquisition module is used for carrying out dimension acquisition processing on the alarm information to be processed according to the target detection items and the keyword information in the alarm information to be processed, and determining a target analysis dimension set and the target alarm information, wherein the target alarm information is the alarm information to be processed comprising the target detection items; the data analysis module is used for solidifying the historical analysis experience data into logic codes, and utilizing the logic codes to respectively conduct data analysis processing on the target alarm information in each target analysis dimension to determine alarm noise information, wherein the alarm noise information is false alarm information.
In a third aspect, embodiments of the present application also provide a server comprising a processor and a memory, the memory storing computer executable instructions executable by the processor, the processor executing the computer executable instructions to implement the method of any one of the first aspects.
In a fourth aspect, embodiments of the present application also provide a computer-readable storage medium storing computer-executable instructions that, when invoked and executed by a processor, cause the processor to implement the method of any one of the first aspects.
The embodiment of the application has the following beneficial effects:
according to the method, the device and the server for automatically analyzing and denoising the security alarm, after the analysis dimension set, the alarm information to be processed and the target detection item are acquired, dimension acquisition processing is carried out on the alarm information to be processed according to the target detection item and the keyword information in the alarm information to be processed, the target analysis dimension set and the target alarm information are determined, historical analysis experience data are solidified into logic codes, the logic codes are utilized to respectively carry out data analysis processing on the target alarm information in each target analysis dimension, and alarm noise information is determined.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the above objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present application, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a method for automatically analyzing and reducing noise of a security alarm according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a method for automatically analyzing and reducing noise of a security alarm according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a security alarm automatic analysis noise reduction device according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the present application will be clearly and completely described in conjunction with the embodiments, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
At present, a situation awareness platform is a security monitoring system with real-time monitoring, early warning, analysis and response functions. By collecting, processing and analyzing data from various security devices and systems, the platform helps a user understand the current security situation and take timely measures against threats, and it has therefore become one of the important means of guaranteeing network security in a modern information environment. When the situation awareness platform is used, various security devices and the alarm and log data of business systems are connected to it; when some threat detection rules are improperly configured or business behaviour is non-standard, the platform generates massive false or invalid alarms (alarm noise), and the attack alarms that really need analysis and handling become hard to find. The alarm noise therefore needs to be cleared in the initial operation stage of the situation awareness platform. The alarm problems of the platform can be determined through manual analysis: security personnel operate the platform directly and judge the alarm problems through alarm retrieval, alarm aggregation, platform configuration item inspection, probe configuration item inspection and similar means. However, because manual detection depends heavily on the experience level of security personnel, the actual detection effect varies widely and the stability of the detection and analysis results is poor; in addition, manually checking and analyzing the platform alarms and configuration, recording the problems and summarizing the report requires a large investment of time.
Referring to fig. 1, which is a flow chart of a security alarm automation analysis noise reduction method, the method is applied to a situation awareness platform, and the method mainly includes the following steps S102 to S106:
step S102, the analysis dimension set, the alarm information to be processed and the target detection items are obtained. In one implementation, security personnel collect and summarize various scene characteristics, each scene is used as an analysis dimension, and the analysis dimension set is established from these dimensions. When the situation awareness platform is connected with various security devices and business systems it receives various alarm information and log data, and when some threat detection rules are improperly configured or business behaviour is non-standard the platform generates massive false or invalid alarms (alarm noise); the alarm information to be processed is the set of alarm noise received in this process. The target detection item is the specific category of alarm information or log data to be analyzed in the automatic analysis and noise reduction process (for example XSS attack (Cross Site Scripting) or TLS (Transport Layer Security)). In one embodiment, a user with sufficient authority logs in with a user name and password through the platform's back-end request interface, or obtains a cookie after logging in to the platform manually, and then acquires data such as the analysis dimension set, the alarm information to be processed and the target detection items.
Step S104, dimension collection processing is performed on the alarm information to be processed according to the target detection items and the keyword information in the alarm information to be processed, and a target analysis dimension set and target alarm information are determined, wherein the target alarm information is the alarm information to be processed that contains the target detection items. The keyword information in the alarm information to be processed is an aggregation field, which can include alarm name, alarm type, attack direction, attack result and the like. In one implementation, different screening conditions and aggregation conditions are selected for different analysis dimensions and the corresponding logs or alarm information are collected: first, the massive alarm information to be processed is preliminarily screened according to the target detection items; then the alarm information to be processed with the same aggregation field value is assigned to the same group through the keyword information, so that the target alarm information and the target analysis dimension set corresponding to it are obtained, wherein the target analysis dimensions and the target alarm information can be in one-to-one correspondence.
Step S106, the historical analysis experience data is solidified into logic codes, and the logic codes are used to perform data analysis processing on the target alarm information in each target analysis dimension separately to determine alarm noise information, wherein the alarm noise information is false alarm information. In one embodiment, the logic codes into which the historical analysis experience data has been solidified perform multidimensional analysis on the acquired data and output the analysis results in document form. In another embodiment, the original log (or simply log) is the original data pushed to the situation awareness platform by a data source such as a security device or application system; original logs include alarm logs, running state logs, audit logs and the like. After receiving the original log, the situation awareness platform detects it with various analysis models, so that the security threats in the original log are output in the form of alarms. Alarm information generally comprises alarm level, alarm type, alarm time, alarm description and the like, and is used to help a security team analyze and handle security threats. In one embodiment, the alarm information in the above steps can be replaced by log data, and noise reduction can be performed on the log data with the same method.
According to the automatic analysis and noise reduction method for the safety alarm, which is provided by the embodiment of the application, the alarm noise is automatically detected, so that the stability of the analysis result of the safety alarm is improved, and the noise reduction efficiency is obviously improved.
Referring to a schematic diagram of a method for automatically analyzing and reducing noise of a security alarm shown in fig. 2, an embodiment of the present application further provides an implementation manner for analyzing and reducing noise of alarm information, which is specifically described in the following (1) to (2):
(1) The step of collecting data required for analysis from a situational awareness platform includes the following steps: (a) to (b):
(a) Acquiring platform information of the situation awareness platform, performing performance detection processing on the situation awareness platform using the platform information, and determining a performance detection result, thereby judging whether the situation awareness platform can normally complete the anomaly monitoring task, wherein the platform information comprises: platform rule version, accessed security equipment, platform running state and alarm white list configuration; when the performance detection result is "pass", the situation awareness platform is allowed to carry out automatic security alarm analysis. In one embodiment, the platform information of the situation awareness platform can be obtained through the platform's OpenAPI.
(b) Determining the target analysis dimension set within the analysis dimension set using the target detection item, and performing dimension acquisition processing on the alarm information to be processed according to the dimension acquisition logic corresponding to each target analysis dimension to determine the target alarm information, wherein the dimension acquisition logic comprises: condition filtering and layer-by-layer aggregation. In one embodiment, acquisition of platform alarms is the core of the data acquisition module: after the alarm data that must be acquired in each analysis dimension is determined, the acquisition logic is written into a configuration file, and the acquisition module then executes the corresponding acquisition logic to acquire the target alarm information. Specifically, condition filtering is performed on the alarm information to be processed according to the target detection item to obtain a preliminary screening result, so that the desired part is screened out of the large volume of alarm information to be processed; the keyword information in the alarm information to be processed is then used to perform layer-by-layer aggregation on the preliminary screening result, alarms with the same aggregation field value enter the same group, and the alarms in each group are collected to determine the target alarm information. After the layer-by-layer aggregation, the screened alarm information to be processed can be further de-duplicated, keeping the key information and reducing the amount of acquired data.
(2) A step of automatically analyzing the collected data based on the solidified analysis experience and outputting standardized analysis results and treatment advice in a form of natural language, comprising the steps of: (A) to (B):
(A) After the security personnel collect and summarize various scene features, each scene is used as an analysis dimension and written into logic code (the analysis experience is solidified). After the alarm or original log data is acquired for each analysis scene, the corresponding logic code is executed to perform feature detection on the alarm or original log data, and the false alarms that meet the judgment conditions are output. The scene features can include attack direction, attack type, attack source, target and the like. In one implementation, each analysis dimension corresponds to one type ID and outputs different data content, in the following standard format: {"type": "A_01", "data": {"ip": ["192.168.10.10"]}}. In another implementation, the target alarm information is back-pushed through a preset configuration optimization analysis model, and the platform configuration problems of the situation awareness platform are determined by back-pushing from the collected abnormal logs or alarms.
In practical application, false alarms of XSS alarm information are analyzed as follows. An XSS attack (Cross Site Scripting) is a way of attacking a Web site: by inserting malicious scripts into the site, an attacker can steal user accounts, modify user settings, steal or pollute cookies, tamper with Web pages and so on. XSS vulnerability detection attacks are usually initiated against the same target Web site by a single source or a few attack sources and trigger a large number of alarms. Besides real vulnerability detection behaviour, some normal business behaviour can also cause XSS attack alarms on the traffic detection equipment, for example special characters such as brackets in transmitted interface parameters; when a normal access request is identified as an XSS attack, alarms from a large number of source IPs initiating attacks against the target system appear. Thus the false alarm features are summarized as follows: there are a large number of XSS alarms for a destination IP, but the proportion of alarms generated by the TOP10 source IPs in the total number of alarms is less than 30% (i.e. the distribution of alarm sources is very loose). According to these false alarm features, the data collection module first screens the XSS attack alarms, aggregates them by the target site field and counts the alarms in each aggregation group, then aggregates by the source IP field and counts the alarms in each group. The data analysis module performs statistical judgment on this information and outputs the target sites that match the false alarm features, in the following format: {"type": "A_01", "data": {"domain": ["www.example1.com", "www.example2.com"]}}.
In practical application, when encrypted traffic is not analyzed: application layer traffic is mostly encrypted traffic based on the TLS protocol, where TLS (Transport Layer Security) is an encryption protocol providing secure data transmission over a computer network. The primary purpose of TLS is to ensure the privacy and integrity of communications so that data cannot be eavesdropped, tampered with or forged during transmission, and TLS is typically used to protect Web applications, email communications and other applications that require confidentiality and data integrity. When the communication key of an internal server is not configured in the traffic detection device, the device cannot analyze that communication traffic and cannot detect attack traffic inside it, which creates a great security risk; the unresolved application traffic is pushed to the situation awareness platform in the form of TLS protocol communication logs. Therefore, the data collection module can screen the external-to-internal and internal TLS protocol communication logs out of the original logs and aggregate them by the SNI field, where SNI (Server Name Indication) is a TLS extension that allows the client to specify the host name of the server it connects to. When a Web server hosts multiple domain names, SNI helps the server distinguish requests for different domain names and select the correct certificate for the encrypted connection, so the open services on the server can be identified through the SNI. The data analysis module extracts all SNIs from the collected data and finally outputs them as a data list, in the following format: {"type": "A_02", "data": {"domain": ["www.example1.com", "www.example2.com"]}}.
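The collection and analysis logic of steps S104 and S106 and of items (b) and (A), applied to the two dimensions described above (A_01, XSS false-positive sites, and A_02, SNIs of unresolved TLS traffic), as an added Python example. This is not code from the patent or from the assignee's product. The record field names (alarm_type, dst_site, src_ip, log_type, direction, sni), the sample records, and the minimum of 20 alarms for a site to count as having "a large number" of XSS alarms are assumptions; the TOP10 / 30% rule, the direction filter and the output format are taken from the text.

```python
from collections import defaultdict
import json


# Constructed sample records (not real data). Field names are assumptions:
# alarms carry alarm_type, dst_site and src_ip; TLS communication logs carry
# direction and sni.
def constructed_records():
    recs = []
    # 40 XSS alarms against example1 from 40 different source IPs: a loose
    # source distribution, the false-positive pattern described in the text.
    for i in range(1, 41):
        recs.append({"log_type": "alarm", "alarm_type": "XSS",
                     "dst_site": "www.example1.com", "src_ip": f"203.0.113.{i}"})
    # 20 XSS alarms against example2 from only 2 sources: concentrated, so
    # it is treated as genuine vulnerability probing and is not reported.
    for i in range(20):
        recs.append({"log_type": "alarm", "alarm_type": "XSS",
                     "dst_site": "www.example2.com", "src_ip": f"198.51.100.{i % 2 + 1}"})
    # A non-XSS alarm that condition filtering must drop.
    recs.append({"log_type": "alarm", "alarm_type": "SQLi",
                 "dst_site": "www.example1.com", "src_ip": "203.0.113.1"})
    # TLS communication logs; only external-to-internal and internal ones count.
    recs += [
        {"log_type": "tls", "direction": "external_to_internal", "sni": "api.example.internal"},
        {"log_type": "tls", "direction": "internal", "sni": "db.example.internal"},
        {"log_type": "tls", "direction": "internal", "sni": "api.example.internal"},
        {"log_type": "tls", "direction": "internal_to_external", "sni": "cdn.example.net"},
    ]
    return recs


def condition_filter(records, **conditions):
    """Condition filtering: keep records whose fields equal the given values."""
    return [r for r in records if all(r.get(k) == v for k, v in conditions.items())]


def aggregate(records, field):
    """One aggregation layer: group records by the value of one aggregation field."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get(field)].append(r)
    return groups


def xss_false_positive_sites(records, min_alarms=20, top_n=10, max_share=0.30):
    """Dimension A_01 (the solidified analysis experience from the text): a target
    site with many XSS alarms whose TOP-10 source IPs produce less than 30% of
    them is reported as alarm noise. min_alarms is an assumed threshold."""
    xss = condition_filter(records, alarm_type="XSS")          # preliminary screening
    noisy = []
    for site, group in aggregate(xss, "dst_site").items():     # layer 1: target site
        if len(group) < min_alarms:
            continue
        by_src = aggregate(group, "src_ip")                    # layer 2: source IP
        top = sorted((len(g) for g in by_src.values()), reverse=True)[:top_n]
        if sum(top) / len(group) < max_share:
            noisy.append(site)
    return {"type": "A_01", "data": {"domain": sorted(noisy)}}


def unresolved_tls_sni(records):
    """Dimension A_02: SNIs of external-to-internal and internal TLS logs, which
    identify encrypted services the traffic detection device could not analyze."""
    tls = [r for r in condition_filter(records, log_type="tls")
           if r.get("direction") in ("external_to_internal", "internal")]
    # Aggregating by SNI de-duplicates: the group keys are the distinct SNIs.
    snis = sorted(sni for sni in aggregate(tls, "sni") if sni)
    return {"type": "A_02", "data": {"domain": snis}}


# The analysis dimension set: target detection item -> solidified logic code.
DIMENSIONS = {"XSS": xss_false_positive_sites, "TLS": unresolved_tls_sni}


def analyze(records, target_items):
    """Select the target analysis dimensions by detection item and run each one."""
    return [DIMENSIONS[item](records) for item in target_items if item in DIMENSIONS]


if __name__ == "__main__":
    for result in analyze(constructed_records(), ["XSS", "TLS"]):
        print(json.dumps(result))
```

With the constructed records, only www.example1.com is reported under A_01 (its top-10 sources cover 10 of 40 alarms, 25%), while www.example2.com, where two sources produce every alarm, is kept as a genuine probe; A_02 lists the two internal SNIs and drops the internal-to-external log.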
(B) Each output of each analysis dimension needs a corresponding detailed description and treatment suggestion. After the alarm noise information is determined, its format is adjusted according to preset standard format information to determine standard alarm noise information; template matching is performed on the standard alarm noise information to determine the target alarm noise information; and the target alarm noise information is stored in a report file. In the standard alarm noise information, the target analysis dimensions and the target alarm noise information are in one-to-one correspondence. In one embodiment, data type analysis is performed on the target alarm noise information to determine the input data type and the data set; a preset description template set is matched against the input data type and the data set to determine the target description template; and the standard alarm noise information is combined with the target description template, that is, filled into it, to generate the target alarm noise information, which is the descriptive text of the alarm noise.
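The standardization, template matching and report step of item (B), as an added Python example; it is not code from the patent or the assignee's product. The template wording, the (type, data type) keying of the description template set, the report entry fields and the sample dimension outputs are assumptions made for this example; the standard output format itself is the one shown in the text.

```python
import json

# Preset description template set, keyed by (dimension type ID, input data type).
# The wording is constructed for this example, not the patent's own text.
TEMPLATES = {
    ("A_01", "domain"): {
        "description": ("The site(s) {items} received a large number of XSS alarms whose "
                        "sources are loosely distributed (TOP-10 source IPs below 30% of the "
                        "total), which matches normal requests carrying special characters "
                        "being identified as XSS attacks rather than real vulnerability probing."),
        "advice": ("Check the interface parameters of these sites for legitimate bracket "
                   "characters and tune the XSS rule or add them to the alarm white list."),
    },
    ("A_02", "domain"): {
        "description": ("TLS communication to {items} reached the platform as unresolved TLS "
                        "logs, so the traffic detection device cannot inspect it for attacks."),
        "advice": ("Configure the communication keys of these internal services in the "
                   "traffic detection device so that the encrypted traffic can be analyzed."),
    },
}


def standardize(raw):
    """Adjust one dimension output to the standard format: a type ID plus a data
    mapping, with each data set de-duplicated and ordered."""
    if (not isinstance(raw, dict) or not isinstance(raw.get("type"), str)
            or not isinstance(raw.get("data"), dict)):
        raise ValueError(f"output does not conform to standard format: {raw!r}")
    return {"type": raw["type"],
            "data": {key: sorted(set(values)) for key, values in raw["data"].items()}}


def data_type_analysis(std):
    """Determine the input data type (the data key) and the data set for each entry."""
    return list(std["data"].items())


def match_template(std):
    """Template matching: pick the preset template by (type, data type) and fill it
    with the standard alarm noise information, producing target alarm noise
    information (description text plus treatment suggestion)."""
    entries = []
    for key, values in data_type_analysis(std):
        template = TEMPLATES.get((std["type"], key))
        if template is None or not values:
            continue  # unknown data type, or nothing was found in this dimension
        items = ", ".join(values)
        entries.append({"type": std["type"], "data_type": key, "count": len(values),
                        "description": template["description"].format(items=items),
                        "advice": template["advice"]})
    return entries


def build_report(raw_outputs):
    """Standardize every dimension output and turn it into report entries."""
    report = []
    for raw in raw_outputs:
        report.extend(match_template(standardize(raw)))
    return report


def write_report(path, report):
    """Store the target alarm noise information in a report file."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(report, fh, indent=2, ensure_ascii=False)


# Constructed dimension outputs in the format shown in the text: a duplicate
# domain, an empty result, and a type ID with no template.
SAMPLE_OUTPUTS = [
    {"type": "A_01", "data": {"domain": ["www.example2.com", "www.example1.com", "www.example1.com"]}},
    {"type": "A_02", "data": {"domain": []}},
    {"type": "A_99", "data": {"ip": ["192.168.10.10"]}},
]

if __name__ == "__main__":
    entries = build_report(SAMPLE_OUTPUTS)
    write_report("alarm_noise_report.json", entries)
    print(json.dumps(entries, indent=2))
```

Only the A_01 output yields a report entry: the empty A_02 data set has nothing to describe, and A_99 has no template in the preset set, so both are skipped rather than written as hollow entries.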
In summary, the data can be acquired in a condition filtering and layer-by-layer aggregation mode, analysis experience is solidified into code logic, and automatic acquisition and analysis are performed on situation awareness platform data, so that stability of analysis quality is ensured, and analysis and summarization efficiency of safety personnel can be greatly improved through coding most repeated actions.
For the method for automatically analyzing and denoising the security alarm provided in the foregoing embodiment, the embodiment of the present application provides a device for automatically analyzing and denoising the security alarm, which is applied to a situation awareness platform, and is shown in fig. 3, and the device includes the following parts:
the data acquisition module 302 acquires an analysis dimension set, alarm information to be processed and target detection items;
the dimension acquisition module 304 performs dimension acquisition processing on the alarm information to be processed according to the target detection item and the keyword information in the alarm information to be processed, and determines a target analysis dimension set and target alarm information, wherein the target alarm information is the alarm information to be processed comprising the target detection item;
the data analysis module 306 solidifies the historical analysis experience data into logic codes, and performs data analysis processing on the target alarm information in each target analysis dimension by utilizing the logic codes to determine alarm noise information, wherein the alarm noise information is false alarm information.
The data processing device provided by the embodiment of the application can automatically detect the alarm noise, thereby improving the stability of the safety alarm analysis result and remarkably improving the noise reduction efficiency.
In one embodiment, when performing the step of performing dimension acquisition processing on the alarm information to be processed according to the target detection item and the keyword information in the alarm information to be processed, and determining the target analysis dimension set and the target alarm information, the dimension acquisition module 304 is further configured to: determine the target analysis dimension set within the analysis dimension set using the target detection item; and perform dimension acquisition processing on the alarm information to be processed according to the dimension acquisition logic corresponding to each target analysis dimension, and determine the target alarm information, wherein the dimension acquisition logic comprises: condition filtering and layer-by-layer aggregation.
In an embodiment, when performing the step of performing dimension collection processing on the alarm information to be processed according to dimension collection logic corresponding to each target analysis dimension and determining the target alarm information, the dimension collection module 304 is further configured to: performing condition filtering treatment on the alarm information to be treated according to the target detection item to obtain a preliminary screening result; and carrying out layer-by-layer aggregation processing on the primary screening result by utilizing the keyword information in the alarm information to be processed, and determining the target alarm information.
In one embodiment, after the step of determining the target alarm information, the dimension collection module 304 is further configured to: and performing back-pushing processing on the target alarm information through a preset configuration optimization analysis model, and determining a platform configuration problem of the situation awareness platform.
In one embodiment, before the step of acquiring the analysis dimension set, the alarm information to be processed, and the target detection item, the data acquisition module 302 is further configured to: acquire platform information of the situation awareness platform, perform performance detection processing on the situation awareness platform by utilizing the platform information, and determine a performance detection result, wherein the platform information comprises: the platform rule version, the accessed security equipment, the platform running state and the alarm white list configuration; and, when the performance detection result is passing, allow the situation awareness platform to carry out automatic security alarm analysis.
In one embodiment, after the step of determining the alarm noise information, the data analysis module 306 is further configured to: adjusting the format of the alarm noise information according to preset standard format information to determine standard alarm noise information, wherein in the standard alarm noise information, the target analysis dimension and the target alarm information are in one-to-one correspondence; template matching processing is carried out on the standard alarm noise information, and the target alarm noise information is determined; and storing the target alarm noise information into a report file.
In one embodiment, when performing the step of performing the template matching process on the standard alarm noise information to determine the target alarm noise information, the data analysis module 306 is further configured to: performing data type analysis on the target alarm noise information, and determining the input data type and the data set; matching a preset description template set with the input data type and the data set to determine a target description template; and combining the standard alarm noise information with the target description template to generate target alarm noise information.
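The following Python sketch is an added example, not code from the patent or the applicant. It implements the pipeline the device modules describe: condition filtering on the target detection item, layer-by-layer aggregation on keyword fields, historical analysis experience solidified as rule functions per dimension, standardised noise entries, template-matched descriptions, and the pre-analysis platform check. Every field name, dimension, rule, template and sample alert is a constructed assumption; the alert schema and the internal address range are likewise assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample alerts (assumed field names; alert 3 is the only one that looks like a real attack).
SAMPLE_ALERTS = [
    {"id": 1, "rule": "web_attack", "src_ip": "10.0.0.5", "dst_ip": "10.1.1.10", "payload": "GET /health"},
    {"id": 2, "rule": "web_attack", "src_ip": "10.0.0.5", "dst_ip": "10.1.1.10", "payload": "GET /health"},
    {"id": 3, "rule": "web_attack", "src_ip": "198.51.100.7", "dst_ip": "10.1.1.10", "payload": "GET /?id=1 UNION SELECT"},
    {"id": 4, "rule": "port_scan", "src_ip": "10.0.0.9", "dst_ip": "10.1.1.20", "payload": ""},
    {"id": 5, "rule": "web_attack", "src_ip": "10.0.0.200", "dst_ip": "10.1.1.10", "payload": "GET /health"},
]

# Analysis dimension set (constructed): each dimension names the detection items it applies to
# and the keyword fields used, in order, for layer-by-layer aggregation.
ANALYSIS_DIMENSIONS = {
    "repeat_source": {"items": {"web_attack", "port_scan"}, "keys": ["rule", "src_ip", "dst_ip"]},
    "benign_payload": {"items": {"web_attack"}, "keys": ["rule", "payload"]},
    "brute_force": {"items": {"login_failure"}, "keys": ["rule", "dst_ip"]},
}

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
BENIGN_PATHS = {"GET /health"}  # assumed: requests that past triage repeatedly confirmed as monitoring traffic


def select_dimensions(dimensions, target_item):
    """Target analysis dimension set: the dimensions whose detection items include the target item."""
    return {name: d for name, d in dimensions.items() if target_item in d["items"]}


def condition_filter(alerts, target_item):
    """Condition filtering: the preliminary screening result keeps only alerts carrying the target item."""
    return [a for a in alerts if a["rule"] == target_item]


def aggregate_layers(alerts, keys, prefix=()):
    """Layer-by-layer aggregation: group on keys[0], then each group on keys[1], and so on.
    Returns {tuple_of_key_values: [alerts]} for the innermost layer."""
    if not keys:
        return {prefix: alerts}
    layer = defaultdict(list)
    for a in alerts:
        layer[a[keys[0]]].append(a)
    leaves = {}
    for value, members in layer.items():
        leaves.update(aggregate_layers(members, keys[1:], prefix + (value,)))
    return leaves


# "Logic codes": historical analysis experience written as plain predicates over one aggregated group.
# Both rules are constructed examples, not rules from the patent.
def rule_internal_repeat(group):
    if len(group) >= 2 and all(ipaddress.ip_address(a["src_ip"]) in INTERNAL_NET for a in group):
        return "repeated alerts from one internal source to one host"
    return None


def rule_benign_payload(group):
    if all(a["payload"] in BENIGN_PATHS for a in group):
        return "payload is a known health-check request"
    return None


NOISE_RULES = {"repeat_source": rule_internal_repeat, "benign_payload": rule_benign_payload}


def detect_noise(alerts, dimensions, target_item):
    """Run the method's steps; return alarm noise information, one entry per noisy group per dimension."""
    noise = []
    target_alerts = condition_filter(alerts, target_item)
    for name, dim in select_dimensions(dimensions, target_item).items():
        rule = NOISE_RULES.get(name)
        if rule is None:
            continue  # no solidified experience for this dimension yet
        for key, group in aggregate_layers(target_alerts, dim["keys"]).items():
            reason = rule(group)
            if reason:  # standard entry: one dimension paired with exactly one group of alerts
                noise.append({"dimension": name, "group": key,
                              "alert_ids": sorted(a["id"] for a in group), "reason": reason})
    return noise


# Description templates (constructed), matched on the input data type derived from the dimension's keys.
TEMPLATES = {
    "ip_group": "{dimension}: {count} alert(s) from {group[1]} to {group[2]} judged noise ({reason})",
    "payload_group": "{dimension}: {count} alert(s) with payload {group[1]!r} judged noise ({reason})",
}


def describe(entry, dimensions):
    """Template matching: choose the template by data type and fill it from the standardised entry."""
    data_type = "payload_group" if "payload" in dimensions[entry["dimension"]]["keys"] else "ip_group"
    return TEMPLATES[data_type].format(count=len(entry["alert_ids"]), **entry)


def platform_precheck(info):
    """Performance detection before analysis; the four fields follow the text, the pass criteria are assumed."""
    return (bool(info.get("rule_version")) and bool(info.get("accessed_devices"))
            and info.get("running_state") == "running" and isinstance(info.get("alarm_whitelist"), list))


def build_report(alerts, dimensions, target_item):
    """Noise entries, their templated report lines, and the alert ids that survive denoising."""
    noise = detect_noise(alerts, dimensions, target_item)
    noisy_ids = {i for n in noise for i in n["alert_ids"]}
    remaining = [a["id"] for a in condition_filter(alerts, target_item) if a["id"] not in noisy_ids]
    return {"noise": noise, "report_lines": [describe(n, dimensions) for n in noise],
            "remaining_alert_ids": remaining}


if __name__ == "__main__":
    platform = {"rule_version": "2023.09", "accessed_devices": ["waf-1"], "running_state": "running",
                "alarm_whitelist": []}
    if platform_precheck(platform):
        print("\n".join(build_report(SAMPLE_ALERTS, ANALYSIS_DIMENSIONS, "web_attack")["report_lines"]))
```

Run on the sample data, the two health-check alerts from the same internal host and the third health-check alert from another internal host are marked as noise, while the request carrying a SQL fragment (alert 3) is the only web_attack alert left for an analyst. The rules are deliberately conservative: a group is discarded only when every member satisfies the predicate, so one suspicious alert sharing an aggregation key with benign ones keeps the whole group.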
The device provided by the embodiment of the present application has the same implementation principle and technical effects as those of the foregoing method embodiment, and for the sake of brevity, reference may be made to the corresponding content in the foregoing method embodiment where the device embodiment is not mentioned.
The embodiment of the application provides electronic equipment, which comprises a processor and a storage device; the storage means has stored thereon a computer program which, when executed by the processor, performs the method of any of the embodiments described above.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application, where the electronic device 100 includes: a processor 40, a memory 41, a bus 42 and a communication interface 43, the processor 40, the communication interface 43 and the memory 41 being connected by the bus 42; the processor 40 is arranged to execute executable modules, such as computer programs, stored in the memory 41.
The memory 41 may include a high-speed random access memory (Random Access Memory, RAM), and may further include a non-volatile memory, such as at least one magnetic disk memory. The communication connection between this system network element and at least one other network element is achieved via at least one communication interface 43 (which may be wired or wireless), which may use the Internet, a wide area network, a local area network, a metropolitan area network, etc.
Bus 42 may be an ISA bus, a PCI bus, an EISA bus, or the like. The bus may be classified as an address bus, a data bus, a control bus, etc. For ease of illustration, only one bi-directional arrow is shown in Fig. 4, but this does not mean that there is only one bus or only one type of bus.
The memory 41 is configured to store a program, and the processor 40 executes the program after receiving an execution instruction; the method executed by the flow-defining apparatus disclosed in any of the foregoing embodiments of the present application may be applied to the processor 40 or implemented by the processor 40.
The processor 40 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuitry in hardware or by instructions in software in the processor 40. The processor 40 may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; it may also be a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. The methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed by such a processor. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be embodied directly in execution by a hardware decoding processor, or in execution by a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or another storage medium well known in the art. The storage medium is located in the memory 41, and the processor 40 reads the information in the memory 41 and, in combination with its hardware, performs the steps of the method described above.
The computer program product of the readable storage medium provided by the embodiment of the present application includes a computer readable storage medium storing a program code, where the program code includes instructions for executing the method described in the foregoing method embodiment, and the specific implementation may refer to the foregoing method embodiment and will not be described herein.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence or in the part contributing to the prior art or in any part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
Finally, it should be noted that: the above examples are only specific embodiments of the present application, and are not intended to limit the scope of the present application, but it should be understood by those skilled in the art that the present application is not limited thereto, and that the present application is described in detail with reference to the foregoing examples: any person skilled in the art may modify or easily conceive of the technical solution described in the foregoing embodiments, or perform equivalent substitution of some of the technical features, while remaining within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A security alarm automation analysis noise reduction method, wherein the method is applied to a situation awareness platform, and the method comprises:
acquiring an analysis dimension set, alarm information to be processed and a target detection item;
performing dimension acquisition processing on the alarm information to be processed according to the target detection item and the keyword information in the alarm information to be processed, and determining a target analysis dimension set and target alarm information, wherein the target alarm information is the alarm information to be processed comprising the target detection item;
and solidifying the historical analysis experience data into logic codes, and respectively carrying out data analysis processing on the target alarm information in each target analysis dimension by utilizing the logic codes to determine alarm noise information, wherein the alarm noise information is false alarm information.
2. The method for automatically analyzing and denoising a security alarm according to claim 1, wherein the step of performing dimension acquisition processing on the alarm information to be processed according to the target detection item and the keyword information in the alarm information to be processed, and determining a target analysis dimension set and target alarm information comprises the following steps:
determining the target analysis dimension set in the analysis dimension set by utilizing the target detection item;
performing dimension acquisition processing on the alarm information to be processed according to dimension acquisition logic corresponding to each target analysis dimension, and determining the target alarm information, wherein the dimension acquisition logic comprises: condition filtering and layer-by-layer aggregation.
3. The method for automatically analyzing and denoising a security alarm according to claim 2, wherein the step of performing dimension acquisition processing on the alarm information to be processed according to dimension acquisition logic corresponding to each target analysis dimension to determine the target alarm information comprises the steps of:
performing condition filtering processing on the alarm information to be processed according to the target detection item to obtain a preliminary screening result;
and carrying out layer-by-layer aggregation processing on the preliminary screening result by utilizing the keyword information in the alarm information to be processed, and determining the target alarm information.
4. A method of automatic analysis and noise reduction of security alarms according to claim 3, characterized in that it comprises, after the step of determining the target alarm information:
and performing back-pushing processing on the target alarm information through a preset configuration optimization analysis model, and determining a platform configuration problem of the situation awareness platform.
5. The method according to claim 1, wherein, prior to the step of acquiring the analysis dimension set, the alarm information to be processed, and the target detection item, the method comprises:
acquiring platform information of the situation awareness platform, and performing performance detection processing on the situation awareness platform by utilizing the platform information to determine a performance detection result, wherein the platform information comprises: the platform rule version, the accessed security equipment, the platform running state and the alarm white list configuration; and when the performance detection result is passing, allowing the situation awareness platform to carry out automatic security alarm analysis.
6. The method according to claim 1, wherein, after the step of determining the alarm noise information, the method comprises:
adjusting the format of the alarm noise information according to preset standard format information to determine standard alarm noise information, wherein in the standard alarm noise information, the target analysis dimension and the target alarm information are in one-to-one correspondence;
performing template matching processing on the standard alarm noise information to determine target alarm noise information;
and storing the target alarm noise information into a report file.
7. The method of automatic analysis and noise reduction for safety alarm according to claim 6, wherein the step of performing template matching processing on the standard alarm noise information to determine target alarm noise information comprises:
performing data type analysis on the target alarm noise information to determine an input data type and a data set;
matching a preset description template set with the input data type and the data set to determine a target description template;
and combining the standard alarm noise information with the target description template to generate the target alarm noise information.
8. A security alert automated analysis noise reduction device, wherein the device is applied to a situational awareness platform, the device comprising:
the data acquisition module is used for acquiring an analysis dimension set, alarm information to be processed and target detection items;
the dimension acquisition module is used for carrying out dimension acquisition processing on the alarm information to be processed according to the target detection item and the keyword information in the alarm information to be processed, and determining a target analysis dimension set and target alarm information, wherein the target alarm information is the alarm information to be processed comprising the target detection item;
and the data analysis module is used for solidifying the historical analysis experience data into logic codes, and respectively carrying out data analysis processing on the target alarm information in each target analysis dimension by utilizing the logic codes to determine alarm noise information, wherein the alarm noise information is false alarm information.
9. A server comprising a processor and a memory, the memory storing computer executable instructions executable by the processor, the processor executing the computer executable instructions to implement the method of any one of claims 1 to 7.
10. A computer readable storage medium storing computer executable instructions which, when invoked and executed by a processor, cause the processor to implement the method of any one of claims 1 to 7.
CN202311167478.9A 2023-09-11 2023-09-11 Automatic analysis and noise reduction method and device for safety alarm and server Pending CN117201273A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311167478.9A CN117201273A (en) 2023-09-11 2023-09-11 Automatic analysis and noise reduction method and device for safety alarm and server

Publications (1)

Publication Number Publication Date
CN117201273A true CN117201273A (en) 2023-12-08

Family

ID=88983000

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311167478.9A Pending CN117201273A (en) 2023-09-11 2023-09-11 Automatic analysis and noise reduction method and device for safety alarm and server

Country Status (1)

Country Link
CN (1) CN117201273A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117439822A (en) * 2023-12-20 2024-01-23 南京绛门信息科技有限公司 Network security data management system and method based on Internet of things
CN117439822B (en) * 2023-12-20 2024-03-08 南京绛门信息科技有限公司 Network security data management system and method based on Internet of things

Similar Documents

Publication Publication Date Title
CN108881294B (en) Attack source IP portrait generation method and device based on network attack behaviors
US10601848B1 (en) Cyber-security system and method for weak indicator detection and correlation to generate strong indicators
US10135862B1 (en) Testing security incident response through automated injection of known indicators of compromise
CN111245793A (en) Method and device for analyzing abnormity of network data
CN113645065B (en) Industrial control security audit system and method based on industrial Internet
CN108111487B (en) Safety monitoring method and system
KR100732689B1 (en) Web Security Method and apparatus therefor
CN109495423A (en) A kind of method and system preventing network attack
CN111600880A (en) Method, system, storage medium and terminal for detecting abnormal access behavior
JP2015511338A (en) Method and system for ensuring the reliability of IP data provided by a service provider
TW201603529A (en) Packet logging
CN109144023A (en) A kind of safety detection method and equipment of industrial control system
CN117201273A (en) Automatic analysis and noise reduction method and device for safety alarm and server
CN112600797A (en) Method and device for detecting abnormal access behavior, electronic equipment and storage medium
CN114666088A (en) Method, device, equipment and medium for detecting industrial network data behavior information
CN111181978A (en) Abnormal network traffic detection method and device, electronic equipment and storage medium
CN110955897A (en) Software research and development safety control visualization method and system based on big data
CN111030887B (en) Web server discovery method and device and electronic equipment
CN112650180B (en) Safety warning method, device, terminal equipment and storage medium
CN114785567A (en) Traffic identification method, device, equipment and medium
CN112769739B (en) Database operation violation processing method, device and equipment
KR101464736B1 (en) Security Assurance Management System and Web Page Monitoring Method
KR20190027122A (en) Apparatus and method for analyzing network attack pattern
CN116015800A (en) Scanner identification method and device, electronic equipment and storage medium
Kergl et al. Detection of zero day exploits using real-time social media streams

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination