CN117938428A - Alarm log reporting method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN117938428A
Application number
CN202311687137.4A
Authority
CN (China)
Legal status
Pending
Other languages
Chinese (zh)
Prior art keywords
data, reporting, alarm log, reported, standardized
Inventors
闫云龙, 薛锋, 童兆丰, 樊兴华
Current Assignee
Beijing ThreatBook Technology Co Ltd
Original Assignee
Beijing ThreatBook Technology Co Ltd


Abstract

The embodiment of the application provides a method, a device, electronic equipment and a storage medium for reporting an alarm log, where the method comprises the following steps: acquiring an alarm log of a user; performing standardized processing on the alarm log to obtain standardized alarm log data; performing data supplementation on the standardized alarm log data to obtain data to be reported; filtering the data to be reported to obtain filtered data to be reported; and reporting the filtered data to be reported to obtain a reporting result. By implementing the embodiment of the application, accessed alarm logs can be parsed and reported in a unified way, low-quality alarm data is filtered according to the user's requirements, reporting efficiency is improved, automatic matching of attack types and network assets is realized, and the manpower and material resources the user spends are reduced.

Description

Alarm log reporting method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and apparatus for reporting an alarm log, an electronic device, and a storage medium.
Background
As network security problems become more prominent, industries pay increasing attention to network security, so building a corresponding security situation awareness platform is increasingly important: by collecting the alarm data of various units and related enterprises and analyzing it in aggregate, the current state of security problems across the whole industry can be better represented, and known or unknown security risks can be better controlled and prevented.
Although the prior art has realized access and standardization of various security log data, various problems remain. For example, automatic reporting is not supported after data arrangement, reporting cannot be performed according to audit results, and enterprises are not freed from complicated and massive alarm data; in the prior art, low-quality alarm data cannot be filtered according to requirements before reporting, and related network assets and attack types cannot be matched automatically. Enterprises therefore have to spend more time and effort on the accuracy and effectiveness of the data, consuming a large amount of manpower and material resources.
Disclosure of Invention
The embodiment of the application aims to provide a reporting method, a reporting device, electronic equipment and a storage medium for an alarm log, which can uniformly parse and report an accessed alarm log, filter low-quality alarm data according to the user's requirements, improve reporting efficiency, realize automatic matching of attack types and network assets, and reduce the manpower and material resources the user spends.
In a first aspect, an embodiment of the present application provides a method for reporting an alarm log, where the method includes:
acquiring an alarm log of a user;
performing standardized processing on the alarm log to obtain standardized alarm log data;
performing data supplementation on the standardized alarm log data to obtain data to be reported;
filtering the data to be reported to obtain filtered data to be reported;
and reporting the filtered data to be reported to obtain a reporting result.
In the implementation process, supplementing and filtering the data after the alarm logs are standardized allows accessed alarm logs to be parsed and reported in a unified way, and low-quality alarm data is filtered according to the users' requirements, so that reporting efficiency is improved, automatic matching of attack types and network assets is realized, and the manpower and material resources users spend are reduced.
Further, the step of performing standardization processing on the alarm log to obtain standardized alarm log data includes:
parsing the alarm log to obtain a parsed alarm log;
and performing field mapping on the parsed alarm log according to a field rule to obtain the standardized alarm log data.
In the implementation process, the alarm log is parsed and the parsed alarm log is then subjected to field mapping, so that field-level data standardization can be realized and the accuracy of the standardized alarm log data is improved.
Further, the step of performing data supplementation on the standardized alarm log data to obtain the data to be reported includes:
acquiring a network asset;
performing data supplementation on the standardized alarm log data according to the network asset to obtain supplementary data;
and checking the supplementary data to obtain the data to be reported.
In the implementation process, the standardized alarm log data is supplemented according to the network asset, so that the resulting supplementary data is more complete, the efficiency of the checking process is improved, and the check is completed more quickly.
Further, the step of supplementing the standardized alarm log data according to the network asset to obtain the supplementary data includes:
matching the standardized alarm log data with the attack field of the network asset to obtain initial supplementary data;
and matching the initial supplementary data with the attack type of the network asset to obtain the supplementary data.
In the implementation process, the standardized alarm log data can be rapidly expanded by matching the attack field and the attack type with the network asset, so that the obtained supplementary data contains more attack fields and attack types.
Further, the step of matching the standardized alarm log data with the attack field of the network asset to obtain initial supplementary data includes:
matching the standardized alarm log data with the network asset, and judging whether an attacked IP field exists in the standardized alarm log data;
if yes, determining the attacked IP field as a first primary key, and acquiring the initial supplementary data according to the first primary key;
and if not, determining the standardized alarm log data as the initial supplementary data.
In the implementation process, the IP field in the standardized alarm log data is matched, so that a possible attacked IP in the standardized alarm log data can be accurately acquired and the attack discrimination capability of the data is improved.
Further, the step of obtaining the initial supplementary data according to the first primary key includes:
querying each asset data in the network asset according to the first primary key;
if asset data corresponding to the first primary key is found in the network asset, adding the attribute information of that asset data to the standardized alarm log data to obtain the initial supplementary data; the attribute information comprises the attribution system, the branch office name and the area to which the organization belongs of the asset data corresponding to the first primary key.
In the implementation process, each piece of asset data of the network asset is queried according to the first main key, and the attribute information is supplemented into the standardized alarm log data one by one, so that the standardized alarm log data can be rapidly and accurately expanded, and the generalization capability of the standardized alarm log data is improved.
Further, the step of matching the initial supplemental data with the attack type of the network asset to obtain the supplemental data includes:
matching the standardized alarm log data with the network asset, and judging whether an attack subdivision subclass field exists in the standardized alarm log data;
if yes, determining the attack subdivision subclass field as a second primary key, and acquiring the supplementary data according to the second primary key;
if not, determining the initial supplementary data as the supplementary data.
In the implementation process, the attack subdivision subclass field is matched, so that the attack range in the alarm log data can be standardized accurately, the efficiency of further confirming the attack field is improved, and the error probability is reduced.
Further, the step of obtaining the supplementary data according to the second primary key includes:
querying attack type enumeration data in the network asset according to the second primary key;
and if attack type enumeration data corresponding to the second primary key is found in the network asset, adding the attack type code of that attack type enumeration data to the initial supplementary data to obtain the supplementary data.
In the implementation process, the attack type code of the attack type enumeration data is added, so that a later lookup of the attack type code can be avoided, the matching and query precision is improved, and the supplementary data is more complete.
Further, the step of checking the supplementary data to obtain the data to be reported includes:
judging, for the supplementary data, whether a secondary audit interface is opened;
under the condition that the secondary audit interface is opened, judging whether the supplementary data meets the secondary audit condition; if it does, caching the supplementary data and waiting for the secondary audit, and if it does not, determining the supplementary data as the data to be reported and updating its state to "to be reported"; the secondary audit condition comprises the attribution system, the attack type/virus type, and whether malicious information is hit;
and under the condition that the secondary audit interface is not opened, determining the supplementary data as the data to be reported and updating its state to "to be reported".
In the implementation process, the supplementary data is checked, different treatments are respectively carried out on the supplementary data according to the opening condition of the secondary checking interface, and the attack fields in the supplementary data can be further checked, so that omission is avoided.
Further, the step of filtering the data to be reported to obtain filtered data to be reported includes:
Filtering the data to be reported according to a filtering rule to obtain filtered data to be reported, and updating the state of the filtered data to be reported into a filtering state;
the filtering rules comprise repeated alarm filtering, attack IP filtering, flow threshold alarm filtering and non-current-day alarm filtering.
In the implementation process, the data to be reported is filtered according to the filtering rules, so that the possibility of error filtering in the filtering process is reduced, and the filtered data to be reported is more accurate.
Further, the step of reporting the filtered data to be reported to obtain a reporting result includes:
reporting the filtered data to be reported according to the first reporting mode, the second reporting mode and the third reporting mode in sequence to obtain a corresponding first reporting result, a corresponding second reporting result and a corresponding third reporting result;
if any one of the first reporting result, the second reporting result and the third reporting result is reporting success, determining that the reporting result is reporting success, and recording the reporting mode corresponding to the reporting success among the first reporting result, the second reporting result and the third reporting result;
and if the first reporting result, the second reporting result and the third reporting result are all reporting failure, determining that the reporting result is reporting failure.
In the implementation process, the reporting is performed according to different reporting modes, so that the reporting mode of successful data reporting can be intuitively known, a basis is provided for subsequent data reporting, and the condition of repeated reporting failure is avoided.
Further, the step of reporting the filtered data to be reported according to the first reporting mode, the second reporting mode and the third reporting mode in sequence to obtain a corresponding first reporting result, a second reporting result and a third reporting result includes:
judging whether an interface of the first reporting mode is opened;
if yes, reporting the filtered data to be reported according to the first reporting mode to obtain the first reporting result;
if not, judging whether an interface of the second reporting mode is opened;
if the interface of the second reporting mode is opened, reporting the filtered data to be reported according to the second reporting mode to obtain the second reporting result;
if the interface of the second reporting mode is not opened, judging whether an interface of the third reporting mode is opened;
and if the interface of the third reporting mode is opened, reporting the filtered data to be reported according to the third reporting mode to obtain the third reporting result.
In the implementation process, the filtered data to be reported are reported in the first reporting mode, the second reporting mode and the third reporting mode in sequence, so that reporting can be realized rapidly, accurately and effectively, and reporting efficiency is improved.
In a second aspect, an embodiment of the present application further provides a device for reporting an alarm log, where the device includes:
an acquisition module, used for acquiring an alarm log of a user;
a standardization module, used for performing standardized processing on the alarm log to obtain standardized alarm log data;
a supplementing module, used for performing data supplementation on the standardized alarm log data to obtain data to be reported;
a filtering module, used for filtering the data to be reported to obtain filtered data to be reported;
and a reporting module, used for reporting the filtered data to be reported to obtain a reporting result.
In the implementation process, supplementing and filtering the data after the alarm logs are standardized allows accessed alarm logs to be parsed and reported in a unified way, and low-quality alarm data is filtered according to the users' requirements, so that reporting efficiency is improved, automatic matching of attack types and network assets is realized, and the manpower and material resources users spend are reduced.
In a third aspect, an electronic device provided in an embodiment of the present application includes: a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any one of the first aspects when the computer program is executed.
In a fourth aspect, an embodiment of the present application provides a computer readable storage medium, where instructions are stored, when the instructions are executed on a computer, to cause the computer to perform the method according to any one of the first aspects.
In a fifth aspect, embodiments of the present application provide a computer program product, which when run on a computer causes the computer to perform the method according to any of the first aspects.
Additional features and advantages of the disclosure will be set forth in the description which follows, will in part be obvious from the description, or may be learned by practicing the techniques of the disclosure, and can be implemented in accordance with the teachings of the specification and the following detailed description of the preferred embodiments of the application, taken in conjunction with the accompanying drawings.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the embodiments are briefly described below. It should be understood that the following drawings only illustrate some embodiments of the present application and should not be construed as limiting its scope, and a person skilled in the art can obtain other related drawings from these drawings without inventive effort.
FIG. 1 is a flow chart of a method for reporting an alarm log according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a reporting device for an alarm log according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
The following describes in further detail the embodiments of the present application with reference to the drawings and examples. The following examples are illustrative of the application and are not intended to limit the scope of the application.
Example 1
Fig. 1 is a flow chart of a method for reporting an alarm log according to an embodiment of the present application; as shown in Fig. 1, the method includes:
S1, acquiring an alarm log of a user;
S2, performing standardized processing on the alarm log to obtain standardized alarm log data;
S3, performing data supplementation on the standardized alarm log data to obtain data to be reported;
S4, filtering the data to be reported to obtain filtered data to be reported;
and S5, reporting the filtered data to be reported to obtain a reporting result.
In the implementation process, supplementing and filtering the data after the alarm logs are standardized allows accessed alarm logs to be parsed and reported in a unified way, and low-quality alarm data is filtered according to the users' requirements, so that reporting efficiency is improved, automatic matching of attack types and network assets is realized, and the manpower and material resources users spend are reduced.
The embodiment of the application provides a method for automatically reporting an alarm log, which can report standardized log data in various modes, provides an audit mechanism before reporting so that only data that passes the audit is reported, filters low-quality alarm data or alarm data that an enterprise is not willing to report, and realizes standardized access of alarm logs.
Further, S2 includes:
parsing the alarm log to obtain a parsed alarm log;
and performing field mapping on the parsed alarm log according to the field rule to obtain standardized alarm log data.
In the implementation process, the alarm log is parsed and the parsed alarm log is then subjected to field mapping, so that field-level data standardization can be realized and the accuracy of the standardized alarm log data is improved.
After an alarm log is accessed, data parsing can use any of three modes: regular expression, JSON (JavaScript Object Notation) and separator. After parsing, field mapping is performed according to the field matching rules; for example, the alert_ip in the log data is mapped to the ip field in the system, and the alarm log is standardized into a piece of JSON data (that is, standardized alarm log data).
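The three parsing modes and the field mapping described above, as an added example that is not the patent's own code. The field rule, the sample log lines and the pattern are constructed for illustration; only the alert_ip to ip mapping comes from the description.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed field-mapping rule (assumed format): raw field name -> standard field name.
# alert_ip -> ip is the page's own example; the other entries are assumptions.
FIELD_RULE: Dict[str, str] = {
    "alert_ip": "ip",
    "src": "attack_source_ip",
    "dst": "attacked_ip",
    "sub_type": "attack_subclass",
}

# Constructed sample log lines, one per parsing mode.
REGEX_LINE = "2024-01-05T10:00:00 alert_ip=192.0.2.10 src=198.51.100.7 dst=192.0.2.10 sub_type=web_scan"
REGEX_PATTERN = r"alert_ip=(?P<alert_ip>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sub_type=(?P<sub_type>\S+)"
JSON_LINE = '{"alert_ip": "192.0.2.10", "sub_type": "web_scan", "severity": "high"}'
DELIM_LINE = "192.0.2.10|198.51.100.7|web_scan"
DELIM_COLUMNS = ["alert_ip", "src", "sub_type"]


def parse_regex(raw: str, pattern: str) -> Dict[str, str]:
    """Regex mode: named groups carry the raw field names; a non-matching line yields no fields."""
    match = re.search(pattern, raw)
    return match.groupdict() if match else {}


def parse_json(raw: str) -> Dict[str, str]:
    """JSON mode: a malformed or non-object line yields no fields instead of raising."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return {}
    return data if isinstance(data, dict) else {}


def parse_delimited(raw: str, sep: str, columns: List[str]) -> Dict[str, str]:
    """Separator mode: the caller supplies the column order; surplus columns are dropped."""
    return dict(zip(columns, raw.rstrip("\r\n").split(sep)))


def map_fields(parsed: Dict[str, str], rule: Dict[str, str]) -> Dict[str, str]:
    """Field mapping: rename raw fields per the rule; unmapped fields keep their raw name."""
    return {rule.get(key, key): value for key, value in parsed.items()}


def standardize(raw: str, mode: str, rule: Dict[str, str] = FIELD_RULE, *,
                pattern: Optional[str] = None, sep: str = "|",
                columns: Optional[List[str]] = None) -> Dict[str, str]:
    """Parse one accessed alarm log line in the given mode and return the standardized record."""
    if mode == "regex":
        parsed = parse_regex(raw, pattern or "")
    elif mode == "json":
        parsed = parse_json(raw)
    elif mode == "separator":
        parsed = parse_delimited(raw, sep, columns or [])
    else:
        raise ValueError(f"unknown parse mode: {mode}")
    return map_fields(parsed, rule)


def standardize_to_json(raw: str, mode: str, **kwargs) -> str:
    """Serialize the standardized record as JSON, the form the system stores."""
    return json.dumps(standardize(raw, mode, **kwargs), sort_keys=True)


if __name__ == "__main__":
    print(standardize_to_json(REGEX_LINE, "regex", pattern=REGEX_PATTERN))
    print(standardize_to_json(JSON_LINE, "json"))
    print(standardize_to_json(DELIM_LINE, "separator", columns=DELIM_COLUMNS))
```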
Further, S3 includes:
acquiring a network asset;
performing data supplementation on the standardized alarm log data according to the network asset to obtain supplementary data;
and checking the supplementary data to obtain the data to be reported.
In the implementation process, the standardized alarm log data is supplemented according to the network asset, so that the resulting supplementary data is more complete, the efficiency of the checking process is improved, and the check is completed more quickly.
Further, the step of supplementing the standardized alarm log data according to the network asset to obtain the supplementary data includes:
matching the standardized alarm log data with the attack field of the network asset to obtain initial supplementary data;
and matching the initial supplementary data with the attack type of the network asset to obtain the supplementary data.
In the implementation process, the standardized alarm log data can be rapidly expanded by matching the attack field and the attack type with the network asset, so that the obtained supplementary data contains more attack fields and attack types.
Further, the step of matching the standardized alarm log data with the network asset in the attack field to obtain initial supplementary data includes:
matching the standardized alarm log data with the network asset, and judging whether an attacked IP field exists in the standardized alarm log data;
if yes, determining the attacked IP field as a first primary key, and acquiring initial supplementary data according to the first primary key;
if not, determining the standardized alarm log data as the initial supplementary data.
In the implementation process, the IP field in the standardized alarm log data is matched, so that a possible attacked IP in the standardized alarm log data can be accurately acquired and the attack discrimination capability of the data is improved.
If the attacked IP field exists, the attacked IP field in the standardized alarm log data is extracted as the first primary key for the network asset, and all the network assets cached in the system are queried according to the first primary key.
Further, the step of obtaining initial supplementary data according to the first primary key includes:
inquiring each asset data in the network asset according to the first primary key;
if asset data corresponding to the first primary key is found in the network asset, adding the attribute information of that asset data to the standardized alarm log data to obtain initial supplementary data; the attribute information comprises the attribution system, the branch office name and the area to which the organization belongs of the asset data corresponding to the first primary key.
In the implementation process, each piece of asset data of the network asset is queried according to the first main key, and the attribute information is supplemented into the standardized alarm log data one by one, so that the standardized alarm log data can be rapidly and accurately expanded, and the generalization capability of the standardized alarm log data is improved.
If asset data corresponding to the first primary key is found, the attribution system, branch office name and area to which the organization belongs of that asset data are supplemented into the piece of data; if no asset data is found, the first primary key is stored in the system so that the user can look up and supplement the asset data corresponding to that primary key.
Further, the step of matching the initial supplemental data with the attack type of the network asset to obtain supplemental data includes:
matching the standardized alarm log data with the network asset, and judging whether an attack subdivision subclass field exists in the standardized alarm log data;
if yes, determining the attack subdivision subclass field as a second primary key, and acquiring supplementary data according to the second primary key;
if not, determining the initial supplementary data as the supplementary data.
In the implementation process, the attack subdivision subclass field is matched, so that the attack range in the alarm log data can be standardized accurately, the efficiency of further confirming the attack field is improved, and the error probability is reduced.
Further, the step of obtaining the supplementary data according to the second primary key includes:
querying attack type enumeration data in the network asset according to the second primary key;
if attack type enumeration data corresponding to the second primary key exists in the network asset, adding the attack type code of that attack type enumeration data to the initial supplementary data to obtain the supplementary data.
In the implementation process, the attack type code of the attack type enumeration data is added, so that a later lookup of the attack type code can be avoided, the matching and query precision is improved, and the supplementary data is more complete.
If the standardized alarm log data has the attack subdivision subclass field, that field is extracted as the second primary key and the attack type enumeration data cached in the system is queried; if matching attack type enumeration data is found, the corresponding attack type code is supplemented according to the attack type, and if not, the data is likewise saved so that the user can look it up and supplement the attack-type-related data.
Further, the step of checking the supplementary data to obtain the data to be reported includes:
judging, for the supplementary data, whether a secondary audit interface is opened;
under the condition that the secondary audit interface is opened, judging whether the supplementary data meets the secondary audit condition; if so, caching the supplementary data and waiting for the secondary audit, and if not, determining the supplementary data as data to be reported and updating its state to "to be reported"; the secondary audit condition comprises the attribution system, the attack type/virus type, and whether malicious information is hit;
and under the condition that the secondary audit interface is not opened, determining the supplementary data as data to be reported and updating its state to "to be reported".
In the implementation process, the supplementary data is checked and handled differently according to whether the secondary audit interface is opened, and the attack fields in the supplementary data can be checked further, so that omissions are avoided.
Optionally, the secondary audit may be a manual audit, and the condition for judging whether a piece of supplementary data needs manual audit is made up of three parts: the attribution system, the attack type/virus type, and whether malicious information is hit. That is, if the attribution system of the asset data corresponding to the piece of supplementary data is not found in the network asset, the attack type/virus type corresponding to the piece of supplementary data is not found in the network asset, and the piece of supplementary data does not hit malicious information, then the piece of data meets all three conditions and requires manual audit; reporting continues only after the manual audit passes, and the data is stored in the storage medium waiting to be reported.
The embodiment of the application uses a manual audit mechanism to reduce the intrusion of massive alarm data. Different types of alarm log data have different filtering rules, giving higher flexibility, and the manual audit also supports flexible configuration of various conditions, helping enterprises intercept and secondarily confirm the data that needs to be reported and ensuring that the data to be reported is effective and accurate.
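The two-stage supplementation (attacked IP as first primary key, attack subdivision subclass as second primary key) and the three-part manual audit condition, as an added example that is not the patent's own code. The asset cache, the attack-type enumeration, the field names (attacked_ip, attack_subclass, malicious_intel_hit) and the type codes are all constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

Record = Dict[str, object]

# Constructed network-asset cache keyed by asset IP (the first primary key); attribute names assumed.
ASSETS: Dict[str, Dict[str, str]] = {
    "192.0.2.10": {"system": "billing", "branch": "Shanghai branch", "region": "East China"},
}
# Constructed attack-type enumeration keyed by attack subdivision subclass (the second primary key).
ATTACK_TYPES: Dict[str, str] = {"web_scan": "A-101", "sql_injection": "A-102"}

# Keys with no match are stored so the user can look them up and complete the data later.
PENDING_ASSET_KEYS: Set[str] = set()
PENDING_ATTACK_KEYS: Set[str] = set()
# Records cached for manual audit.
AUDIT_QUEUE: List[Record] = []


def match_attack_field(record: Record, assets: Dict[str, Dict[str, str]]) -> Record:
    """Attack-field matching: query the asset cache by the attacked IP and add its attributes."""
    attacked_ip = record.get("attacked_ip")
    if not attacked_ip:
        return dict(record)  # no attacked IP field: the record itself is the initial supplementary data
    asset = assets.get(str(attacked_ip))
    if asset is None:
        PENDING_ASSET_KEYS.add(str(attacked_ip))  # saved for the user to query and supplement
        return dict(record)
    return {**record, "system": asset["system"], "branch": asset["branch"], "region": asset["region"]}


def match_attack_type(record: Record, attack_types: Dict[str, str]) -> Record:
    """Attack-type matching: query the enumeration by the attack subclass and add the type code."""
    subclass = record.get("attack_subclass")
    if not subclass:
        return dict(record)
    code = attack_types.get(str(subclass))
    if code is None:
        PENDING_ATTACK_KEYS.add(str(subclass))
        return dict(record)
    return {**record, "attack_type_code": code}


def enrich(record: Record, assets=ASSETS, attack_types=ATTACK_TYPES) -> Record:
    """Data supplementation: attack-field matching first, then attack-type matching."""
    return match_attack_type(match_attack_field(record, assets), attack_types)


def needs_manual_audit(record: Record) -> bool:
    """The secondary audit condition: all three parts must hold at the same time."""
    no_system = "system" not in record
    no_attack_type = "attack_type_code" not in record
    no_intel_hit = not record.get("malicious_intel_hit", False)
    return no_system and no_attack_type and no_intel_hit


def audit(record: Record, audit_interface_open: bool) -> Tuple[str, Record]:
    """Checking step: cache the record for manual audit, or mark it as data to be reported."""
    if audit_interface_open and needs_manual_audit(record):
        cached = {**record, "status": "pending_manual_audit"}
        AUDIT_QUEUE.append(cached)
        return "pending_manual_audit", cached
    return "to_report", {**record, "status": "to_report"}


def process(record: Record, audit_interface_open: bool = True) -> Tuple[str, Record]:
    """Step S3 end to end: supplement the standardized record, then check it."""
    return audit(enrich(record), audit_interface_open)
```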
Further, S4 includes:
filtering the data to be reported according to the filtering rules to obtain filtered data to be reported, and updating the state of the filtered-out data to "filtered";
the filtering rules include repeated alarm filtering, attack IP filtering, flow threshold alarm filtering and non-current-day alarm filtering.
In the implementation process, the data to be reported is filtered according to the filtering rules, so that the possibility of mistaken filtering in the filtering process is reduced and the filtered data to be reported is more accurate.
The specific behaviour of each filtering rule is as follows. Repeated alarm filtering: different types of data to be reported have different rules for judging repetition, specifically de-duplication by attack source IP and attack subdivision subclass, de-duplication by target IP and occurrence time, de-duplication by infected IP and virus name, and de-duplication by sender source IP and mail title. A de-duplication time range can also be selected: if two pieces of network-attack type data are accessed within the selected time range, such as 24 hours, with the same attack source IP and attack subdivision subclass, the second piece is filtered, but after 24 hours data to be reported with the same attack source IP and attack subdivision subclass as the first piece is accessed and reported normally again.
Attack IP filtering filters alarm logs whose attack IP is an asset IP; it is effective for all types of data, and if the attack IP matches a system asset IP the data to be reported is filtered.
Flow threshold alarm filtering applies only to DDoS-type alarm log data and filters alarms whose attack flow is below the threshold.
Non-current-day alarm filtering is effective for all types of data and filters alarm log data that is not from the current day according to the occurrence time of the alarm log.
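The four filtering rules above applied to constructed data to be reported, as an added example that is not the patent's own code. The record field names, the data-type names, the asset IP list and the DDoS flow threshold are assumptions; the de-duplication window is shortened to six hours in the sample run so that the after-window case fits on one day.

```python
from datetime import date, datetime, timedelta
from typing import Dict, Iterable, List, Tuple

Record = Dict[str, object]

# Repeat-alarm keys per data type, following the description; field names are assumed.
DEDUP_KEYS: Dict[str, Tuple[str, ...]] = {
    "network_attack": ("attack_source_ip", "attack_subclass"),
    "target": ("target_ip", "occur_time"),
    "infection": ("infected_ip", "virus_name"),
    "mail": ("sender_ip", "mail_subject"),
}


class ReportFilter:
    """Applies the four filtering rules and marks dropped records with the 'filtered' state."""

    def __init__(self, asset_ips: Iterable[str], dedup_window: timedelta = timedelta(hours=24),
                 ddos_flow_threshold: int = 1000) -> None:
        self.asset_ips = set(asset_ips)            # the system's own asset IPs
        self.window = dedup_window                 # selectable de-duplication time range
        self.threshold = ddos_flow_threshold       # constructed flow threshold for DDoS alarms
        self._last_seen: Dict[Tuple, datetime] = {}

    def is_repeat(self, rec: Record) -> bool:
        """Repeated alarm filtering: same key within the window; after the window it is accepted again."""
        key_fields = DEDUP_KEYS.get(str(rec["type"]))
        if key_fields is None:
            return False
        key = (rec["type"],) + tuple(rec.get(f) for f in key_fields)
        now = rec["occur_time"]
        last = self._last_seen.get(key)
        if last is not None and now - last < self.window:
            return True
        self._last_seen[key] = now
        return False

    def is_asset_attack_ip(self, rec: Record) -> bool:
        """Attack IP filtering (all types): the attack source IP is one of the system's asset IPs."""
        return rec.get("attack_source_ip") in self.asset_ips

    def is_low_flow_ddos(self, rec: Record) -> bool:
        """Flow threshold filtering (DDoS only): attack flow below the threshold."""
        return rec["type"] == "ddos" and int(rec.get("flow", 0)) < self.threshold

    def is_not_today(self, rec: Record, today: date) -> bool:
        """Non-current-day filtering (all types): occurrence time not on the reporting day."""
        return rec["occur_time"].date() != today

    def apply(self, records: Iterable[Record], today: date) -> Tuple[List[Record], List[Record]]:
        """Returns (filtered data to be reported, dropped records marked 'filtered')."""
        kept: List[Record] = []
        dropped: List[Record] = []
        for rec in records:
            # The repeat check runs last so records dropped by other rules do not occupy the seen table.
            if (self.is_not_today(rec, today) or self.is_asset_attack_ip(rec)
                    or self.is_low_flow_ddos(rec) or self.is_repeat(rec)):
                dropped.append({**rec, "status": "filtered"})
            else:
                kept.append(rec)
        return kept, dropped


def sample_records() -> List[Record]:
    """Constructed data to be reported: ids 1-3 share a repeat key, 4 comes from an asset IP, 7 is yesterday's."""
    day = datetime(2024, 1, 5)
    net = {"type": "network_attack", "attack_source_ip": "198.51.100.7", "attack_subclass": "web_scan"}
    return [
        {"id": 1, **net, "occur_time": day.replace(hour=1)},
        {"id": 2, **net, "occur_time": day.replace(hour=4)},
        {"id": 3, **net, "occur_time": day.replace(hour=9)},
        {"id": 4, **net, "attack_source_ip": "192.0.2.10", "occur_time": day.replace(hour=2)},
        {"id": 5, "type": "ddos", "attack_source_ip": "203.0.113.9", "flow": 200, "occur_time": day.replace(hour=3)},
        {"id": 6, "type": "ddos", "attack_source_ip": "203.0.113.9", "flow": 5000, "occur_time": day.replace(hour=3)},
        {"id": 7, "type": "infection", "infected_ip": "192.0.2.20", "virus_name": "Trojan.X",
         "occur_time": day - timedelta(days=1)},
    ]


def run_sample() -> Tuple[List[int], List[int]]:
    """Run the sample with a six-hour window; returns the kept and dropped record ids."""
    flt = ReportFilter(asset_ips={"192.0.2.10", "192.0.2.20"}, dedup_window=timedelta(hours=6))
    kept, dropped = flt.apply(sample_records(), today=date(2024, 1, 5))
    return [r["id"] for r in kept], [r["id"] for r in dropped]
```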
Further, S5 includes:
reporting the filtered data to be reported according to the first reporting mode, the second reporting mode and the third reporting mode in sequence to obtain a corresponding first reporting result, a corresponding second reporting result and a corresponding third reporting result;
If any one of the first reporting result, the second reporting result and the third reporting result is reporting success, determining that the reporting result is reporting success, and recording reporting modes corresponding to the reporting success in the first reporting result, the second reporting result and the third reporting result;
if the first reporting result, the second reporting result and the third reporting result are all reporting failure, determining that the reporting result is reporting failure.
In the implementation process, reporting is performed according to different reporting modes, so that the reporting mode by which the data was reported successfully is known directly, a basis is provided for subsequent data reporting, and repeated reporting failures are avoided.
The embodiment of the application can report through the kafka, api and syslog modes. A vendor can turn the switch of any reporting mode on or off according to actual conditions, and reporting is then performed according to the selected reporting modes.
Further, reporting the filtered data to be reported according to the first reporting mode, the second reporting mode and the third reporting mode in sequence to obtain corresponding first reporting results, second reporting results and third reporting results, including:
Judging whether an interface of the first reporting mode is opened or not;
If yes, reporting the filtered data to be reported according to the first reporting mode to obtain a first reporting result;
if not, judging whether an interface of the second reporting mode is opened;
if the interface of the second reporting mode is opened, reporting the filtered data to be reported according to the second reporting mode to obtain a second reporting result;
if the interface of the second reporting mode is not opened, judging whether the interface of the third reporting mode is opened;
and if the interface of the third reporting mode is started, reporting the filtered data to be reported according to the third reporting mode to obtain a third reporting result.
In the implementation process, the filtered data to be reported are reported in the first reporting mode, the second reporting mode and the third reporting mode in sequence, so that reporting can be realized rapidly, accurately and effectively, and reporting efficiency is improved.
Specifically, for the data to be reported, whether the corresponding reporting switch is turned on is checked in the order kafka, api, syslog; if it is on, the data is reported by that mode and the reporting success or failure state is recorded. If reporting succeeds, the reporting state is updated to reporting success, and the reporting mode or modes used, for example kafka+api, are recorded so that the enterprise can trace and check them later. Finally, the data reported successfully is saved and isolated from the data that was not reported successfully, the filtered data and the data still to be reported.
For example, two alarm logs are obtained. The first alarm log is reported first: because no data with the same attack IP and attack subdivision subclass can be found in the reported list, the alarm log meets the reporting conditions; it is then reported successfully in syslog mode, its state is marked as reporting success, its record is deleted from the to-be-reported list, and the record is transferred to the storage medium of the reporting-success list.
The second alarm log is then reported. Because the first report succeeded, when the data is filtered a piece of data with the same attack IP and attack type subdivision subclass is found in the reporting-success list, so the second alarm log is marked as repeated data, its state is marked as not meeting the reporting conditions, the state is updated to the storage medium, and the reporting flow stops.
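The reporting flow of this section (switch check in the order kafka, api, syslog; recording which modes succeeded; keeping reported records isolated from the to-be-reported, filtered and failed records; and the two-alarm walkthrough above), as an added example. This is code written for this page, not code from the patent or from Beijing ThreatBook Technology Co Ltd. The kafka, api and syslog clients are replaced by stand-in callables so the block runs offline, and reading the description as trying every enabled mode (so that a record can be recorded as reported via kafka+api) is an assumption.

```python
REPORT_ORDER = ("kafka", "api", "syslog")   # first, second and third reporting modes


class Reporter:
    """Drives a record through the to-be-reported, filtered, report-success and
    report-failure states and keeps the four lists in separate stores.

    switches: {mode: bool}, the per-mode on/off switch set by the vendor.
    sinks:    {mode: callable(record) -> bool}, stand-ins for the real kafka,
              api and syslog clients (an assumption; nothing is sent over a network).
    """

    def __init__(self, switches, sinks):
        self.switches = switches
        self.sinks = sinks
        self.to_report = {}        # id -> record, the to-be-reported list
        self.filtered = {}         # records that did not meet the reporting conditions
        self.reported = {}         # report-success list, isolated from the rest
        self.failed = {}           # every enabled mode failed (or none was enabled)
        self._reported_keys = set()

    @staticmethod
    def dedup_key(rec):
        # The description's walkthrough de-duplicates on attack IP + attack subdivision subclass.
        return (rec["attack_ip"], rec["attack_subclass"])

    def submit(self, rec):
        self.to_report[rec["id"]] = dict(rec, status="to_report")

    def process(self, rec_id):
        rec = self.to_report.pop(rec_id)
        key = self.dedup_key(rec)
        if key in self._reported_keys:
            # Already reported successfully once: mark as repeated data and stop.
            rec.update(status="filtered", reason="duplicate_of_reported")
            self.filtered[rec_id] = rec
            return rec
        results = {}
        for mode in REPORT_ORDER:
            if not self.switches.get(mode, False):
                continue                          # switch off: mode not used at all
            try:
                results[mode] = bool(self.sinks[mode](rec))
            except Exception:                     # a sink error is a failed attempt, not a crash
                results[mode] = False
        succeeded = [m for m in REPORT_ORDER if results.get(m)]
        if succeeded:
            rec.update(status="report_success", reported_via=succeeded, results=results)
            self.reported[rec_id] = rec           # isolated store, used for the duplicate check
            self._reported_keys.add(key)
        else:
            rec.update(status="report_failure", results=results)
            self.failed[rec_id] = rec
        return rec


def walkthrough():
    """The two-alarm example from the description, with only the syslog switch on."""
    delivered = []                                # what the stand-in syslog sink "sent"
    sinks = {
        "kafka": lambda r: True,
        "api": lambda r: True,
        "syslog": lambda r: delivered.append(r["id"]) or True,
    }
    rep = Reporter({"kafka": False, "api": False, "syslog": True}, sinks)
    rep.submit({"id": 1, "attack_ip": "203.0.113.7", "attack_subclass": "sql_injection"})
    rep.submit({"id": 2, "attack_ip": "203.0.113.7", "attack_subclass": "sql_injection"})
    first = rep.process(1)                        # reported via syslog, moved to the success list
    second = rep.process(2)                       # same key found in the success list: filtered
    return rep, first, second, delivered


def fallback_walkthrough():
    """kafka and api switched on, kafka broker down: the record still succeeds via api."""
    def broken_kafka(rec):
        raise ConnectionError("broker unreachable")   # constructed failure

    rep = Reporter({"kafka": True, "api": True, "syslog": False},
                   {"kafka": broken_kafka, "api": lambda r: True, "syslog": lambda r: True})
    rep.submit({"id": 3, "attack_ip": "198.51.100.4", "attack_subclass": "port_scan"})
    return rep.process(3)


if __name__ == "__main__":
    rep, first, second, delivered = walkthrough()
    print(first["status"], first["reported_via"], second["status"], second["reason"])
    print(fallback_walkthrough()["results"])
```

A mode whose switch is off is skipped rather than counted as a failure, so with every switch off a record lands in report_failure with an empty results map. That is the state worth alerting on operationally: nothing was attempted, as opposed to something was attempted and rejected, and the two look identical if only the final status is stored.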
The application automatically accesses, collates and standardizes alarm logs of different vendors, and at the same time helps enterprises clean massive alarm logs and extract the truly useful security alarms by manual audit and data filtering, thereby ensuring the validity and accuracy of the reported data, supporting multiple reporting modes (kafka, syslog, api), and improving the security capability of enterprises.
The embodiment of the application can help vendors find and fill gaps in the related asset and attack type data sets. Finally, after reporting succeeds, the reported data is stored in isolation from other data, eliminating the possibility of data pollution at the source, while enterprise users are supported in tracing and auditing all accessed data.
Embodiment two
In order to execute the corresponding method of the foregoing embodiment and achieve the corresponding functions and technical effects, a reporting device for alarm logs is provided below, as shown in fig. 2, where the device includes:
the acquisition module 1 is used for acquiring an alarm log of a user;
the standardization module 2 is used for carrying out standardized processing on the alarm log to obtain standardized alarm log data;
the supplementing module 3 is used for supplementing the standardized alarm log data to obtain data to be reported;
the filtering module 4 is used for filtering the data to be reported to obtain filtered data to be reported;
and the reporting module 5 is used for reporting the filtered data to be reported to obtain a reporting result.
In the implementation process, after the alarm logs are standardized the data is supplemented and filtered, so that the accessed alarm logs can be analyzed and reported in a unified way; low-quality alarm data is filtered according to the requirements of users, the reporting efficiency is improved, automatic matching of attack types and network assets is realized, and the consumption of users' manpower and material resources is reduced.
Further, the standardization module 2 is also configured to:
analyzing the alarm log to obtain an analyzed alarm log;
and performing field mapping on the analyzed alarm log according to the field rule to obtain standardized alarm log data.
In the implementation process, the alarm log is analyzed, and then the analyzed alarm log is subjected to field mapping, so that field-level data standardization can be realized, and the accuracy of standardized alarm log data is improved.
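The two standardization steps above (parse, then field mapping according to a field rule) as an added example, written for this page rather than taken from the patent or from Beijing ThreatBook Technology Co Ltd. The two vendor formats, the field-rule table, the standard schema and the sample lines are constructed assumptions; the point shown is that parsing and mapping stay separate, that unmapped vendor fields are retained rather than dropped, and that a line missing a mandatory field is rejected instead of producing a half-record that later stages would mis-filter.

```python
import json
import re
from datetime import datetime, timezone

# Constructed field rules: vendor field name -> standard field name. Both vendor
# formats and the standard schema are assumptions for this illustration.
FIELD_RULES = {
    "vendor_a": {"srcip": "src_ip", "dstip": "dst_ip", "sig_name": "attack_subclass",
                 "ts": "occurred_at", "level": "severity"},
    "vendor_b": {"attacker": "src_ip", "victim": "dst_ip", "category": "attack_subclass",
                 "time": "occurred_at", "sev": "severity"},
}
STANDARD_FIELDS = ("vendor", "src_ip", "dst_ip", "attack_subclass", "occurred_at", "severity")
SEVERITY_MAP = {"low": 1, "medium": 2, "high": 3, "1": 1, "2": 2, "3": 3}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(raw):
    """Step 1: parse one raw alarm line into (vendor, field dict).

    Vendor A (constructed) emits one JSON object per line; vendor B (constructed)
    emits space-separated key=value pairs with optional double-quoted values.
    """
    raw = raw.strip()
    if raw.startswith("{"):
        return "vendor_a", json.loads(raw)
    return "vendor_b", {k: v.strip('"') for k, v in KV_RE.findall(raw)}


def to_datetime(value):
    """Accept epoch seconds or ISO 8601 and always return a timezone-aware UTC datetime."""
    if value is None:
        return None
    s = str(value)
    if s.isdigit():
        return datetime.fromtimestamp(int(s), tz=timezone.utc)
    dt = datetime.fromisoformat(s)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def normalize(raw):
    """Step 2: map the parsed fields onto the standard schema via the vendor's field rule.

    Unmapped vendor fields are kept under "extra" so nothing is silently lost,
    and a missing mandatory field raises instead of yielding a half-record.
    """
    vendor, parsed = parse(raw)
    rules = FIELD_RULES[vendor]
    out = dict.fromkeys(STANDARD_FIELDS)
    out["vendor"] = vendor
    out["extra"] = {}
    for name, value in parsed.items():
        if name in rules:
            out[rules[name]] = value
        else:
            out["extra"][name] = value
    out["occurred_at"] = to_datetime(out["occurred_at"])
    out["severity"] = SEVERITY_MAP.get(str(out["severity"]).lower(), 0)
    missing = [f for f in ("src_ip", "attack_subclass", "occurred_at") if out[f] is None]
    if missing:
        raise ValueError(f"{vendor} line lacks mandatory field(s): {missing}")
    return out


# Constructed sample lines (not real vendor output). 1714122000 is 2024-04-26T09:00:00Z.
SAMPLE_LINES = [
    '{"srcip": "203.0.113.7", "dstip": "10.0.0.5", "sig_name": "sql_injection", '
    '"ts": "2024-04-26T09:00:00+00:00", "level": "high", "sensor": "edge-1"}',
    'time=1714122000 attacker=198.51.100.9 victim=10.0.0.6 category="port_scan" sev=2 rule_id=4411',
]


def normalize_all(lines):
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for rec in normalize_all(SAMPLE_LINES):
        print(rec)
```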
Further, the supplementary module 3 is also for:
Acquiring a network asset;
Adding data to the standardized alarm log data according to the network asset to obtain supplementary data;
and checking the supplementary data to obtain the data to be reported.
In the implementation process, the standardized alarm log data is supplemented according to the network asset, so that the obtained supplementary data is more complete, the efficiency of the checking process is improved, and the checking is completed more quickly.
Further, the supplementary module 3 is also for:
carrying out attack field matching on the standardized alarm log data and the network asset to obtain initial supplementary data;
And matching the initial supplementary data with the attack type of the network asset to obtain the supplementary data.
In the implementation process, the standardized alarm log data can be rapidly expanded by matching the attack field and the attack type with the network asset, so that the obtained supplementary data contains more attack fields and attack types.
Further, the supplementary module 3 is also for:
matching the standardized alarm log data with network assets, and judging whether an attacked IP field exists in the standardized alarm log data;
if yes, determining the attacked IP field as a first main key, and acquiring initial supplementary data according to the first main key;
If not, the standardized alarm log data is determined as initial supplementary data.
In the implementation process, the IP field in the standardized alarm log data is matched, so that the attacked IP in the standardized alarm log data can be accurately acquired, and the attack discrimination capability of the data is improved.
Further, the supplementary module 3 is also for:
inquiring each asset data in the network asset according to the first primary key;
If asset data corresponding to the first primary key is found in the network asset, adding the attribute information of that asset data to the standardized alarm log data to obtain the initial supplementary data; the attribute information includes the owning system, the branch office name and the region of the organization to which the asset data corresponding to the first primary key belongs.
In the implementation process, each piece of asset data of the network asset is queried according to the first main key, and the attribute information is supplemented into the standardized alarm log data one by one, so that the standardized alarm log data can be rapidly and accurately expanded, and the generalization capability of the standardized alarm log data is improved.
Further, the supplementary module 3 is also for:
Matching the standardized alarm log data with network assets, and judging whether an attack subdivision sub-class field exists in the standardized alarm log data;
If yes, determining the attack subdivision sub-category field as a second main key, and acquiring supplementary data according to the second main key;
If not, the initial supplementary data is determined as supplementary data.
In the implementation process, the attack subdivision subclass field is matched, so that the attack range in the alarm log data can be standardized accurately, the efficiency of further confirming the attack field is improved, and the error probability is reduced.
Further, the supplementary module 3 is also for:
Inquiring attack type enumeration data in the network asset according to the second main key;
if the attack type enumeration data corresponding to the second main key exists in the network asset, adding the attack type code of the attack type enumeration data corresponding to the second main key to the initial supplementary data to obtain the supplementary data.
In the implementation process, the attack type code of the attack type enumeration data is added, so that a later lookup of the attack type code is avoided, the matching and query precision is improved, and the supplementary data is more complete.
Further, the supplementary module 3 is also for:
judging whether the secondary audit interface is opened for the supplementary data;
when the secondary audit interface is opened, judging whether the supplementary data meets the secondary audit conditions; if so, caching the supplementary data and waiting for the secondary audit; if not, determining the supplementary data as the data to be reported and updating its state to "to be reported"; the secondary audit conditions include the owning system, the attack type/virus type, and whether malicious intelligence was hit;
when the secondary audit interface is not opened, determining the supplementary data as the data to be reported and updating its state to "to be reported".
In the implementation process, the supplementary data is checked and handled differently according to whether the secondary audit interface is opened, and the attack fields in the supplementary data can be further checked, so that omissions are avoided.
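The supplementation and checking steps of the supplementing module 3 (asset lookup by attacked IP as the first primary key, attack type code lookup by attack subdivision subclass as the second primary key, then the secondary audit gate), as one added example covering the steps above. It is code written for this page, not code from the patent or from Beijing ThreatBook Technology Co Ltd; the asset inventory, the attack type enumeration, the audit conditions, the field names and the sample records are constructed assumptions.

```python
# Constructed asset inventory keyed by asset IP, the first primary key. The
# three attributes are the ones the description names; the values are made up.
ASSETS = {
    "10.0.0.5": {"owner_system": "online_banking", "branch": "shanghai_branch", "region": "east_china"},
    "10.0.0.6": {"owner_system": "mail_gateway", "branch": "head_office", "region": "north_china"},
}

# Constructed attack type enumeration keyed by attack subdivision subclass, the
# second primary key, mapping to an attack type code.
ATTACK_TYPES = {
    "sql_injection": "WEB-001",
    "port_scan": "SCAN-002",
}

# Constructed secondary audit conditions: which owning systems, attack type
# codes and virus types go to a human, and whether an intelligence hit does.
AUDIT_RULES = {
    "systems": {"online_banking"},
    "attack_type_codes": {"WEB-001"},
    "virus_types": {"ransomware"},
    "require_intel_hit": True,
}


def enrich(rec, assets=ASSETS, attack_types=ATTACK_TYPES):
    """Data supplementation in the two passes of the description.

    Pass 1 (attack field): if the record has an attacked IP, use it as the key
    into the asset inventory and copy the asset's attributes in.
    Pass 2 (attack type): if the record has an attack subdivision subclass, use
    it as the key into the attack type enumeration and copy the type code in.
    A record without the key field, or whose key has no match, passes through
    unchanged: it is still reportable, just less complete.
    """
    out = dict(rec)
    attacked_ip = out.get("attacked_ip")
    if attacked_ip is not None and attacked_ip in assets:
        out.update(assets[attacked_ip])
    subclass = out.get("attack_subclass")
    if subclass is not None and subclass in attack_types:
        out["attack_type_code"] = attack_types[subclass]
    return out


def needs_secondary_audit(rec, rules=AUDIT_RULES):
    """Secondary audit condition: owning system, attack type/virus type, or a malicious intelligence hit."""
    return (
        rec.get("owner_system") in rules["systems"]
        or rec.get("attack_type_code") in rules["attack_type_codes"]
        or rec.get("virus_type") in rules["virus_types"]
        or (rules["require_intel_hit"] and rec.get("hit_malicious_intel") is True)
    )


def check(rec, audit_interface_open):
    """Checking step: with the audit interface open, matching records are cached
    for a human reviewer; everything else becomes data to be reported."""
    out = dict(rec)
    if audit_interface_open and needs_secondary_audit(out):
        out["status"] = "awaiting_audit"
    else:
        out["status"] = "to_report"
    return out


def supplement(records, audit_interface_open=True):
    return [check(enrich(r), audit_interface_open) for r in records]


def sample_records():
    """Constructed standardized alarm records (not real data)."""
    return [
        {"id": 1, "attacked_ip": "10.0.0.5", "attack_subclass": "sql_injection", "hit_malicious_intel": False},
        {"id": 2, "attacked_ip": "192.0.2.50", "attack_subclass": "port_scan", "hit_malicious_intel": False},
        {"id": 3, "infected_ip": "10.0.0.6", "virus_type": "trojan", "hit_malicious_intel": True},
        {"id": 4, "attacked_ip": "10.0.0.6", "attack_subclass": "unknown_probe", "hit_malicious_intel": False},
    ]


if __name__ == "__main__":
    for rec in supplement(sample_records(), audit_interface_open=True):
        print(rec["id"], rec.get("owner_system"), rec.get("attack_type_code"), rec["status"])
```

Record 1 hits both lookups and, because its owning system is on the audit list, waits for a human; record 2 targets an IP that is not in the inventory, so it gets an attack type code but no asset attributes; record 3 has neither key field and is routed to audit purely on the intelligence hit; record 4 gets asset attributes but no code because its subclass is not in the enumeration. With the audit interface closed all four go straight to the to-be-reported state.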
Further, the filtering module 4 is further configured to:
filtering the data to be reported according to the filtering rules to obtain filtered data to be reported, and updating the state of the data that is filtered out to "filtered";
the filtering rules include repeated alarm filtering, attack IP filtering, traffic threshold alarm filtering and non-current-day alarm filtering.
In the implementation process, the data to be reported is filtered according to explicit filtering rules, which reduces the possibility of erroneous filtering and makes the filtered data to be reported more accurate.
Further, the reporting module 5 is further configured to:
reporting the filtered data to be reported according to the first reporting mode, the second reporting mode and the third reporting mode in sequence to obtain a corresponding first reporting result, a corresponding second reporting result and a corresponding third reporting result;
If any one of the first reporting result, the second reporting result and the third reporting result is reporting success, determining that the reporting result is reporting success, and recording reporting modes corresponding to the reporting success in the first reporting result, the second reporting result and the third reporting result;
if the first reporting result, the second reporting result and the third reporting result are all reporting failure, determining that the reporting result is reporting failure.
In the implementation process, reporting is performed according to different reporting modes, so that the reporting mode by which the data was reported successfully is known directly, a basis is provided for subsequent data reporting, and repeated reporting failures are avoided.
Further, the reporting module 5 is further configured to:
Judging whether an interface of the first reporting mode is opened or not;
If yes, reporting the filtered data to be reported according to the first reporting mode to obtain a first reporting result;
if not, judging whether an interface of the second reporting mode is opened;
if the interface of the second reporting mode is opened, reporting the filtered data to be reported according to the second reporting mode to obtain a second reporting result;
if the interface of the second reporting mode is not opened, judging whether the interface of the third reporting mode is opened;
and if the interface of the third reporting mode is started, reporting the filtered data to be reported according to the third reporting mode to obtain a third reporting result.
In the implementation process, the filtered data to be reported are reported in the first reporting mode, the second reporting mode and the third reporting mode in sequence, so that reporting can be realized rapidly, accurately and effectively, and reporting efficiency is improved.
The above-mentioned report device for alarm log may implement the method of the first embodiment. The options in the first embodiment described above also apply to this embodiment, and are not described in detail here.
The rest of the embodiments of the present application may refer to the content of the first embodiment, and in this embodiment, no further description is given.
Embodiment three
The embodiment of the application provides an electronic device, which comprises a memory and a processor, wherein the memory is used for storing a computer program, and the processor runs the computer program to enable the electronic device to execute the reporting method of the alarm log in the first embodiment.
Alternatively, the electronic device may be a server.
Referring to fig. 3, fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the application. The electronic device may include a processor 31, a communication interface 32, a memory 33, and at least one communication bus 34. Wherein the communication bus 34 is used to enable direct connection communication of these components. The communication interface 32 of the device in the embodiment of the present application is used for performing signaling or data communication with other node devices. The processor 31 may be an integrated circuit chip with signal processing capabilities.
The processor 31 may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor, or the processor 31 may be any conventional processor or the like.
The memory 33 may be, but is not limited to, random access memory (Random Access Memory, RAM), read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable Read-Only Memory, PROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory, EPROM), electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory, EEPROM), etc. The memory 33 stores computer-readable instructions which, when executed by the processor 31, enable the apparatus to perform the steps described above in relation to the method embodiment of fig. 1.
Optionally, the electronic device may further include a storage controller and an input/output unit. The memory 33, the storage controller, the processor 31, the peripheral interface and the input/output unit are electrically connected to each other directly or indirectly to realize data transmission or interaction; for example, these components may be electrically connected to each other through one or more communication buses 34. The processor 31 is configured to execute executable modules stored in the memory 33, such as the software functional modules or computer programs comprised by the device.
The input/output unit is used for providing the user with task creation and for setting a selectable start period or a preset execution time for the task, so as to realize interaction between the user and the server. The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
It will be appreciated that the configuration shown in fig. 3 is merely illustrative, and that the electronic device may also include more or fewer components than shown in fig. 3, or have a different configuration than shown in fig. 3. The components shown in fig. 3 may be implemented in hardware, software, or a combination thereof.
In addition, the embodiment of the application also provides a computer readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the method for reporting the alarm log in the first embodiment is realized.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method described in the method embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flowcharts and block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based devices which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk, etc.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The above description is merely illustrative of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about variations or substitutions within the scope of the present application, and the application is intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be defined by the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (15)

1. A method for reporting an alarm log, characterized by comprising the following steps:
Acquiring an alarm log of a user;
carrying out standardized processing on the alarm log to obtain standardized alarm log data;
performing data supplementation on the standardized alarm log data to obtain data to be reported;
Filtering the data to be reported to obtain filtered data to be reported;
And reporting the filtered data to be reported to obtain a reporting result.
2. The method for reporting an alarm log according to claim 1, wherein the step of performing normalization processing on the alarm log to obtain normalized alarm log data includes:
analyzing the alarm log to obtain an analyzed alarm log;
and performing field mapping on the parsed alarm log according to a field rule to obtain the standardized alarm log data.
3. The method for reporting an alarm log according to claim 1, wherein the step of performing data supplementation on the standardized alarm log data to obtain data to be reported comprises:
Acquiring a network asset;
performing data supplementation on the standardized alarm log data according to the network asset to obtain supplementary data;
and checking the supplementary data to obtain the data to be reported.
4. The method for reporting an alarm log according to claim 3, wherein the step of supplementing the standardized alarm log data according to the network asset to obtain the supplemental data comprises:
Matching the standardized alarm log data with the attack field of the network asset to obtain initial supplementary data;
and matching the initial supplementary data with the attack type of the network asset to obtain the supplementary data.
5. The method for reporting an alarm log according to claim 4, wherein the step of matching the standardized alarm log data with the network asset in an attack field to obtain initial supplementary data comprises:
Matching the standardized alarm log data with the network asset, and judging whether an attacked IP field exists in the standardized alarm log data;
If yes, determining the attacked IP field as a first main key, and acquiring the initial supplementary data according to the first main key;
And if not, determining the standardized alarm log data as the initial supplementary data.
6. The method of reporting an alarm log according to claim 5, wherein the step of obtaining the initial supplemental data according to the first primary key comprises:
querying each asset data in the network asset according to the first primary key;
If asset data corresponding to the first primary key is found in the network asset, adding attribute information of the asset data corresponding to the first primary key to the standardized alarm log data to obtain the initial supplementary data; the attribute information comprises the owning system, the branch office name and the region of the organization to which the asset data corresponding to the first primary key belongs.
7. The method for reporting an alarm log according to claim 4, wherein the step of matching the initial supplemental data with the attack type of the network asset to obtain the supplemental data comprises:
matching the standardized alarm log data with the network asset, and judging whether an attack subdivision sub-class field exists in the standardized alarm log data;
if yes, determining the attack subdivision sub-class field as a second main key, and acquiring the supplementary data according to the second main key;
if not, the initial supplementary data is determined to be the supplementary data.
8. The method for reporting an alarm log according to claim 7, wherein the step of obtaining the supplementary data according to the second primary key comprises:
inquiring attack type enumeration data in the network asset according to the second primary key;
and if the network asset is queried that the attack type enumeration data corresponding to the second main key exists, adding an attack type code of the attack type enumeration data corresponding to the second main key into the initial supplementary data to obtain the supplementary data.
9. The method for reporting an alarm log according to claim 3, wherein the step of checking the supplemental data to obtain the data to be reported comprises:
judging whether a secondary auditing interface is opened or not according to the supplementary data;
when the secondary audit interface is opened, judging whether the supplementary data meets the secondary audit conditions; if so, caching the supplementary data and waiting for the secondary audit; if not, determining the supplementary data as the data to be reported and updating the state of the data to be reported to "to be reported"; the secondary audit conditions comprise the owning system, the attack type/virus type, and whether malicious intelligence is hit;
And under the condition that the secondary auditing interface is not opened, determining the supplementary data as the data to be reported, and updating the state of the data to be reported as the data to be reported.
10. The method for reporting an alarm log according to claim 1, wherein the step of filtering the data to be reported to obtain filtered data to be reported comprises:
filtering the data to be reported according to filtering rules to obtain filtered data to be reported, and updating the state of the data that is filtered out to "filtered";
the filtering rules comprise repeated alarm filtering, attack IP filtering, traffic threshold alarm filtering and non-current-day alarm filtering.
11. The method for reporting an alarm log according to claim 1, wherein the step of reporting the filtered data to be reported to obtain a reporting result includes:
reporting the filtered data to be reported according to the first reporting mode, the second reporting mode and the third reporting mode in sequence to obtain a corresponding first reporting result, a corresponding second reporting result and a corresponding third reporting result;
If any one of the first reporting result, the second reporting result and the third reporting result is reporting success, determining that the reporting result is reporting success, and recording reporting modes corresponding to the reporting success in the first reporting result, the second reporting result and the third reporting result;
and if the first reporting result, the second reporting result and the third reporting result are all reporting failure, determining that the reporting result is reporting failure.
12. The method for reporting the alarm log according to claim 11, wherein the step of reporting the filtered data to be reported according to the first reporting mode, the second reporting mode and the third reporting mode in sequence to obtain a corresponding first reporting result, a second reporting result and a third reporting result includes:
judging whether an interface of the first reporting mode is opened or not;
if yes, reporting the filtered data to be reported according to the first reporting mode to obtain a first reporting result;
if not, judging whether an interface of the second reporting mode is opened;
if the interface of the second reporting mode is opened, reporting the filtered data to be reported according to the second reporting mode to obtain a second reporting result;
If the interface of the second reporting mode is not opened, judging whether the interface of the third reporting mode is opened or not;
and if the interface of the third reporting mode is started, reporting the filtered data to be reported according to the third reporting mode to obtain the third reporting result.
13. An apparatus for reporting an alarm log, the apparatus comprising:
an acquisition module, used for acquiring an alarm log of a user;
a standardization module, used for carrying out standardized processing on the alarm log to obtain standardized alarm log data;
a supplementing module, used for carrying out data supplementation on the standardized alarm log data to obtain data to be reported;
a filtering module, used for filtering the data to be reported to obtain filtered data to be reported;
and a reporting module, used for reporting the filtered data to be reported to obtain a reporting result.
14. An electronic device comprising a memory for storing a computer program and a processor that runs the computer program to cause the electronic device to perform the method of reporting an alarm log according to any one of claims 1 to 12.
15. A storage medium storing a computer program which, when executed by a processor, implements the method of reporting an alarm log according to any one of claims 1 to 12.
CN202311687137.4A 2023-12-08 2023-12-08 Alarm log reporting method and device, electronic equipment and storage medium Pending CN117938428A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311687137.4A CN117938428A (en) 2023-12-08 2023-12-08 Alarm log reporting method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311687137.4A CN117938428A (en) 2023-12-08 2023-12-08 Alarm log reporting method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117938428A true CN117938428A (en) 2024-04-26

Family

ID=90765516

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311687137.4A Pending CN117938428A (en) 2023-12-08 2023-12-08 Alarm log reporting method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117938428A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination