CN117955721A - Security event self-adaptive circulation method and system based on AI algorithm - Google Patents


Info

Publication number
CN117955721A
Authority
CN
China
Prior art keywords
security event
treatment subject
treatment
algorithm
factors
Legal status (Google's assumption, not a legal conclusion)
Pending
Application number
CN202410162976.2A
Other languages
Chinese (zh)
Inventor
任强
马晓红
宁伟
张建成
王明玺
王维
李鹏宇
朱瑞新
胡欣悦
朱洪江
李哲
纪鲁鹏
陈壮壮
吴晓臣
Current Assignee (listing not legally verified by Google)
Shandong Center Information Technology Ltd By Share Ltd
Original Assignee
Shandong Center Information Technology Ltd By Share Ltd

Abstract

The invention relates to the field of network security and provides a security event self-adaptive circulation (routing) method and system based on an AI algorithm. The method comprises: acquiring a security event and extracting its relevant influence factors; acquiring the treatment subjects (the people and tool-type devices) currently online and extracting their relevant influence factors; and, based on the influence factors of the security event, the currently online treatment subjects and their influence factors, obtaining one or more treatment subjects from an AI selector, using them as the dispatch targets of the security event, having them complete the corresponding work, and outputting their results.

Description

Security event self-adaptive circulation method and system based on AI algorithm
Technical Field
The invention relates to the field of network security, in particular to a security event self-adaptive circulation method and system based on an AI algorithm.
Background
The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
In the field of network security, the response flow for security events is generally set up in industry as flow processing according to a given disposal strategy, in one of three main forms: a unified flow, a policy-library flow, or a custom-script flow in a SOAR product. The industry largely ignores the following problems:
If the security policy is set too sensitively, the volume of events routed to manual treatment becomes large; an untimely response then misses the best window for treatment, and the intrusion succeeds and causes damage.
If the security policy is set too insensitively, events are either ignored outright or sent to blocking devices for automatic blocking. Blocking a false-alarm event degrades users' internet access or interrupts services; judging a real attack to be a false alarm and ignoring it lets the intrusion cause serious consequences without anyone noticing.
Formulating and configuring security policies for a user's own site, for example by writing scripts, is too specialised and complex for most users to handle.
Disclosure of Invention
In order to solve the technical problems in the background art, the invention provides a security event self-adaptive circulation method and a security event self-adaptive circulation system based on an AI algorithm.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
the first aspect of the invention provides a security event self-adaptive circulation method based on an AI algorithm.
A security event self-adaptive circulation method based on an AI algorithm comprises the following steps:
Acquiring a security event and extracting relevant influence factors of the security event;
Acquiring a current online treatment subject, and extracting relevant influence factors of the treatment subject;
Based on the relevant influence factors of the security event, the currently online treatment subjects and their relevant influence factors, one or more treatment subjects are obtained by an AI selector and used as the dispatch targets of the security event; the selected treatment subjects complete the corresponding work, and their results are output.
Further, the relevant influence factors of the security event include, but are not limited to: product object type, deployed network location, defended subject, historical false-alarm rate, accuracy, time of occurrence, threat level and yield magnitude; the defended subject includes servers, terminals and network devices, and the time of occurrence distinguishes working time from non-working time and daytime from night.
Further, the treatment subjects include people and tool-type devices.
Further, when the treatment subject is a person, its relevant influence factors include, but are not limited to: boundary factors, traffic factors, terminal factors and business-system factors.
Further, when the treatment subject is a tool-type device, its relevant influence factors include, but are not limited to: boundary-type devices, traffic-type devices and host-type devices.
Further, after the result of the treatment subject is obtained, it is evaluated to obtain an evaluation result; the evaluation items include, but are not limited to: whether the threat event (password guessing, vulnerability scanning, continuous probing, SQL injection) still occurs; whether a vulnerability-scan retest shows the vulnerability has been repaired; the time at which the treatment work was accepted; the treatment time; the number of retests; and the accuracy of the treatment result.
Further, after the evaluation result is obtained, the method further comprises:
Converting the evaluation result into evaluation factors;
Comparing the evaluation factors with the treatment subject's current factors (differential comparison) to obtain updated influence factors for the treatment subject;
Training the AI selector on the updated influence factors of the treatment subject and updating its parameters, so as to obtain the optimal AI selector.
A second aspect of the invention provides a security event self-adaptive circulation system based on an AI algorithm.
An AI-algorithm-based security event self-adaptive circulation system, comprising:
A first acquisition module configured to: acquiring a security event and extracting relevant influence factors of the security event;
A second acquisition module configured to: acquiring a current online treatment subject, and extracting relevant influence factors of the treatment subject;
A flow selection module configured to: based on the relevant influence factors of the security event, the currently online treatment subjects and their relevant influence factors, obtain one or more treatment subjects by an AI selector and use them as the dispatch targets of the security event; the selected treatment subjects complete the corresponding work, and their results are output.
A third aspect of the present invention provides a computer-readable storage medium.
A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the AI-algorithm-based security event self-adaptive circulation method of the first aspect described above.
A fourth aspect of the invention provides a computer device.
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps in the AI algorithm-based security event adaptive circulation method of the first aspect described above when the program is executed.
Compared with the prior art, the invention has the beneficial effects that:
Unlike event classification and event management technologies, the dynamic self-adaptive response technology adopted here emphasises the quality and efficiency of the security event in the response flow; AI is trained on site so that the flow adapts to the capabilities of the personnel, tools and security facilities at the site, and the optimal event response flow is obtained.
Depending on site conditions, the dynamic flow computation lets high-priority events be handled most quickly.
Optimising the flow on the basis of the personnel capability/quality performance obtained from AI feedback improves the overall cost-effectiveness of on-site personnel.
An AI algorithm with continuous feedback and training can cope with frequent changes in site conditions and, in particular, can rapidly compute the optimal flow for event treatment.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention.
Fig. 1 is a schematic diagram of the security event self-adaptive circulation method based on an AI algorithm according to the invention;
Fig. 2 is a flow chart of the production/use phase of the invention using the AI selector;
Fig. 3 is a flow chart of the feedback-training phase of the invention using the AI selector.
Detailed Description
The invention will be further described with reference to the drawings and examples.
It should be noted that the following detailed description is illustrative and is intended to provide further explanation of the invention. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of exemplary embodiments according to the present invention. As used herein, the singular is also intended to include the plural unless the context clearly indicates otherwise, and furthermore, it is to be understood that the terms "comprises" and/or "comprising" when used in this specification are taken to specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof.
It is noted that the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of methods and systems according to various embodiments of the present disclosure. It should be noted that each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the logical functions specified in the various embodiments. It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by special purpose hardware-based systems which perform the specified functions or operations, or combinations of special purpose hardware and computer instructions.
Example 1
As shown in Fig. 1, this embodiment provides a security event self-adaptive circulation method based on an AI algorithm. The embodiment is illustrated by applying the method to a server; it will be understood that the method may also be applied to a terminal, or to a system of terminal and server implemented through interaction between the two. The server may be an independent physical server, a server cluster or distributed system formed by several physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN, big data and artificial intelligence platforms and other basic cloud computing services. The terminal may be, but is not limited to, a smartphone, tablet computer, notebook computer, desktop computer, smart speaker, smart watch, etc. The terminal and the server may be connected directly or indirectly through wired or wireless communication; the application is not limited in this respect. In this embodiment, the method includes the steps of:
Acquiring a security event and extracting relevant influence factors of the security event;
Acquiring a current online treatment subject, and extracting relevant influence factors of the treatment subject;
Based on the relevant influence factors of the security event, the currently online treatment subjects and their relevant influence factors, one or more treatment subjects are obtained by an AI selector and used as the dispatch targets of the security event; the selected treatment subjects complete the corresponding work, and their results are output.
Emergency handling of security events in the field of network security is generally divided into three phases: discovery and confirmation of the security event, circulation of the security event, and treatment/threat elimination of the security event.
Security event discovery technology is the foundation of a network security defence system, and its capability determines the baseline security level of an IT organisation. The events generally include: attack threats, vulnerability risks, intelligence trends (which resemble normal behaviour and often produce false alarms, so such alerts are suspected potential risks), operating faults of the security equipment itself, business system alarms, and so on. Among these events there are false positives, missed detections and misjudgements; there are alerts that should be blocked and alerts that should be released; and there are vulnerabilities that can only be repaired manually. The first phase, although the most important and fundamental safeguard in a security system, cannot carry the whole security defence on its own.
The circulation of security events reflects the timeliness of the security response flow: the faster and more accurate the response, the smaller the damage from a network attack. Tens of thousands of events may be normalised each day, so handling every flow through manual steps is unrealistic; pre-filtering, aggregation, correlation and similar preprocessing are required, and the resulting security events still need a scientific flow mechanism to route them to people and equipment for treatment.
Security event treatment can be carried out according to an established system and technique: threat tracing or vulnerability repair is performed, and finally the affected scope of the event is evaluated. This step can be automatic blocking by security equipment, manual work, or a combination of security equipment and source-IP handling. The third phase can follow an established procedure as long as the type of event is clear; its biggest problems are that the event volume does not converge and there are too many false positives.
The invention is positioned at the second phase. To solve the problems in the existing security event response flow, the following process is designed:
This embodiment includes four parts: the influence factors of the security event source, the influence factors of the treatment subject, the influence factors of the treatment subject's results, and the training and prediction of the flow AI selector's algorithm model.
(1) Security event source: covers the different types of security-related events. Their relevant influence factors include, but are not limited to, product object type, deployed network location, defended subject (server, terminal, network device, ...), historical false-alarm rate, accuracy, time of occurrence (working time, non-working time, daytime/night), threat level, yield magnitude, etc.
Let the security event object be $E$ and its influence factors be $w_1, w_2, w_3, \dots, w_n$; the influence factors of $E$ are then written $E(w_1), E(w_2), E(w_3), \dots, E(w_n)$.
(2) Treatment subject: subjects are classified as people and tool-type devices. The influence factors of a person include, but are not limited to, boundary analysis and handling capability, traffic analysis and handling capability, terminal analysis and handling capability, and business-system analysis and handling capability; the influence factors of a tool-type device include, but are not limited to, the device type (boundary type, traffic type, host type).
Boundary analysis and handling capability covers, for example, firewalls, web application firewalls (WAF), IPS, internet behaviour management, etc.
Traffic analysis and handling capability covers, for example, IDS, IPS, switches and traffic admission devices.
Terminal analysis and handling capability covers, for example, antivirus software, host firewalls, host EDR, HIDS, etc.
Business-system analysis and handling capability covers log audit, SOC, SIEM, database audit/database firewall, etc.
Let the treatment subject be $O$ and its handling capability influence factors be $s_1, s_2, s_3, \dots, s_n$; the relevant influence factors of $O$ are written $O(s_1), O(s_2), O(s_3), \dots, O(s_n)$.
(3) Results of the treatment subject: the elements of the treatment result need to be evaluated. Evaluation methods include, but are not limited to, whether the threat event (password guessing, vulnerability scanning, continuous probing, SQL injection) still occurs, whether a vulnerability-scan retest shows the vulnerability has been repaired, the time at which the treatment work was accepted, the treatment time, the number of retests, the accuracy of the treatment result, etc. The evaluation of the treatment result is fed into the AI model for feedback training so that it adapts to changes at the site.
Taking the object of the treatment result to be the same $O$ as in (2), let the influence factors concerning the treatment result be $r_1, r_2, r_3, \dots, r_n$; the evaluation-related influence factors of $O$ are written $O(r_1), O(r_2), O(r_3), \dots, O(r_n)$.
(4) Training and prediction of the flow AI selector's algorithm model: multiple AI algorithms are supported (CNN, GAN, etc.). The system can ship with a factory-preset network, and during use the AI algorithm is continuously corrected through feedback training so as to keep the ratio of human effort invested to risk released in balance.
As shown in Fig. 1, engineers O1, O2, ..., On and blocking devices 01, 02, 03 all serve as treatment subjects; their relevant influence factors are used as the output-layer parameters of the flow AI selector, and the output of the AI selector is which devices and people are assigned to the event as its treatment subjects.
Supporting multiple treatment subjects in the output means that several blocking devices may be required to handle a certain type of event cooperatively, and likewise several people may be required to handle it cooperatively, depending on the state of the site.
The overall operation of this embodiment is divided into two phases: a production/use phase and a feedback-training phase.
Production/use phase: the initialised or trained AI selector is set to use (prediction) mode, and its output is passed, as the effective flow of the system, to the relevant treatment subjects for treatment.
As shown in Fig. 2, the production/use phase comprises the following steps:
S1: Obtain the influence factors of the event source globally, including but not limited to product object type, deployed network location, defended subject (server, terminal, network device, ...), historical false-alarm rate, accuracy, time of occurrence (working time, non-working time, daytime/night), threat level, yield magnitude, etc., and perform data preprocessing and formatting.
S2: Obtain the influence factors of the treatment subjects globally, including but not limited to boundary analysis and handling capability, traffic analysis and handling capability, terminal analysis and handling capability, and business-system analysis and handling capability; the influence factors of a tool-type device include, but are not limited to, the device type (boundary type, traffic type, host type).
S3: Feed the factors produced in S1 and S2 into the flow AI selector, which at this point is a trained selector model. The output contains at least one treatment subject. When the treatment subject is a person, the relevant engineer receives the event details and treats it manually; when the treatment subject is a tool or security device, the tool performs automated blocking or further circulation. An event may be delivered to several treatment subjects in parallel.
S4: When a treatment subject receives the treatment content, its state is updated to "working" in real time, and back to "idle" once the treatment is complete. When the treatment result is wrong or unsatisfactory, the corresponding influence factors are updated, and the next event is computed again from S2.
Feedback-training phase: a secondary evaluation is carried out on the event treatment result, and the result is fed into the flow AI selector as feedback parameters for feedback training.
As shown in Fig. 3, the feedback-training process comprises the following steps:
S5: The event evaluation module turns the content of the treatment result into evaluation factors $O(r_1), O(r_2), O(r_3), \dots, O(r_n)$.
S6: A differential comparison against the treatment subject then forms new influence factors for the subject (the event evaluation module produces a new outcome evaluation for the treatment result of the relevant subject, and this evaluation is used for the secondary feedback training): $O(s_1), O(s_2), O(s_3), \dots, O(s_n)$.
S7: The flow AI selector is set to training mode, the treatment subject's updated parameters $O(s_1), O(s_2), O(s_3), \dots, O(s_n)$ are fed into the AI selector, and its internal parameters are updated.
S8: The AI selector can run the feedback computation several times, on different neural network algorithms, to reach an optimal model; the flow AI selector is then switched back to production (prediction) mode.
Example 2
This embodiment provides a security event self-adaptive circulation system based on an AI algorithm.
An AI-algorithm-based security event self-adaptive circulation system, comprising:
A first acquisition module configured to: acquiring a security event and extracting relevant influence factors of the security event;
A second acquisition module configured to: acquiring a current online treatment subject, and extracting relevant influence factors of the treatment subject;
A flow selection module configured to: based on the relevant influence factors of the security event, the currently online treatment subjects and their relevant influence factors, obtain one or more treatment subjects by an AI selector and use them as the dispatch targets of the security event; the selected treatment subjects complete the corresponding work, and their results are output.
It should be noted that the first acquisition module, the second acquisition module and the flow selection module correspond to the same examples and application scenarios as the steps of Example 1, but are not limited to what Example 1 discloses. The modules described above may be implemented as part of a system in a computer system, for example as a set of computer-executable instructions.
Example 3
This embodiment provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the AI-algorithm-based security event self-adaptive circulation method described in the embodiment above.
Example 4
This embodiment provides a computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor; when executing the program, the processor implements the steps of the AI-algorithm-based security event self-adaptive circulation method described in the embodiment above.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, magnetic disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Those skilled in the art will appreciate that all or part of the methods of the above embodiments may be implemented by a computer program stored on a computer-readable storage medium which, when executed, may carry out the steps of the method embodiments described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. The security event self-adaptive circulation method based on the AI algorithm is characterized by comprising the following steps:
Acquiring a security event and extracting relevant influence factors of the security event;
Acquiring a current online treatment subject, and extracting relevant influence factors of the treatment subject;
Based on the relevant influence factors of the security event, the current online treatment subject and the relevant influence factors of the treatment subject, one or more treatment objects are obtained by adopting an AI selector, the treatment subject is used as a throwing target of the security event, the corresponding work is completed by the treatment subject, and the result of the treatment subject is output.
2. The AI algorithm-based security event adaptive streaming method of claim 1, wherein the security event-related impact factors include, but are not limited to: product object type, deployed network location, defended subject, historical false alarm rate, accuracy, time of occurrence, threat level, and yield magnitude; wherein the defended body comprises a server, a terminal and a network device, and the occurrence time comprises working time, non-working time and white day/night.
3. The AI algorithm-based security event adaptive streaming method of claim 1, wherein the treatment subject comprises a human and a tool-type device.
4. The AI algorithm-based security event adaptive streaming method of claim 3, wherein when the treatment subject is a person, the relevant impact factors of the treatment subject include, but are not limited to: boundary factors, traffic factors, terminal factors, and business system factors.
5. The AI algorithm-based security event adaptive streaming method of claim 3, wherein when the treatment subject is a tool-type device, the relevant impact factors of the treatment subject include, but are not limited to: boundary type devices, traffic type devices, and host type devices.
6. The AI-algorithm-based security event adaptive circulation method of claim 1, wherein after obtaining the result of the treatment subject, the result of the treatment subject is evaluated, and the evaluation result is obtained, and the evaluation method includes, but is not limited to: whether a threat event occurs, password guessing, vulnerability scanning, continuous detection, sql injection, vulnerability scanning retesting whether the threat event has been repaired, treatment work receiving time, treatment time, retesting times, and accuracy of treatment results.
7. The AI algorithm-based security event adaptive circulation method of claim 6, further comprising, after the evaluation result is obtained:
converting the evaluation result into an evaluation factor;
performing a differential comparison between the evaluation factor and the treatment subject to obtain the influence factors of the treatment subject;
training the AI selector based on the influence factors of the treatment subject and updating the parameters of the AI selector, so that the optimal AI selector is obtained.
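The dispatch-and-feedback loop of claims 1 to 7 in runnable form, as an added Python example that is not the patent's own code: the factor names, the weighted score standing in for the AI selector, the evaluation weighting and the update rule are all assumptions made here.

```python
"""Added illustration of the claimed dispatch loop, not the patent's own code; the
factor names, weighted score, evaluation weighting and update rule are assumptions."""
from dataclasses import dataclass, field

@dataclass
class SecurityEvent:              # claim 2 factors (a subset)
    network_location: str         # "boundary" / "internal"
    defended_subject: str         # "server" / "terminal" / "network_device"
    hist_false_alarm_rate: float  # 0..1 for this event's product/rule
    threat_level: int             # 1 (low) .. 5 (critical)
    hour: int                     # hour of occurrence, 0-23

@dataclass
class Handler:                    # claim 3: a person or a tool-type device
    name: str
    kind: str                     # "human" / "tool"
    skills: dict = field(default_factory=dict)  # factor -> competence 0..1
    online: bool = True

def event_factors(ev):
    """Raw event -> factor vector the selector scores (work hours: 09-18)."""
    off_hours = not (9 <= ev.hour < 18)
    return {ev.defended_subject: 1.0, ev.network_location: 1.0,
            "off_hours": 1.0 if off_hours else 0.0,
            "severity": ev.threat_level / 5,
            "credibility": 1.0 - ev.hist_false_alarm_rate}

def evaluate(result):
    """Claim 6 metrics folded into one evaluation factor in [0, 1]."""
    return (result["accuracy"]
            + (1 - min(result["accept_minutes"] / 60, 1))
            + (1 - min(result["treat_minutes"] / 240, 1))
            + (1 - min(result["retests"] / 3, 1))) / 4

class AISelector:
    """Per-handler, per-factor weights, neutral (1.0) until feedback arrives."""
    def __init__(self, lr=0.1):
        self.weights, self.lr = {}, lr
    def score(self, ev, h):
        return sum(v * h.skills.get(k, 0.0) * self.weights.get((h.name, k), 1.0)
                   for k, v in event_factors(ev).items())
    def select(self, ev, handlers, k=1):
        """Claim 1: rank the currently online handlers, return the top-k targets."""
        online = [h for h in handlers if h.online]
        online.sort(key=lambda h: self.score(ev, h), reverse=True)
        return [h.name for h in online[:k]]
    def feedback(self, ev, h, evaluation):
        """Claim 7: differential comparison against a neutral 0.5, applied to
        this handler's weights on the factors of the event it just worked."""
        for k, v in event_factors(ev).items():
            key = (h.name, k)
            self.weights[key] = self.weights.get(key, 1.0) + self.lr * (evaluation - 0.5) * v
```

A poor evaluation of one handler's result lowers that handler's weights only on the factors of the event it worked, so the next similar event is routed elsewhere while unrelated events are unaffected.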
8. A security event adaptive circulation system based on an AI algorithm, comprising:
a first acquisition module configured to: acquire a security event and extract the relevant influence factors of the security event;
a second acquisition module configured to: acquire the current online treatment subjects and extract the relevant influence factors of the treatment subjects;
a circulation selection module configured to: based on the relevant influence factors of the security event, the current online treatment subjects and the relevant influence factors of the treatment subjects, select one or more treatment subjects by an AI selector as the dispatch targets of the security event, have the selected treatment subject complete the corresponding work, and output the result of the treatment subject.
9. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the AI algorithm-based security event adaptive circulation method of any one of claims 1 to 7.
10. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the AI algorithm-based security event adaptive circulation method of any one of claims 1 to 7 when executing the program.
Priority Applications (1)

Application Number: CN202410162976.2A
Priority Date: 2024-02-05
Filing Date: 2024-02-05
Title: Security event self-adaptive circulation method and system based on AI algorithm
Status: Pending

Publications (1)

Publication Number: CN117955721A (en)
Publication Date: 2024-04-30

Family

ID: 90796046

Country Status (1)

CN: CN117955721A (en)


Legal Events

Code  Title
PB01  Publication
SE01  Entry into force of request for substantive examination