CN117978541A - Enterprise information security monitoring alarm system and method - Google Patents


Info

Publication number
CN117978541A
Authority
CN
China
Prior art keywords
alarm
information
monitoring
level
abnormal
Legal status
Pending
Application number
CN202410361520.9A
Other languages
Chinese (zh)
Inventor
魏水平
任伟
陈祖辉
Current Assignee
Fuzhou Andu Shenzhou Technology Co ltd
Original Assignee
Fuzhou Andu Shenzhou Technology Co ltd

Abstract

The invention belongs to the technical field of enterprise information security management, and particularly relates to an enterprise information security monitoring alarm system and method. The invention collects and analyzes traffic monitoring data in the enterprise network and applies classification and feature extraction to respond to alarm signals hierarchically; it allocates feedback periods according to the characteristics of each monitoring level and forms alarm statistics reports from the feedback on alarm signals within those periods, so that enterprise information security is monitored and alarmed comprehensively and in a timely manner. By jointly analyzing the trend fluctuation frequency and fluctuation value within the alarm feedback period, it re-evaluates the monitoring level of each alarm signal, synchronously adjusts the security risk level of the enterprise information, and improves the accuracy and practicality of the monitoring alarm system.

Description

Enterprise information security monitoring alarm system and method
Technical Field
The invention belongs to the technical field of enterprise information security management, and particularly relates to an enterprise information security monitoring alarm system and method.
Background
With the rapid development of information technology, enterprises are increasingly dependent on information systems, which have become a core tool for enterprise management, data processing and decision support. At the same time, information security threats such as network attacks, data leakage and malware are increasing. These threats may not only cause the loss or leakage of important enterprise data but also significantly affect enterprise operations, even causing economic loss and damage to brand reputation. Real-time monitoring of enterprise information, with timely alarms when the enterprise network is intruded upon, is therefore necessary.
Existing security monitoring measures fall short in automated processing. For example, when a security event concerns conventional or low-confidentiality enterprise information, the existing system may emit alarm information that is too general for management staff to respond to quickly and effectively; the cause and level of the alarm must then be investigated and resolved further, often with manual intervention, so efficiency is low and response delay may aggravate the loss. In addition, once an alarm has been issued, the corresponding security log serves only as a reference for management staff, and the validity of the alarm signal's level cannot be evaluated.
Disclosure of Invention
The invention aims to provide an enterprise information security monitoring alarm system and method which can distinguish the levels of alarm signals and, according to real-time alarm conditions, dynamically adjust the security risk level of the corresponding enterprise information and the monitoring level of the alarm signals.
The technical scheme adopted by the invention is as follows:
An enterprise information security monitoring and alarming method comprises the following steps:
Acquiring traffic monitoring data in an enterprise network and calibrating it as first characteristic information, wherein the first characteristic information comprises alarm information and conventional information;
Classifying the first characteristic information to obtain a plurality of second characteristic information, wherein each second characteristic information corresponds to one alarm signal;
Extracting features from the second characteristic information to obtain first-level abnormal features and second-level abnormal features, and grading the plurality of alarm signals according to the first-level and second-level abnormal features to obtain a plurality of monitoring levels;
Allocating alarm feedback periods of the corresponding enterprise information according to the monitoring levels, counting the alarm information in each feedback period after the period ends, forming an alarm statistical report, and re-evaluating the monitoring level of each alarm signal according to the alarm statistical report.
In a preferred embodiment, the step of obtaining traffic monitoring data in the enterprise network and calibrating the traffic monitoring data as the first characteristic information includes:
Acquiring a monitoring period, counting the enterprise network data in the monitoring period, and calibrating it as traffic monitoring data;
Acquiring demand characteristics, and extracting alarm information and conventional information from the traffic monitoring data according to the demand characteristics;
Preprocessing the alarm information and the conventional information, and summarizing the preprocessed alarm information and conventional information into first characteristic information;
The preprocessing of the alarm information and the conventional information comprises filling missing values and removing duplicate items and abnormal values.
In a preferred embodiment, the step of classifying the first feature information to obtain a plurality of second feature information includes:
Acquiring classification conditions, wherein the classification conditions comprise the sources and types of the alarm signals;
Classifying the alarm information in the first characteristic information according to the classification conditions to obtain a plurality of classification subsets;
Calibrating the alarm information in the classification subsets as second characteristic information, and feature-coding the second characteristic information to obtain a unique identifier of each alarm signal.
In a preferred embodiment, the step of extracting the features of the second feature information to obtain a first-level abnormal feature and a second-level abnormal feature includes:
Respectively acquiring the second characteristic information in each classification subset;
Acquiring demand characteristics, extracting features from the second characteristic information in each classification subset according to the demand characteristics to obtain a plurality of initial abnormal features, and statistically processing the initial abnormal features to obtain first grading parameters;
Acquiring grading conditions, wherein the grading conditions comprise grading thresholds corresponding one by one to the plurality of first grading parameters;
If a first grading parameter is greater than or equal to its grading threshold, the corresponding initial abnormal feature is calibrated as a first-level abnormal feature;
If a first grading parameter is smaller than its grading threshold, the corresponding initial abnormal feature is calibrated as a second-level abnormal feature.
In a preferred embodiment, the step of grading the plurality of alarm signals according to the first-level abnormal features and the second-level abnormal features to obtain a plurality of monitoring levels includes:
Acquiring the first-level abnormal features and the second-level abnormal features, and assigning weight coefficients to them one by one, wherein the weight coefficients comprise a first-level abnormal feature weight and a second-level abnormal feature weight;
Acquiring a first standard function, inputting the first grading parameters and weight coefficients corresponding to the first-level and second-level abnormal features into the first standard function, and outputting a comprehensive abnormal score of the alarm signal;
Acquiring a grading standard, wherein the grading standard comprises scoring areas corresponding one by one to a plurality of monitoring levels;
Comparing the comprehensive abnormal scores with the scoring areas one by one, and assigning the corresponding monitoring level to each alarm signal.
In a preferred embodiment, the step of allocating the alarm feedback period of the corresponding enterprise information according to the monitoring level includes:
Acquiring the monitoring level of each alarm signal and the corresponding enterprise information;
Acquiring a feedback period allocation table, wherein the table comprises the feedback periods corresponding to the different monitoring levels;
Looking up the feedback period corresponding to the monitoring level in the feedback period allocation table, and calibrating it as the alarm feedback period of the enterprise information.
In a preferred embodiment, after the alarm feedback period of the enterprise information is output, the occurrence intervals of the alarm signals within the alarm feedback period are counted and calibrated as reference parameters;
Sorting the reference parameters by occurrence node, and dividing the alarm feedback period equally to obtain a plurality of reference periods;
Acquiring a second standard function, inputting the reference parameters in each reference period into the second standard function respectively, and calibrating the output results as parameters to be checked;
Counting the trend fluctuation frequency of the parameters to be checked and the fluctuation value under each trend fluctuation frequency, and outputting the security risk level of the corresponding enterprise information according to the trend fluctuation frequency and the fluctuation value;
After the security risk level of the enterprise information is output, converting the security risk level into numerical data and calibrating the numerical data as a reference parameter;
Acquiring the comprehensive abnormal score of the alarm signal within the alarm feedback period, acquiring a third standard function, inputting the comprehensive abnormal score and the reference parameter into the third standard function together to obtain an updated score, and re-grading the enterprise information according to the updated score.
In a preferred embodiment, the step of outputting the security risk level of the corresponding enterprise information according to the trend fluctuation frequency and the fluctuation value includes:
Acquiring the evaluation intervals corresponding to the trend fluctuation frequency and the fluctuation value, wherein the evaluation intervals comprise frequency evaluation intervals and fluctuation value evaluation intervals, a plurality of each being provided, each frequency evaluation interval corresponds to a first evaluation score, and each fluctuation value evaluation interval corresponds to a second evaluation score;
Comparing each trend fluctuation frequency and fluctuation value with the evaluation intervals, and outputting the corresponding first evaluation score and second evaluation score;
Summing the first evaluation score and the second evaluation score, and calibrating the sum as a second grading parameter;
Acquiring a plurality of grading intervals, comparing them one by one with each second grading parameter, and outputting the security risk level of the enterprise information, wherein the second grading parameter is positively correlated with the security risk level.
The invention also provides an enterprise information security monitoring alarm system, applied to the above enterprise information security monitoring alarm method, comprising:
The data acquisition module is used for acquiring traffic monitoring data in the enterprise network and calibrating it as first characteristic information, wherein the first characteristic information comprises alarm information and conventional information;
The data classification module is used for classifying the first characteristic information to obtain a plurality of second characteristic information, wherein each second characteristic information corresponds to one alarm signal;
The feature extraction module is used for extracting features from the second characteristic information to obtain first-level abnormal features and second-level abnormal features, and grading the plurality of alarm signals according to them to obtain a plurality of monitoring levels;
The alarm feedback module is used for allocating alarm feedback periods of the corresponding enterprise information according to the monitoring levels, counting the alarm information in each feedback period after the period ends, forming an alarm statistical report, and re-evaluating the monitoring level of each alarm signal according to the alarm statistical report.
The invention also provides an enterprise information security monitoring alarm terminal, comprising:
At least one processor;
A memory communicatively coupled to the at least one processor;
Wherein the memory stores a computer program executable by the at least one processor, enabling the at least one processor to perform the enterprise information security monitoring alarm method described above.
The invention has the technical effects that:
The invention collects and analyzes traffic monitoring data in the enterprise network and applies classification and feature extraction to respond to alarm signals hierarchically; it allocates feedback periods according to the characteristics of each monitoring level and forms alarm statistics reports from the feedback on alarm signals within those periods, so that enterprise information security is monitored and alarmed comprehensively and in a timely manner. By jointly analyzing the trend fluctuation frequency and fluctuation value within the alarm feedback period, it re-evaluates the monitoring level of each alarm signal, synchronously adjusts the security risk level of the enterprise information, and improves the accuracy and practicality of the monitoring alarm system.
Drawings
FIG. 1 is a flow chart of a method provided by the present invention;
FIG. 2 is a block diagram of a system provided by the present invention;
FIG. 3 is a structural diagram of a terminal according to the present invention.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present invention is not limited to the specific embodiments disclosed below.
Further, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic can be included in at least one implementation of the invention. The appearances of the phrase "in one preferred embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
Further, in describing the embodiments of the present invention in detail, the cross-sectional view of the device structure is not partially enlarged to a general scale for convenience of description, and the schematic is only an example, which should not limit the scope of protection of the present invention. In addition, the three-dimensional dimensions of length, width and depth should be included in actual fabrication.
Referring to FIG. 1, the invention provides an enterprise information security monitoring and alarming method, which comprises the following steps:
S1, acquiring traffic monitoring data in an enterprise network and calibrating it as first characteristic information, wherein the first characteristic information comprises alarm information and conventional information;
S2, classifying the first characteristic information to obtain a plurality of second characteristic information, wherein each second characteristic information corresponds to one alarm signal;
S3, extracting features from the second characteristic information to obtain first-level abnormal features and second-level abnormal features, and grading the plurality of alarm signals according to the first-level and second-level abnormal features to obtain a plurality of monitoring levels;
S4, allocating alarm feedback periods of the corresponding enterprise information according to the monitoring levels, counting the alarm information in each feedback period after the period ends, forming an alarm statistical report, and re-evaluating the monitoring level of each alarm signal according to the alarm statistical report.
In order to cope effectively with potential information security threats, as described in steps S1 to S4 above, the present embodiment provides an efficient enterprise information security monitoring and alarming method. First, traffic monitoring data in the enterprise network is acquired and calibrated as first characteristic information, which comprises alarm information and conventional information: alarm information is data that may indicate a potential security threat, while conventional information is data generated during the normal operation of the network. The first characteristic information is then classified into a plurality of second characteristic information, each corresponding to an alarm signal; these signals are the key to identifying potential security threats. By further analyzing the second characteristic information, the method extracts first-level and second-level abnormal features, which give the enterprise a basis for measuring the severity of alarm signals. On this basis the method grades the alarm signals according to the first-level and second-level abnormal features to obtain a plurality of monitoring levels, which improves the accuracy of alarming. Each monitoring level corresponds to a different alarm feedback period, so the enterprise can flexibly adjust the frequency of alarm feedback according to the severity of the security threat. After each feedback period ends, the alarm information in that period is counted and an alarm statistics report is formed; the report records in detail the occurrence count, occurrence time and corresponding monitoring level of each alarm signal and provides an important basis for decisions by enterprise management. According to the alarm statistics report, the enterprise can re-evaluate the monitoring level of each alarm signal, so as to better cope with potential security threats and provide a firmer guarantee for the enterprise's information security.
In a preferred embodiment, the step of acquiring traffic monitoring data in the enterprise network and calibrating the traffic monitoring data as the first characteristic information includes:
S101, acquiring a monitoring period, counting the enterprise network data in the monitoring period, and calibrating it as traffic monitoring data;
S102, acquiring demand characteristics, and extracting alarm information and conventional information from the traffic monitoring data according to the demand characteristics;
S103, preprocessing the alarm information and the conventional information, and summarizing the preprocessed alarm information and conventional information into first characteristic information;
The preprocessing of the alarm information and the conventional information comprises filling missing values and removing duplicate items and abnormal values.
As described in steps S101 to S103 above, before the first characteristic information is calibrated, a monitoring period must first be determined. This generally depends on the business requirements and network usage habits of the enterprise; for example, if the enterprise's network is used most heavily during peak hours on working days, that period may be set as the monitoring period. Once the monitoring period is determined, the enterprise network data within it is collected and used as traffic monitoring data. Clear demand characteristics are then required; these may derive from the enterprise's business requirements, network security requirements or other aspects, and according to them alarm information and conventional information are extracted from the traffic monitoring data. After extraction, preprocessing is required to improve data quality. Its specific steps comprise filling missing values, which may use methods such as the mean, median or interpolation; removing duplicate items, which are redundant records in the data; and removing abnormal values. Preprocessing in this way yields higher-quality alarm information and conventional information and better supports the subsequent analysis.
In a preferred embodiment, the step of classifying the first feature information to obtain a plurality of second feature information includes:
S201, acquiring classification conditions, wherein the classification conditions comprise sources and types of alarm signals;
S202, classifying alarm information in the first characteristic information according to classification conditions to obtain a plurality of classification subsets;
S203, calibrating the alarm information in the classified subset as second characteristic information, and carrying out characteristic coding on the second characteristic information to obtain a unique identifier of each alarm signal.
As described in steps S201 to S203 above, when the first characteristic information is classified, classification conditions are first obtained. These generally comprise the source, type and other related attributes of the alarm signal, and help the enterprise better understand and distinguish different kinds of alarm information. The alarm information in the first characteristic information is then classified according to the classification conditions; various methods may be used, such as rule-based classification, cluster analysis or machine learning algorithms, which are not repeated here. Classification yields a plurality of classification subsets, each representing a specific type of alarm signal. The alarm information in each classification subset is then calibrated as second characteristic information, which further refines and describes the alarm information and helps the enterprise locate and identify security problems more accurately. Finally, the second characteristic information is feature-coded to obtain a unique identifier for each alarm signal; feature coding is the process of converting textual or categorical data into numerical data, which aids subsequent data analysis and processing.
In a preferred embodiment, the step of extracting the features of the second feature information to obtain the first-level abnormal feature and the second-level abnormal feature includes:
S301, respectively acquiring the second characteristic information in each classification subset;
S302, acquiring demand characteristics, extracting features from the second characteristic information in each classification subset according to the demand characteristics to obtain a plurality of initial abnormal features, and statistically processing the initial abnormal features to obtain first grading parameters;
S303, acquiring grading conditions, wherein the grading conditions comprise grading thresholds corresponding one by one to the first grading parameters;
If a first grading parameter is greater than or equal to its grading threshold, the corresponding initial abnormal feature is calibrated as a first-level abnormal feature;
If a first grading parameter is smaller than its grading threshold, the corresponding initial abnormal feature is calibrated as a second-level abnormal feature.
As described in steps S301 to S303 above, when features are extracted from the second characteristic information, the second characteristic information is first obtained from each classification subset, and the demand characteristics, which are the key information to be extracted from the data, are determined. Based on the demand characteristics, feature selection is performed on the second characteristic information in each classification subset to extract the initial abnormal features. The initial abnormal features are then processed statistically, and their counts are determined to obtain the first grading parameters, which quantify the importance or degree of abnormality of each initial abnormal feature. Grading conditions are then set; these comprise grading thresholds corresponding one by one to the plurality of first grading parameters, set according to actual requirements and data characteristics and used to distinguish first-level abnormal features from second-level ones. Finally, according to the comparison of each first grading parameter with its grading threshold, the initial abnormal features are calibrated as first-level or second-level abnormal features: if the first grading parameter is greater than or equal to the grading threshold, the corresponding initial abnormal feature is calibrated as a first-level abnormal feature, indicating a higher degree of abnormality; conversely, if it is smaller than the grading threshold, the feature is calibrated as a second-level abnormal feature, indicating a lower degree of abnormality. The whole feature extraction and grading process is iterative and subject to optimization.
In practical application, parameters such as the demand characteristics, grading conditions and thresholds may need to be adjusted continuously according to the actual data and the effect of anomaly detection, so as to obtain a better anomaly detection result.
In a preferred embodiment, the step of grading the plurality of alarm signals according to the first-level abnormal features and the second-level abnormal features to obtain a plurality of monitoring levels includes:
S304, acquiring the first-level abnormal features and the second-level abnormal features, and assigning weight coefficients to them one by one, wherein the weight coefficients comprise a first-level abnormal feature weight and a second-level abnormal feature weight;
S305, acquiring a first standard function, inputting the first grading parameters and weight coefficients corresponding to the first-level and second-level abnormal features into the first standard function, and outputting a comprehensive abnormal score of the alarm signal;
S306, acquiring a grading standard, wherein the grading standard comprises scoring areas corresponding one by one to a plurality of monitoring levels;
S307, comparing each comprehensive abnormal score with the scoring areas one by one, and assigning the corresponding monitoring level to the corresponding alarm signal.
As described in the above steps S304-S307, when grading the alarm signals it is first necessary to acquire the first-level abnormal features and the second-level abnormal features and to assign a weight coefficient to each of them. The weight coefficients reflect the importance of the different abnormal features in evaluating the alarm signal; the first-level abnormal feature weight and the second-level abnormal feature weight are determined jointly from historical data, expert experience and system performance requirements. For example, the first-level abnormal features may comprise key parameters such as temperature abnormality and pressure abnormality, while the second-level abnormal features may relate to more specific parameter changes such as the frequency and amplitude of temperature fluctuation. A first standard function is then introduced, and the expression of the first function is as follows: [formula not reproduced on this page]. In this expression, one symbol represents the comprehensive abnormal score, one the weight coefficient of the first-level abnormal feature, one the weight coefficient of the second-level abnormal feature, one the first grading parameter corresponding to the first-level abnormal feature and one the first grading parameter corresponding to the second-level abnormal feature. The function takes the first grading parameters and the weight coefficients corresponding to the first-level and second-level abnormal features as input and outputs, by calculation, the comprehensive abnormal score of the alarm signal. This score is a quantitative index that intuitively reflects the severity and urgency of the alarm signal. After the comprehensive abnormal score is determined, the grading standard is acquired; it sets a scoring area for each of the plurality of monitoring levels, one scoring area per monitoring level. Each comprehensive abnormal score is compared with the scoring areas one by one and the corresponding monitoring level is assigned to the corresponding alarm signal, which provides strong support for subsequent emergency response and fault investigation.
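The grading described in steps S304-S307 (and the first-level/second-level split of claim 4), as an added example that is not the patent's own code. The page does not reproduce the first standard function, so the weighted sum in `composite_score()` is an assumed form; the grading thresholds, weight coefficients, scoring areas and sample alarm signals are all constructed for illustration.

```python
"""Grading alarm signals into monitoring levels (added example, not the patent's code).

The patent's first standard function is not reproduced on the page, so the
weighted sum in composite_score() is an ASSUMED form. The per-feature grading
thresholds, weight coefficients, scoring areas and sample alarm data are all
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class InitialFeature:
    name: str             # e.g. "temperature_abnormality"
    grading_param: float  # first grading parameter obtained by statistics (S204)


# Assumed grading thresholds, one per first grading parameter (claim 4).
THRESHOLDS = {
    "temperature_abnormality": 6.0,
    "pressure_abnormality": 5.0,
    "temperature_fluctuation_frequency": 4.0,
    "temperature_fluctuation_amplitude": 4.0,
}
# Assumed weight coefficients: level 1 = first-level abnormal feature,
# level 2 = second-level abnormal feature.
WEIGHTS = {1: 0.7, 2: 0.3}
# Assumed grading standard: (lower, upper, monitoring level), upper bound exclusive.
SCORING_AREAS = [
    (0.0, 3.0, "L3 low"),
    (3.0, 6.0, "L2 medium"),
    (6.0, float("inf"), "L1 high"),
]


def feature_level(feature, thresholds=THRESHOLDS):
    """Claim 4: parameter >= its threshold -> first-level (1), else second-level (2)."""
    return 1 if feature.grading_param >= thresholds[feature.name] else 2


def composite_score(features, weights=WEIGHTS):
    """ASSUMED first standard function: weighted sum of the first grading
    parameters, each weighted by the coefficient of its abnormal-feature level."""
    return sum(weights[feature_level(f)] * f.grading_param for f in features)


def assign_monitoring_level(score, areas=SCORING_AREAS):
    """Compare the comprehensive abnormal score with the scoring areas one by one."""
    for lower, upper, level in areas:
        if lower <= score < upper:
            return level
    raise ValueError(f"score {score} falls outside every scoring area")


def grade_alarm_signals(signals):
    """signals maps an alarm identifier to its initial abnormal features.
    Returns alarm identifier -> (comprehensive abnormal score, monitoring level)."""
    graded = {}
    for alarm_id, feats in signals.items():
        score = composite_score(feats)
        graded[alarm_id] = (score, assign_monitoring_level(score))
    return graded


# Constructed sample: three alarm signals with their initial abnormal features.
SAMPLE_SIGNALS = {
    "ALARM-0001": [InitialFeature("temperature_abnormality", 8.0),
                   InitialFeature("temperature_fluctuation_frequency", 2.0)],
    "ALARM-0002": [InitialFeature("pressure_abnormality", 2.0),
                   InitialFeature("temperature_fluctuation_amplitude", 1.0)],
    "ALARM-0003": [InitialFeature("temperature_abnormality", 6.0),
                   InitialFeature("temperature_fluctuation_frequency", 3.0),
                   InitialFeature("temperature_fluctuation_amplitude", 2.0)],
}

if __name__ == "__main__":
    for alarm_id, (score, level) in grade_alarm_signals(SAMPLE_SIGNALS).items():
        print(f"{alarm_id}: score={score:.2f} level={level}")
```

Note that the scoring areas are half-open, so a score sitting exactly on a boundary is assigned deterministically; whatever form the real first standard function takes, that boundary convention is worth fixing explicitly, since a score on a boundary decides whether an alarm gets the short or the long feedback period of the next step.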
In a preferred embodiment, the step of allocating the alarm feedback period of the corresponding enterprise information according to the monitoring level includes:
S401, acquiring monitoring levels of all alarm signals and corresponding enterprise information;
S402, acquiring a feedback period distribution table, wherein the feedback period distribution table comprises feedback periods corresponding to different monitoring levels;
S403, searching a corresponding feedback period in the feedback period distribution table according to the monitoring level, and calibrating the feedback period as an alarm feedback period corresponding to the enterprise information.
As described in the above steps S401-S403, the monitoring level of each alarm signal and the corresponding enterprise information are first obtained. A feedback period allocation table is then obtained; it is formulated according to the actual situation and operating requirements of the enterprise and contains the feedback periods corresponding to the different monitoring levels. The length of a feedback period depends on the monitoring level: in general, the higher the monitoring level, the shorter the feedback period, so that problems can be handled and resolved in time. For example, the feedback period of an alarm signal at a high monitoring level may be only a few minutes or a few hours, while that of an alarm signal at a low monitoring level may be as long as a few days or a few weeks. Finally, the feedback period corresponding to the monitoring level is looked up in the feedback period allocation table and calibrated as the alarm feedback period corresponding to the enterprise information. This step must be accurate and timely so that the system can respond quickly when an alarm occurs; in addition, the alarm signal and feedback period information can be displayed in real time on the enterprise's monitoring centre or management platform, so that the relevant personnel can follow the alarm status and its handling at any time.
In a preferred embodiment, after the output of the alarm feedback period of the enterprise information, counting the occurrence interval of the alarm signal in the alarm feedback period, and calibrating the interval as a reference parameter;
sequencing the reference parameters according to the occurrence nodes, and equally dividing the alarm feedback period to obtain a plurality of reference time periods;
Acquiring a second standard function, respectively inputting the reference parameters in each reference period into the second standard function, and calibrating the output result as a parameter to be checked;
counting trend fluctuation frequency of parameters to be checked and fluctuation values of the parameters to be checked under each trend fluctuation frequency, and outputting security risk levels of corresponding enterprise information according to the trend fluctuation frequency and the fluctuation values;
after the security risk level of the enterprise information is output, converting the security risk level into numerical data, and calibrating the numerical data as a reference parameter;
and acquiring the comprehensive abnormal score of the alarm signal in the alarm feedback period, acquiring a third standard function, inputting the comprehensive abnormal score and the reference parameter into the third standard function together to obtain an updated score, and re-classifying the enterprise information according to the updated score.
In this embodiment, after the alarm feedback period of the enterprise information is output, statistical analysis is performed: the occurrence intervals of the alarm signals within the alarm feedback period are counted and calibrated as reference parameters, and the reference parameters are sequenced by occurrence node so that the time distribution of the alarm signals is better grasped. The alarm feedback period is then equally divided into a plurality of reference periods so that the alarm signals in each period can be analysed more finely, improving monitoring precision and efficiency. A second standard function is then acquired, and the expression of the second standard function is as follows: [formula not reproduced on this page]. In this expression, one symbol represents the parameter to be checked, one the number of alarms in a reference period, and two further symbols the occurrence intervals of adjacent alarm signals. The reference parameters in each reference period are input into the second standard function and the output is calibrated as the parameter to be checked. Once the parameters to be checked are obtained, the trend fluctuation frequency and the fluctuation value under each trend fluctuation frequency are counted, and the security risk level of the enterprise information is evaluated by analysing the trend fluctuation frequency and the fluctuation value. The security risk level of the enterprise information is then converted into numerical data and calibrated as a reference parameter, which makes the security risk level more intuitive and quantifiable and facilitates subsequent analysis and processing; the level-to-numerical conversion can be realised with a conversion table or a conversion formula, and the higher the security risk level, the larger the corresponding reference parameter. Finally, the comprehensive abnormal score of the alarm signals in the alarm feedback period is acquired together with a third standard function, whose expression is as follows: [formula not reproduced on this page]. In this expression, one symbol represents the updated score, one the weight factor of the comprehensive abnormal score, one the weight factor of the reference parameter (the original formula states an inequality between these two weight factors), and one the reference parameter. The comprehensive abnormal score and the reference parameter are input into the third standard function together to obtain the updated score, and the monitoring levels of the enterprise information are re-partitioned according to the updated score, achieving more accurate and effective monitoring of the enterprise information: the higher the updated score, the higher the monitoring level of the corresponding enterprise information, the higher the attention required and the higher the corresponding alarm signal level. In addition, the enterprise information involved in this embodiment is enterprise information whose monitoring level and alarm level the enterprise allows to be adjusted; enterprise information to which the enterprise has directly assigned a monitoring level and alarm level does not take part in the adjustment of this process.
In a preferred embodiment, the step of outputting the security risk level of the corresponding enterprise information according to the trend fluctuation frequency and the fluctuation value includes:
Step 1, acquiring evaluation intervals corresponding to the trend fluctuation frequency and the fluctuation value, wherein the evaluation intervals comprise frequency evaluation intervals and fluctuation value evaluation intervals, a plurality of frequency evaluation intervals and fluctuation value evaluation intervals are provided, each frequency evaluation interval corresponds to a first evaluation score, and each fluctuation value evaluation interval corresponds to a second evaluation score;
Step 2, comparing each trend fluctuation frequency and fluctuation value with the evaluation intervals, and outputting the corresponding first evaluation score and second evaluation score;
Step 3, summing the first evaluation score and the second evaluation score, and calibrating the summation result as a second grading parameter;
Step 4, acquiring a plurality of grading intervals, comparing them one by one with each second grading parameter, and outputting the security risk level of the enterprise information, wherein the second grading parameter is positively correlated with the security risk level.
As described in Step 1 to Step 4, when determining the security risk level of the enterprise information, the relationship between the trend fluctuation frequency and fluctuation value on the one hand and the information security risk level on the other must be established. This requires acquiring the evaluation intervals corresponding to the trend fluctuation frequency and the fluctuation value; the evaluation intervals include frequency evaluation intervals and fluctuation value evaluation intervals, and each frequency evaluation interval and each fluctuation value evaluation interval corresponds to a different risk level, so that a complete evaluation system is formed. Next, each trend fluctuation frequency and each fluctuation value is compared with the evaluation intervals; the comparison yields the first evaluation score and the second evaluation score corresponding to each trend fluctuation frequency and fluctuation value, and these scores reflect where the trend fluctuation frequency and the fluctuation value fall in the evaluation system. The first evaluation score and the second evaluation score are then summed and the summation result is calibrated as the second grading parameter; the summation integrates the two evaluation dimensions into one comprehensive index, so that the evaluation result is more complete. Finally, a plurality of grading intervals is acquired and compared one by one with each second grading parameter, and the security risk level of the enterprise information is output; the second grading parameter is positively correlated with the security risk level, so the larger the second grading parameter, the higher the security risk level of the enterprise information.
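The feedback-period re-evaluation described above (occurrence intervals as reference parameters, equal division into reference periods, the second standard function, trend fluctuation frequency and fluctuation value, Step 1 to Step 4 for the security risk level, numeric conversion, and the third standard function producing the updated score), as one added example that is not the patent's own code. The page does not reproduce the second or third standard function, so `alarm_density()` and `updated_score()` are assumed stand-ins; the definition of a "fluctuation" as a direction reversal, the evaluation and grading intervals, the conversion table, the weights and the alarm timestamps are all constructed for illustration.

```python
"""Re-evaluating the monitoring level over an alarm feedback period (added
example, not the patent's code). The second and third standard functions are
not reproduced on the page, so alarm_density() and updated_score() are ASSUMED
stand-ins; every table, weight and alarm timestamp below is constructed.
"""
from statistics import mean

FEEDBACK_PERIOD_MIN = 240                                    # assumed period length
ALARM_NODES_MIN = [5, 12, 18, 70, 140, 150, 155, 158, 230]  # constructed occurrence nodes

# Assumed evaluation intervals: (lower, upper, score), upper bound exclusive.
FREQ_EVAL = [(0, 1, 1), (1, 3, 2), (3, float("inf"), 3)]
VALUE_EVAL = [(0.0, 0.1, 1), (0.1, 0.3, 2), (0.3, float("inf"), 3)]
# Assumed grading intervals: second grading parameter -> security risk level.
RISK_GRADES = [(0, 3, "low"), (3, 5, "medium"), (5, float("inf"), "high")]
RISK_NUMERIC = {"low": 1.0, "medium": 2.0, "high": 3.0}    # assumed conversion table
W_SCORE, W_REF = 0.6, 0.4  # assumed third-function weights (page only gives an inequality)
SCORING_AREAS = [(0.0, 3.0, "L3 low"), (3.0, 6.0, "L2 medium"), (6.0, float("inf"), "L1 high")]


def lookup(value, table):
    """Compare a value with (lower, upper, output) intervals one by one."""
    for lower, upper, out in table:
        if lower <= value < upper:
            return out
    raise ValueError(f"{value} falls outside every interval")


def occurrence_intervals(nodes):
    """Reference parameters: (occurrence node, interval since the previous alarm),
    already sequenced by occurrence node."""
    nodes = sorted(nodes)
    return [(t, t - prev) for prev, t in zip(nodes, nodes[1:])]


def split_reference_periods(nodes, period_len, k):
    """Equally divide the feedback period into k reference periods and return,
    per period, the alarm count and the intervals of the alarms that fall in it."""
    width = period_len / k
    counts, intervals = [0] * k, [[] for _ in range(k)]
    for node in nodes:
        counts[min(int(node // width), k - 1)] += 1
    for node, interval in occurrence_intervals(nodes):
        intervals[min(int(node // width), k - 1)].append(interval)
    return counts, intervals


def alarm_density(n, intervals):
    """ASSUMED second standard function: alarms per unit of mean spacing.
    With fewer than two alarms there is no interval, so the count itself is used."""
    return n / mean(intervals) if intervals else float(n)


def trend_fluctuations(values):
    """Trend fluctuation frequency = number of direction reversals in the sequence
    of parameters to be checked; the fluctuation value of a reversal is taken as
    the size of the move that follows it (assumed definition)."""
    fluctuations = []
    for i in range(1, len(values) - 1):
        before, after = values[i] - values[i - 1], values[i + 1] - values[i]
        if before * after < 0:
            fluctuations.append(abs(after))
    return len(fluctuations), fluctuations


def security_risk_level(freq, fluct_values):
    """Step 1 to Step 4: score the frequency and the largest fluctuation value,
    sum the two scores into the second grading parameter and grade it."""
    second_grading_param = lookup(freq, FREQ_EVAL) + lookup(max(fluct_values, default=0.0), VALUE_EVAL)
    return lookup(second_grading_param, RISK_GRADES), second_grading_param


def updated_score(composite, reference, w_score=W_SCORE, w_ref=W_REF):
    """ASSUMED third standard function: weighted sum, composite score weighted more."""
    return w_score * composite + w_ref * reference


def reevaluate(nodes, period_len, k, composite):
    """Run the whole feedback-period re-evaluation for one item of enterprise information."""
    counts, intervals = split_reference_periods(nodes, period_len, k)
    params = [alarm_density(n, iv) for n, iv in zip(counts, intervals)]
    freq, values = trend_fluctuations(params)
    risk, _ = security_risk_level(freq, values)
    new = updated_score(composite, RISK_NUMERIC[risk])
    return {"counts": counts, "params": params, "freq": freq, "risk": risk,
            "updated_score": new, "level": lookup(new, SCORING_AREAS)}


if __name__ == "__main__":
    # An alarm graded "L1 high" (composite 6.5) is re-partitioned after the period.
    print(reevaluate(ALARM_NODES_MIN, FEEDBACK_PERIOD_MIN, 4, composite=6.5))
```

With the constructed data the four reference periods contain 3, 1, 4 and 1 alarms, the parameter sequence reverses direction twice, the second grading parameter lands in the "medium" grade, and the updated score moves the item from the high scoring area into the medium one. The reference periods with a single alarm show the edge case the second function has to define: an empty interval list must not be fed to `mean()`.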
As shown in fig. 2, an enterprise information security monitoring alarm system is applied to the above enterprise information security monitoring alarm method, and includes:
the data acquisition module is used for acquiring flow monitoring data in the enterprise network and calibrating the flow monitoring data as first characteristic information, wherein the first characteristic information comprises alarm information and conventional information;
The data classification module is used for classifying the first characteristic information to obtain a plurality of second characteristic information, wherein each second characteristic information corresponds to one alarm signal;
the feature extraction module is used for carrying out feature extraction on the second feature information to obtain a first-level abnormal feature and a second-level abnormal feature, and carrying out hierarchical processing on a plurality of alarm signals according to the first-level abnormal feature and the second-level abnormal feature to obtain a plurality of monitoring levels;
And the alarm feedback module is used for distributing alarm feedback periods of corresponding enterprise information according to the monitoring grades, counting alarm information in each feedback period after each feedback period is finished, forming an alarm statistical report, and re-evaluating the monitoring grade of each alarm signal according to the alarm statistical report.
In the above, when the system executes, the data acquisition module first captures flow monitoring data from the enterprise network environment in real time and calibrates it as first characteristic information, which covers both alarm information and conventional information. The classification module then classifies the first characteristic information carefully and extracts a plurality of second characteristic information, each associated with a specific alarm signal, so that the system can classify and respond accurately according to the different security events. The feature extraction module then performs deep feature extraction on the second characteristic information to identify the first-level abnormal features and the second-level abnormal features, and the alarm signals are graded according to these features, which determines the urgency and priority of each security event. Finally, the alarm feedback module allocates a corresponding alarm feedback period to each alarm signal; after each feedback period ends, the system counts the alarm information in that period and generates a detailed alarm statistics report, which provides valuable reference information for security managers. On the basis of the report the system re-evaluates the monitoring level of each alarm signal, so that the monitoring level is adjusted dynamically rather than fixed once, and the level of security management is improved.
As shown in fig. 3, an enterprise information security monitoring alarm terminal includes:
At least one processor;
And a memory communicatively coupled to the at least one processor;
The memory stores a computer program executable by the at least one processor, and the computer program is executed by the at least one processor, so that the at least one processor can execute the enterprise information security monitoring and alarming method.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, apparatus, article, or method that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, apparatus, article, or method. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, apparatus, article, or method that comprises the element.
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention. Structures, devices and methods of operation not specifically described and illustrated herein, unless otherwise indicated and limited, are implemented according to conventional means in the art.

Claims (9)

1. An enterprise information security monitoring alarm method is characterized in that: comprising the following steps:
Acquiring flow monitoring data in an enterprise network and calibrating the flow monitoring data as first characteristic information, wherein the first characteristic information comprises alarm information and conventional information;
Classifying the first characteristic information to obtain a plurality of second characteristic information, wherein each second characteristic information corresponds to one alarm signal;
extracting the second characteristic information to obtain a first-level abnormal characteristic and a second-level abnormal characteristic, and carrying out grading treatment on a plurality of alarm signals according to the first-level abnormal characteristic and the second-level abnormal characteristic to obtain a plurality of monitoring grades;
According to the monitoring level, alarm feedback periods of corresponding enterprise information are distributed, after each feedback period is finished, alarm information in each feedback period is counted, alarm statistical reports are formed, and according to the alarm statistical reports, the monitoring level of each alarm signal is reevaluated;
Counting the occurrence interval of alarm signals in the alarm feedback period after the output of the alarm feedback period of the enterprise information, and calibrating the occurrence interval as a reference parameter;
Sequencing the reference parameters according to the occurrence nodes, and equally dividing the alarm feedback period to obtain a plurality of reference time periods;
Acquiring a second standard function, respectively inputting the reference parameters in each reference period into the second standard function, and calibrating the output result as a parameter to be checked;
counting trend fluctuation frequency of the parameter to be checked and fluctuation value under each trend fluctuation frequency, and outputting security risk level of corresponding enterprise information according to the trend fluctuation frequency and the fluctuation value;
After the security risk level of the enterprise information is output, converting the security risk level into numerical data, and calibrating the numerical data as a reference parameter;
and acquiring the comprehensive abnormal score of the alarm signal in the alarm feedback period, acquiring a third standard function, inputting the comprehensive abnormal score and the reference parameter into the third standard function together to obtain an updated score, and re-classifying the enterprise information according to the updated score.
2. The enterprise information security monitoring and alarming method as set forth in claim 1, wherein: the step of obtaining the flow monitoring data in the enterprise network and calibrating the flow monitoring data as the first characteristic information comprises the following steps:
Acquiring a monitoring period, and counting enterprise network data in the monitoring period to be calibrated as flow monitoring data;
Acquiring demand characteristics, and extracting alarm information and conventional information from flow monitoring data according to the demand characteristics;
Preprocessing the alarm information and the conventional information, and summarizing the preprocessed alarm information and conventional information into first characteristic information;
The pretreatment of the alarm information and the conventional information comprises filling missing values, removing repeated items and abnormal values.
3. The enterprise information security monitoring and alarming method as set forth in claim 1, wherein: the step of classifying the first feature information to obtain a plurality of second feature information includes:
acquiring classification conditions, wherein the classification conditions comprise sources and types of alarm signals;
Classifying the alarm information in the first characteristic information according to the classification condition to obtain a plurality of classification subsets;
and calibrating the alarm information in the classified subset as second characteristic information, and carrying out characteristic coding on the second characteristic information to obtain a unique identifier of each alarm signal.
4. A method for monitoring and alarming information of enterprises as set forth in claim 3, wherein: the step of extracting the second characteristic information to obtain a first-level abnormal characteristic and a second-level abnormal characteristic comprises the following steps:
respectively acquiring second characteristic information in each classification subset;
acquiring demand characteristics, extracting characteristics of second characteristic information in each classification subset according to the demand characteristics to obtain a plurality of initial abnormal characteristics, and carrying out statistical processing on the initial abnormal characteristics to obtain first classification parameters;
Acquiring grading conditions, wherein the grading conditions comprise grading thresholds corresponding to a plurality of first grading parameters one by one;
if the first grading parameter is greater than or equal to the grading threshold, the corresponding initial abnormal feature is calibrated as a first-level abnormal feature;
and if the first grading parameter is smaller than the grading threshold, the corresponding initial abnormal characteristic is marked as a second-level abnormal characteristic.
5. The enterprise information security monitoring and alarming method as set forth in claim 1, wherein: the step of grading the alarm signals according to the first-level abnormal characteristics and the second-level abnormal characteristics to obtain a plurality of monitoring levels comprises the following steps:
Acquiring the first-level abnormal feature and the second-level abnormal feature, and distributing weight coefficients one by one, wherein the weight coefficients comprise a first-level abnormal feature weight and a second-level abnormal feature weight;
Acquiring a first standard function, inputting first grading parameters and weight coefficients corresponding to the first-level abnormal characteristics and the second-level abnormal characteristics into the first standard function, and outputting a comprehensive abnormal score of an alarm signal;
obtaining a grading standard, wherein the grading standard comprises scoring areas corresponding to a plurality of monitoring grades one by one;
and comparing the comprehensive abnormal scores with the scoring areas one by one, and distributing corresponding monitoring grades for the corresponding alarm signals.
6. The enterprise information security monitoring and alarming method as set forth in claim 1, wherein: the step of distributing the alarm feedback period of the corresponding enterprise information according to the monitoring level comprises the following steps:
acquiring monitoring levels of the alarm signals and corresponding enterprise information;
Acquiring a feedback period distribution table, wherein the feedback period distribution table comprises feedback periods corresponding to different monitoring grades;
And searching a corresponding feedback period in the feedback period distribution table according to the monitoring grade, and calibrating the feedback period as an alarm feedback period corresponding to the enterprise information.
7. The enterprise information security monitoring and alarming method as set forth in claim 1, wherein: the step of outputting the security risk level of the corresponding enterprise information according to the trend fluctuation frequency and the fluctuation value comprises the following steps:
acquiring an evaluation interval corresponding to the trend fluctuation frequency and the fluctuation value, wherein the evaluation interval comprises a frequency evaluation interval and a fluctuation value evaluation interval, a plurality of frequency evaluation intervals and fluctuation value evaluation intervals are arranged, each frequency evaluation interval corresponds to a first evaluation score, and each fluctuation value evaluation interval corresponds to a second evaluation score;
comparing each trend fluctuation frequency and fluctuation value with an evaluation interval, and outputting a corresponding first evaluation score and a corresponding second evaluation score;
Summing the first evaluation score and the second evaluation score, and calibrating a summation result as a second grading parameter;
And acquiring a plurality of grading intervals, comparing the grading intervals with each second grading parameter one by one, and outputting the security risk level of the enterprise information, wherein the second grading parameters are positively correlated with the security risk level.
8. An enterprise information security monitoring alarm system, applied to the enterprise information security monitoring alarm method of any one of claims 1 to 7, characterized in that: comprising the following steps:
the data acquisition module is used for acquiring flow monitoring data in the enterprise network and calibrating the flow monitoring data as first characteristic information, wherein the first characteristic information comprises alarm information and conventional information;
The data classification module is used for classifying the first characteristic information to obtain a plurality of second characteristic information, wherein each second characteristic information corresponds to one alarm signal;
The feature extraction module is used for carrying out feature extraction on the second feature information to obtain a first-level abnormal feature and a second-level abnormal feature, and carrying out hierarchical processing on a plurality of alarm signals according to the first-level abnormal feature and the second-level abnormal feature to obtain a plurality of monitoring levels;
The alarm feedback module is used for distributing alarm feedback periods of corresponding enterprise information according to the monitoring grades, counting alarm information in each feedback period after each feedback period is finished, forming an alarm statistics report, and re-evaluating the monitoring grade of each alarm signal according to the alarm statistics report;
Counting the occurrence interval of alarm signals in the alarm feedback period after the output of the alarm feedback period of the enterprise information, and calibrating the occurrence interval as a reference parameter;
Sequencing the reference parameters according to the occurrence nodes, and equally dividing the alarm feedback period to obtain a plurality of reference time periods;
Acquiring a second standard function, respectively inputting the reference parameters in each reference period into the second standard function, and calibrating the output result as a parameter to be checked;
counting trend fluctuation frequency of the parameter to be checked and fluctuation value under each trend fluctuation frequency, and outputting security risk level of corresponding enterprise information according to the trend fluctuation frequency and the fluctuation value;
After the security risk level of the enterprise information is output, converting the security risk level into numerical data, and calibrating the numerical data as a reference parameter;
and acquiring the comprehensive abnormal score of the alarm signal in the alarm feedback period, acquiring a third standard function, inputting the comprehensive abnormal score and the reference parameter into the third standard function together to obtain an updated score, and re-classifying the enterprise information according to the updated score.
9. An enterprise information security monitoring alarm terminal which is characterized in that: comprising the following steps:
At least one processor;
and a memory communicatively coupled to the at least one processor;
Wherein the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the enterprise information security monitoring and alert method of any one of claims 1 to 7.
CN202410361520.9A 2024-03-28 2024-03-28 Enterprise information security monitoring alarm system and method Pending CN117978541A (en)


Publications (1)

Publication Number Publication Date
CN117978541A true CN117978541A (en) 2024-05-03

Family

ID=90846289


Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109714421A (en) * 2018-12-28 2019-05-03 国汽(北京)智能网联汽车研究院有限公司 Intelligent network based on bus or train route collaboration joins automobilism system
CN112291232A (en) * 2020-10-27 2021-01-29 中国联合网络通信有限公司深圳市分公司 Safety capability and safety service chain management platform based on tenants
CN113159264A (en) * 2020-11-12 2021-07-23 江西理工大学 Intrusion detection method, system, equipment and readable storage medium
CN113194087A (en) * 2021-04-23 2021-07-30 深圳市威斯登信息科技有限公司 Safety risk high-intensity monitoring system for different information domains
CN115550053A (en) * 2022-10-18 2022-12-30 中国工商银行股份有限公司 Monitoring alarm prediction method and device
CN115834221A (en) * 2022-11-28 2023-03-21 国网山东省电力公司信息通信公司 Intelligent analysis method, system, equipment and storage medium for network security



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination