
CN114301758A - Alarm processing method, system, device and storage medium - Google Patents


Info

Publication number: CN114301758A
Authority: CN (China)
Prior art keywords: entropy, alarm, time, information, original
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Application number: CN202111587910.0A
Other languages: Chinese (zh)
Other versions: CN114301758B (en)
Inventors: 马浩翔, 陆晨晖
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd

Events
Application filed by China Telecom Corp Ltd
Priority to CN202111587910.0A
Publication of CN114301758A
Application granted
Publication of CN114301758B
Legal status: Active

Landscapes: Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an alarm processing method, a system, equipment and a storage medium, wherein the method comprises the following steps: the method comprises the steps of grouping original alarms according to IP pairs consisting of source IP addresses and destination IP addresses of network access events, wherein the IP pairs of each group are one-to-one, one-to-many or many-to-one, calculating information entropy for the original alarms in each group, and aggregating the original alarms with similarity degrees larger than a target value into super alarms according to the similarity degrees between the information entropy, wherein the information entropy comprises one or more of content entropy, source IP address entropy, destination IP entropy, time entropy and port entropy. According to the invention, on the basis of grouping the IP pairs formed by the source IP address and the destination IP address, grouping is carried out according to the information entropy of the original alarm, and the original alarms with similar information entropy are grouped into the super alarm, so that the number of the original alarms is obviously reduced, and the user experience is improved.

Description

Alarm processing method, system, device and storage medium

Technical field

The present invention relates to the field of network security, and in particular to an alarm processing method, system, device and storage medium.

Background

In a telecommunication network, a network attack is an attack on the hardware, software and data of a network system that exploits vulnerabilities and security flaws in the network. Large numbers of network security protection devices are therefore deployed in the network to counter such attacks, and these devices generate large volumes of redundant alarm logs.

In a telecommunication network, management and service operations handle massive volumes of alarm data every day. Traditional alarm handling relies on manual work; the monitoring workload is large and the burden on staff is high.

It should be noted that the information disclosed in the Background section above is only intended to enhance understanding of the background of the invention and may therefore include information that does not constitute prior art already known to a person of ordinary skill in the art.

Summary of the invention

In view of the problems in the prior art, the object of the present invention is to provide an alarm processing method, system, device and storage medium that overcome the difficulties of the prior art. On the basis of grouping by the IP pair formed by the source IP address and the destination IP address, the groups are further aggregated according to the information entropy of the original alarms, and original alarms with similar information entropy are aggregated into super alarms. This significantly reduces the number of original alarms and the workload of operations staff; moreover, the aggregated super alarms group the alarms more finely and carry a processing priority, which gives operations staff a predictable basis for responding precisely to the alarm log. Embodiments of the invention can improve the user experience.

An embodiment of the present invention provides an alarm processing method comprising the following steps:

obtaining the original alarms generated for network access events;

grouping the original alarms according to the IP pair formed by the source IP address and the destination IP address of the network access event to which each alarm belongs, where the IP pair of each group is one-to-one, one-to-many or many-to-one;

calculating the information entropy of the original alarms in each group and, according to the similarity between the information entropies, aggregating original alarms whose similarity exceeds a target value into super alarms, where the information entropy comprises one or more of content entropy, source IP address entropy, destination IP entropy, time entropy and port entropy.

Optionally, the alarm processing method further comprises:

calculating the multivariate information entropy of the super alarms in each group and assigning a processing priority to the super alarms according to the multivariate information entropy.

Optionally, before calculating the information entropy of the original alarms in each group, the alarm processing method further comprises:

aggregating the original alarms of each group into several time clusters according to the alarm time information;

and calculating the information entropy of the original alarms in each group and aggregating original alarms whose similarity exceeds the target value into super alarms according to the similarity between the information entropies comprises:

calculating the information entropy of each time cluster in each group and, according to the information entropy similarity between time clusters, aggregating time clusters whose information entropy similarity exceeds a threshold into super alarms.

Optionally, calculating the information entropy of each time cluster in each group comprises:

for single-source single-destination attribute groups, whose IP pairs are one-to-one, calculating the content entropy, time entropy and port entropy of each time cluster.

Optionally, calculating the information entropy of each time cluster in each group comprises:

for single-source multi-destination attribute groups, whose IP pairs are one-to-many, calculating the destination IP entropy, time entropy and port entropy of each time cluster.

Optionally, calculating the information entropy of each time cluster in each group comprises:

for multi-source single-destination attribute groups, whose IP pairs are many-to-one, calculating the source IP entropy, time entropy and port entropy of each time cluster.

Optionally, calculating the information entropy of each time cluster in each group and aggregating time clusters whose information entropy similarity exceeds the threshold into super alarms according to the information entropy similarity between time clusters comprises:

for each group, calculating the mean square error between the information entropies of the time clusters, deriving the information entropy similarity from the mean square error, and aggregating time clusters whose mean square error does not exceed a set threshold into super alarms.

Optionally, calculating the mean square error between the information entropies of the time clusters comprises:

for each group, calculating the mean square error between the information entropies of those time clusters whose time difference does not exceed a time threshold.

An embodiment of the present invention further provides an alarm processing system for implementing the above alarm processing method, the alarm processing system comprising:

an original alarm acquisition module, which obtains the original alarms generated for network access events;

a grouping module, which groups the original alarms according to the IP pair formed by the source IP address and the destination IP address of the network access event to which each alarm belongs, where the IP pair of each group is one-to-one, one-to-many or many-to-one;

a super alarm aggregation module, which calculates the information entropy of the original alarms in each group and, according to the similarity between the information entropies, aggregates original alarms whose similarity exceeds a target value into super alarms, where the information entropy comprises one or more of content entropy, source IP address entropy, destination IP entropy, time entropy and port entropy.

An embodiment of the present invention further provides an alarm processing device comprising:

a processor;

a memory storing instructions executable by the processor;

wherein the processor is configured to perform the steps of the above alarm processing method by executing the executable instructions.

An embodiment of the present invention further provides a computer-readable storage medium for storing a program which, when executed, performs the steps of the above alarm processing method.

The object of the present invention is to provide an alarm processing method, system, device and storage medium in which the original alarms are grouped according to the IP pair formed by the source IP address and the destination IP address of the network access event to which each alarm belongs, the IP pair of each group being one-to-one, one-to-many or many-to-one; the information entropy of the original alarms in each group is calculated; and, according to the similarity between the information entropies, original alarms whose similarity exceeds a target value are aggregated into super alarms, the information entropy comprising one or more of content entropy, source IP address entropy, destination IP entropy, time entropy and port entropy.

On the basis of grouping by the IP pair formed by the source IP address and the destination IP address, embodiments of the invention aggregate the groups according to the information entropy of the original alarms, so that original alarms with similar information entropy are aggregated into super alarms. This significantly reduces the number of original alarms and the workload of operations staff; moreover, the aggregated super alarms group the alarms more finely and carry a processing priority, which gives operations staff a predictable basis for responding precisely to the alarm log. Embodiments of the invention can improve the user experience.

Description of the drawings

Other features, objects and advantages of the present invention will become more apparent from the following detailed description of non-limiting embodiments, read with reference to the accompanying drawings.

Fig. 1 is a flowchart of a first embodiment of the alarm processing method provided by the present invention;

Fig. 2 is a flowchart of a second embodiment of the alarm processing method provided by the present invention;

Fig. 3 is a flowchart of a third embodiment of the alarm processing method provided by the present invention;

Fig. 4 is a system analysis architecture diagram of the alarm processing method provided by the present invention;

Fig. 5 is a block diagram of a first embodiment of the alarm processing system of the present invention;

Fig. 6 is a block diagram of a second embodiment of the alarm processing system of the present invention;

Fig. 7 is a block diagram of a third embodiment of the alarm processing system of the present invention;

Fig. 8 is a schematic diagram of the alarm processing system of the present invention in operation.

Detailed description

Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments can, however, be implemented in many forms and should not be construed as limited to the embodiments set out here; rather, these embodiments are provided so that the disclosure is thorough and complete and fully conveys the concept of the example embodiments to those skilled in the art.

The drawings are merely schematic illustrations of the invention and are not necessarily to scale. The same reference numerals in the drawings denote the same or similar parts, so their description is not repeated. Some of the blocks shown in the drawings are functional entities and do not necessarily correspond to physically or logically separate entities; they may be implemented in software, in one or more hardware forwarding modules or integrated circuits, or in different network and/or processor devices and/or microcontroller devices.

In addition, the flows shown in the drawings are only illustrative and need not include all steps. For example, some steps may be split, some may be merged or partially merged, and the actual order of execution may change according to circumstances. The terms "first", "second" and the like in the detailed description do not denote any order, quantity or importance; they merely distinguish different components. Where there is no conflict, the embodiments of the invention and the features of different embodiments may be combined with one another.

Fig. 1 is a flowchart of one embodiment of the alarm processing method of the present invention. As shown in Fig. 1, an embodiment of the present invention provides an alarm processing method comprising the following steps:

Step 110: obtain the original alarms generated for network access events;

Step 120: group the original alarms according to the IP pair formed by the source IP address and the destination IP address of the network access event to which each alarm belongs, where the IP pair of each group is one-to-one, one-to-many or many-to-one;

Step 130: calculate the information entropy of the original alarms in each group and, according to the similarity between the information entropies, aggregate original alarms whose similarity exceeds a target value into super alarms, where the information entropy comprises one or more of content entropy, source IP address entropy, destination IP entropy, time entropy and port entropy.

On the basis of grouping by the IP pair formed by the source IP address and the destination IP address, this embodiment aggregates the groups according to the information entropy of the original alarms, so that original alarms with similar information entropy are aggregated into super alarms. This significantly reduces the number of original alarms and the workload of operations staff; moreover, the aggregated super alarms group the alarms more finely and carry a processing priority, which gives operations staff a predictable basis for responding precisely to the alarm log. Embodiments of the invention can improve the user experience.

In this embodiment, the original alarms collected within a given time interval may be retrieved from a database. The original alarms are generated by network security devices when they perform security detection on network access events; the embodiment does not restrict the type of original alarm.

When the original alarms are grouped by the IP pair of the network access event to which they belong, one or more groups are obtained. Broadly there are three kinds of group: single-source single-destination groups based on one-to-one IP pairs, single-source multi-destination groups based on one-to-many IP pairs, and multi-source single-destination groups based on many-to-one IP pairs.

In a single-source single-destination group, one source IP address points to one destination IP address in the network access events to which the original alarms belong.

In a single-source multi-destination group, one source IP address points to several destination IP addresses in the network access events to which the original alarms belong.

In a multi-source single-destination group, several source IP addresses point to the same destination IP address in the network access events to which the original alarms belong.

Grouping the original alarms by IP pair is the first aggregation step.

Fig. 2 is a flowchart of an alarm processing method provided by an optional embodiment of the present invention. With reference to Fig. 2, the method comprises the following steps:

Step 210: obtain the original alarms generated for network access events;

Step 220: group the original alarms according to the IP pair formed by the source IP address and the destination IP address of the network access event to which each alarm belongs, where the IP pair of each group is one-to-one, one-to-many or many-to-one;

Step 230: calculate the information entropy of the original alarms in each group and, according to the similarity between the information entropies, aggregate original alarms whose similarity exceeds a target value into super alarms, where the information entropy comprises one or more of content entropy, source IP address entropy, destination IP entropy, time entropy and port entropy;

Step 240: calculate the multivariate information entropy of the super alarms in each group and assign a processing priority to the super alarms according to the multivariate information entropy.

In this embodiment, the multivariate information entropy is calculated for the super alarms in each group to obtain the joint probability distribution of the several information entropies, and this joint distribution is used to rank the super alarms in each group by priority. The processing priority can thus be determined from the multivariate information entropy of a super alarm, so that high-risk super alarms are handled first and alarm handling efficiency is improved.
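The ranking of step 240, as an added Python example (not code from the patent or from China Telecom). The page says only that a joint probability distribution of the several entropies is formed and used for ranking, so this example takes the multivariate entropy to be the Shannon entropy of the joint distribution of an alarm's attributes (method, source, destination, port) within a super alarm, and ranks higher joint entropy first; both readings, the field names and the three super alarms are assumptions of the example. It also shows why the joint value is not the sum of the per-attribute entropies: when method and port always move together (B2) the joint entropy is 1 bit while the marginals sum to 2.

```python
import math
from collections import Counter


def joint_entropy(records, fields):
    """Shannon entropy in bits of the joint distribution of `fields` over `records`."""
    keys = [tuple(r[f] for f in fields) for r in records]
    n = len(keys)
    return sum(-c / n * math.log2(c / n) for c in Counter(keys).values()) if n else 0.0


def marginal_entropies(records, fields):
    """One single-attribute entropy per field, for comparison with the joint value."""
    return {f: joint_entropy(records, (f,)) for f in fields}


def prioritise(super_alarms, fields=("method", "src", "dst", "port")):
    """Rank super alarm ids by multivariate entropy, most varied first (assumed direction);
    ties are broken by id so the order is deterministic."""
    scored = [(joint_entropy(sa["alarms"], fields), sa["id"]) for sa in super_alarms]
    return [sid for _, sid in sorted(scored, key=lambda s: (-s[0], s[1]))]


def _probe(pairs):
    """Constructed alarm records for one source/destination pair (sample data, not real)."""
    return [{"method": m, "src": "10.0.0.5", "dst": "192.168.1.10", "port": p} for m, p in pairs]


# Constructed super alarms, not real data. B2 and B3 have identical marginal
# entropies for method and port; in B2 the two attributes always move together.
SUPER_ALARMS = [
    {"id": "B1", "alarms": _probe([("ssh_bruteforce", 22)] * 8)},
    {"id": "B2", "alarms": _probe([("xss", 443), ("sqli", 80), ("xss", 443), ("sqli", 80)])},
    {"id": "B3", "alarms": _probe([("xss", 443), ("sqli", 80), ("xss", 80), ("sqli", 443)])},
]

if __name__ == "__main__":
    for sa in SUPER_ALARMS:
        print(sa["id"], "joint:", joint_entropy(sa["alarms"], ("method", "port")),
              "marginals:", marginal_entropies(sa["alarms"], ("method", "port")))
    print("priority order:", prioritise(SUPER_ALARMS))
```

Run as a script it prints joint entropy 0, 1 and 2 bits for B1, B2 and B3 against per-attribute sums of 0, 2 and 2, and the order B3, B2, B1. Whatever mapping from entropy to risk an operator settles on, the joint distribution is the quantity that distinguishes a probe that rotates method and port independently from one that repeats a fixed pair of them.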

In an optional embodiment, with reference to Fig. 3, which is a flowchart of an alarm processing method according to another embodiment of the present invention, the method comprises the following steps:

Step 310: obtain the original alarms generated for network access events;

Step 320: group the original alarms according to the IP pair formed by the source IP address and the destination IP address of the network access event to which each alarm belongs, where the IP pair of each group is one-to-one, one-to-many or many-to-one;

Step 330: aggregate the original alarms of each group into several time clusters according to the alarm time information;

Step 340: calculate the information entropy of each time cluster in each group and, according to the information entropy similarity between time clusters, aggregate time clusters whose information entropy similarity exceeds a threshold into super alarms, where the information entropy comprises one or more of content entropy, source IP address entropy, destination IP entropy, time entropy and port entropy;

Step 350: calculate the multivariate information entropy of the super alarms in each group and assign a processing priority to the super alarms according to the multivariate information entropy.

In this embodiment, each group is first aggregated into time clusters, and the time clusters are then aggregated a second time according to the similarity of their information entropy. The two rounds of aggregation further improve the degree and precision of aggregation of the original alarms and make subsequent alarm handling easier for operations staff.

In information theory, entropy is the average amount of information carried by each message; it is also called information entropy, source entropy or average self-information. Here a "message" is an event, sample or feature drawn from a distribution or data stream, and entropy is understood as a measure of uncertainty rather than of certainty: the more random the source, the higher its entropy.

The information entropy is classified into content entropy, source IP address entropy, destination IP entropy, time entropy, port entropy and so on.

Content entropy represents how strongly the attack method varies within a time cluster; time entropy represents how strongly the interval between adjacent attacks varies within the time cluster; port entropy represents how strongly the destination port varies within the time cluster; and source IP entropy and destination IP entropy represent how strongly the source IP and destination IP, respectively, vary within the time cluster.

In an optional embodiment, calculating the information entropy of each time cluster in each group comprises:

for single-source single-destination attribute groups, whose IP pairs are one-to-one, calculating the content entropy, time entropy and port entropy of each time cluster.

In a single-source single-destination attribute group the source and destination IP addresses vary little, so content entropy, time entropy and port entropy are the more discriminating measures.

In an optional embodiment, calculating the information entropy of each time cluster in each group comprises:

for single-source multi-destination attribute groups, whose IP pairs are one-to-many, calculating the destination IP entropy, time entropy and port entropy of each time cluster.

In a single-source multi-destination attribute group the destination IP address varies, so destination IP entropy, time entropy and port entropy are calculated.

In an optional embodiment, calculating the information entropy of each time cluster in each group comprises:

for multi-source single-destination attribute groups, whose IP pairs are many-to-one, calculating the source IP entropy, time entropy and port entropy of each time cluster.

In a multi-source single-destination attribute group the source IP address varies, so source IP entropy, time entropy and port entropy are calculated.

In an optional embodiment, calculating the information entropy of each time cluster in each group and aggregating time clusters whose information entropy similarity exceeds the threshold into super alarms according to the information entropy similarity between time clusters comprises:

for each group, calculating the mean square error between the information entropies of the time clusters, deriving the information entropy similarity from the mean square error, and aggregating time clusters whose mean square error does not exceed a set threshold into super alarms.

In this embodiment the mean square error characterises the information entropy similarity: time clusters with high information entropy similarity are regarded as having similar characteristics and can be aggregated into a super alarm for unified handling.

In an optional embodiment, calculating the mean square error between the information entropies of the time clusters comprises:

for each group, calculating the mean square error between the information entropies of those time clusters whose time difference does not exceed a time threshold.

Fig. 4 is a schematic of the principle and architecture of the alarm processing method in one specific embodiment. By jointly analysing alarm type, source IP address, destination IP address and time interval, the method sorts the original alarms into three attribute groups and applies two-level aggregation and priority handling to each of them.

Attribute group 1 is attacks from a single source IP address to a single destination IP address;

attribute group 2 is attacks from multiple source IP addresses to a single destination IP address;

attribute group 3 is attacks from a single source IP address to multiple destination IP addresses.

In level-1 aggregation, for each of the three attribute groups, consecutive attacks within an aggregation window (for example 4 hours, or another interval) are aggregated into time clusters; adjacent time clusters are separated by more than the density window (for example 10 minutes).

Specifically, for attribute group 1 the several attack methods within the aggregation window are aggregated into a time cluster; for attribute groups 2 and 3 the single attack method within the aggregation window is aggregated into a time cluster.

Next, within each of the three attribute groups, the mean square error is calculated between time clusters that are close in time, and time clusters whose mean square error is below the preset threshold are aggregated into a super alarm (level-2 aggregation).

For all IP pairs in attribute group 1, content entropy, time entropy and port entropy are calculated for each of the time clusters within the aggregation window, and the time clusters A_1 whose mean square error is below the threshold are aggregated to generate super alarm B_1.

The content entropy is computed as:

Figure BDA0003428631030000081

The time entropy is computed as:

Figure BDA0003428631030000091

The port entropy is computed as:

Figure BDA0003428631030000092

The mean square error is computed as:

Figure BDA0003428631030000093

Time clusters with MSE_k < δ are aggregated into super alarm B_k.

Here the time clusters A1, A2 and A3 denote the data sets of attribute groups 1, 2 and 3, respectively, within the density window;

m_i, s_i, d_i, t_i and p_i denote, respectively, the attack method content, source IP address, destination IP address, time and port of the individual attacks within a time cluster;

The super alarms B1, B2 and B3 denote the sets of super alarms obtained by aggregating the time clusters of the three attribute groups, respectively;

k denotes an attribute group. For attribute group 1 the mean square error is computed with the formula MSE_k above; the mean square error measures the degree of difference, that is, the similarity, between the information entropies of the time clusters.

For all IP pairs in attribute group 2, the source IP entropy, time entropy and port entropy are computed for each of the time clusters within the aggregation window, and the time clusters A2 whose mean square error is below the threshold are aggregated to generate super alarm B2.

The source IP entropy is computed as:

Figure BDA0003428631030000094

For all IP pairs in attribute group 3, the destination IP entropy, time entropy and port entropy are computed for each of the time clusters within the aggregation window, and the time clusters A3 whose mean square error is below the threshold are aggregated to generate super alarm B3.

The content entropy measures how strongly the attack method varies within a time cluster; the time entropy measures how strongly the interval between adjacent attacks varies within the cluster; the port entropy measures how strongly the destination port varies within the cluster; and the source IP entropy and destination IP entropy measure how strongly the source IP address and the destination IP address, respectively, vary within the cluster.

Within each of the three attribute groups, the multivariate information entropy of every super alarm in the group is computed, and the super alarms of each group are sorted by that value so that operations staff can handle them in priority order.

In an optional embodiment of the present invention, when the processing priority is set, the priority order is attribute group 1 > attribute group 2 > attribute group 3; within each of the three attribute groups the multivariate information entropy is computed for the group's super alarms, and the super alarms are ranked within the group.

The multivariate information entropy is computed as:

Figure BDA0003428631030000101

where H_i denotes the count of the discrete joint distribution of (X_{i,k}, Y_{i,k}, Z_{i,k}), k = 1, 2, 3.

This embodiment of the present invention uses information entropy for the second-level aggregation, merging similar time clusters into super alarms, and uses multivariate information entropy to rank the super alarms by priority.
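The two-level pipeline described above (time clusters, per-cluster entropy vectors, mean-square-error merging into super alarms, and multivariate entropy for ranking) as one runnable example. This is an added illustration written for this page, not the patent's own code or a reproduction of its formula images. The following are assumptions: the entropies are Shannon entropies in bits; intervals between adjacent alarms are bucketed to GAP_BUCKET seconds before the time entropy is taken; the multivariate entropy is the joint entropy of (X, Y, Z) triples; super alarms with higher joint entropy rank first; the names Alarm, time_clusters, super_alarms, prioritise and the sample alarms are all constructed here.

```python
# Added worked example, not the patent's own code.  Assumed: Shannon entropy in bits
# (the page's formula images are not reproduced); adjacent-alarm gaps are bucketed to
# GAP_BUCKET seconds for the time entropy; multivariate entropy is the joint entropy
# of (X, Y, Z) triples; higher joint entropy ranks first.
from collections import Counter
from dataclasses import dataclass
from itertools import combinations
from math import log2

GAP_BUCKET = 10  # seconds (assumption)

@dataclass(frozen=True)
class Alarm:
    ts: int       # alarm time, seconds
    src: str      # source IP address
    dst: str      # destination IP address
    dport: int    # destination port
    method: str   # attack method / alarm content

def entropy(values):
    """Shannon entropy (bits) of values; tuples give the joint entropy."""
    if not values:
        return 0.0
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values()) + 0.0

def gap_buckets(cluster):
    """Bucketed intervals between adjacent alarms of one time cluster."""
    ts = [a.ts for a in cluster]
    return [(b - a) // GAP_BUCKET for a, b in zip(ts, ts[1:])]

def time_clusters(alarms, density_window=600, aggregation_window=4 * 3600):
    """First-level aggregation: start a new cluster when the gap to the previous
    alarm exceeds density_window or the cluster span would exceed aggregation_window."""
    clusters, current = [], []
    for a in sorted(alarms, key=lambda x: x.ts):
        if current and (a.ts - current[-1].ts > density_window
                        or a.ts - current[0].ts > aggregation_window):
            clusters.append(current)
            current = []
        current.append(a)
    if current:
        clusters.append(current)
    return clusters

def key_attr(alarm, group):  # attribute that varies inside the group
    return {1: alarm.method, 2: alarm.src, 3: alarm.dst}[group]

def entropy_vector(cluster, group):
    """(content | source-IP | destination-IP entropy, time entropy, port entropy)."""
    return (entropy([key_attr(a, group) for a in cluster]),
            entropy(gap_buckets(cluster)),
            entropy([a.dport for a in cluster]))

def mse(u, v):  # mean square error between two entropy vectors
    return sum((x - y) ** 2 for x, y in zip(u, v)) / len(u)

def super_alarms(clusters, group, delta=0.5, time_threshold=4 * 3600):
    """Second-level aggregation: clusters starting at most time_threshold apart with
    MSE < delta are merged transitively (union-find); one index list per super alarm."""
    vecs = [entropy_vector(c, group) for c in clusters]
    parent = list(range(len(clusters)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i, j in combinations(range(len(clusters)), 2):
        if (abs(clusters[j][0].ts - clusters[i][0].ts) <= time_threshold
                and mse(vecs[i], vecs[j]) < delta):
            parent[find(i)] = find(j)
    members = {}
    for i in range(len(clusters)):
        members.setdefault(find(i), []).append(i)
    return sorted(members.values())

def multivariate_entropy(cluster_list, group):
    """Joint entropy of (key attribute, gap bucket, port) over a super alarm's alarms;
    each cluster's first alarm is skipped because it has no preceding gap."""
    triples = []
    for c in cluster_list:
        triples += [(key_attr(a, group), g, a.dport) for a, g in zip(c[1:], gap_buckets(c))]
    return entropy(triples)

def prioritise(clusters, group, **kw):
    """Super alarms of one attribute group ranked by descending joint entropy."""
    ranked = [(sa, multivariate_entropy([clusters[i] for i in sa], group))
              for sa in super_alarms(clusters, group, **kw)]
    return sorted(ranked, key=lambda r: -r[1])

# Constructed sample for attribute group 1 (one source IP, one destination IP).
METHODS = ["sqli", "xss", "rce", "lfi"]
PORTS = [80, 443, 8080, 8443]
SAMPLE = (
    [Alarm(t, "10.0.0.5", "192.0.2.10", 80, "sqli") for t in range(0, 40, 5)]          # steady
    + [Alarm(2000 + t, "10.0.0.5", "192.0.2.10", 80, "sqli") for t in range(0, 40, 5)]   # steady, later
    + [Alarm(4000 + 5 * i, "10.0.0.5", "192.0.2.10", PORTS[i % 4], METHODS[i % 4]) for i in range(9)]  # varied
)
```

With the defaults, prioritise(time_clusters(SAMPLE), 1) returns [([2], 2.0), ([0, 1], 0.0)]: the two steady bursts become separate time clusters (they are more than the 600 s density window apart) with identical entropy vectors (0, 0, 0), so their mean square error is 0 and they merge into one super alarm; the varied burst has content and port entropy near 2 bits, its mean square error against the steady clusters is about 2.6, and it stays a separate super alarm that ranks first. Raising delta merges all three, which is the practical knob an operator tunes against the expected variety of scanner traffic.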

Figure 5 is a block diagram of one embodiment of the alarm processing system of the present invention. As shown in Figure 5, the alarm processing system of the present invention includes, but is not limited to:

an original alarm acquisition module 510, which acquires the original alarms generated for network access events;

a grouping module 520, which groups the original alarms by the IP pair formed by the source IP address and destination IP address of the network access event to which each alarm belongs, the IP pairs of each group being one-to-one, one-to-many or many-to-one;

a super alarm aggregation module 530, which computes the information entropy of the original alarms in each group and, according to the similarity between the information entropies, aggregates original alarms whose similarity exceeds a target value into super alarms, the information entropy comprising one or more of content entropy, source IP address entropy, destination IP entropy, time entropy and port entropy.

For the operating principle of the above modules, refer to the description of the alarm processing method; it is not repeated here.

On the basis of grouping by the IP pair formed by the source IP address and destination IP address, the alarm processing system of the present invention aggregates each group according to the information entropy of its original alarms, so that original alarms with similar information entropy are merged into super alarms. This markedly reduces the number of original alarms and the workload of operations staff; moreover, the super alarms give a finer aggregation of the alarms and carry a processing priority, which gives operations staff a predictable plan for responding precisely to the alarm log. Embodiments of the present invention can thus improve the user experience.

Optionally, compared with Figure 5, the alarm processing system shown in Figure 6 may further include:

a priority configuration module 610, which computes the multivariate information entropy of the super alarms in each group and assigns a processing priority to each super alarm according to its multivariate information entropy.

Optionally, compared with Figure 5, the alarm processing system shown in Figure 7 may further include:

a time cluster aggregation module 710, which, before the information entropy of the original alarms in each group is computed, aggregates the original alarms of each group into a plurality of time clusters according to their alarm time information;

The super alarm aggregation module 720 is specifically configured to:

compute the information entropy of each time cluster in each group and, according to the information entropy similarity between time clusters, aggregate time clusters whose similarity exceeds a threshold into a super alarm.

Optionally, the super alarm aggregation module 720 is further configured to:

for the single-source single-destination attribute group, whose IP pairs are one-to-one, compute the content entropy, time entropy and port entropy of each time cluster.

Optionally, the super alarm aggregation module 720 is further configured to:

for the single-source multi-destination attribute group, whose IP pairs are one-to-many, compute the destination IP entropy, time entropy and port entropy of each time cluster.

Optionally, the super alarm aggregation module 720 is further configured to:

for the multi-source single-destination attribute group, whose IP pairs are many-to-one, compute the source IP entropy, time entropy and port entropy of each time cluster.

Optionally, the super alarm aggregation module 720 is further configured to:

for each group, compute the mean square error between the information entropies of the time clusters, derive the information entropy similarity from the mean square error, and aggregate time clusters whose mean square error does not exceed a set threshold into a super alarm.

Optionally, the super alarm aggregation module 720 is further configured to:

for each group, compute the mean square error only between the information entropies of time clusters whose time difference does not exceed a time threshold.

An embodiment of the present invention further provides an alarm processing device comprising a processor and a memory in which executable instructions for the processor are stored, the processor being configured to perform the steps of the alarm processing method by executing the executable instructions.

As will be appreciated by those skilled in the art, the various aspects of the present invention may be implemented as a system, a method or a program product. Accordingly, they may take the form of an entirely hardware implementation, an entirely software implementation (including firmware, microcode and the like), or an implementation combining hardware and software, all of which may be referred to collectively herein as a "circuit", "module" or "platform".

Figure 8 is a schematic structural diagram of the alarm processing device of the present invention. An electronic device 800 according to this embodiment of the present invention is described below with reference to Figure 8. The electronic device 800 shown in Figure 8 is only an example and should not impose any limitation on the function or scope of use of the embodiments of the present invention.

As shown in Figure 8, the electronic device 800 takes the form of a general-purpose computing device. Its components may include, but are not limited to, at least one processing unit 810, at least one storage unit 820, a bus 830 connecting the different platform components (including the storage unit 820 and the processing unit 810), and a display unit 840.

The storage unit stores program code that can be executed by the processing unit 810, causing the processing unit 810 to perform the steps of the various exemplary embodiments of the present invention described in the alarm processing method section of this specification. For example, the processing unit 810 may perform the steps shown in Figures 1 to 3.

The storage unit 820 may include readable media in the form of volatile memory, such as a random access memory (RAM) 821 and/or a cache memory 822, and may further include a read-only memory (ROM) 823.

The storage unit 820 may also include a program/utility 824 having a set (at least one) of program modules 825, including but not limited to a processing system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.

The bus 830 may represent one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.

The electronic device 800 may also communicate with one or more external devices 870 (for example a keyboard, a pointing device or a Bluetooth device), with one or more devices that enable a user to interact with the electronic device 800, and/or with any device (for example a router or modem) that enables the electronic device 800 to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 850.

Furthermore, the electronic device 800 may communicate with one or more networks (for example a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 860. The network adapter 860 may communicate with the other modules of the electronic device 800 through the bus 830. It should be understood that, although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 800, including but not limited to microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives and data backup storage platforms.

An embodiment of the present invention further provides a computer-readable storage medium storing a program which, when executed, implements the steps of the alarm processing method. In some possible implementations, the various aspects of the present invention may also take the form of a program product comprising program code which, when the program product runs on a terminal device, causes the terminal device to perform the steps of the various exemplary embodiments of the present invention described in the alarm processing method section of this specification.

A program product for implementing the above method according to an embodiment of the present invention may take the form of a portable compact disc read-only memory (CD-ROM) containing program code, and may run on a terminal device such as a personal computer. The program product of the present invention is not limited thereto, however; in this document a readable storage medium may be any tangible medium that contains or stores a program for use by, or in connection with, an instruction execution system, apparatus or device.

The program product may employ any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of readable storage media include an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.

A computer-readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take a variety of forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the foregoing. A readable storage medium may also be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by, or in connection with, an instruction execution system, apparatus or device. Program code embodied on a readable storage medium may be transmitted using any suitable medium, including but not limited to wireless, wireline, optical fibre cable, RF and the like, or any suitable combination of the foregoing.

Program code for carrying out the processing of the present invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++ and conventional procedural programming languages such as the "C" language or similar. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server. In the case of a remote computing device, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example through the Internet using an Internet service provider).

In summary, the object of the present invention is to provide an alarm processing method, system, device and storage medium which, on the basis of grouping by the IP pair formed by the source IP address and destination IP address, aggregate each group according to the information entropy of its original alarms, so that original alarms with similar information entropy are merged into super alarms. This markedly reduces the number of original alarms and the workload of operations staff; moreover, the super alarms give a finer aggregation of the alarms and carry a processing priority, which gives operations staff a predictable plan for responding precisely to the alarm log. Embodiments of the present invention can thus improve the user experience.

The above is a further detailed description of the present invention in conjunction with specific preferred embodiments, and the specific implementation of the present invention should not be regarded as limited to this description. Those of ordinary skill in the technical field of the present invention may make a number of simple deductions or substitutions without departing from the concept of the present invention, all of which should be regarded as falling within the scope of protection of the present invention.

Claims (11)

1. An alarm processing method, comprising:
acquiring original alarms generated for a network access event;
grouping the original alarms according to an IP pair consisting of a source IP address and a destination IP address of the network access event, wherein the IP pair of each group is one-to-one, one-to-many or many-to-one; and
calculating information entropy for the original alarms in each group, and aggregating original alarms whose similarity is greater than a target value into a super alarm according to the similarity between the information entropies, wherein the information entropy comprises one or more of content entropy, source IP address entropy, destination IP entropy, time entropy and port entropy.
2. The alarm processing method according to claim 1, further comprising:
calculating multivariate information entropy for the super alarms in each group, and configuring a processing priority for each super alarm according to its multivariate information entropy.
3. The alarm processing method according to claim 1, wherein, before calculating the information entropy for the original alarms in each group, the method further comprises:
aggregating the original alarms of each group into a plurality of time clusters according to alarm time information;
and wherein calculating the information entropy for the original alarms in each group and aggregating original alarms whose similarity is greater than the target value into a super alarm according to the similarity between the information entropies comprises:
calculating the information entropy of each time cluster in each group, and aggregating time clusters whose information entropy similarity is greater than a threshold into a super alarm according to the information entropy similarity between the time clusters.
4. The alarm processing method according to claim 3, wherein calculating the information entropy of each time cluster in each group comprises:
for the single-source single-destination attribute group whose IP pairs are one-to-one, calculating the content entropy, the time entropy and the port entropy for each time cluster.
5. The alarm processing method according to claim 3, wherein calculating the information entropy of each time cluster in each group comprises:
for the single-source multi-destination attribute group whose IP pairs are one-to-many, calculating the destination IP entropy, the time entropy and the port entropy for each time cluster.
6. The alarm processing method according to claim 3, wherein calculating the information entropy of each time cluster in each group comprises:
for the multi-source single-destination attribute group whose IP pairs are many-to-one, calculating the source IP entropy, the time entropy and the port entropy for each time cluster.
7. The alarm processing method according to claim 3, wherein calculating the information entropy of each time cluster in each group and aggregating time clusters whose information entropy similarity is greater than the threshold into a super alarm according to the information entropy similarity between the time clusters comprises:
for each group, calculating the mean square error between the information entropies of the time clusters, obtaining the information entropy similarity from the mean square error, and aggregating time clusters whose mean square error is not greater than a set threshold into a super alarm.
8. The alarm processing method according to claim 3, wherein calculating the mean square error between the information entropies of the time clusters comprises:
for each group, calculating the mean square error between the information entropies of time clusters whose time difference is not greater than a time threshold.
9. An alarm processing system, comprising:
an original alarm acquisition module, configured to acquire original alarms generated for a network access event;
a grouping module, configured to group the original alarms according to an IP pair consisting of a source IP address and a destination IP address of the network access event, wherein the IP pair of each group is one-to-one, one-to-many or many-to-one; and
a super alarm aggregation module, configured to calculate information entropy for the original alarms in each group and to aggregate original alarms whose similarity is greater than a target value into a super alarm according to the similarity between the information entropies, wherein the information entropy comprises one or more of content entropy, source IP address entropy, destination IP entropy, time entropy and port entropy.
10. An alarm processing device, comprising:
a processor; and
a memory having stored therein executable instructions of the processor;
wherein the processor is configured to perform the steps of the alarm processing method of any one of claims 1 to 8 by executing the executable instructions.
11. A computer-readable storage medium storing a program, wherein the program, when executed by a processor, implements the steps of the alarm processing method of any one of claims 1 to 8.
CN202111587910.0A 2021-12-23 2021-12-23 Alarm processing method, system, device and storage medium Active CN114301758B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111587910.0A CN114301758B (en) 2021-12-23 2021-12-23 Alarm processing method, system, device and storage medium


Publications (2)

Publication Number Publication Date
CN114301758A true CN114301758A (en) 2022-04-08
CN114301758B CN114301758B (en) 2024-12-13

Family

ID=80969487


Country Status (1)

Country Link
CN (1) CN114301758B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115134159A (en) * 2022-07-06 2022-09-30 辽宁振兴银行股份有限公司 Safety alarm analysis optimization method
CN115549953A (en) * 2022-08-15 2022-12-30 国家管网集团北方管道有限责任公司 A network security alarm method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008052637A (en) * 2006-08-28 2008-03-06 Kddi Corp Abnormality detection device, abnormality detection program, and recording medium
KR20110107880A (en) * 2010-03-26 2011-10-05 노기섭 Distributed Denial of Service Attack Detection Method Using Fast Information Entropy and Active Moving Average Detector
US20130296724A1 (en) * 2010-11-22 2013-11-07 Balachandra R. Deshpande Method and Apparatus For Early Warning of Critical Care Patient Hemodynamic Instability
US20190171823A1 (en) * 2017-12-06 2019-06-06 Cisco Technology, Inc. Key threat prediction


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张羽; 郭春; 申国伟; 平源: "一种基于信息熵的IDS告警预处理方法" (An IDS alert preprocessing method based on information entropy), 计算机与现代化 (Computer and Modernization), no. 05, 15 May 2020 (2020-05-15), page 2 *




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant