CN116248381A - Alarm aggregation method and device, electronic equipment and storage medium - Google Patents
Publication number: CN116248381A (application CN202310128611.3A)
Authority: CN (China)
Prior art keywords: alarm, logs, fingerprint information, attack, attack result
Legal status: Pending (status as listed by Google; not a legal conclusion)
Classifications
- H04L63/20: Network architectures or network communication protocols for managing network security; network security policies in general
- H04L41/06: Management of faults, events, alarms or notifications
- Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The invention provides an alarm aggregation method, an alarm aggregation device, electronic equipment and a storage medium, which relate to the field of network security. The method comprises the following steps: acquiring a plurality of alarm logs from the same alarm source, and determining the fingerprint information and attack result level corresponding to each alarm log, where the fingerprint information corresponds to the network asset attacked by the attack behavior recorded in the alarm log; comparing and verifying the fingerprint information against specified fingerprint information corresponding to preset successful attack behaviors, and, when the fingerprint information is determined not to pass the comparison and verification, lowering the attack result level of the alarm log containing that fingerprint information; and, when the comparison and verification of all the alarm logs is completed, aggregating the alarm logs whose attack result level is greater than or equal to a preset threshold value. In this way, high-value alarm logs can be screened out from the alarm logs and aggregated preferentially, so that they are not submerged in a large number of alarms and operators can find and handle high-risk attacks in time.
Description
Technical Field
The present invention relates to the field of network security, and in particular, to an alarm aggregation method, an alarm aggregation device, an electronic device, and a storage medium.
Background
Detecting and giving early warning of potential network attacks is a conventional function of network security devices. In the related technology, when the network environment in which the network security equipment is located is complex, the equipment can generate a large number of alarms, and high-value alarms are easily submerged, which makes it difficult for operators to discover and handle high-risk attacks in time.
Disclosure of Invention
The invention aims to provide an alarm aggregation method, an alarm aggregation device, electronic equipment and a storage medium, which can screen high-value alarm logs from a plurality of alarm logs by utilizing fingerprint information and preferentially aggregate the high-value alarm logs, so that the high-value alarm logs can be prevented from being submerged in a large number of alarms.
In order to solve the technical problems, the invention provides an alarm aggregation method, which comprises the following steps:
acquiring a plurality of alarm logs from the same alarm source, and determining fingerprint information and attack result level corresponding to each alarm log; the fingerprint information corresponds to network assets attacked by the attack behaviors recorded by the alarm log;
comparing and verifying the fingerprint information with specified fingerprint information corresponding to preset successful attack behaviors, and, when determining that the fingerprint information fails the comparison and verification, lowering the attack result level corresponding to the alarm log containing the fingerprint information;
and when the comparison verification of all the alarm logs is completed, aggregating the alarm logs with the attack result level being greater than or equal to a preset threshold value.
Optionally, the aggregating the alarm logs with the attack result level greater than or equal to a preset threshold includes:
setting the alarm logs with the attack result level greater than or equal to the preset threshold value as logs to be aggregated;
determining a target rule triggered by the logs to be aggregated, and judging whether the number of alarm logs which trigger the target rule in the current period is smaller than a preset number;
if so, aggregating logs to be aggregated, which are generated in the first preset time and have the same alarm information and network communication information, triggering the target rule every first preset time;
if not, aggregating logs to be aggregated, which are generated in the second preset time and have the same alarm information and network communication information, triggering the target rule every second preset time; the second preset time is longer than the first preset time.
Optionally, before aggregating the alarm logs with the attack result level greater than or equal to a preset threshold, the method further includes:
when the alarm logs with the attack result level being greater than or equal to a preset threshold value are determined to exist, aggregating the alarm logs with the attack result level being greater than or equal to the preset threshold value, and discarding the alarm logs with the attack result level being less than the preset threshold value;
and when the alarm logs with the attack result level being greater than or equal to the preset threshold value are determined to be absent, aggregating the alarm logs with the attack result level being smaller than the preset threshold value.
Optionally, the determining the attack result level of each alarm log record includes:
and determining the attack result level corresponding to the alarm log according to the attack result recorded by the alarm log.
Optionally, the alarm log further records a risk level corresponding to the target rule triggered by the attack behavior, and after the alarm log with the attack result level greater than or equal to a preset threshold value is aggregated, the method further includes:
and outputting the alarm log with the highest risk level from the alarm logs with the attack result level larger than or equal to a preset threshold value.
Optionally, the fingerprint information and the specified fingerprint information are both multi-level fingerprints, and the comparing and verifying the fingerprint information with the specified fingerprint information corresponding to the preset successful attack behavior includes:
sequentially comparing and verifying all levels of fingerprints in the fingerprint information with specified fingerprints of corresponding levels in the specified fingerprint information;
if the primary fingerprints in the fingerprint information are different from the primary designated fingerprints in the designated fingerprint information or the fingerprints at all levels in the fingerprint information are the same as the designated fingerprints at the corresponding levels in the designated fingerprint information, determining that the fingerprint information passes the comparison verification;
and if the primary fingerprint is determined to be the same as the primary designated fingerprint, and fingerprints which are different from designated fingerprints of corresponding levels in the designated fingerprint information exist in all levels of the remaining fingerprints in the fingerprint information, determining that the fingerprint information fails the comparison verification.
The invention also provides an alarm aggregation device, which comprises:
the acquisition module is used for acquiring a plurality of alarm logs from the same alarm source and determining fingerprint information and attack result levels corresponding to the alarm logs; the fingerprint information corresponds to network assets attacked by the attack behaviors recorded by the alarm log;
the fingerprint comparison module is used for comparing and verifying the fingerprint information with the designated fingerprint information corresponding to the preset successful attack behavior, and, when the fingerprint information is determined not to pass the comparison and verification, lowering the attack result level corresponding to the alarm log containing the fingerprint information;
and the aggregation module is used for aggregating the alarm logs with the attack result level being greater than or equal to a preset threshold value when the comparison and verification of all the alarm logs are completed.
Optionally, the aggregation module includes:
the setting submodule is used for setting the alarm log with the attack result level being greater than or equal to the preset threshold value as a log to be aggregated;
the judging sub-module is used for determining the target rule triggered by the logs to be aggregated and judging whether the number of the alarm logs which trigger the target rule in the current period is smaller than a preset number;
the first aggregation sub-module is used for, if so, aggregating logs to be aggregated, which are generated in the first preset time and have the same alarm information and network communication information, triggering the target rule every first preset time;
the second aggregation sub-module is used for, if not, aggregating logs to be aggregated, which are generated in the second preset time and have the same alarm information and network communication information, triggering the target rule every second preset time; the second preset time is longer than the first preset time.
The present invention also provides an electronic device including:
a memory for storing a computer program;
and a processor for implementing the steps of the alarm aggregation method as described above when executing the computer program.
The present invention also provides a storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the alarm aggregation method as described above.
The invention provides an alarm aggregation method, which comprises the following steps: acquiring a plurality of alarm logs from the same alarm source, and determining fingerprint information and attack result level corresponding to each alarm log; the fingerprint information corresponds to network assets attacked by the attack behaviors recorded by the alarm log; comparing and verifying the fingerprint information with specified fingerprint information corresponding to preset successful attack behaviors, and when determining that the fingerprint information fails the comparison and verification, downregulating an attack result level corresponding to an alarm log containing the fingerprint information; and when the comparison verification of all the alarm logs is completed, aggregating the alarm logs with the attack result level being greater than or equal to a preset threshold value.
After a plurality of alarm logs from the same alarm source are obtained, the fingerprint information and attack result level corresponding to each log can be determined, where the fingerprint information corresponds to the network asset attacked by the attack behavior recorded in the alarm log, that is, the network assets attacked by the attack behavior are marked with corresponding fingerprints, and the attack result level reflects the degree of harm of the alarm log; then, the invention can compare and verify the fingerprint information with the specified fingerprint information corresponding to the preset successful attack behavior, and, when the fingerprint information is determined not to pass the comparison and verification, lower the attack result level corresponding to the alarm log containing the fingerprint information, that is, when the risk of the attack behavior corresponding to the alarm log is determined to be lower, the attack result level corresponding to that behavior is lowered; finally, after the comparison and verification of all alarm logs are completed, the alarm logs with an attack result level greater than or equal to a preset threshold value can be aggregated, that is, high-value alarm logs can be screened out from the plurality of alarm logs and aggregated preferentially, so that the high-value alarm logs are not submerged in a large number of alarms and operators can find and handle high-risk attacks in time. The invention also provides an alarm aggregation device, electronic equipment and a storage medium, which have the same beneficial effects.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of an alarm aggregation method according to an embodiment of the present invention;
FIG. 2 is a flowchart of fingerprint comparison verification according to an embodiment of the present invention;
fig. 3 is a block diagram of an alarm aggregation device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the related technology, when the network environment in which the network security equipment is located is complex, the equipment can generate a large number of alarms, and high-value alarms are easily submerged, which makes it difficult for operators to discover and handle high-risk attacks in time. In view of this, the present invention can provide an alarm aggregation method, which can screen out high-value alarm logs from a plurality of alarm logs by using fingerprint information, and preferentially aggregate the high-value alarm logs, so as to avoid the high-value alarm logs being submerged in a large number of alarms. Referring to fig. 1, fig. 1 is a flowchart of an alarm aggregation method according to an embodiment of the present invention, where the method may include:
S101, acquiring a plurality of alarm logs from the same alarm source, and determining the fingerprint information and attack result level corresponding to each alarm log; the fingerprint information corresponds to the network asset attacked by the attack behavior recorded by the alarm log.
The alarm source is attack detection equipment in the network environment, which can detect attack behaviors in the network environment and generate corresponding alarm information. The alarm information usually records an attack result, which may be, for example, attack success, attempted attack or attack failure. An attempted attack lies between attack success and attack failure and mainly consists of probing operations, such as intranet reconnaissance, carried out before the network attack itself. It can be understood that, among the three attack results, the risk of the attack success result is the highest and requires the most attention; the risk of the attempted attack result is next; and the risk of the attack failure result is the lowest. That is, each of the three attack results corresponds to a specific risk level, which is also referred to as the attack result level in the embodiment of the present invention. As such, after the alarm log is obtained, the embodiment of the invention can determine the corresponding attack result level according to the recorded attack result.
Based on this, determining the attack result level of each alarm log record may include:
step 11: and determining the corresponding attack result level of the alarm log according to the attack result recorded by the alarm log.
Further, since the purpose of the embodiment of the present invention is to screen out high-value alarm logs, the embodiment of the present invention preferentially aggregates alarm logs with an attack result level greater than or equal to a preset threshold, for example, it preferentially aggregates alarm logs with an attack success result and an attempted attack result. However, alarm logs with the attempted attack result contain a lot of noise, for example alarm logs that are judged to be attempted attacks even though the attack did not succeed, so the quantity of alarm logs may still be large after aggregation. Therefore, the embodiment of the invention can suppress such alarms and thereby reduce the alarm quantity. In particular, embodiments of the present invention may set fingerprints in the network environment, for example on individual network assets. Then, if an alarm source detects an attack on a particular network asset, the fingerprint of that network asset may be marked in the corresponding alarm log. In addition, the embodiment of the invention can preset the specified fingerprint information corresponding to successful attack behavior, that is, mark only the network assets that the attack behavior has actually attacked successfully.
In this way, after the alarm log is obtained, the fingerprint information recorded in the alarm log can be compared and verified with the specified fingerprint information corresponding to the preset successful attack behavior. When the comparison and verification are confirmed to pass, the attack behavior corresponding to the alarm log is judged to be a high-risk attack and the original attack result is kept; when the comparison and verification are determined to have failed, the attack behavior corresponding to the alarm log is judged not to have succeeded, and the attack result level of the alarm log is lowered, for example by changing the attack result recorded in the alarm log to attack failure, thereby reducing the quantity of alarm logs aggregated. It should be noted that the embodiment of the invention is not limited to a particular way of configuring fingerprints on each network asset, nor to a specific way for the alarm source to mark the fingerprint in the alarm log; these can be set according to the actual application requirements.
S102, comparing and verifying the fingerprint information with the designated fingerprint information corresponding to the preset successful attack behavior, and, when the fingerprint information is determined not to pass the comparison and verification, lowering the attack result level corresponding to the alarm log containing the fingerprint information.
As described above, when it is determined that the fingerprint information of the alarm log fails the comparison verification, the level of the attack result corresponding to the alarm log can be adjusted down, so that the alarm aggregation amount can be reduced, and the high-value alarm log can be highlighted.
Further, in order to facilitate fingerprint comparison, fingerprint information in the embodiment of the present invention, namely, the marked fingerprint information in the alarm log and the designated fingerprint information corresponding to the preset successful attack behavior are both multi-level fingerprints. For example, if a network asset is a component in a system, the multi-level fingerprint may be: the first fingerprint corresponds to the system and the second fingerprint corresponds to the network asset. Thus, fingerprint matching efficiency can be improved. Of course, it can be understood that the level of the multi-level fingerprint can be larger than two levels, and the multi-level fingerprint can be specifically set according to practical application requirements. For easy understanding, the embodiment of the invention will introduce a specific implementation case of comparison verification based on a two-layer fingerprint structure.
Based on the above, the fingerprint information and the specified fingerprint information are both multi-level fingerprints, and the fingerprint information is compared with the specified fingerprint information corresponding to the preset successful attack behavior for verification, which comprises the following steps:
step 21: sequentially comparing and verifying all levels of fingerprints in the fingerprint information with the specified fingerprints of the corresponding levels in the specified fingerprint information;
step 22: if the first-level fingerprint in the fingerprint information is different from the first-level designated fingerprint in the designated fingerprint information or the fingerprints of all levels in the fingerprint information are the same as the designated fingerprints of the corresponding levels in the designated fingerprint information, determining that the fingerprint information passes comparison verification;
step 23: if the primary fingerprint is determined to be the same as the primary designated fingerprint, and fingerprints which are different from the designated fingerprints of the corresponding levels in the designated fingerprint information exist in the remaining all levels of fingerprints in the fingerprint information, determining that the fingerprint information fails comparison verification.
Referring to fig. 2, fig. 2 is a flowchart of fingerprint comparison verification according to an embodiment of the present invention. The embodiment of the invention first compares the first-level fingerprint in the fingerprint information with the first-level designated fingerprint in the designated fingerprint information; if they differ, the attack result in the alarm log is not modified. If they are the same, the second-level fingerprint is compared next, either by checking whether the second-level fingerprint is present in the fingerprint information or by comparing the fingerprint names; the process is similar for further levels. After this comparison, the embodiment of the invention can greatly reduce the quantity of attempted-attack alarm logs and condense the high-value alarm logs, which helps to highlight high-value alarms.
S103, when comparison verification of all alarm logs is completed, the alarm logs with the attack result level being greater than or equal to a preset threshold value are aggregated.
After the comparison and verification are completed, the alarm logs with an attack result level greater than or equal to the preset threshold can be aggregated preferentially, where the preset threshold can be set according to the actual application requirements. For example, when the attack result level is classified into high, medium and low levels, corresponding to attack success, attempted attack and attack failure respectively, the preset threshold may be set to the second (medium) level, that is, only the alarm logs of attack success and attempted attack are aggregated. It can be understood that if, after the comparison verification is completed, there are both alarm logs satisfying the aggregation condition and low-level alarm logs not satisfying it, the alarm logs satisfying the condition may be aggregated and the alarm logs not satisfying it may be discarded; if, on the other hand, only alarm logs with a low attack result level remain after the comparison verification is completed, these alarm logs may be aggregated for reference, since they may still reflect attack conditions in the network environment.
Based on this, before aggregating the alarm logs with the attack result level greater than or equal to the preset threshold value, the method may further include:
step 31: when the alarm logs with the attack result level being greater than or equal to the preset threshold value are determined to exist, aggregating the alarm logs with the attack result level being greater than or equal to the preset threshold value, and discarding the alarm logs with the attack result level being less than the preset threshold value;
step 32: and when the alarm logs with the attack result level being greater than or equal to the preset threshold value are determined to be absent, aggregating the alarm logs with the attack result level being less than the preset threshold value.
Finally, after the aggregation of the alarm logs is completed, the high-risk alarm logs can be output so as to prompt timely handling by operation and maintenance personnel. Specifically, the alarm log may also record a risk level, which is the risk level (gid) of the target rule triggered by the attack behavior corresponding to the alarm log. This risk level is marked when the rule is written: a rule for a specific vulnerability, such as one identified by a CVE number, is marked high-risk and ranks highest; a common or general rule ranks next; and an unusual rule ranks lowest. Accordingly, after the alarm logs are aggregated, the alarm log with the highest risk level can be output according to the recorded risk levels.
Based on the above, the alarm log also records a risk level corresponding to the target rule triggered by the attack behavior, and after the alarm log with the attack result level greater than or equal to the preset threshold value is aggregated, the method further comprises the following steps:
step 41: and outputting the alarm log with the highest risk level from the alarm logs with the attack result level larger than or equal to the preset threshold value.
Based on the above embodiment, after a plurality of alarm logs from the same alarm source are obtained, the fingerprint information and attack result level corresponding to each log can be determined, where the fingerprint information corresponds to the network asset attacked by the attack behavior recorded in the alarm log, that is, the network assets attacked by the attack behavior are marked with corresponding fingerprints, and the attack result level reflects the degree of harm of the alarm log; then, the invention can compare and verify the fingerprint information with the specified fingerprint information corresponding to the preset successful attack behavior, and, when the fingerprint information is determined not to pass the comparison and verification, lower the attack result level corresponding to the alarm log containing the fingerprint information, that is, when the risk of the attack behavior corresponding to the alarm log is determined to be lower, the attack result level corresponding to that behavior is lowered; finally, after the comparison and verification of all alarm logs are completed, the alarm logs with an attack result level greater than or equal to a preset threshold value can be aggregated, that is, high-value alarm logs can be screened out from the plurality of alarm logs and aggregated preferentially, so that the high-value alarm logs are not submerged in a large number of alarms and operators can find and handle high-risk attacks in time.
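The pipeline of S101 to S103 with steps 21 to 23, 31 to 32 and 41, as an added example that is not the patent's own code. The numeric level mapping, the per-rule lookup of designated fingerprints, the `AlarmLog` fields and the sample logs are assumptions.

```python
# Added example, not the patent's own code: the two-level fingerprint check
# (steps 21-23), the result-level downgrade (S102), threshold aggregation
# with the discard/fallback rule (steps 31-32) and highest-risk output
# (step 41). Field names, level numbers and sample logs are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed numeric attack-result levels: success > attempt > failure.
LEVEL = {"success": 3, "attempt": 2, "failure": 1}
# Rule risk levels in the order the description gives: specific vulnerability
# (e.g. a CVE-based rule) highest, general rule next, unusual rule lowest.
RISK = {"high": 3, "general": 2, "unusual": 1}

Fingerprint = Tuple[str, ...]   # multi-level, e.g. (system, asset)


@dataclass
class AlarmLog:
    rule_id: str
    result: str              # "success" | "attempt" | "failure"
    fingerprint: Fingerprint
    risk: str                # risk level marked when the rule was written

    @property
    def level(self) -> int:
        return LEVEL[self.result]


def fingerprint_passes(fp: Fingerprint, designated: Fingerprint) -> bool:
    """Steps 21-23. Pass when the first-level fingerprints differ (another
    system, so the designated success fingerprint does not apply) or when every
    level matches; fail when the first level matches but a later level differs.
    A level missing on either side counts as a difference (assumption)."""
    if fp[0] != designated[0]:
        return True
    for i in range(1, max(len(fp), len(designated))):
        mine = fp[i] if i < len(fp) else None
        theirs = designated[i] if i < len(designated) else None
        if mine != theirs:
            return False
    return True


def verify_and_downgrade(logs: List[AlarmLog],
                         designated: Dict[str, Fingerprint]) -> List[AlarmLog]:
    """S102: a log whose fingerprint fails the check against the designated
    fingerprint for its rule has its result changed to 'failure'. Rules with no
    designated fingerprint are left untouched (assumption)."""
    for log in logs:
        target = designated.get(log.rule_id)
        if target is not None and not fingerprint_passes(log.fingerprint, target):
            log.result = "failure"
    return logs


def aggregate(logs: List[AlarmLog], threshold: int = LEVEL["attempt"]) -> List[AlarmLog]:
    """S103 with steps 31-32: keep logs at or above the threshold and discard
    the rest; if none reaches the threshold, keep the low-level logs for reference."""
    high = [log for log in logs if log.level >= threshold]
    return high if high else list(logs)


def highest_risk(logs: List[AlarmLog]) -> Optional[AlarmLog]:
    """Step 41: the log whose triggered rule carries the highest risk level."""
    return max(logs, key=lambda log: RISK[log.risk], default=None)


def build_sample() -> Tuple[List[AlarmLog], Dict[str, Fingerprint]]:
    """Constructed sample: one alarm source, two-level (system, asset) fingerprints."""
    designated = {"R1": ("erp", "db01"), "R2": ("erp", "db01")}
    logs = [
        AlarmLog("R1", "success", ("erp", "db01"), "high"),      # exact match: keep
        AlarmLog("R1", "attempt", ("erp", "web02"), "high"),     # same system, other asset: downgrade
        AlarmLog("R2", "attempt", ("crm", "app01"), "general"),  # other system: keep
        AlarmLog("R3", "failure", ("erp", "db01"), "unusual"),   # no designated fingerprint: keep
    ]
    return logs, designated


def run_pipeline(logs, designated, threshold=LEVEL["attempt"]):
    """S101-S103 end to end: verify, downgrade, aggregate, pick the top-risk log."""
    kept = aggregate(verify_and_downgrade(logs, designated), threshold)
    return kept, highest_risk(kept)


if __name__ == "__main__":
    kept, top = run_pipeline(*build_sample())
    for log in kept:
        print(log.rule_id, log.result, log.fingerprint, log.risk)
    print("highest risk:", top.rule_id if top else None)
```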
Based on the above embodiments, the following describes the aggregation manner of the alarm logs in detail. In one possible case, aggregating the alarm logs with the attack result level greater than or equal to the preset threshold value may include:
s201, setting an alarm log with the attack result level being greater than or equal to a preset threshold value as a log to be aggregated.
S202, determining the target rule triggered by the logs to be aggregated, and judging whether the number of alarm logs that have triggered the target rule in the current period is smaller than a preset number; if yes, go to step S203; if not, go to step S204.
Note that, the embodiment of the present invention is not limited to the merging period corresponding to each target rule, and may be 24 hours, for example. It should be noted that during one merge period, each target rule will gradually increase the merge strength in steps, limiting the amount of alert log, and restoring the initial merge strength during the next merge period.
Furthermore, the plurality of alarm logs which are about to have the same information are aggregated into a total alarm log, so that the alarm log quantity can be further reduced, and the operation and maintenance personnel can conveniently review the alarm log. The embodiment of the invention is not limited to aggregating the alarm logs based on which information, for example, the alarm logs can be aggregated according to the target rule (such as rule ID), the alarm information (such as alarm result) and the network communication information (such as source port, target port, source IP and target IP) triggered by the alarm logs. Further, as described above, in order to limit the amount of the alarm logs as much as possible, the merging strength corresponding to each target rule is gradually enhanced, for example, only the alarm logs generated in each first preset time (for example, 30 s) are aggregated; when the alarm log quantity triggered by the target rule in the merging period is determined to be greater than or equal to the preset quantity (such as 10 ten thousand), the alarm logs generated in the second preset time (such as one hour) are aggregated, so that the effect of reducing the alarm log quantity is achieved.
S203, if yes, every first preset time, aggregate the logs to be aggregated that triggered the target rule, were generated within that first preset time and have the same alarm information and network communication information.
S204, if not, every second preset time, aggregate the logs to be aggregated that triggered the target rule, were generated within that second preset time and have the same alarm information and network communication information; the second preset time is greater than the first preset time.
It should be noted that, the embodiment of the present invention is not limited to specific values of the first preset time and the second preset time, and may be set according to actual application requirements.
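The stepped merging of S201 to S204, written out as an added Python example. This is not code from the patent: the threshold, the preset count, the two window lengths, the merging period and every sample alarm log below are constructed for illustration only, and the fields chosen as "alarm information" and "network communication information" follow the examples the description gives (alarm result; source/destination IP and port).

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Illustrative parameters; the patent leaves the concrete values to the deployment.
PRESET_THRESHOLD = 2      # alarm logs at or above this attack result level are aggregated (S201)
PRESET_COUNT = 3          # per-rule alarm count at which the merge strength steps up (S202)
FIRST_WINDOW_S = 30       # first preset time: fine-grained merge (S203)
SECOND_WINDOW_S = 3600    # second preset time: coarse merge (S204); must exceed FIRST_WINDOW_S
MERGE_PERIOD_S = 86400    # merging period after which the initial merge strength is restored


@dataclass(frozen=True)
class Alert:
    ts: int                  # epoch seconds
    rule_id: str             # target rule the alarm triggered
    attack_result_level: int
    alarm_result: str        # alarm information, e.g. the recorded attack result
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Aggregate:
    rule_id: str
    alarm_result: str
    flow: tuple              # (src_ip, src_port, dst_ip, dst_port)
    window_start: int
    window_len: int
    count: int               # number of raw alarm logs folded into this total alarm log


def choose_window(rule_count: int) -> int:
    """S202: below the preset count the rule is merged over the first preset time,
    otherwise over the (longer) second preset time."""
    return FIRST_WINDOW_S if rule_count < PRESET_COUNT else SECOND_WINDOW_S


def aggregate(alerts):
    # S201: only alarm logs that reach the threshold become logs to be aggregated
    pending = [a for a in alerts if a.attack_result_level >= PRESET_THRESHOLD]
    # S202: count logs per (merging period, target rule); the count resets every period
    per_rule = Counter((a.ts // MERGE_PERIOD_S, a.rule_id) for a in pending)
    buckets = defaultdict(int)
    for a in pending:
        win = choose_window(per_rule[(a.ts // MERGE_PERIOD_S, a.rule_id)])
        flow = (a.src_ip, a.src_port, a.dst_ip, a.dst_port)
        # S203/S204: same rule, same alarm information, same network communication
        # information, generated inside the same window -> one total alarm log
        key = (a.rule_id, a.alarm_result, flow, (a.ts // win) * win, win)
        buckets[key] += 1
    return [Aggregate(k[0], k[1], k[2], k[3], k[4], n) for k, n in sorted(buckets.items())]


# Constructed sample input (not real alarm data).
_FLOW_A = dict(src_ip="10.0.0.5", src_port=51000, dst_ip="10.0.1.20", dst_port=443)
_FLOW_B = dict(src_ip="10.0.0.9", src_port=40022, dst_ip="10.0.1.30", dst_port=3306)
SAMPLE_ALERTS = [
    # rule R1: two logs 10 s apart -> below PRESET_COUNT -> 30 s window -> one aggregate
    Alert(1000, "R1", 3, "success", **_FLOW_A),
    Alert(1010, "R1", 3, "success", **_FLOW_A),
    # rule R2: four qualifying logs -> reaches PRESET_COUNT -> 3600 s window -> two aggregates
    Alert(2000, "R2", 2, "success", **_FLOW_B),
    Alert(2500, "R2", 2, "success", **_FLOW_B),
    Alert(3000, "R2", 2, "success", **_FLOW_B),
    Alert(5500, "R2", 2, "success", **_FLOW_B),
    # below the threshold: dropped at S201 and never counted towards the rule
    Alert(3100, "R2", 1, "attempt", **_FLOW_B),
]

if __name__ == "__main__":
    for agg in aggregate(SAMPLE_ALERTS):
        print(agg)
```

The example works on a batch; a streaming implementation would increment the per-rule counter as each log arrives and switch from the first to the second window at the moment the preset number is reached, which is the gradual step-up the description refers to. Note that the merging-period key on the counter is what restores the initial merging strength once a new period begins.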
The alarm aggregation device, electronic device and storage medium provided by embodiments of the present invention are described below; they correspond to the alarm aggregation method described above and may be read together with it.
Referring to fig. 3, fig. 3 is a block diagram of an alarm aggregation device according to an embodiment of the present invention, where the alarm aggregation device may include:
the acquisition module 301 is configured to acquire a plurality of alarm logs from the same alarm source and determine the fingerprint information and attack result level corresponding to each alarm log; the fingerprint information corresponds to the network asset attacked by the attack behavior recorded in the alarm log;
the fingerprint comparison module 302 is configured to compare and verify the fingerprint information against the designated fingerprint information corresponding to a preset successful attack behavior and, when it is determined that the fingerprint information fails the comparison and verification, lower the attack result level corresponding to the alarm log containing that fingerprint information;
and the aggregation module 303 is configured to aggregate the alarm logs whose attack result level is greater than or equal to the preset threshold once the comparison and verification of all the alarm logs is complete.
Optionally, the aggregation module 303 includes:
the setting submodule is used for setting the alarm log with the attack result level larger than or equal to a preset threshold value as a log to be aggregated;
the judging sub-module is used for determining target rules triggered by logs to be aggregated and judging whether the number of alarm logs of the triggered target rules in the current period is smaller than a preset number or not;
the first aggregation sub-module is used, if yes, for aggregating every first preset time the logs to be aggregated that triggered the target rule, were generated within that first preset time and have the same alarm information and network communication information;
the second aggregation sub-module is used, if not, for aggregating every second preset time the logs to be aggregated that triggered the target rule, were generated within that second preset time and have the same alarm information and network communication information; the second preset time is greater than the first preset time.
Optionally, the aggregation module 303 may further include:
the first aggregation sub-module is used for aggregating the alarm logs whose attack result level is greater than or equal to the preset threshold, and discarding the alarm logs whose attack result level is less than the preset threshold, when it is determined that alarm logs with an attack result level greater than or equal to the preset threshold exist;
and the second aggregation sub-module is used for aggregating the alarm logs whose attack result level is less than the preset threshold when it is determined that no alarm log with an attack result level greater than or equal to the preset threshold exists.
Optionally, the acquiring module 301 includes:
and the attack result level determining sub-module is used for determining the attack result level corresponding to the alarm log according to the attack result recorded by the alarm log.
Optionally, the alarm log further records a risk level corresponding to the target rule triggered by the attack behavior, and the device may further include:
and the output module is used for outputting the alarm log with the highest risk level from the alarm logs with the attack result level larger than or equal to the preset threshold value.
Optionally, the fingerprint information and the designated fingerprint information are multi-level fingerprints, and the fingerprint comparison module 302 may include:
the comparison and verification sub-module is used for sequentially comparing and verifying all levels of fingerprints in the fingerprint information with the specified fingerprints of the corresponding levels in the specified fingerprint information;
the first judging sub-module is used for determining that the fingerprint information passes the comparison and verification if the first-level fingerprint in the fingerprint information differs from the first-level designated fingerprint in the designated fingerprint information, or if the fingerprints of all levels in the fingerprint information are identical to the designated fingerprints of the corresponding levels in the designated fingerprint information;
and the second judging sub-module is used for determining that the fingerprint information fails the comparison and verification if the first-level fingerprint is identical to the first-level designated fingerprint and, among the remaining levels of fingerprints in the fingerprint information, there is a fingerprint that differs from the designated fingerprint of the corresponding level in the designated fingerprint information.
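The multi-level fingerprint check of module 302 and the level-based selection and output of the optional sub-modules above, written out as one added Python example. This is not the patent's code. The fingerprint levels (product name, version, platform), the designated fingerprints per rule, the downgrade step of one level, the threshold and the sample alarm logs are all assumptions made for illustration; the patent only states that the level is lowered, not by how much. The reading that a level-1 mismatch "passes" because the designated fingerprint does not apply to that asset class is the editor's interpretation of the claim text.

```python
from dataclasses import dataclass, replace

PRESET_THRESHOLD = 3    # illustrative attack result level threshold
DOWNGRADE_STEP = 1      # assumption: one level per failed comparison and verification


@dataclass(frozen=True)
class AlertLog:
    rule_id: str
    fingerprint: tuple      # multi-level fingerprint of the attacked asset, coarsest level first
    attack_result_level: int
    risk_level: int         # risk level of the target rule, as recorded in the log


# Constructed: the fingerprint of the asset on which each rule's attack is known to succeed.
# Level names (product, version, platform) are hypothetical.
DESIGNATED = {
    "R-WEB": ("nginx", "1.18"),
    "R-DB": ("mysql", "8.0", "linux"),
}


def passes_verification(fp, designated):
    """Claim 6 / module 302 logic, compared level by level.
    Level-1 mismatch -> pass (designated fingerprint is for another asset class);
    every level identical -> pass;
    level-1 match with any deeper mismatch -> fail.
    An empty fingerprint cannot be compared and is treated as passing (assumption)."""
    if not fp or not designated or fp[0] != designated[0]:
        return True
    if len(fp) != len(designated):
        return False            # a missing or extra level counts as a differing level
    return all(level == want for level, want in zip(fp, designated))


def adjust_levels(logs, designated=DESIGNATED):
    """Lower the attack result level of every log whose fingerprint fails verification.
    Rules with no designated fingerprint are left unchanged (assumption)."""
    out = []
    for log in logs:
        want = designated.get(log.rule_id)
        if want is not None and not passes_verification(log.fingerprint, want):
            log = replace(log, attack_result_level=max(0, log.attack_result_level - DOWNGRADE_STEP))
        out.append(log)
    return out


def select_for_aggregation(logs, threshold=PRESET_THRESHOLD):
    """Optional sub-modules of 303: keep logs at or above the threshold and discard the rest;
    if none reaches the threshold, aggregate the low-level logs instead so nothing is lost."""
    high = [log for log in logs if log.attack_result_level >= threshold]
    return high if high else list(logs)


def highest_risk(logs):
    """Output module: the log with the highest risk level among those selected."""
    return max(logs, key=lambda log: log.risk_level) if logs else None


# Constructed sample alarm logs (not real data).
SAMPLE_LOGS = [
    AlertLog("R-WEB", ("nginx", "1.18"), 3, 5),          # full match        -> stays 3
    AlertLog("R-WEB", ("nginx", "1.20"), 3, 7),          # version differs   -> lowered to 2
    AlertLog("R-WEB", ("apache", "2.4"), 3, 4),          # level 1 differs   -> stays 3
    AlertLog("R-DB", ("mysql", "5.7", "linux"), 2, 9),   # version differs   -> lowered to 1
]

if __name__ == "__main__":
    adjusted = adjust_levels(SAMPLE_LOGS)
    selected = select_for_aggregation(adjusted)
    print([log.attack_result_level for log in adjusted])
    print(highest_risk(selected))
```

Run end to end on the sample, the second and fourth logs are lowered, only the two R-WEB logs still at level 3 are selected for aggregation, and the one with risk level 5 is output. The fourth log, which carries the highest raw risk level, is excluded because its attack could not have succeeded against the recorded asset, which is the point of checking fingerprints before ranking.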
The embodiment of the invention also provides electronic equipment, which comprises:
a memory for storing a computer program;
and a processor for implementing the steps of the alarm aggregation method as described above when executing the computer program.
Since the embodiment of the electronic device portion corresponds to the embodiment of the alert aggregation method portion, the embodiment of the electronic device portion is referred to the description of the embodiment of the alert aggregation method portion, and is not repeated herein.
The embodiment of the invention also provides a storage medium, and a computer program is stored on the storage medium, and when the computer program is executed by a processor, the steps of the alarm aggregation method in any embodiment are realized.
Since the embodiments of the storage medium portion and the embodiments of the alert aggregation method portion correspond to each other, the embodiments of the storage medium portion are referred to for description of the embodiments of the alert aggregation method portion, and are not repeated herein.
In the description, each embodiment is described in a progressive manner, and each embodiment is mainly described by the differences from other embodiments, so that the same similar parts among the embodiments are mutually referred. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may reside in Random Access Memory (RAM), memory, Read-Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The method, the device, the electronic equipment and the storage medium for alarm aggregation provided by the invention are described in detail. The principles and embodiments of the present invention have been described herein with reference to specific examples, the description of which is intended only to facilitate an understanding of the method of the present invention and its core ideas. It should be noted that it will be apparent to those skilled in the art that various modifications and adaptations of the invention can be made without departing from the principles of the invention and these modifications and adaptations are intended to be within the scope of the invention as defined in the following claims.
Claims (10)
1. An alert aggregation method, comprising:
acquiring a plurality of alarm logs from the same alarm source, and determining fingerprint information and attack result level corresponding to each alarm log; the fingerprint information corresponds to network assets attacked by the attack behaviors recorded by the alarm log;
comparing and verifying the fingerprint information with specified fingerprint information corresponding to preset successful attack behaviors, and when determining that the fingerprint information fails the comparison and verification, downregulating an attack result level corresponding to an alarm log containing the fingerprint information;
and when the comparison verification of all the alarm logs is completed, aggregating the alarm logs with the attack result level being greater than or equal to a preset threshold value.
2. The alert aggregation method according to claim 1, wherein aggregating the alert logs with the attack result level greater than or equal to a preset threshold value comprises:
setting the alarm logs with the attack result level greater than or equal to the preset threshold value as logs to be aggregated;
determining a target rule triggered by the logs to be aggregated, and judging whether the number of alarm logs which trigger the target rule in the current period is smaller than a preset number;
if so, aggregating, every first preset time, the logs to be aggregated that triggered the target rule, were generated within that first preset time and have the same alarm information and network communication information;
if not, aggregating, every second preset time, the logs to be aggregated that triggered the target rule, were generated within that second preset time and have the same alarm information and network communication information; the second preset time is longer than the first preset time.
3. The alert aggregation method according to claim 1, further comprising, before aggregating the alert logs having the attack result level greater than or equal to a preset threshold:
when the alarm logs with the attack result level being greater than or equal to a preset threshold value are determined to exist, aggregating the alarm logs with the attack result level being greater than or equal to the preset threshold value, and discarding the alarm logs with the attack result level being less than the preset threshold value;
and when the alarm logs with the attack result level being greater than or equal to the preset threshold value are determined to be absent, aggregating the alarm logs with the attack result level being smaller than the preset threshold value.
4. The alert aggregation method of claim 1, wherein determining the attack result level corresponding to each alarm log comprises:
and determining the attack result grade corresponding to the alarm log according to the attack result recorded by the alarm log.
5. The alarm aggregation method according to claim 1, wherein the alarm log further records a risk level corresponding to the target rule triggered by the attack behavior, and after aggregating the alarm logs with the attack result level greater than or equal to a preset threshold, the method further comprises:
and outputting the alarm log with the highest risk level from the alarm logs with the attack result level larger than or equal to a preset threshold value.
6. The alarm aggregation method according to any one of claims 1 to 5, wherein the fingerprint information and the specified fingerprint information are both multi-level fingerprints, and the comparing and verifying the fingerprint information with the specified fingerprint information corresponding to a preset successful attack behavior includes:
sequentially comparing and verifying all levels of fingerprints in the fingerprint information with specified fingerprints of corresponding levels in the specified fingerprint information;
if the primary fingerprints in the fingerprint information are different from the primary designated fingerprints in the designated fingerprint information or the fingerprints at all levels in the fingerprint information are the same as the designated fingerprints at the corresponding levels in the designated fingerprint information, determining that the fingerprint information passes the comparison verification;
and if the primary fingerprint is determined to be the same as the primary designated fingerprint, and fingerprints which are different from designated fingerprints of corresponding levels in the designated fingerprint information exist in all levels of the remaining fingerprints in the fingerprint information, determining that the fingerprint information fails the comparison verification.
7. An alert aggregation apparatus, comprising:
the acquisition module is used for acquiring a plurality of alarm logs from the same alarm source and determining fingerprint information and attack result levels corresponding to the alarm logs; the fingerprint information corresponds to network assets attacked by the attack behaviors recorded by the alarm log;
the fingerprint comparison module is used for comparing and verifying the fingerprint information with the designated fingerprint information corresponding to the preset successful attack behavior, and when the fingerprint information is determined to not pass the comparison and verification, the attack result level corresponding to the alarm log containing the fingerprint information is adjusted down;
and the aggregation module is used for aggregating the alarm logs with the attack result level being greater than or equal to a preset threshold value when the comparison and verification of all the alarm logs are completed.
8. The alert aggregation apparatus of claim 7, wherein the aggregation module comprises:
the setting submodule is used for setting the alarm log with the attack result level being greater than or equal to the preset threshold value as a log to be aggregated;
the judging sub-module is used for determining the target rule triggered by the logs to be aggregated and judging whether the number of the alarm logs which trigger the target rule in the current period is smaller than a preset number;
the first aggregation sub-module is used, if so, for aggregating every first preset time the logs to be aggregated that triggered the target rule, were generated within that first preset time and have the same alarm information and network communication information;
the second aggregation sub-module is used, if not, for aggregating every second preset time the logs to be aggregated that triggered the target rule, were generated within that second preset time and have the same alarm information and network communication information; the second preset time is longer than the first preset time.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the alert aggregation method according to any one of claims 1 to 6 when executing the computer program.
10. A storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the alert aggregation method according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310128611.3A CN116248381A (en) | 2023-02-17 | 2023-02-17 | Alarm aggregation method and device, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116248381A true CN116248381A (en) | 2023-06-09 |
Family
ID=86625678
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310128611.3A Pending CN116248381A (en) | 2023-02-17 | 2023-02-17 | Alarm aggregation method and device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116248381A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117376037A (en) * | 2023-12-08 | 2024-01-09 | 山东星维九州安全技术有限公司 | Method, device and storage medium for classifying and scanning network assets |
CN117376037B (en) * | 2023-12-08 | 2024-02-23 | 山东星维九州安全技术有限公司 | Method, device and storage medium for classifying and scanning network assets |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108881265B (en) | Network attack detection method and system based on artificial intelligence | |
US8549645B2 (en) | System and method for detection of denial of service attacks | |
CN110602135B (en) | Network attack processing method and device and electronic equipment | |
CN116319099A (en) | Multi-terminal financial data management method and system | |
CN112749097B (en) | Performance evaluation method and device for fuzzy test tool | |
CN115550049A (en) | Vulnerability detection method and system for Internet of things equipment | |
CN116248381A (en) | Alarm aggregation method and device, electronic equipment and storage medium | |
CN110191097B (en) | Method, system, equipment and storage medium for detecting security of login page | |
CN113132316A (en) | Web attack detection method and device, electronic equipment and storage medium | |
CN113315785B (en) | Alarm reduction method, device, equipment and computer readable storage medium | |
CN113378161A (en) | Security detection method, device, equipment and storage medium | |
CN112600828A (en) | Attack detection and protection method and device for power control system based on data message | |
CN116846644A (en) | Unauthorized access detection method and device | |
CN111147497B (en) | Intrusion detection method, device and equipment based on knowledge inequality | |
CN115664931A (en) | Alarm data association method, device, storage medium and equipment | |
CN114567482A (en) | Alarm classification method and device, electronic equipment and storage medium | |
CN113315784A (en) | Security event processing method, device, equipment and medium | |
CN117221009B (en) | Network security situation prediction method, device, server and storage medium | |
CN114186225B (en) | Database detection method and device, electronic equipment and storage medium | |
CN118487872B (en) | Nuclear power industry-oriented network abnormal behavior detection and analysis method | |
CN115967542B (en) | Intrusion detection method, device, equipment and medium based on human factor | |
RU2800739C1 (en) | System and method for determining the level of danger of information security events | |
CN117914582A (en) | Method, device, equipment and storage medium for detecting process hollowing attack | |
CN117792768A (en) | Vulnerability identification and decision tree construction method, device, equipment and medium | |
CN117319007A (en) | Alarm result correction method, device, computer equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||