
CN113377623B - Automatic generation method and device of alarm rules and electronic equipment - Google Patents


Info

Publication number: CN113377623B
Application number: CN202110748149.8A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113377623A
Inventor: 王少宏
Current assignee: Fusionskye Beijing Software Co ltd
Original assignee: Fusionskye Beijing Software Co ltd
Prior art keywords: target, nodes, association, user, alarm rule
Events: application filed by Fusionskye Beijing Software Co ltd; priority to CN202110748149.8A; publication of CN113377623A; application granted; publication of CN113377623B; legal status active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3006 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
    • G06F11/32 Monitoring with visual or acoustical indication of the functioning of the machine
    • G06F11/324 Display of status information
    • G06F11/327 Alarm or error message display

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Quality & Reliability (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Alarm Systems (AREA)

Abstract

The invention provides a method, an apparatus and an electronic device for automatically generating an alarm rule. The method comprises the following steps: screening the obtained device logs for target device logs that carry preset association features, and displaying the association features contained in the target device logs graphically to obtain a graphically displayed relationship link group; locating a target relationship link in the graphically displayed relationship link group; and automatically generating an alarm rule according to the target relationship link. Because the alarm rule is generated automatically and in reverse from a target relationship link that reflects the association features of the target device logs, the analysis threshold for technicians is lowered, time is saved, and the resulting alarm rule is more accurate and more effective. This solves the technical problems of the existing alarm rule generation method, which places high demands on technicians, consumes a long time, and yields alarm rules of poor accuracy that are not effective enough.

Description

Automatic generation method and device of alarm rules and electronic equipment
Technical Field
The present invention relates to the field of network information security technology, and in particular to a method and an apparatus for automatically generating an alarm rule, and to an electronic device.
Background
With the rapid development of internet technology, the internet has spread into every aspect of daily life, and the development of cloud technology has pushed society further into an age of explosive information growth. While enjoying the benefits of the internet, we also face many challenges in network information security: phishing enabled by leaked personal information, rampant ransomware, leaked passwords of trading accounts, and so on. Such information security problems are becoming ever more prominent; as the number of network security incidents grows, so do their impact and the losses they cause, and security detection becomes correspondingly more important.
Against this background, a number of security early-warning mechanisms based on rule-driven alerting have appeared. Their process is as follows: an analyst presets alarm rules for certain specific scenarios in advance; device logs then trigger the alarm rules and produce security events; the analyst analyses the generated security events together with the device logs related to them; if the resulting security events do not meet the analyst's expectations, the analyst adjusts and corrects the alarm rules; this process is repeated until the resulting security events meet the analyst's expectations and the alarm rules no longer need adjustment; finally, targeted precautions are taken in response to the security events, achieving the purpose of security prevention or early warning and effectively avoiding or reducing the risks and losses that the security events would cause.
During this rule generation process the analyst must have rich security-response experience and must be able to configure the various trigger rules proficiently and accurately, because the effectiveness of early warning depends fundamentally on how well the early-warning rules are configured. Besides the analyst's expertise, the rules have to be corrected repeatedly by working backwards from the security events they trigger, which takes a long time. In addition, if the initial alarm rules do not cover a potential security event, that event cannot be perceived at all; that is, the alarm rules finally obtained have poor accuracy and poor effectiveness.
In summary, the existing alarm rule generation method places high demands on technicians, consumes a long time, and yields alarm rules of poor accuracy that are not effective enough.
Disclosure of Invention
In view of the above, the present invention aims to provide a method, an apparatus and an electronic device for automatically generating an alarm rule, so as to solve the technical problems that the existing alarm rule generation method places high demands on technicians, consumes a long time, and yields alarm rules of poor accuracy that are not effective enough.
In a first aspect, an embodiment of the present invention provides a method for automatically generating an alarm rule, comprising:
screening the obtained device logs for target device logs that carry preset association features, and displaying the association features contained in the target device logs graphically to obtain a graphically displayed relationship link group;
locating a target relationship link in the graphically displayed relationship link group;
and automatically generating an alarm rule according to the target relationship link.
Further, screening the obtained device logs for target device logs that carry preset association features comprises:
acquiring the preset association features;
and screening the device logs according to the preset association features to obtain the target device logs.
Further, displaying the association features contained in the target device logs graphically comprises:
acquiring the association features contained in the target device logs;
and taking each association feature as a node, establishing association relations among the nodes, and generating statistical information matching the association relations, thereby obtaining the graphically displayed relationship link group.
Further, locating the target relationship link in the relationship link group comprises:
locating the target relationship link in the relationship link group by means of an interactive focusing analysis method.
Further, the interactive focusing analysis method comprises at least one of: double-click isolation-mode focusing, frame-selection filtering focusing, feature dimension expansion, and statistical information analysis;
double-click isolation-mode focusing removes the nodes unrelated to the node the user double-clicks;
frame-selection filtering focusing removes or retains the nodes outside the set of nodes the user frame-selects;
feature dimension expansion adds new nodes according to the association features the user chooses to add;
and statistical information analysis displays the related statistical information for the node or association relation the user selects.
Further, after the alarm rule is generated automatically, the method further comprises:
storing the generated alarm rule in a rule base, and storing the target relationship link in picture form as the historical trigger event corresponding to the alarm rule.
Further, after the alarm rule is generated automatically, the method further comprises:
adjusting the alarm rule according to the user's settings.
In a second aspect, an embodiment of the present invention further provides an apparatus for automatically generating an alarm rule, comprising:
a screening and graphical display unit, configured to screen the obtained device logs for target device logs that carry preset association features and to display the association features contained in the target device logs graphically, obtaining a graphically displayed relationship link group;
a locating unit, configured to locate the target relationship link in the graphically displayed relationship link group;
and a generating unit, configured to automatically generate an alarm rule according to the target relationship link.
In a third aspect, an embodiment of the present invention further provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the method of any one of the first aspects.
In a fourth aspect, embodiments of the present invention further provide a computer-readable storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to perform the method of any one of the first aspects.
In an embodiment of the present invention, a method for automatically generating an alarm rule is provided, comprising: screening the obtained device logs for target device logs that carry preset association features, and displaying the association features contained in the target device logs graphically to obtain a graphically displayed relationship link group; locating a target relationship link in the graphically displayed relationship link group; and automatically generating an alarm rule according to the target relationship link. As can be seen from the above, the method of this embodiment generates the alarm rule automatically and in reverse from a target relationship link that reflects the association features of the target device logs, which lowers the analysis threshold for technicians, saves time, and yields more accurate and more effective alarm rules, thereby alleviating the technical problems that the existing alarm rule generation method places high demands on technicians, consumes a long time, and yields alarm rules of poor accuracy that are not effective enough.
Drawings
To illustrate the embodiments of the present invention or the prior-art technical solutions more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and a person skilled in the art can derive other drawings from them without inventive effort.
FIG. 1 is a flowchart of a method for automatically generating an alarm rule according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a graphically displayed relationship link group provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of an apparatus for automatically generating an alarm rule according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention are described clearly and completely below in connection with the embodiments. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can obtain from these embodiments without inventive effort fall within the scope of the invention.
At present, alarm rules are generated as follows: an analyst presets alarm rules for a certain specific scenario in advance; device logs then trigger the alarm rules and produce security events; the analyst analyses the generated security events and the device logs related to them; if the resulting security events do not match the analyst's expectations, the analyst adjusts and corrects the alarm rules, and this process is repeated until the resulting security events match the analyst's expectations and the alarm rules need no further adjustment, at which point alarm rules meeting expectations have been obtained.
This process requires analysts with rich security-response experience, and correcting and adjusting the alarm rules takes a long time, so the alarm rules finally obtained have poor accuracy and poor effectiveness.
Based on the above, this embodiment provides a method for automatically generating an alarm rule: the alarm rule is generated automatically and in reverse from a target relationship link that reflects the association features of the target device logs, which lowers the analysis threshold for technicians, saves time, and yields a more accurate and more effective alarm rule.
Embodiments of the present invention are further described below with reference to the accompanying drawings.
Embodiment one:
According to an embodiment of the present invention, an embodiment of a method for automatically generating an alarm rule is provided. It should be noted that the steps shown in the flowchart of the drawings may be performed in a computer system, for example as a set of computer-executable instructions, and that although a logical order is shown in the flowchart, in some cases the steps shown or described may be performed in an order different from the one given here.
FIG. 1 is a flowchart of a method for automatically generating an alarm rule according to an embodiment of the present invention. As shown in FIG. 1, the method comprises the following steps:
Step S102: screening the obtained device logs for target device logs that carry preset association features, and displaying the association features contained in the target device logs graphically to obtain a graphically displayed relationship link group.
The method can be applied to a data processing platform. In practice, the data processing platform provides a web page in which the user can freely set the preset association features. The data processing platform then screens the obtained device logs (that is, the big data) according to the preset association features to obtain the target device logs that carry them, and displays the association features contained in those logs graphically to obtain a graphically displayed relationship link group.
This process is described in detail below and is not elaborated here.
Step S104: locating a target relationship link in the graphically displayed relationship link group.
In the graphically displayed relationship link group, a technician can conveniently observe and locate the target relationship link of interest, and can do so quickly by combining the function buttons the platform provides. The target relationship link is in fact a potential threat that the technician is concerned with; the locating process is described in detail below.
Step S106: automatically generating an alarm rule according to the target relationship link.
This embodiment thus provides a method for automatically generating an alarm rule comprising steps S102 to S106 above. As can be seen from the above, the method generates the alarm rule automatically and in reverse from a target relationship link that reflects the association features of the target device logs, which lowers the analysis threshold for technicians, saves time, and yields more accurate and more effective alarm rules, thereby alleviating the technical problems that the existing alarm rule generation method places high demands on technicians, consumes a long time, and yields alarm rules of poor accuracy that are not effective enough.
The foregoing briefly describes the method for automatically generating an alarm rule of the present invention; its specific details are described below.
In an optional embodiment of the present invention, screening the obtained device logs for target device logs that carry preset association features specifically comprises:
(1) acquiring the preset association features;
(2) screening the device logs according to the preset association features to obtain the target device logs.
To better explain the method of the present invention, the following describes it using the automatic generation of an alarm rule for a hacking attack as an example:
When a technician sets the preset association features, these may be attacker, victim and attack feature. The data processing platform then screens the device logs by these preset association features, clusters them by count (the count being the number of times the attacker launched attack X against the victim), and finally displays the target device logs matching the preset association features as relationship links in a web interaction page, as shown in FIG. 2.
In FIG. 2, the left side shows the group formed by a number of association relations and the right side shows statistical information. The thickness of a pointing line on the left indicates the number of association relations (for example, host E launched 1 SQL injection against F). The left side of FIG. 2 shows two groups, from which it can be clearly seen that host E launched a SQL injection attack against host F, and that host A launched XSS and malicious login attacks against B and a malicious login attack against C. It can also be clearly seen that A and E are attackers, and that A launched security attacks of different types against multiple hosts, which is of major concern to technicians.
Through the visualised relationship links, the technician can focus intuitively on key information, such as which hosts are related to each other, how many different types of attack were launched, and which hosts are frequently attacked by an attacker.
Because the volume of analysed data tends to be very large, the generated group can be quite complex, and the technician may not be able to locate the target relationship link at first sight; further focusing analysis (denoising) is then needed. In an alternative embodiment of the present invention, locating a target relationship link in the relationship link group comprises: locating the target relationship link in the relationship link group by means of an interactive focusing analysis method.
Specifically, the interactive focusing analysis method comprises at least one of the following: double-click isolation-mode focusing, frame-selection filtering focusing, feature dimension expansion, and statistical information analysis;
double-click isolation-mode focusing removes the nodes unrelated to the node the user double-clicks;
frame-selection filtering focusing removes or retains the nodes outside the set of nodes the user frame-selects;
feature dimension expansion adds new nodes according to the association features the user chooses to add;
and statistical information analysis displays the related statistical information for the node or association relation the user selects.
The interactive focusing analysis method is described in detail below, taking the relationship link group in FIG. 2 as an example:
A technician who double-clicks any node in FIG. 2 with the mouse quickly enters isolation-mode focusing, in which only the nodes associated with the double-clicked node are shown. As shown in FIG. 2, when node A is double-clicked, nodes E, F and SQL injection are filtered out; when node B is then double-clicked, only the four nodes A, B, XSS and malicious login remain. Through this step-by-step drilling, the target relationship link the technician is concerned with is reached layer by layer.
Frame-selection filtering focusing is another interactive focusing analysis method: with a frame-selection operation the technician can either retain or filter out the nodes within the frame-selected range, so that other unneeded nodes are removed (that is, noise is reduced).
When the current feature information is insufficient to determine the nature of the event behind the target relationship link, or when the feature information of the target relationship link needs enriching, feature dimension expansion can be used. If, for example, it has been established that A launched a malicious login against B and the technician needs to know through which port A got in, a port feature can be added to display the associated port information, which enriches the information dimension and increases the accuracy of locating the target relationship link (that is, locating the potential threat). In addition, the technician can analyse the statistical information on the right side comprehensively; specifically, the statistical information covers all the relationship links on the left side, uses a TOP ranking, and is updated in real time as the technician operates on the relationship links on the left.
If the target relationship link has not been located, it is located again in the relationship link group by the interactive focusing analysis method.
Once the target relationship link has been located, the technician can generate, with one click, an alarm rule matching the security event represented by the current target relationship link. After the alarm rule is generated automatically, the method further comprises: storing the generated alarm rule in a rule base, and storing the target relationship link in picture form as the historical trigger event corresponding to the alarm rule, for later rule backtracking by technicians.
For example, if the target relationship link is E launching a SQL injection attack against F, the generated alarm rule is: attacker = E, victim = F, attack feature = SQL injection.
In an alternative embodiment of the present invention, after the alarm rule is generated automatically, the method further comprises: adjusting the alarm rule according to the user's settings. That is, the technician can freely adjust the generated alarm rule, expanding or narrowing its trigger range, which improves the adaptability of the alarm rule.
The method for automatically generating an alarm rule of the present invention screens a data group with multidimensional features out of big data, visualises the association relations of the data under a given feature association by node clustering, and on that basis drills down further through human-machine interaction modes such as double-click isolation-mode focusing, frame-selection filtering focusing, feature dimension expansion and statistical information analysis, so as to quickly locate a potential security threat (that is, a target relationship link). After the analysis is complete, the corresponding alarm rule can be generated in reverse, and its conditions can be expanded or narrowed, which lowers the threshold for configuring alarm rules, improves rule effectiveness, and shortens alarm rule generation time.
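As an added illustration (not code from the patent or from the assignee), the following Python walks the pipeline of steps S102 to S106 on constructed sample logs shaped like the FIG. 2 scenario: screening by the preset association features (attacker, victim, attack feature), clustering into counted relationship links, the double-click isolation, frame-selection, dimension expansion and TOP-ranking statistics operations, and reverse generation of a rule from the located link, plus the user adjustment that widens its trigger range. The log format and the field names `src`, `dst`, `attack` and `port` are assumptions.

```python
"""Added illustration of the patent's pipeline; not code from the patent or
from Fusionskye. Steps follow S102 (screen + cluster), S104 (interactive
focusing) and S106 (reverse-generate the rule)."""
from collections import Counter

# Constructed sample device logs, shaped like the FIG. 2 scenario (hosts A..F).
# The field names src/dst/attack/port and the dict format are assumptions.
SAMPLE_LOGS = [
    {"src": "E", "dst": "F", "attack": "SQL injection", "port": 3306},
    {"src": "A", "dst": "B", "attack": "XSS", "port": 443},
    {"src": "A", "dst": "B", "attack": "malicious login", "port": 22},
    {"src": "A", "dst": "B", "attack": "malicious login", "port": 22},
    {"src": "A", "dst": "C", "attack": "malicious login", "port": 22},
    {"src": "G", "dst": "H", "info": "heartbeat"},  # lacks an attack feature
]

# Preset association features: attacker, victim, attack feature (as log fields).
FEATURES = ("src", "dst", "attack")


def screen_logs(logs, features=FEATURES):
    """S102, part 1: keep only logs that carry every preset association feature."""
    return [log for log in logs if all(f in log for f in features)]


def build_links(target_logs, features=FEATURES):
    """S102, part 2: cluster identical (attacker, victim, attack) tuples and count
    them. Each tuple is one relationship link, the count is the line thickness
    in FIG. 2, and every element of the tuple is a node of the graph."""
    return Counter(tuple(log[f] for f in features) for log in target_logs)


def isolate(links, node):
    """Double-click isolation-mode focusing: keep only links touching `node`.
    Works for host nodes ("A") and attack-feature nodes ("XSS") alike."""
    return Counter({k: v for k, v in links.items() if node in k})


def frame_select(links, selected, mode="keep"):
    """Frame-selection filtering focusing: 'keep' retains links whose nodes all
    lie inside the frame; 'remove' drops every link touching a selected node."""
    if mode == "keep":
        return Counter({k: v for k, v in links.items() if all(n in selected for n in k)})
    return Counter({k: v for k, v in links.items() if not any(n in selected for n in k)})


def expand_dimension(target_logs, link, extra, features=FEATURES):
    """Feature dimension expansion: for one link, list the values of an extra
    feature (e.g. port) seen in the underlying logs, with counts."""
    return Counter(log[extra] for log in target_logs
                   if extra in log and tuple(log[f] for f in features) == link)


def statistics(links, features=FEATURES, top=3):
    """Right-hand statistics panel: TOP-N ranking per feature over the links
    currently displayed, weighted by link count."""
    per_feature = {f: Counter() for f in features}
    for key, count in links.items():
        for f, value in zip(features, key):
            per_feature[f][value] += count
    return {f: c.most_common(top) for f, c in per_feature.items()}


def generate_rule(link, features=FEATURES):
    """S106: reverse-generate the alarm rule from the located link, e.g.
    attacker = E, victim = F, attack feature = SQL injection."""
    return dict(zip(features, link))


def widen_rule(rule, drop):
    """User adjustment: drop one condition to expand the rule's trigger range."""
    return {k: v for k, v in rule.items() if k != drop}


def rule_matches(rule, log):
    """Apply a rule to a new log; every condition must match for it to fire."""
    return all(log.get(k) == v for k, v in rule.items())


def run_example():
    """Walk the FIG. 2 scenario end to end and return the intermediate results."""
    targets = screen_logs(SAMPLE_LOGS)
    links = build_links(targets)
    focused = isolate(isolate(links, "A"), "B")  # drill down: A, then B
    rule = generate_rule(("E", "F", "SQL injection"))
    return {"targets": len(targets), "links": links, "focused": focused,
            "stats": statistics(links), "rule": rule}


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```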
Embodiment two:
The embodiment of the invention also provides an automatic generation device of the alarm rule, which is mainly used for executing the automatic generation method of the alarm rule provided in the first embodiment of the invention, and the automatic generation device of the alarm rule provided in the first embodiment of the invention is specifically introduced below.
Fig. 3 is a schematic diagram of an apparatus for automatically generating an alarm rule according to an embodiment of the present invention, as shown in fig. 3, the apparatus mainly includes: a screening and patterning display unit 10, a positioning unit 20 and a generating unit 30, wherein:
The screening and graphical display unit is used for screening the obtained equipment logs to obtain target equipment logs with preset association characteristics, displaying the association characteristics contained in the target equipment logs in a graphical mode, and obtaining a graphically displayed relationship link group;
the positioning unit is used for positioning the target relationship link in the relationship link group which is graphically displayed;
and the generating unit is used for automatically generating an alarm rule according to the target relation link.
In an embodiment of the present invention, an automatic generation device for an alarm rule is provided, including: screening the obtained equipment logs to obtain target equipment logs with preset association characteristics, and displaying the association characteristics contained in the target equipment logs in a graphical mode to obtain a graphically displayed relationship link group; positioning a target relationship link in the relationship link group displayed in a graphical manner; and automatically generating alarm rules according to the target relation link. As can be seen from the above description, the automatic generation device of the alarm rule according to the embodiment of the present invention is automatically and reversely generated according to the target relationship link which embodies the association features of the target device log, so as to reduce the analysis threshold of the technician, save time, obtain more accurate alarm rules, and have good effectiveness, and alleviate the technical problems that the existing alarm rule generation method has high requirements on the technician, long time consumption, and poor accuracy of the obtained alarm rules, and is not effective enough.
Optionally, the screening and graphical display unit is further configured to: acquiring preset association characteristics; and screening the equipment logs according to the preset association characteristics to obtain target equipment logs.
Optionally, the screening and graphical display unit is further configured to: acquiring associated features contained in a target equipment log; and taking each association characteristic as a node, establishing association relation among the nodes, generating statistical information matched with the association relation, and further obtaining a relationship link group which is graphically displayed.
Optionally, the positioning unit is further configured to: and positioning the target relationship link in the relationship link group by adopting an interactive focusing analysis method.
Optionally, the interactive focus analysis method comprises at least one of: double-click isolation mode focusing, frame selection filtering focusing, feature dimension expansion and statistical information analysis;
The double-click isolation mode focuses on nodes which are irrelevant to the double-click nodes of the user according to the double-click nodes of the user;
Frame selection filtering focusing is to remove/reserve nodes except the user frame selected nodes according to the user frame selected nodes;
The feature dimension increase expansion is to add new nodes according to the associated features selected to be added by the user;
And the statistical information analysis is to display the related statistical information according to the node or the association relation selected by the user.
Optionally, the device is further configured to: and storing the generated alarm rules into a rule base, and storing the target relation link as a historical trigger event corresponding to the alarm rules in a picture form.
Optionally, the device is further configured to: and adjusting the alarm rule according to the setting of the user.
The device provided by the embodiment of the present invention has the same implementation principle and technical effects as those of the foregoing method embodiment, and for the sake of brevity, reference may be made to the corresponding content in the foregoing method embodiment where the device embodiment is not mentioned.
As shown in fig. 4, an electronic device 600 provided in an embodiment of the present application includes: the alarm rule generation system comprises a processor 601, a memory 602 and a bus, wherein the memory 602 stores machine-readable instructions executable by the processor 601, and when the electronic device is running, the processor 601 communicates with the memory 602 through the bus, and the processor 601 executes the machine-readable instructions to execute the steps of the automatic alarm rule generation method.
Specifically, the above-mentioned memory 602 and the processor 601 can be general-purpose memories and processors, and are not particularly limited herein, and the above-mentioned automatic generation method of the alarm rule can be executed when the processor 601 runs a computer program stored in the memory 602.
The processor 601 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor 601 or by instructions in the form of software. The processor 601 may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), and the like; it may also be a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. The methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed by it. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be embodied directly in execution by a hardware decoding processor, or in execution by a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, electrically erasable programmable memory, registers, or another storage medium well known in the art. The storage medium is located in the memory 602, and the processor 601 reads information from the memory 602 and performs the steps of the above method in combination with its hardware.
Corresponding to the above automatic generation method of the alarm rule, the embodiment of the present application further provides a computer readable storage medium storing machine executable instructions, where the computer executable instructions, when invoked and executed by a processor, cause the processor to execute the steps of the above automatic generation method of the alarm rule.
The automatic generation device of the alarm rule provided by the embodiment of the application can be specific hardware on equipment or software or firmware installed on the equipment, and the like. The device provided by the embodiment of the present application has the same implementation principle and technical effects as those of the foregoing method embodiment, and for the sake of brevity, reference may be made to the corresponding content in the foregoing method embodiment where the device embodiment is not mentioned. It will be clear to those skilled in the art that, for convenience and brevity, the specific operation of the system, apparatus and unit described above may refer to the corresponding process in the above method embodiment, which is not described in detail herein.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
As another example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments provided in the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially, or in the part contributing to the prior art, or in part, in the form of a software product stored in a storage medium, comprising several instructions for causing an electronic device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the vehicle marking method according to the embodiments of the present application. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
It should be noted that: like reference numerals and letters in the following figures denote like items, and thus once an item is defined in one figure, no further definition or explanation of it is required in the following figures, and furthermore, the terms "first," "second," "third," etc. are used merely to distinguish one description from another and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that the above examples are only specific embodiments of the present application and are not intended to limit its scope. Although the present application is described in detail with reference to the foregoing examples, those skilled in the art should understand that it is not limited thereto: any person skilled in the art may, within the technical scope of the present disclosure, modify or easily conceive of variations of the technical solutions described in the foregoing embodiments, or make equivalent substitutions of some of their technical features; such modifications, changes or substitutions do not depart from the spirit of the corresponding technical solutions and are intended to be encompassed within the scope of the present application. Therefore, the protection scope of the application is subject to the protection scope of the claims.

Claims (7)

1. An automatic generation method of an alarm rule is characterized by comprising the following steps:
Screening the obtained equipment logs to obtain target equipment logs with preset association characteristics, and displaying the association characteristics contained in the target equipment logs in a graphical mode to obtain a graphically displayed relationship link group;
Positioning a target relationship link in the graphically displayed relationship link population by adopting an interactive focus analysis method, wherein the interactive focus analysis method comprises at least one of the following steps: double-click isolation mode focusing, frame selection filtering focusing, feature dimension expansion and statistical information analysis;
Automatically generating an alarm rule according to the target relation link;
The method for graphically displaying the associated features contained in the target equipment log comprises the following steps:
Acquiring associated features contained in the target equipment log;
Establishing association relations among the nodes by taking each association feature as a node, generating statistical information matched with the association relations, and further obtaining the relationship link group displayed graphically;
The double-click isolation mode focusing is removing nodes irrelevant to the double-click nodes of the user according to the double-click nodes of the user;
The frame selection filtering focusing is removing/reserving nodes except the user frame selected nodes according to the user frame selected nodes;
The feature dimension expansion is adding new nodes according to the associated features selected to be added by the user;
And the statistical information analysis is displaying the related statistical information according to the node or the association relation selected by the user.
2. The method of claim 1, wherein screening the obtained device log for a target device log having a preset association feature comprises:
Acquiring the preset association characteristic;
And screening the equipment logs according to the preset association characteristics to obtain the target equipment logs.
3. The method of claim 1, wherein after automatically generating the alert rule, the method further comprises:
And storing the generated alarm rule into a rule base, and storing the target relation link in a picture form as a history trigger event corresponding to the alarm rule.
4. The method of claim 1, wherein after automatically generating the alert rule, the method further comprises:
And adjusting the alarm rule according to the setting of the user.
5. An automatic generation device of an alarm rule, comprising:
The screening and graphical display unit is used for screening the obtained equipment logs to obtain target equipment logs with preset association characteristics, displaying the association characteristics contained in the target equipment logs in a graphical mode, and obtaining a graphically displayed relationship link group;
A positioning unit, configured to position a target relationship link in the graphically displayed relationship link group by using an interactive focus analysis method, where the interactive focus analysis method includes at least one of: double-click isolation mode focusing, frame selection filtering focusing, feature dimension expansion and statistical information analysis;
The generating unit is used for automatically generating an alarm rule according to the target relation link;
The screening and graphical display unit is further configured to: acquiring associated features contained in the target equipment log; establishing association relations among the nodes by taking each association feature as a node, generating statistical information matched with the association relations, and further obtaining the relationship link group displayed graphically;
The double-click isolation mode focusing is removing nodes irrelevant to the double-click nodes of the user according to the double-click nodes of the user;
The frame selection filtering focusing is removing/reserving nodes except the user frame selected nodes according to the user frame selected nodes;
The feature dimension expansion is adding new nodes according to the associated features selected to be added by the user;
And the statistical information analysis is displaying the related statistical information according to the node or the association relation selected by the user.
6. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method of any of the preceding claims 1 to 4 when the computer program is executed.
7. A computer readable storage medium storing machine executable instructions which, when invoked and executed by a processor, cause the processor to perform the method of any one of the preceding claims 1 to 4.
CN202110748149.8A 2021-07-02 2021-07-02 Automatic generation method and device of alarm rules and electronic equipment Active CN113377623B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110748149.8A CN113377623B (en) 2021-07-02 2021-07-02 Automatic generation method and device of alarm rules and electronic equipment

Publications (2)

Publication Number Publication Date
CN113377623A CN113377623A (en) 2021-09-10
CN113377623B (en) 2024-05-28

Family

ID=77580509

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110748149.8A Active CN113377623B (en) 2021-07-02 2021-07-02 Automatic generation method and device of alarm rules and electronic equipment

Country Status (1)

Country Link
CN (1) CN113377623B (en)

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7272625B1 (en) * 1997-03-10 2007-09-18 Sonicwall, Inc. Generalized policy server
WO2013166784A1 (en) * 2012-05-11 2013-11-14 中兴通讯股份有限公司 Device and method for automatically performing configuration management by policy
CN105847029A (en) * 2015-09-08 2016-08-10 南京联成科技发展有限公司 Information security event automatic association and rapid response method and system based on big data analysis
CN107835087A (en) * 2017-09-14 2018-03-23 北京科东电力控制系统有限责任公司 A kind of safety means alarm regulation extraction method based on Frequent Pattern Mining
CN109189736A (en) * 2018-08-01 2019-01-11 中国联合网络通信集团有限公司 A kind of generation method and device of alarm association rule
CN109450671A (en) * 2018-10-22 2019-03-08 北京安信天行科技有限公司 A kind of log multiple groups close alarm classifying method and system
CN109815346A (en) * 2019-02-26 2019-05-28 浪潮软件集团有限公司 A kind of method for visualizing and device being associated with map
CN110209518A (en) * 2019-04-26 2019-09-06 福州慧校通教育信息技术有限公司 A kind of multi-data source daily record data, which is concentrated, collects storage method and device
CN110336375A (en) * 2019-06-26 2019-10-15 国网江苏省电力有限公司 A kind of processing method and system of power system monitor warning information
CN110674358A (en) * 2019-08-29 2020-01-10 平安科技(深圳)有限公司 Enterprise information comparison analysis method and device, computer equipment and storage medium
CN110807105A (en) * 2020-01-07 2020-02-18 成都数联铭品科技有限公司 Data storage method based on knowledge graph and construction method of knowledge graph
CN111046112A (en) * 2019-11-22 2020-04-21 精硕科技(北京)股份有限公司 Method and device for displaying class knowledge graph and electronic equipment
CN111726248A (en) * 2020-05-29 2020-09-29 北京宝兰德软件股份有限公司 Alarm root cause positioning method and device
CN112287183A (en) * 2020-10-30 2021-01-29 北京字节跳动网络技术有限公司 Link topology graph display method and device and computer storage medium
CN112702215A (en) * 2021-03-04 2021-04-23 新华三人工智能科技有限公司 Alarm association rule matching priority ordering method, device and storage medium
CN112738071A (en) * 2020-12-25 2021-04-30 中能融合智慧科技有限公司 Method and device for constructing attack chain topology

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11586972B2 (en) * 2018-11-19 2023-02-21 International Business Machines Corporation Tool-specific alerting rules based on abnormal and normal patterns obtained from history logs

Similar Documents

Publication Publication Date Title
JP7495460B2 (en) Session Security Split and Application Profiler
US10601848B1 (en) Cyber-security system and method for weak indicator detection and correlation to generate strong indicators
US11487880B2 (en) Inferring security incidents from observational data
US20160055334A1 (en) Method and apparatus for detecting a multi-stage event
US20160164916A1 (en) Automated responses to security threats
US20100325685A1 (en) Security Integration System and Device
CN109327449B (en) Attack path restoration method, electronic device and computer readable storage medium
CN107302586B (en) Webshell detection method and device, computer device and readable storage medium
TW201428532A (en) Cloud system for threat protection and protection method using for the same
US20170308688A1 (en) Analysis apparatus, analysis system, analysis method, and analysis program
CN110868418A (en) Threat information generation method and device
JP2024536226A (en) SYSTEM AND METHOD FOR DETECTING MALICIOUS HANDS-ON KEYBOARD ACTIVITY VIA MACHINE LEARNING
CN114020735A (en) Method, device and equipment for reducing noise of safety alarm log and storage medium
CN112769833A (en) Method and device for detecting command injection attack, computer equipment and storage medium
CN112668005A (en) Webshell file detection method and device
CN114003904B (en) Information sharing method, device, computer equipment and storage medium
CN111988322B (en) Attack event display system
CN113645181B (en) Distributed protocol attack detection method and system based on isolated forest
CN113377623B (en) Automatic generation method and device of alarm rules and electronic equipment
CN112804204B (en) Intelligent network safety system based on big data analysis
CN103916376A (en) Cloud system with attract defending mechanism and defending method thereof
CN111786940A (en) Data processing method and device
CN110460558B (en) Method and system for discovering attack model based on visualization
CN113328976B (en) Security threat event identification method, device and equipment
CN114238279A (en) Database security protection method, device, system, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant