CN110535702B - Alarm information processing method and device - Google Patents

Info

Publication number
CN110535702B
Authority
CN
China
Legal status
Active
Application number
CN201910817936.6A
Other languages
Chinese (zh)
Other versions
CN110535702A (en
Inventor
张润滋
刘文懋
刘威歆
张胜军
陈磊
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Application filed by Nsfocus Technologies Inc and Nsfocus Technologies Group Co Ltd
Priority to CN201910817936.6A
Publication of CN110535702A
Application granted
Publication of CN110535702B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0604 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
    • H04L 41/0609 Management of faults, events, alarms or notifications using filtering, based on severity or priority
    • H04L 41/0627 Management of faults, events, alarms or notifications using filtering, by acting on the notification or alarm source

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application discloses a method and a device for processing alarm information. The method comprises: extracting the alarm type, the source IP address and the destination IP address of the alarm information to be evaluated; acquiring an alarm type rating value reflecting the occurrence frequency of the alarm type, a threat source rating value reflecting whether the threat source of the alarm information appears for the first time, and an IP address information rating value reflecting the threat degree associated with the IP address information within a preset time period; and performing a weighted summation of the alarm type rating value, the threat source rating value and the IP address information rating value to determine an alarm information threat level representing the threat degree of the alarm information, and sorting the alarm information by that threat level. Applying the scheme provided by the application improves the response speed to threat events.

Description

Alarm information processing method and device
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for processing alarm information.
Background
As network traffic grows, network attacks are becoming more and more complex. In the prior art, to cope with these attacks, network security detection devices such as intrusion detection devices, firewall devices and endpoint detection and response devices are used to monitor networks and terminals in real time; abnormal conditions such as network attacks are output in the form of alarm information and provided to network security operation and maintenance personnel. However, because of false alarms from the detection devices, differing detection strategies and similar factors, this mode of detection causes the security detection devices to generate a large amount of alarm information. Network security operation and maintenance personnel cannot rapidly locate the real network threat events within a large amount of alarm information that includes false alarms in the limited time available, and the response efficiency for threat events is reduced.
Disclosure of Invention
The embodiments of the application provide an alarm information processing method and device, which are used to solve the problem in the prior art that, when a network generates a large amount of alarm information, network security operation and maintenance personnel and security researchers cannot rapidly locate real network threat events within it.
In a first aspect, a method for processing alarm information is provided, including:
extracting the alarm type, the source IP address and the destination IP address of the alarm information to be evaluated;
acquiring an alarm type rating value reflecting the occurrence frequency of the alarm type, a threat source rating value reflecting whether the threat source of the alarm information appears for the first time, and an IP address information rating value reflecting the threat degree associated with the IP address information; wherein the threat source is the information pair formed by combining the alarm type and the source IP address;
and performing a weighted summation of the alarm type rating value, the threat source rating value and the IP address information rating value to determine an alarm information threat level representing the threat degree of the alarm information, and sorting the alarm information by the alarm information threat level.
The alarm information processing method provided by the application sorts the alarm information generated within a period of time according to the severity of the threat it represents. Displaying the alarm information in that order lets security operation and maintenance personnel quickly locate the real threat events in the network, which improves the working efficiency of security operation and maintenance personnel and security researchers and shortens the response period for threat events.
Optionally, obtaining the alarm type rating value includes:
looking up a correspondence table between alarm types and alarm type rating values based on the extracted alarm type to determine the alarm type rating value;
wherein the correspondence table is determined by calculating, for each alarm type, a rating value representing the occurrence frequency of that alarm type based on the number of distinct source IP addresses in a historical threat source library and the number of source IP addresses associated with that alarm type;
and the historical threat source library consists of the threat source information within a preset time period.
That is, the occurrence frequency of each alarm type is determined from the number of distinct source IP addresses in the historical threat source library and the total number of source IP addresses associated with the alarm type, and a rating value indicating the threat degree associated with the alarm information is determined from the occurrence frequency of each alarm type.
Optionally, obtaining the IP address information rating value includes:
determining a point set and an edge set based on the source IP address and destination IP address of the alarm information to be evaluated together with the source IP addresses and destination IP addresses of the alarm information within a preset time period, wherein the elements of the point set are the distinct source IP addresses and destination IP addresses, and the elements of the edge set are the distinct pairs of source IP address and destination IP address;
determining, based on the point set and the edge set, an association graph representing the correspondence between source IP addresses and destination IP addresses;
iteratively calculating the rating scores of all IP addresses based on the association graph and the initialized rating scores of all IP addresses, and taking the average of the rating scores of the source IP address and the destination IP address as the IP address information rating value, wherein the IP address information rating value reflects the number of alarm events related to the IP address.
Optionally, obtaining the threat source rating value includes:
judging whether the threat source belongs to the historical threat sources;
if the threat source belongs to the historical threat sources, setting the threat source rating value to a first value; if the threat source does not belong to the historical threat sources, setting the threat source rating value to a second value;
wherein the second value is greater than the first value, so that a threat source appearing for the first time is rated higher than a historical one.
In a second aspect, an alarm information processing apparatus is provided, the apparatus including:
an extraction module, configured to extract the alarm type, the source IP address and the destination IP address of the alarm information to be evaluated;
an obtaining module, configured to acquire an alarm type rating value reflecting the occurrence frequency of the alarm type, a threat source rating value reflecting whether the threat source of the alarm information appears for the first time, and an IP address information rating value reflecting the threat degree associated with the IP address information; wherein the threat source is the information pair formed by combining the alarm type and the source IP address;
a sorting module, configured to perform a weighted summation of the alarm type rating value, the threat source rating value and the IP address information rating value to determine an alarm information threat level representing the threat degree of the alarm information, and to sort the alarm information by the alarm information threat level.
Optionally, the obtaining module is specifically configured to:
look up a correspondence table between alarm types and alarm type rating values based on the extracted alarm type to determine the alarm type rating value;
wherein the correspondence table is determined by calculating, for each alarm type, a rating value representing the occurrence frequency of that alarm type based on the number of distinct source IP addresses in a historical threat source library and the number of source IP addresses associated with that alarm type;
and the historical threat source library consists of the threat source information within a preset time period.
Optionally, the obtaining module is specifically configured to:
determine a point set and an edge set based on the source IP address and destination IP address of the alarm information to be evaluated together with the source IP addresses and destination IP addresses of the alarm information within a preset time period, wherein the elements of the point set are the distinct source IP addresses and destination IP addresses, and the elements of the edge set are the distinct pairs of source IP address and destination IP address;
determine, based on the point set and the edge set, an association graph representing the correspondence between source IP addresses and destination IP addresses;
iteratively calculate the rating scores of all IP addresses based on the association graph and the initialized rating scores of all IP addresses, and take the average of the rating scores of the source IP address and the destination IP address as the IP address information rating value, wherein the IP address information rating value reflects the number of alarm events related to the IP address.
Optionally, the obtaining module is specifically configured to: judge whether the threat source belongs to the historical threat sources; if the threat source belongs to the historical threat sources, set the threat source rating value to a first value; if it does not, set the threat source rating value to a second value; wherein the second value is greater than the first value, so that a threat source appearing for the first time is rated higher than a historical one.
In a third aspect, an embodiment of the present application further provides a computer storage medium, including:
the computer readable storage medium comprises a computer program which, when run on a computer, causes the computer to perform the method of the first aspect of the above-described methods.
In a fourth aspect, an embodiment of the present application further provides a computer program product including instructions, including:
when run on a computer, the instructions cause the computer to perform the method of the first aspect of the above method.
Drawings
Fig. 1 is a schematic flow chart of an alarm information processing method according to an embodiment of the present application;
FIG. 2 is a flowchart of obtaining the IP address information rating value of the alarm information according to an embodiment of the present application;
fig. 3 is a schematic diagram of an alarm information processing apparatus according to an embodiment of the present application.
Detailed Description
In the prior art, a large number of detection devices and a large amount of detection data generate a large amount of alarm information, and network security operation and maintenance personnel and security researchers cannot rapidly locate real network threat events within it. The embodiments of the present application provide the following solution.
To solve the above problem, the embodiments of the present invention follow this general idea:
the alarm type, source IP address and destination IP address of each piece of generated alarm information are extracted; the alarm type and the source IP address are combined into an information pair, which defines the threat source; the alarm type rating value is determined by table lookup; the threat source rating value and the IP address information rating value reflecting the threat degree associated with the IP address information are determined by preset rules; the threat level of the alarm information is determined from the three rating values so obtained; and the alarm information is sorted according to the determined threat level.
This alarm information processing method sorts the alarm information generated within a period of time according to the severity of the threat it represents, and displaying the sorted alarm information lets security operation and maintenance personnel and security researchers quickly locate the real threat events in the network, improving the working efficiency of operation and maintenance security personnel.
As shown in fig. 1, a method for processing alarm information provided in an embodiment of the present application includes the following steps:
step 101: extracting the alarm type, the source IP address and the destination IP address of the alarm information to be evaluated;
When the network is abnormal or under attack, a security detection device produces an analysis result of the network traffic, namely alarm information. The security detection device may be an intrusion detection device, a user and entity behavior analytics device, a firewall device, an endpoint detection and response device, or the like. The generated alarm information may contain fields such as the timestamp, source IP address, destination IP address and alarm type of the network traffic. When the alarm information is sorted, the source IP address, destination IP address and alarm type are first extracted from each piece of alarm information to be sorted.
Specifically, the system operation and maintenance security personnel can preset according to business requirements, and after the time period is determined, the alarm information in a specified period is collected as the alarm information to be sorted.
After the alarm information to be sorted is determined and the relevant required information is extracted, the following step 102 is performed.
Step 102: acquiring an alarm type rating value reflecting the occurrence frequency of the alarm type, a threat source rating value reflecting whether a threat source of the alarm information appears for the first time or not and an IP address information rating value reflecting the associated threat degree of the IP address information;
the method for obtaining the rating value of the alarm information type comprises the following steps: and searching a corresponding relation table of the alarm information type and the alarm information type rating value based on the extracted alarm information type, and determining the alarm information type rating value based on the corresponding relation in the table.
Further, before determining the corresponding relationship table between the alarm information type and the alarm information type rating value, a historical threat source needs to be determined, and the threat source is defined as a source IP (source IP) address and alarm type information pair. And if the two fields of the two alarms are the same, the two alarm information belong to the same threat source; and if at least one of the two fields is different, the two pieces of alarm information are considered as different threat sources. When the historical threat source is obtained, firstly, historical alarm information data is determined, if alarm information generated in a preset time period is historical alarm information, if the preset time period is 7 days, the alarm information data of the previous 7 days is used as a historical alarm information base, and the needed historical threat source is determined based on the historical alarm information base.
After a historical threat source is determined, based on the number of different source IP addresses in a historical threat source library and the number of extracted source IP addresses associated with the alarm types, calculating a rating value of each alarm information type by using an Inverse IP Correlation Frequency algorithm (IICF) to establish a corresponding relation table of the alarm information types and the rating values;
determining the rating value of the alarm information type, firstly counting the total number N of different IP in the historical threat source libraryip(ii) a For each alarm type M, counting the number of threat sources with the alarm type M, namely the number N of source IP addresses associated with the alarm typemIn the process of calculating the frequency, different total IP numbers N are usedipAs a numerator, the number N of the source IP addresses associated with the alarm typemAs the denominator. The number N of the source IP addresses associated with the alarm typemIn the case of 0 being possible, the denominator is increased by 1. At the same time, to prevent the number N of the source IP addresses associated with the alarm typemWith different total number of IPs NipWhen equal, the denominator value exceeds the denominator value, so the numerator value is incremented by 1. The rating value of the alarm information type is:
IICF(M)=log((Nip+1)/(Nm+1))+1
the rating value of each alarm information type is determined by the calculation method, and a corresponding relation table is established. In the embodiment of the application, each alarm information type rating value reflects the frequency of an alarm information type appearing in all IP addresses, if one alarm information type appears in association with a source IP address with a large number, the possibility that the alarm information is an information description type alarm or a false alarm is high, the threat degree is low, and the rating value corresponding to the alarm information is low; and if one alarm information type is associated with fewer source IPs, the higher the threat degree of the alarm information is, the higher the rating value corresponding to the alarm information is.
The method is used for establishing a corresponding relation table of the alarm information type and the alarm information type rating numerical value, and searching the corresponding relation table of the alarm information type and the alarm information type rating numerical value after extracting the alarm information type, so that the alarm information type rating numerical value can be determined.
Further, as shown in fig. 2, the IP address information rating value of each piece of alarm information to be sorted is obtained as follows:
The first step is to construct the association graph. First, a point set and an edge set are determined from the source IP address and destination IP address of the extracted alarm information together with the source IP addresses and destination IP addresses of the alarm information within the preset time period. In the embodiment of the application, the elements of the point set are the distinct source IP addresses and destination IP addresses, and the elements of the edge set are pairs of source IP address and destination IP address; one source IP address and one destination IP address form one edge, which is one element of the edge set. Second, an association graph representing the correspondence between each source IP address and each destination IP address is determined from the point set and the edge set; each element of the edge set is drawn in the graph as a line from the point of the source IP address to the corresponding destination IP address, directed from the source IP address to the destination IP address.
Based on the IP association graph, an IP address rating score (PR value) is initialized for every IP address point, and the PR values of all the IP address points are updated by iterative calculation of the PageRank algorithm. When the number of iteration rounds exceeds a preset number or the PageRank algorithm converges on its own, the PR value obtained for each node is recorded as that IP address's rating score, and finally the average of the rating scores of the source IP address and the destination IP address is taken as the IP address information rating value.
The PageRank algorithm thus yields a rating value for the threat degree associated with the IP addresses of the alarm information. The higher the score, the more alarm events have recently been associated with the IP addresses of that alarm information, that is, the alarm information corresponding to the IP address deserves the focus of operation and maintenance personnel.
Further, the threat source rating value is obtained as follows:
judge whether the threat source belongs to the historical threat sources; the rating value of each threat source is determined based on a predetermined library of historical threat sources. That is, it is determined whether the threat source is a historical threat source or a newly added threat source. A newly added threat source represents a new source of a threat event in the network environment and reflects dynamic changes in the network, for example a newly infected host trying to infect other hosts, or a newly compromised host that the attacker may use as a pivot to attack other hosts or network facilities, causing a large number of network failures. Newly added threat sources therefore allow the dynamic changes of network threat events to be located quickly.
Accordingly, if the threat source belongs to the historical threat sources, the threat source rating value is set to a first value; if it does not, the threat source rating value is set to a second value. Concretely, if the threat source of the alarm is a newly added threat source, the determined threat source rating value is S1, and if it is a historical threat source, the value is S2. In the embodiment of the present application S1 is greater than S2; for example, S1 is 2 and S2 is 0.1.
After the alarm type rating value, the threat source rating value, and the IP address information rating value are obtained, the following step 103 is performed.
Step 103: performing a weighted summation of the alarm type rating value, the threat source rating value and the IP address information rating value to determine an alarm information threat level representing the threat degree of the alarm information, and sorting the alarm information by the determined alarm information threat level.
Before the alarm information is sorted based on the alarm type rating value, the threat source rating value and the IP address information rating value, each kind of rating value is normalized to the range 0 to 1 with a preset algorithm, which may be min-max normalization. Normalizing all the rating values prevents one excessively large rating value from biasing the final level value and improves the accuracy of the level calculation. After all the rating values are normalized, a level value is determined by a weighted sum of the normalized alarm type rating value, threat source rating value and IP address information rating value, and the threat level of the alarm information is determined from that level value.
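The three ratings and the final ranking of steps 101 to 103, carried through end to end in Python as an added example; this is not code from the patent or from NSFOCUS. The historical threat source library, the alarm records, the damping factor (0.85), the convergence tolerance and iteration cap, and the equal weights are all assumptions of the example. For simplicity the association graph is built only from the alarms being ranked rather than from every alarm in the preset period, and an alarm type absent from the history is scored with N_m = 0, which the +1 smoothing in the IICF formula permits.

```python
import math
from collections import defaultdict

# Constructed sample data (not from the patent). The historical threat source
# library is the set of (alarm_type, source_ip) pairs seen in the preceding window.
HISTORY = [
    ("icmp_sweep", "10.0.0.1"), ("icmp_sweep", "10.0.0.2"),
    ("icmp_sweep", "10.0.0.3"), ("icmp_sweep", "10.0.0.4"),
    ("sql_injection", "10.0.0.5"),
]
# Constructed alarms to be ranked: (alarm_type, source_ip, destination_ip).
ALARMS = [
    ("icmp_sweep", "10.0.0.1", "192.168.1.10"),
    ("sql_injection", "10.0.0.5", "192.168.1.20"),
    ("webshell_upload", "10.0.0.9", "192.168.1.20"),
    ("icmp_sweep", "10.0.0.2", "192.168.1.11"),
]
S_NEW, S_KNOWN = 2.0, 0.1   # threat source rating: first-seen vs. historical (patent's S1, S2)


def iicf_table(history):
    """Alarm type -> IICF(M) = log((N_ip + 1) / (N_m + 1)) + 1.
    N_ip: distinct source IPs in the history; N_m: threat sources of type M.
    Returns the table and N_ip so unseen types (N_m = 0) can be scored too."""
    n_ip = len({ip for _, ip in history})
    per_type = defaultdict(set)
    for alarm_type, ip in history:
        per_type[alarm_type].add(ip)
    table = {t: math.log((n_ip + 1) / (len(ips) + 1)) + 1 for t, ips in per_type.items()}
    return table, n_ip


def alarm_type_score(table, n_ip, alarm_type):
    # The +1 smoothing keeps the log defined when a type has no historical sources.
    return table.get(alarm_type, math.log(n_ip + 1) + 1)


def threat_source_score(history, alarm_type, src_ip):
    return S_KNOWN if (alarm_type, src_ip) in history else S_NEW


def pagerank(edges, damping=0.85, max_iter=200, tol=1e-10):
    """Iterative PageRank over directed (source_ip -> destination_ip) edges.
    Destinations that receive many distinct attack edges accumulate rank."""
    nodes = sorted({n for edge in edges for n in edge})
    out = {v: set() for v in nodes}
    for src, dst in edges:
        out[src].add(dst)
    n = len(nodes)
    pr = {v: 1.0 / n for v in nodes}
    for _ in range(max_iter):
        # Dangling nodes (no outgoing edges) redistribute their mass uniformly,
        # so the scores keep summing to 1 across iterations.
        dangling = sum(pr[v] for v in nodes if not out[v])
        new = {}
        for v in nodes:
            incoming = sum(pr[u] / len(out[u]) for u in nodes if v in out[u])
            new[v] = (1 - damping) / n + damping * (incoming + dangling / n)
        delta = sum(abs(new[v] - pr[v]) for v in nodes)
        pr = new
        if delta < tol:
            break
    return pr


def min_max(values):
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0] * len(values)   # a constant column carries no ranking information
    return [(v - lo) / (hi - lo) for v in values]


def rank_alarms(alarms, history, weights=(1.0, 1.0, 1.0)):
    """Weighted sum of the three min-max normalised ratings; highest threat level first."""
    table, n_ip = iicf_table(history)
    pr = pagerank({(s, d) for _, s, d in alarms})
    type_col = [alarm_type_score(table, n_ip, t) for t, _, _ in alarms]
    src_col = [threat_source_score(history, t, s) for t, s, _ in alarms]
    ip_col = [(pr[s] + pr[d]) / 2 for _, s, d in alarms]
    cols = [min_max(c) for c in (type_col, src_col, ip_col)]
    level = [sum(w * c[i] for w, c in zip(weights, cols)) for i in range(len(alarms))]
    order = sorted(range(len(alarms)), key=lambda i: level[i], reverse=True)
    return [(alarms[i], round(level[i], 4)) for i in order]


if __name__ == "__main__":
    for alarm, level in rank_alarms(ALARMS, HISTORY):
        print(f"{level:.4f}  {alarm}")
```

On the sample data the first-seen `webshell_upload` alarm against the destination that two sources target ranks first, the rare `sql_injection` type second, and the two frequent `icmp_sweep` alarms from known sources last. Because min-max normalization is computed over the batch being sorted, the level values are comparable only within that batch; a column that is constant across the batch (for example, every threat source already known) contributes nothing to the order, which `min_max` handles by returning zeros instead of dividing by zero.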
As shown in fig. 3, based on the foregoing method, an embodiment of the present application further provides an alarm information processing apparatus, where the apparatus includes:
the extraction module 301, configured to extract the alarm type, the source IP address and the destination IP address of the alarm information to be evaluated;
the obtaining module 302, configured to acquire an alarm type rating value reflecting the occurrence frequency of the alarm type, a threat source rating value reflecting whether the threat source of the alarm information appears for the first time, and an IP address information rating value reflecting the threat degree associated with the IP address information; wherein the threat source is the information pair formed by combining the alarm type and the source IP address;
the sorting module 303, configured to perform a weighted summation of the alarm type rating value, the threat source rating value and the IP address information rating value to determine an alarm information threat level representing the threat degree of the alarm information, and to sort the alarm information by the alarm information threat level.
Optionally, the obtaining module 302 is specifically configured to:
look up a correspondence table between alarm types and alarm type rating values based on the extracted alarm type to determine the alarm type rating value;
wherein the correspondence table is determined by calculating, for each alarm type, a rating value representing the occurrence frequency of that alarm type based on the number of distinct source IP addresses in a historical threat source library and the number of source IP addresses associated with that alarm type;
and the historical threat source library consists of the threat source information within a preset time period.
Optionally, the obtaining module 302 is specifically configured to:
determine a point set and an edge set based on the source IP address and destination IP address of the alarm information to be evaluated together with the source IP addresses and destination IP addresses of the alarm information within a preset time period, wherein the elements of the point set are the distinct source IP addresses and destination IP addresses, and the elements of the edge set are the distinct pairs of source IP address and destination IP address;
determine, based on the point set and the edge set, an association graph representing the correspondence between source IP addresses and destination IP addresses;
iteratively calculate the rating scores of all IP addresses based on the association graph and the initialized rating scores of all IP addresses, and take the average of the rating scores of the source IP address and the destination IP address as the IP address information rating value, wherein the IP address information rating value reflects the number of alarm events related to the IP address.
Optionally, the obtaining module 302 is specifically configured to: judge whether the threat source belongs to the historical threat sources; if the threat source belongs to the historical threat sources, set the threat source rating value to a first value; if it does not, set the threat source rating value to a second value; wherein the second value is greater than the first value, so that a threat source appearing for the first time is rated higher than a historical one.
An embodiment of the present application further provides a computer storage medium, including:
the computer-readable storage medium comprises a computer program which, when run on a computer, causes the computer to perform the method described in fig. 1.
Embodiments of the present application further provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method described in figure 1.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (7)

1. An alarm information processing method, characterized in that the method comprises:
extracting the alarm type, the source IP address and the destination IP address of the alarm information to be evaluated;
based on the alarm type, searching a correspondence table between alarm types and alarm type rating values, and determining an alarm type rating value reflecting the occurrence frequency of the alarm type; the correspondence table between alarm types and alarm type rating values is calculated based on the number of distinct source IP addresses in a historical threat source library and the number of source IP addresses associated with each alarm type, and represents the occurrence frequency of each alarm type: the more source IP addresses an alarm type is associated with, the lower its threat degree and, correspondingly, the lower its alarm type rating value; the historical threat source library is the threat source information in a preset time period;
acquiring a threat source rating value reflecting whether the threat source of the alarm information appears for the first time, and an IP address information rating value reflecting the threat degree associated with the IP address information; wherein the threat source is the information pair formed by the alarm type and the source IP address;
performing a weighted summation of the alarm type rating value, the threat source rating value and the IP address information rating value to determine an alarm information threat level representing the threat degree of the alarm information, and sorting the alarm information based on the alarm information threat level.
2. The method of claim 1, wherein said obtaining the IP address information rating value comprises:
determining a point set and an edge set from the source IP addresses and destination IP addresses in the alarm information of a preset time period, wherein the elements of the point set are the distinct source IP addresses and destination IP addresses, and the elements of the edge set are the distinct (source IP address, destination IP address) pairs;
determining, based on the point set and the edge set, an association map representing the correspondence between source IP addresses and destination IP addresses;
initializing the grade scores of all IP addresses on the association map, calculating the grade scores of all IP addresses iteratively, and taking the average of the source IP address grade score and the destination IP address grade score as the IP address information rating value, wherein the IP address information rating value represents the number of alarm events related to the IP address.
3. The method of claim 1, wherein obtaining the threat source rating value comprises:
determining whether the threat source belongs to the historical threat source library;
if the threat source belongs to the historical threat source library, setting the threat source rating value to a first value; if the threat source does not belong to the historical threat source library, setting the threat source rating value to a second value;
wherein the second value is greater than the first value.
4. An alarm information processing apparatus, characterized in that the apparatus comprises:
an extraction module, configured to extract the alarm type, the source IP address and the destination IP address of the alarm information to be evaluated;
an acquisition module, configured to search, based on the alarm type, a correspondence table between alarm types and alarm type rating values, and to determine an alarm type rating value reflecting the occurrence frequency of the alarm type; the correspondence table between alarm types and alarm type rating values is calculated based on the number of distinct source IP addresses in a historical threat source library and the number of source IP addresses associated with each alarm type, and represents the occurrence frequency of each alarm type: the more source IP addresses an alarm type is associated with, the lower its threat degree and, correspondingly, the lower its alarm type rating value; the historical threat source library is the threat source information in a preset time period;
the acquisition module is further configured to acquire a threat source rating value reflecting whether the threat source of the alarm information appears for the first time, and an IP address information rating value reflecting the threat degree associated with the IP address information; wherein the threat source is the information pair formed by the alarm type and the source IP address;
a sorting module, configured to perform a weighted summation of the alarm type rating value, the threat source rating value and the IP address information rating value to determine an alarm information threat level representing the threat degree of the alarm information, and to sort the alarm information based on the alarm information threat level.
5. The apparatus of claim 4, wherein the acquisition module is specifically configured to:
determining a point set and an edge set from the source IP addresses and destination IP addresses in the alarm information of a preset time period, wherein the elements of the point set are the distinct source IP addresses and destination IP addresses, and the elements of the edge set are the distinct (source IP address, destination IP address) pairs;
determining, based on the point set and the edge set, an association map representing the correspondence between source IP addresses and destination IP addresses;
initializing the grade scores of all IP addresses on the association map, calculating the grade scores of all IP addresses iteratively, and taking the average of the source IP address grade score and the destination IP address grade score as the IP address information rating value, wherein the IP address information rating value represents the number of alarm events related to the IP address.
6. The apparatus of claim 4, wherein the acquisition module is specifically configured to: determine whether the threat source belongs to the historical threat source library; if it does, set the threat source rating value to a first value; if it does not, set the threat source rating value to a second value; wherein the second value is greater than the first value.
7. A computer storage medium, characterized in that it comprises a computer program which, when run on a computer, causes the computer to perform the method according to any one of claims 1 to 3.
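The three ratings and their weighted combination, as described for the acquisition and sorting modules above and in claims 1 to 3, worked through as an added Python example; this is not the patent's own code. The rating formula for alarm types, the two threat source values, the weights and the PageRank-style iteration for the association map are assumptions, and the alerts and the historical threat source library are constructed sample data.

```python
from collections import defaultdict

# Constructed sample alerts for the evaluation window: (alarm type, source IP, destination IP).
ALERTS = [
    ("port_scan", "10.0.0.5", "10.0.1.10"),
    ("port_scan", "10.0.0.6", "10.0.1.10"),
    ("port_scan", "10.0.0.7", "10.0.1.11"),
    ("sql_injection", "10.0.0.9", "10.0.1.10"),
]
# Constructed historical threat source library: (alarm type, source IP) pairs seen in the preset period.
HISTORY = {
    ("port_scan", "10.0.0.5"), ("port_scan", "10.0.0.6"),
    ("brute_force", "10.0.0.8"), ("sql_injection", "10.0.0.9"),
}
SEEN_BEFORE, FIRST_SEEN = 0.2, 1.0   # claim 3: the value for an unseen source is the larger (assumed numbers)
WEIGHTS = (0.4, 0.4, 0.2)            # assumed weights for alarm type, threat source, IP information

def alarm_type_table(history):
    """Rating per alarm type: the more distinct source IPs a type is tied to, the lower its rating.
    Assumed formula: 1 - |sources of this type| / |all distinct sources in the library|."""
    total = len({src for _, src in history})
    per_type = defaultdict(set)
    for typ, src in history:
        per_type[typ].add(src)
    return {typ: 1.0 - len(srcs) / total for typ, srcs in per_type.items()}

def ip_scores(alerts, damping=0.85, rounds=100):
    """Claim 2: build the source->destination association map and score every IP iteratively.
    Assumed iteration: PageRank-style power iteration; dangling nodes spread their mass evenly."""
    edges = {(s, d) for _, s, d in alerts}          # edge set: distinct (source, destination) pairs
    nodes = sorted({n for e in edges for n in e})   # point set: distinct IP addresses
    out = defaultdict(list)
    for s, d in edges:
        out[s].append(d)
    n = len(nodes)
    score = {v: 1.0 / n for v in nodes}            # initialized grade scores
    for _ in range(rounds):
        dangling = sum(score[v] for v in nodes if not out[v])
        new = {v: (1 - damping) / n + damping * dangling / n for v in nodes}
        for s in nodes:
            for d in out[s]:
                new[d] += damping * score[s] / len(out[s])
        score = new
    return score

def rank_alerts(alerts, history, weights=WEIGHTS):
    """Claim 1: weighted sum of the three ratings, then sort by descending threat level."""
    table = alarm_type_table(history)
    scores = ip_scores(alerts)
    w_type, w_src, w_ip = weights
    ranked = []
    for typ, src, dst in alerts:
        type_rating = table.get(typ, 1.0)                      # type with no associated sources yet
        src_rating = SEEN_BEFORE if (typ, src) in history else FIRST_SEEN
        ip_rating = (scores[src] + scores[dst]) / 2            # average of source and destination scores
        level = w_type * type_rating + w_src * src_rating + w_ip * ip_rating
        ranked.append((round(level, 4), typ, src, dst))
    return sorted(ranked, key=lambda r: r[0], reverse=True)
```

With the constructed data, the port scan from the never-seen source 10.0.0.7 ranks first even though port scans are the most common type, and 10.0.1.10, the destination of three alerts, receives the highest IP score.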
CN201910817936.6A 2019-08-30 2019-08-30 Alarm information processing method and device Active CN110535702B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910817936.6A CN110535702B (en) 2019-08-30 2019-08-30 Alarm information processing method and device

Publications (2)

Publication Number Publication Date
CN110535702A CN110535702A (en) 2019-12-03
CN110535702B true CN110535702B (en) 2022-07-12

Family

ID=68665672

Country Status (1)

Country Link
CN (1) CN110535702B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104753862A (en) * 2013-12-27 2015-07-01 华为技术有限公司 Method and device for improving network security
CN106713049A (en) * 2017-02-04 2017-05-24 杭州迪普科技股份有限公司 Alarm method and device of monitor
CN108073611A (en) * 2016-11-14 2018-05-25 国网江苏省电力公司镇江供电公司 The filter method and device of a kind of warning information
CN109922069A (en) * 2019-03-13 2019-06-21 中国科学技术大学 The multidimensional association analysis method and system that advanced duration threatens

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104809627A (en) * 2015-04-23 2015-07-29 腾讯科技(深圳)有限公司 Information processing method and device

Also Published As

Publication number Publication date
CN110535702A (en) 2019-12-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant after: NSFOCUS Technologies Group Co.,Ltd.

Applicant after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Applicant before: NSFOCUS TECHNOLOGIES Inc.

GR01 Patent grant