CN112202867A - Workflow node disposal method and system applied to network security environment
- Publication number
- CN112202867A
- Authority
- CN
- China
- Prior art keywords
- flow
- recommended
- resource library
- candidate
- node
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
- G06F17/10—Complex mathematical operations
- G06F17/16—Matrix or vector computation, e.g. matrix-matrix or matrix-vector multiplication, matrix factorization
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/22—Matching criteria, e.g. proximity measures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention provides a workflow node disposal method and system applied to a network security environment. Flows in a flow resource library that do not meet the flow matching degree are deleted from the library to construct a candidate flow set; flows that meet the given flow matching degree with the recommended flow p are then found in the candidate flow set, and from each flow found, the flow path that takes the ending node of flow p as its starting node is extracted as a recommended flow path, forming the recommended flow path set. This realizes the disposal of workflow nodes, accommodates flow diversity, and suits complex and diversified flow scenarios. Because a breadth-first search algorithm is used, execution efficiency is high and matching is intelligent; flows do not need to be hard-coded and implemented in a complicated manner, and the efficiency of automatic matching and dynamic adjustment of event handling flow nodes is greatly improved. The present invention is not limited to current network security environments and can be abstracted for use in more general scenarios.
Description
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and a system for processing workflow nodes in a network security environment.
Background
Big data in a network security environment is highly diverse in type: there are hundreds of subclasses of security events under major categories such as virus detection and removal, identity authentication, and operation and maintenance monitoring. Handling such diverse security events through to closure inevitably requires different disposal schemes, which in turn involve personnel in various roles from different units and departments.
Traditional business flows may be numerous, but most are single in scenario and type and are not complex overall; most nodes and levels are fixed or change little. For example, several fixed roles are configured and the flow circulates among them, without much diversity. As a result, there are currently few flow configuration approaches in the industry that can serve as a reference.
Disclosure of Invention
The invention aims to provide a workflow node disposal method and a workflow node disposal system applied to a network security environment, which aim to solve the problem of low efficiency of event disposal of workflow nodes in the prior art and improve the efficiency of automatic matching and dynamic adjustment of event disposal process nodes.
To achieve the above technical object, the present invention provides a workflow node handling method applied to a network security environment, the method including the operations of:
S1, recording flow data and constructing a flow resource library;
S2, deleting from the flow resource library the flows that do not meet the flow matching degree with the recommended flow p, the remaining part of the flow resource library forming a candidate flow set;
S3, finding in the candidate flow set the flows that meet the given flow matching degree with the recommended flow p, and extracting from each found flow the flow path that takes the ending node of flow p as its starting node as a recommended flow path, forming the recommended flow path set.
Preferably, the step S2 is as follows:
traversing each flow q in the flow resource library, and excluding flows whose breadth-first search sequence depth H_q is less than the breadth-first search sequence depth H_p of the recommended flow p;
excluding flows whose number of nodes N_q is less than the number of nodes N_p of the recommended flow p;
taking diffset as the node difference set of flow p and flow q, and excluding flows for which the number of nodes in the difference set is greater than the threshold H_p*(1-θ_RH), where θ_RH is the flow matching depth threshold;
and adding the flows that remain after the exclusion to the candidate flow set.
Preferably, the step S3 is specifically:
traversing each flow q in the candidate flow set, and constructing a flow matrix according to the breadth-first search sequences of the two flows;
calculating the matrix path distance of each group of flow matrixes;
when the matrix path distance is greater than the flow matching precision threshold θ_D, adding the nodes to the recommended flow path set.
Preferably, the flow matrix is:
wherein ψ(p_i, q_j) is the comparison function of sequence elements:
The invention also provides a workflow node disposal system applied to a network security environment, which comprises:
the process resource library construction module is used for inputting process data and constructing a process resource library;
the candidate process set building module is used for deleting the processes which do not meet the process matching degree with the recommended process p from the process resource library, and the rest process resource library part forms a candidate process set;
and the recommended flow path set building module is used for finding the flows which meet the given flow matching degree with the recommended flow p from the candidate flow set, and extracting the flow path which takes the end node of the flow p as the initial node from each found flow as the recommended flow path to form the recommended flow path set.
Preferably, the candidate flow set is the part of the flow resource library that remains after excluding flows whose breadth-first search sequence depth H_q is less than the breadth-first search sequence depth H_p of the recommended flow p, flows whose number of nodes N_q is less than the number of nodes N_p of the recommended flow p, and flows whose node difference set contains more nodes than the threshold H_p*(1-θ_RH).
Preferably, for each flow q in the candidate flow set, a flow matrix is constructed according to the breadth-first search sequences of the two flows, and the nodes whose matrix path distance is greater than the flow matching precision threshold θ_D constitute the recommended flow path set.
Preferably, the flow matrix is:
wherein ψ(p_i, q_j) is the comparison function of sequence elements:
The effects described in this summary are only those of the embodiment, not all effects of the invention. One of the above technical solutions has the following advantages or beneficial effects:
Compared with the prior art, the invention deletes from the flow resource library the flows that do not meet the flow matching degree to construct a candidate flow set, finds in the candidate flow set the flows that meet the given flow matching degree with the recommended flow p, and extracts from each found flow the flow path that takes the end node of flow p as its starting node as a recommended flow path, forming the recommended flow path set and thereby realizing the disposal of workflow nodes. The present invention is not limited to current network security environments and can be abstracted for use in more general scenarios.
Drawings
Fig. 1 is a flowchart of a workflow node handling method applied to a network security environment according to an embodiment of the present invention;
Fig. 2 is a block diagram of a workflow node handling system applied to a network security environment provided in an embodiment of the present invention.
Detailed Description
In order to clearly explain the technical features of the present invention, the following detailed description of the present invention is provided with reference to the accompanying drawings. The following disclosure provides many different embodiments, or examples, for implementing different features of the invention. To simplify the disclosure of the present invention, the components and arrangements of specific examples are described below. Furthermore, the present invention may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. It should be noted that the components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components and processing techniques and procedures are omitted so as to not unnecessarily limit the invention.
The following describes a workflow node handling method and system applied to a network security environment according to an embodiment of the present invention in detail with reference to the accompanying drawings.
As shown in fig. 1, an embodiment of the present invention discloses a method for handling a workflow node applied to a network security environment, where the method includes the following operations:
inputting process data and constructing a process resource library;
deleting the flows which do not meet the matching degree of the recommended flows p from the flow resource library, wherein the rest flow resource library part forms a candidate flow set;
and finding the flows meeting the given flow matching degree with the recommended flow p from the candidate flow set, and extracting a flow path taking the end node of the flow p as the initial node from each found flow as a recommended flow path to form a recommended flow path set.
In the preprocessing process, a process resource library is constructed through a breadth-first search algorithm, manual identification and data entry are adopted, and the process resource library is kept unchanged under the condition that no new process is added, which is equivalent to an initialization process.
Given the recommended flow p, the flow resource library, the flow matching depth threshold θ_RH and a single flow p in the flow resource library, let H_p be the breadth-first search sequence depth of flow p, H_q the breadth-first search sequence depth of flow q, N_p the number of nodes of flow p, and N_q the number of nodes of flow q.
To construct the candidate flow set, flows that cannot meet the flow matching degree are deleted from the flow resource library, and the part of the flow resource library that finally remains forms the candidate flow set. The steps are as follows:
traversing each flow q in the flow resource library, and excluding flows whose breadth-first search sequence depth H_q is less than the breadth-first search sequence depth H_p of the recommended flow p;
excluding flows whose number of nodes N_q is less than the number of nodes N_p of the recommended flow p;
taking diffset as the node difference set of flow p and flow q, and excluding flows for which the number of nodes in the difference set is greater than the threshold H_p*(1-θ_RH);
and adding the flows that remain after the exclusion to the candidate flow set.
And constructing a recommended flow path set, finding the flows which meet the given flow matching degree with the recommended flow p from the candidate flow set, and extracting a flow path which takes the end node of the flow p as the initial node from each found flow as the recommended flow path.
Let S(P) = {p_1, p_2, ..., p_m} and S(Q) = {q_1, q_2, ..., q_n} respectively denote the sets of the two flows, expressed as breadth-first search standard sequences. The comparison function for the sequence elements is:
The flow matrix is normalized to:
This step uses the recommended flow p, the candidate flow set CPS, the flow matching depth threshold θ_RH and the flow matching precision threshold θ_D; q denotes a single flow in the candidate flow set, B_q the breadth-first search sequence of flow q, and B_p the breadth-first search sequence of flow p.
Traversing each flow q in the candidate flow set, and constructing a flow matrix according to the breadth-first search sequences of the two flows;
calculating the matrix path distance of each group of flow matrixes;
when the matrix path distance is greater than the flow matching precision threshold θ_D, adding the nodes to the recommended flow path set.
When setting the thresholds, if the flow matching depth threshold θ_RH and the flow matching precision threshold θ_D are set to 1, the recommendation is exact; if they are set to values other than 1, the recommendation is fuzzy.
The invention deletes from the flow resource library the flows that do not meet the flow matching degree to construct a candidate flow set, finds in the candidate flow set the flows that meet the given flow matching degree with the recommended flow p, and extracts from each found flow the flow path that takes the end node of flow p as its starting node as a recommended flow path, forming the recommended flow path set and thereby realizing the disposal of workflow nodes. The present invention is not limited to current network security environments and can be abstracted for use in more general scenarios.
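The S2 exclusion rules and the path extraction of S3 described above, as an added Python example (not code from the patent); the flow-matrix scoring of S3 is not applied here. The flow and node names are constructed sample data, and three readings are assumptions of this example: the breadth-first search sequence depth is the number of BFS levels, diffset is the set of nodes of p missing from q, and the end node of p is the last node of its BFS sequence.

```python
# Added example: candidate pruning (S2) and continuation-path extraction (S3).
# All flows below are constructed sample data, not taken from the patent.

def bfs_levels(edges, start):
    """Breadth-first levels of a flow given as {node: [successors]}."""
    seen, levels, frontier = {start}, [], [start]
    while frontier:
        levels.append(frontier)
        nxt = []
        for node in frontier:
            for succ in edges.get(node, []):
                if succ not in seen:
                    seen.add(succ)
                    nxt.append(succ)
        frontier = nxt
    return levels


def profile(flow):
    """H (assumed: number of BFS levels), N (node count), B (BFS sequence)."""
    levels = bfs_levels(flow["edges"], flow["start"])
    seq = [node for level in levels for node in level]
    return {"H": len(levels), "N": len(seq), "B": seq}


def candidate_set(p, library, theta_rh):
    """S2: keep only the flows q that survive the three exclusion rules."""
    pp = profile(p)
    limit = pp["H"] * (1 - theta_rh)            # threshold H_p*(1-theta_RH)
    kept = {}
    for name, q in library.items():
        qp = profile(q)
        if qp["H"] < pp["H"]:                   # rule 1: H_q < H_p
            continue
        if qp["N"] < pp["N"]:                   # rule 2: N_q < N_p
            continue
        diffset = set(pp["B"]) - set(qp["B"])   # assumed: nodes of p absent from q
        if len(diffset) > limit:                # rule 3: |diffset| over threshold
            continue
        kept[name] = q
    return kept


def recommend_paths(p, library, theta_rh):
    """S3 path extraction: in each candidate, the path starting at p's end node."""
    end = profile(p)["B"][-1]                   # assumed end node of p
    paths = {}
    for name, q in candidate_set(p, library, theta_rh).items():
        if end not in profile(q)["B"]:
            continue                            # fuzzy candidate lacking p's end node
        path = [n for level in bfs_levels(q["edges"], end) for n in level]
        if len(path) > 1:                       # example's choice: skip dead ends
            paths[name] = path
    return paths


# Partially built event-handling flow p (constructed).
P = {"start": "alert_received",
     "edges": {"alert_received": ["triage"], "triage": ["isolate_host"]}}

# Flow resource library (constructed).
LIBRARY = {
    "malware_full": {"start": "alert_received", "edges": {
        "alert_received": ["triage"], "triage": ["isolate_host"],
        "isolate_host": ["collect_sample", "notify_owner"],
        "collect_sample": ["close_ticket"], "notify_owner": ["close_ticket"]}},
    "auth_lockout": {"start": "alert_received", "edges": {
        "alert_received": ["triage"], "triage": ["reset_password"],
        "reset_password": ["close_ticket"]}},
    "short_ack": {"start": "alert_received", "edges": {
        "alert_received": ["close_ticket"]}},
}

if __name__ == "__main__":
    for theta in (1.0, 0.5):
        print(theta, list(candidate_set(P, LIBRARY, theta)),
              recommend_paths(P, LIBRARY, theta))
```

With θ_RH = 1 the difference-set threshold is 0, so only flows containing every node of p survive; lowering θ_RH admits `auth_lockout` as a candidate, but it yields no path because it never reaches p's end node.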
As shown in fig. 2, an embodiment of the present invention further discloses a workflow node handling system applied to a network security environment, where the system includes:
the process resource library construction module is used for inputting process data and constructing a process resource library;
the candidate process set building module is used for deleting the processes which do not meet the process matching degree with the recommended process p from the process resource library, and the rest process resource library part forms a candidate process set;
and the recommended flow path set building module is used for finding the flows which meet the given flow matching degree with the recommended flow p from the candidate flow set, and extracting the flow path which takes the end node of the flow p as the initial node from each found flow as the recommended flow path to form the recommended flow path set.
In the preprocessing process, a process resource library is constructed through a breadth-first search algorithm, manual identification and data entry are adopted, and the process resource library is kept unchanged under the condition that no new process is added, which is equivalent to an initialization process.
Given the recommended flow p, the flow resource library, the flow matching depth threshold θ_RH and a single flow p in the flow resource library, let H_p be the breadth-first search sequence depth of flow p, H_q the breadth-first search sequence depth of flow q, N_p the number of nodes of flow p, and N_q the number of nodes of flow q.
To construct the candidate flow set, flows that cannot meet the flow matching degree are deleted from the flow resource library, and the part of the flow resource library that finally remains forms the candidate flow set. The steps are as follows:
traversing each flow q in the flow resource library, and excluding flows whose breadth-first search sequence depth H_q is less than the breadth-first search sequence depth H_p of the recommended flow p;
excluding flows whose number of nodes N_q is less than the number of nodes N_p of the recommended flow p;
taking diffset as the node difference set of flow p and flow q, and excluding flows for which the number of nodes in the difference set is greater than the threshold H_p*(1-θ_RH);
and adding the flows that remain after the exclusion to the candidate flow set.
And constructing a recommended flow path set, finding the flows which meet the given flow matching degree with the recommended flow p from the candidate flow set, and extracting a flow path which takes the end node of the flow p as the initial node from each found flow as the recommended flow path.
Let S(P) = {p_1, p_2, ..., p_m} and S(Q) = {q_1, q_2, ..., q_n} respectively denote the sets of the two flows, expressed as breadth-first search standard sequences. The comparison function for the sequence elements is:
The flow matrix is normalized to:
This step uses the recommended flow p, the candidate flow set CPS, the flow matching depth threshold θ_RH and the flow matching precision threshold θ_D; q denotes a single flow in the candidate flow set, B_q the breadth-first search sequence of flow q, and B_p the breadth-first search sequence of flow p.
Traversing each flow q in the candidate flow set, and constructing a flow matrix according to the breadth-first search sequences of the two flows;
calculating the matrix path distance of each group of flow matrixes;
when the matrix path distance is greater than the flow matching precision threshold θ_D, adding the nodes to the recommended flow path set.
When setting the thresholds, if the flow matching depth threshold θ_RH and the flow matching precision threshold θ_D are set to 1, the recommendation is exact; if they are set to values other than 1, the recommendation is fuzzy.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.
Claims (8)
1. A method of workflow node handling for application in a network security environment, the method comprising the operations of:
S1, recording flow data and constructing a flow resource library;
S2, deleting from the flow resource library the flows that do not meet the flow matching degree with the recommended flow p, the remaining part of the flow resource library forming a candidate flow set;
S3, finding in the candidate flow set the flows that meet the given flow matching degree with the recommended flow p, and extracting from each found flow the flow path that takes the ending node of flow p as its starting node as a recommended flow path, forming the recommended flow path set.
2. The method for handling workflow nodes applied to network security environment according to claim 1, wherein the step S2 is as follows:
traversing each flow q in the flow resource library, and excluding flows whose breadth-first search sequence depth H_q is less than the breadth-first search sequence depth H_p of the recommended flow p;
excluding flows whose number of nodes N_q is less than the number of nodes N_p of the recommended flow p;
taking diffset as the node difference set of flow p and flow q, and excluding flows for which the number of nodes in the difference set is greater than the threshold H_p*(1-θ_RH), where θ_RH is the flow matching depth threshold;
and adding the flows that remain after the exclusion to the candidate flow set.
3. The method for handling workflow nodes applied to a network security environment according to claim 1, wherein the step S3 is specifically as follows:
traversing each flow q in the candidate flow set, and constructing a flow matrix according to the breadth-first search sequences of the two flows;
calculating the matrix path distance of each group of flow matrixes;
when the matrix path distance is greater than the flow matching precision threshold θ_D, adding the nodes to the recommended flow path set.
5. A workflow node disposal system applied to a network security environment, the system comprising:
the process resource library construction module is used for inputting process data and constructing a process resource library;
the candidate process set building module is used for deleting the processes which do not meet the process matching degree with the recommended process p from the process resource library, and the rest process resource library part forms a candidate process set;
and the recommended flow path set building module is used for finding the flows which meet the given flow matching degree with the recommended flow p from the candidate flow set, and extracting the flow path which takes the end node of the flow p as the initial node from each found flow as the recommended flow path to form the recommended flow path set.
6. The system as claimed in claim 5, wherein the candidate flow set is the part of the flow resource library that remains after excluding flows whose breadth-first search sequence depth H_q is less than the breadth-first search sequence depth H_p of the recommended flow p, flows whose number of nodes N_q is less than the number of nodes N_p of the recommended flow p, and flows whose node difference set contains more nodes than the threshold H_p*(1-θ_RH).
7. The workflow node handling system applied to a network security environment according to claim 5, wherein for each flow q in the candidate flow set a flow matrix is constructed according to the breadth-first search sequences of the two flows, and the nodes whose matrix path distance is greater than the flow matching precision threshold θ_D constitute the recommended flow path set.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011030185.2A CN112202867A (en) | 2020-09-27 | 2020-09-27 | Workflow node disposal method and system applied to network security environment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112202867A | 2021-01-08 |
Family
ID=74007356
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WW01 | Invention patent application withdrawn after publication | ||
Application publication date: 20210108 |