CN113836371A - Security event display method and device - Google Patents

Security event display method and device

Info

Publication number: CN113836371A
Application number: CN202111138394.3A
Authority: CN (China)
Legal status: Pending (as listed by Google Patents)
Other languages: Chinese (zh)
Inventor: 赵志伟
Original assignee: New H3C Security Technologies Co Ltd
Current assignee: New H3C Security Technologies Co Ltd
Priority: CN202111138394.3A; publication: CN113836371A
Prior art keywords: displayed, security event, security, event, host

Classifications

    • G06F16/9038 Presentation of query results (under G06F16/903 Querying; G06F16/90 Details of database functions independent of the retrieved data types; G06F16/00 Information retrieval; Database structures therefor; File system structures therefor)
    • G06F16/904 Browsing; Visualisation therefor (under G06F16/90; G06F16/00)

Abstract

The embodiment of the application provides a method and a device for displaying a security event, which relate to the technical field of networks. The method comprises the following steps: acquiring each security event to be displayed; determining an initial display sequence of each security event to be displayed in a security event list; for each security event to be displayed, adjusting its initial display sequence based on its host attention index and its type attention index to obtain its optimized display sequence in the security event list; and displaying each security event to be displayed in the security event list according to the obtained optimized display sequence. In this way, the processing efficiency of security events can be improved.

Description

Security event display method and device
Technical Field
The present application relates to the field of network technologies, and in particular, to a method and an apparatus for displaying a security event.
Background
With the rapid development of network technology, the attack methods and tools available to malicious attackers have become increasingly abundant, and network attacks occur frequently. A user can handle the security events caused by network attacks through a network security device together with a platform for managing security events.
For example, the network security device may determine security events to be processed from the traffic it inspects, and the security event management platform may then display those security events to the user. The user can then process each security event according to the information displayed by the security event management platform.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for displaying a security event, which can effectively guide a user to preferentially process a security event to be displayed that meets behavior characteristics of the user, and improve processing efficiency of the security event. The specific technical scheme is as follows:
in a first aspect, to achieve the above object, an embodiment of the present application discloses a method for displaying a security event, where the method includes:
acquiring each security event to be displayed;
determining an initial display sequence of each to-be-displayed security event in a security event list;
for each security event to be displayed, adjusting the initial display sequence of the security event to be displayed based on the host attention index and the type attention index of the security event to be displayed, to obtain the optimized display sequence of the security event to be displayed in the security event list;
where the host attention index of the security event to be displayed is determined based on the number of processed security events whose host of concern is the same as the host concerned by the security event to be displayed, the host concerned by the security event to be displayed being the host that caused the security event to be displayed; and the type attention index of the security event to be displayed is determined based on the number of processed security events that are of the same event type as the security event to be displayed;
and displaying each security event to be displayed in the security event list according to the obtained optimized display sequence.
Optionally, adjusting, for each security event to be displayed, the initial display order of the security event to be displayed based on its host attention index and its type attention index to obtain its optimized display order in the security event list includes:
for each security event to be displayed, acquiring an initial display sequence value representing the initial display sequence of the security event to be displayed;
and calculating the weighted sum of the initial display sequence value, the host attention index and the type attention index of the security event to be displayed, to obtain an optimized display sequence value representing the optimized display sequence of the security event to be displayed in the security event list.
Optionally, before adjusting, for each security event to be displayed, the initial display order of the security event to be displayed based on its host attention index and its type attention index to obtain its optimized display order in the security event list, the method further includes:
for each security event to be displayed, if the source host device and the destination host device of the security event to be displayed are both internal host devices, determining that the host concerned by the security event to be displayed is the source host device;
and if the source host device of the security event to be displayed is an external host device and the destination host device is an internal host device, determining that the host concerned by the security event to be displayed is the destination host device.
Optionally, determining the initial display order of the security events to be displayed in the security event list includes:
acquiring the current hot security events;
for each security event to be displayed, determining, from all the hot security events, the hot security event matched with the security event to be displayed;
and determining the initial display sequence of the security events to be displayed in the security event list according to the degree of loss caused by the matched hot security events.
Optionally, determining the initial display order of the security events to be displayed in the security event list includes:
determining the initial display sequence of each security event to be displayed in the security event list according to the order of occurrence time;
or, alternatively,
determining the initial display sequence of the security events to be displayed in the security event list according to the order of threat degree from high to low.
In a second aspect, in order to achieve the above object, an embodiment of the present application discloses a security event display apparatus, including:
a security-event-to-be-displayed acquisition module, configured to acquire each security event to be displayed;
an initial display sequence determining module, configured to determine the initial display sequence of each security event to be displayed in the security event list;
an optimized display sequence determining module, configured to, for each security event to be displayed, adjust the initial display sequence of the security event to be displayed based on its host attention index and its type attention index, to obtain the optimized display sequence of the security event to be displayed in the security event list;
where the host attention index of the security event to be displayed is determined based on the number of processed security events whose host of concern is the same as the host concerned by the security event to be displayed, the host concerned by the security event to be displayed being the host that caused the security event to be displayed; and the type attention index of the security event to be displayed is determined based on the number of processed security events that are of the same event type as the security event to be displayed;
and a display module, configured to display each security event to be displayed in the security event list according to the obtained optimized display sequence.
Optionally, the optimized display order determining module includes:
an initial display sequence value acquisition submodule, configured to acquire, for each security event to be displayed, an initial display sequence value representing its initial display sequence;
and an optimized display sequence determining submodule, configured to calculate the weighted sum of the initial display sequence value, the host attention index and the type attention index of the security event to be displayed, to obtain an optimized display sequence value representing the optimized display sequence of the security event to be displayed in the security event list.
Optionally, the apparatus further comprises:
a host determination module, configured to, before the optimized display sequence determining module adjusts the initial display order of each security event to be displayed, determine, for each security event to be displayed, that the host concerned by the security event to be displayed is the source host device if both the source host device and the destination host device of the security event to be displayed are internal host devices;
and, if the source host device of the security event to be displayed is an external host device and the destination host device is an internal host device, determine that the host concerned by the security event to be displayed is the destination host device.
Optionally, the initial display order determining module includes:
a hot security event acquisition submodule, configured to acquire the current hot security events;
a matching submodule, configured to determine, for each security event to be displayed, the hot security event matched with the security event to be displayed from all the hot security events;
and an initial display sequence determining submodule, configured to determine the initial display sequence of the security event to be displayed in the security event list according to the degree of loss caused by the matched hot security event.
Optionally, the initial display order determining module is specifically configured to determine the initial display order of each security event to be displayed in the security event list according to the order of occurrence time;
or, alternatively,
to determine the initial display sequence of the security events to be displayed in the security event list according to the order of threat degree from high to low.
In another aspect of this application, in order to achieve the above object, an embodiment of this application further discloses an electronic device, where the electronic device includes a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus;
the memory is used for storing a computer program;
the processor is configured to implement the method for displaying a security event according to the first aspect when executing the program stored in the memory.
In yet another aspect of the embodiments of this application, a computer-readable storage medium is further provided, in which a computer program is stored; when executed by a processor, the computer program implements the security event display method according to the first aspect.
In another aspect of this embodiment, a computer program product containing instructions is provided, which when executed on a computer, causes the computer to execute the security event display method according to the first aspect.
The embodiment of the application has the following beneficial effects:
According to the security event display method provided by the embodiment of the application, each security event to be displayed is acquired; an initial display sequence of each security event to be displayed in a security event list is determined; for each security event to be displayed, its initial display sequence is adjusted based on its host attention index and its type attention index to obtain its optimized display sequence in the security event list, where the host attention index of the security event to be displayed is determined based on the number of processed security events whose host of concern is the same as the host concerned by the security event to be displayed, the host concerned by the security event to be displayed being the host that caused it, and the type attention index of the security event to be displayed is determined based on the number of processed security events of the same event type as the security event to be displayed; and each security event to be displayed is displayed in the security event list according to the obtained optimized display sequence.
Based on this processing, the initial display sequence of the security events to be displayed can be optimized by taking into account the event types and the hosts of concern of the processed security events, so that an optimized display sequence is obtained. The processed security events reflect the behavior characteristics of the user when handling security events, so displaying the security events to be displayed in the optimized display sequence effectively guides the user to preferentially process the security events to be displayed that match the user's behavior characteristics, and the processing efficiency of security events is improved.
Of course, not all advantages described above need to be achieved at the same time in the practice of any one product or method of the present application.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description show only some embodiments of the present application, and a person skilled in the art could obtain other embodiments from these drawings.
Fig. 1 is a flowchart of a security event display method according to an embodiment of the present application;
fig. 2 is a flowchart of another security event display method provided in an embodiment of the present application;
fig. 3 is a flowchart of another security event display method provided in an embodiment of the present application;
fig. 4 is a structural diagram of a security event display device according to an embodiment of the present application;
fig. 5 is a structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments that can be derived by one of ordinary skill in the art from the description herein are intended to be within the scope of the present disclosure.
The embodiment of the application provides a security event display method, which can be applied to electronic equipment, wherein the electronic equipment can be a platform for managing security events. For example, the electronic device may communicate with the network security device to display the security event determined by the network security device.
Referring to fig. 1, fig. 1 is a flowchart of a security event display method provided in an embodiment of the present application, where the method may include the following steps:
S101: acquiring each security event to be displayed.
S102: determining the initial display sequence of each security event to be displayed in the security event list.
S103: for each security event to be displayed, adjusting the initial display sequence of the security event to be displayed based on its host attention index and its type attention index, so as to obtain the optimized display sequence of the security event to be displayed in the security event list.
The host attention index of the security event to be displayed is determined based on the number of processed security events whose host of concern is the same as the host concerned by the security event to be displayed; the host concerned by the security event to be displayed is the host that caused the security event to be displayed. The type attention index of the security event to be displayed is determined based on the number of processed security events that are of the same event type as the security event to be displayed.
S104: displaying each security event to be displayed in the security event list according to the obtained optimized display sequence.
The security event display method provided by the embodiment of the application can optimize the initial display sequence of the security events to be displayed by combining the event types of the processed security events and the concerned host to obtain the optimized display sequence. The processed security events can reflect the behavior characteristics of the security events processed by the user, so that the security events to be displayed are displayed based on the optimized display sequence, the user can be effectively guided to process the security events to be displayed according with the behavior characteristics of the user in a priority mode, and the processing efficiency of the security events is improved.
For step S101, the security events to be displayed are the security events that the electronic device currently needs to display. After the electronic device displays them, the user may choose to process a displayed security event or to ignore it. For example, for a false-positive security event, the user may choose to ignore it and not process it.
With respect to step S102, the initial display order represents an initial display order of each security event to be displayed in the security event list. In one embodiment, the step S102 may include the following steps:
determining the initial display sequence of each security event to be displayed in the security event list according to the sequence of occurrence time; or, determining the initial display sequence of the security events to be displayed in the security event list according to the sequence from high threat degree to low threat degree.
In one implementation, in the initial display order, the security event to be displayed with an earlier occurrence time is located before the security event to be displayed with a later occurrence time in the security event list.
Based on the processing, the user can be guided to process the early-occurring security event to be displayed preferentially so as to ensure the timeliness of the security event processing.
In another implementation, according to the initial display order, in the security event list, the security event to be displayed with a higher threat degree is located before the security event to be displayed with a lower threat degree.
The threat level of a security event may be determined based on, among other things, the event type of the security event and the network behavior of the attacked host in the security event (for example, requesting a cryptomining task, or scanning files on the host).
In one implementation, the event type of a security event may be represented by the type of virus that triggered it; accordingly, event types may include: a security event triggered by ransomware ("Lessovirus" in the original translation), a security event triggered by a cryptomining virus, and so on.
Specifically, the threat level of each event type may be preset by a technician, or the threat level of each network behavior may be preset. For example, the threat level may be represented by a numerical value (which may be referred to as a threat level value), with a greater threat level value indicating a higher threat level. Different event types correspond to different threat level values, and different network behaviors correspond to different threat level values.
Based on the processing, the user can be guided to process the security event to be displayed with higher threat degree in a priority mode, so that the loss caused by the security event is reduced.
In one implementation, the event types of the security events to be displayed may be counted, and the initial display order may be determined according to the resulting statistics.
For example, the security events to be displayed are grouped by event type to obtain a plurality of security event groups. According to the initial display sequence, in the security event list, the security events to be displayed in a group containing more security events are placed before those in a group containing fewer security events.
Based on this processing, the user can be guided to preferentially process the security events to be displayed of event types with a high occurrence frequency, so as to reduce the loss caused by the security events.
In another implementation, the initial display order may also be determined based on hot security events. Referring to fig. 2, on the basis of fig. 1, step S102 includes the following steps:
S1021: acquiring the current hot security events.
S1022: for each security event to be displayed, determining, from all the hot security events, the hot security event matched with the security event to be displayed.
S1023: determining the initial display sequence of the security events to be displayed in the security event list according to the degree of loss caused by the matched hot security events.
In an embodiment of the present application, the hot security events include the security events that have caused high loss within a certain geographical range (for example, worldwide). Such security events may change over time.
For example, event information for a hot security event can be found in table (1).
Table (1)
Name                  Hotspot degree   Related industry   Event-related attributes
Ransomware            Top1             Medical            Domain name A, IP1
Cryptomining virus    Top2             Education          Domain name B, IP2
Each row in Table (1) represents a hot security event. The hot security events are also ordered relative to one another, as expressed by their respective hotspot degrees. The hotspot degree may be determined based on the degree of loss caused by the hot security event: the greater the loss caused, the higher the hotspot degree. The industry is the business industry to which the host attacked by the virus that triggered the hot security event belongs. The domain name corresponding to a hot security event is the domain name of its remote-control end, and the IP corresponding to a hot security event is the IP address of its remote-control end.
In one implementation, for each security event to be displayed, a hot security event matching the security event to be displayed may be determined based on one or more types of event information.
For example, if matching is performed based on domain names and the domain name corresponding to a security event to be displayed is domain name A, it may be determined that the hot security event with hotspot degree Top1 in Table (1) matches the security event to be displayed.
For another example, if matching is performed based on the industry and the industry corresponding to the security event to be displayed is education, it may be determined that the hot security event with hotspot degree Top2 in Table (1) matches the security event to be displayed.
After the matched hot security events are determined, an initial display sequence of the security events to be displayed may be determined based on the hot spot degree of the matched hot security events. The hot spot degree is determined based on the loss degree, that is, the initial display order of the security events to be displayed in the security event list is determined according to the loss degree caused by the matched hot security events.
For example, according to the initial display order, in the security event list, the security event to be displayed, which matches the hot security event with a higher degree of caused loss, is located before the security event to be displayed, which matches the hot security event with a lower degree of caused loss.
Based on this processing, the user can be guided to preferentially process the security events to be displayed that match hot security events causing a greater degree of loss, so as to reduce the loss caused by the security events.
The method provided by the embodiment of the application can determine the optimized display sequence by combining the external hot security events, so that the security events to be displayed are displayed to the user, the user can be effectively guided to process the security events, and the user is prevented from blindly processing the security events without targets. In addition, as the hot security events change along with time, the display sequence of the security events to be displayed can be dynamically adjusted.
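The S102 alternatives described above (ordering by occurrence time, by threat degree, by per-type frequency, and by the loss degree of a matched hot security event) as one added Python example. This is not code from the patent or from New H3C: the event fields, the numeric threat values and their additive combination, the industry names, and the placeholder domain names and IP addresses standing in for "Domain name A, IP1" and "Domain name B, IP2" in Table (1) are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """A security event to be displayed (constructed fields; the patent fixes no schema)."""
    event_id: str
    event_type: str      # e.g. "ransomware", "cryptomining", "scan"
    occurred_at: int     # occurrence time as a Unix timestamp (constructed)
    behavior: str        # observed network behaviour of the attacked host
    domain: str = ""     # remote-control domain seen in the traffic, if any
    ip: str = ""         # remote-control IP address seen in the traffic, if any
    industry: str = ""   # industry of the attacked host


# The page says threat levels are preset by a technician; these values are assumed.
TYPE_THREAT = {"ransomware": 90, "cryptomining": 60, "scan": 30}
BEHAVIOR_THREAT = {"requests_mining_task": 20, "scans_host_files": 40, "none": 0}


def threat_value(ev: Event) -> int:
    """Combine the event-type and network-behaviour threat values (assumed additive model)."""
    return TYPE_THREAT.get(ev.event_type, 0) + BEHAVIOR_THREAT.get(ev.behavior, 0)


def order_by_time(events):
    """Earlier occurrence first, to keep handling timely."""
    return sorted(events, key=lambda e: e.occurred_at)


def order_by_threat(events):
    """Higher threat degree first; sorted() is stable, so ties keep their input order."""
    return sorted(events, key=threat_value, reverse=True)


def order_by_type_frequency(events):
    """Events of the most frequent event type first."""
    counts = Counter(e.event_type for e in events)
    return sorted(events, key=lambda e: counts[e.event_type], reverse=True)


@dataclass(frozen=True)
class HotEvent:
    """One row of Table (1): rank 1 is the highest hotspot degree (largest loss caused)."""
    name: str
    rank: int
    industry: str
    domain: str
    ip: str


# Table (1) with constructed placeholder values for the domain names and IPs.
HOT_EVENTS = [
    HotEvent("ransomware", 1, "medical", "domain-a.example", "192.0.2.1"),
    HotEvent("cryptomining", 2, "education", "domain-b.example", "192.0.2.2"),
]


def match_hot_event(ev: Event, hot_events, keys=("domain",)):
    """Return the first hot event whose chosen attributes all equal the event's, or None."""
    for hot in hot_events:
        if all(getattr(ev, k) == getattr(hot, k) for k in keys):
            return hot
    return None


def order_by_hot_event(events, hot_events=HOT_EVENTS, keys=("domain",)):
    """Events matched to a hot event with a greater loss degree (lower rank number) come
    first; unmatched events keep their relative order at the end."""
    unmatched_rank = len(hot_events) + 1

    def rank_of(ev):
        hot = match_hot_event(ev, hot_events, keys)
        return hot.rank if hot else unmatched_rank

    return sorted(events, key=rank_of)


# Constructed events, listed in arrival order.
EVENTS = [
    Event("E1", "ransomware", 100, "none", "domain-a.example", "192.0.2.1", "medical"),
    Event("E2", "cryptomining", 50, "requests_mining_task", "domain-b.example", "192.0.2.2", "education"),
    Event("E3", "scan", 75, "scans_host_files", industry="finance"),
    Event("E4", "cryptomining", 120, "none", "other.example", "198.51.100.7", "education"),
]


def ids(events):
    return [e.event_id for e in events]


if __name__ == "__main__":
    print("by time:     ", ids(order_by_time(EVENTS)))
    print("by threat:   ", ids(order_by_threat(EVENTS)))
    print("by frequency:", ids(order_by_type_frequency(EVENTS)))
    print("by hot event:", ids(order_by_hot_event(EVENTS)))
```

Each ordering function is deliberately a stable sort on a single key, so that when the initial order is later re-ranked by S103 any ties still fall back to the original arrival order rather than to an arbitrary one. The `keys` argument of `order_by_hot_event` is what selects "one or more types of event information" for the match; matching on `("domain",)` and on `("industry",)` give different results for the same constructed events.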
In one embodiment, referring to fig. 3, on the basis of fig. 1, step S103 includes the following steps:
S1031: for each security event to be displayed, acquiring an initial display sequence value representing the initial display sequence of the security event to be displayed.
S1032: calculating the weighted sum of the initial display sequence value, the host attention index and the type attention index of the security event to be displayed, to obtain an optimized display sequence value representing the optimized display sequence of the security event to be displayed in the security event list.
In one embodiment, the initial display order may be represented by a numerical value (i.e., an initial display order value). For example, according to the initial display order, the earlier a to-be-displayed security event is in the security event list, the larger the initial display order value of the to-be-displayed security event is.
In one implementation, after the initial display order is determined, the initial display order may be specifically quantized, that is, an initial display order value of each to-be-displayed security event is determined.
Further, for each security event to be displayed, the weighted sum of its initial display sequence value, host attention index and type attention index may be calculated as its optimized display sequence value. By comparing the optimized display sequence values of the security events to be displayed, the optimized display sequence of the security events to be displayed can be determined. For example, according to the optimized display order, the larger the optimized display sequence value of a security event to be displayed, the earlier it appears in the security event list.
The host attention index reflects, from the dimension of the host that caused the security event, which security events the user prioritizes. The larger the host attention index of a security event to be displayed, the more the user tends to preferentially process security events caused by that host; correspondingly, the larger the resulting optimized display sequence value, which guides the user to preferentially process that security event to be displayed. In this way the user is effectively guided to preferentially process the security events to be displayed that match the user's behavior characteristics.
The type attention index reflects, from the dimension of the event type, which security events the user prioritizes. The larger the type attention index of a security event to be displayed, the more the user tends to preferentially process security events of that event type; correspondingly, the larger the resulting optimized display sequence value, which guides the user to preferentially process that security event to be displayed. In this way the user is effectively guided to preferentially process the security events to be displayed that match the user's behavior characteristics.
The method provided by the embodiment of the application can determine the optimized display sequence by taking into account the security events processed by the user, so that when the security events to be displayed are displayed to the user, the user is effectively guided in processing them and is prevented from blindly processing security events without a target. In addition, as the user's processed security events change over time, the display sequence of the security events to be displayed can be adjusted dynamically.
In an embodiment, before the step S103, the method may further include the steps of:
for each security event to be displayed, if the source host device and the destination host device of the security event to be displayed are both internal host devices, determining that the host concerned by the security event to be displayed is the source host device; and if the source host device of the security event to be displayed is an external host device and the destination host device is an internal host device, determining that the host concerned by the security event to be displayed is the destination host device.
In the embodiment of the present application, the source host device of a security event is the attacker, and the destination host device is the attacked party.
If the source host device and the destination host device are both internal host devices, the security event to be displayed represents an attack initiated between internal host devices. The main factor causing the security event to be displayed is the internal attacker (for example, the attacker has been hijacked); that is, the internal attacker causes the security event to be displayed, and thus the source host device is determined to be the host concerned by the security event to be displayed.
If the source host device is an external host device and the destination host device is an internal host device, the security event to be displayed represents an attack initiated from the outside toward the inside. The main factor causing the security event to be displayed is the internal attacked party (for example, the attacked party has a vulnerability); that is, the internal attacked party causes the security event to be displayed, and thus the destination host device is determined to be the host concerned by the security event to be displayed.
It is understood that the host concerned by a processed security event is determined in the same manner as the host concerned by a security event to be displayed.
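The ranking described above (host-of-concern rule, attention indexes counted over processed events, weighted sum with an initial order by threat degree) as an added worked example; it is not code from the patent. The internal address ranges, the threat scale, the equal weights, the rank-to-value mapping and the sample events are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: these ranges define "internal" host devices; the text does not
# say how internal and external hosts are told apart.
INTERNAL_NETS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))


@dataclass(frozen=True)
class SecurityEvent:
    event_id: str
    src: str          # source host device (attacker)
    dst: str          # destination host device (attacked party)
    event_type: str
    threat: int       # threat degree, higher is more severe (constructed scale)


def is_internal(host: str) -> bool:
    return any(ip_address(host) in net for net in INTERNAL_NETS)


def host_of_concern(ev: SecurityEvent):
    # internal -> internal: the internal attacker (source) is the host of concern
    # external -> internal: the internal attacked party (destination) is
    # Other combinations are not covered by the text; None is an assumption.
    src_in, dst_in = is_internal(ev.src), is_internal(ev.dst)
    if src_in and dst_in:
        return ev.src
    if (not src_in) and dst_in:
        return ev.dst
    return None


def initial_order_values(events):
    # Initial display sequence by threat degree, high to low. A larger value
    # means an earlier position, matching the convention that a larger
    # optimized display sequence value is displayed earlier.
    ordered = sorted(events, key=lambda e: e.threat, reverse=True)
    n = len(ordered)
    return {e.event_id: n - i for i, e in enumerate(ordered)}


def attention_indexes(processed):
    # Host attention index: processed events with the same host of concern.
    # Type attention index: processed events of the same event type.
    host_counts = Counter()
    for e in processed:
        h = host_of_concern(e)
        if h is not None:
            host_counts[h] += 1
    return host_counts, Counter(e.event_type for e in processed)


def optimized_order(to_display, processed, weights=(1.0, 1.0, 1.0)):
    # Returns [(event_id, optimized display sequence value)], earliest first.
    # The text calls for a weighted sum but gives no weights; equal weights
    # are an assumption, and (1, 0, 0) reproduces the initial order.
    w_init, w_host, w_type = weights
    init = initial_order_values(to_display)
    host_counts, type_counts = attention_indexes(processed)
    scored = []
    for e in to_display:
        h = host_of_concern(e)
        host_idx = host_counts[h] if h is not None else 0
        value = w_init * init[e.event_id] + w_host * host_idx \
            + w_type * type_counts[e.event_type]
        scored.append((value, e.event_id))
    scored.sort(key=lambda p: (-p[0], p[1]))   # tie-break on id for determinism
    return [(eid, v) for v, eid in scored]


# Constructed sample data: events the analyst has already processed ...
PROCESSED = [
    SecurityEvent("p1", "10.0.0.5", "10.0.0.9", "lateral_movement", 5),
    SecurityEvent("p2", "10.0.0.5", "10.0.0.12", "brute_force", 4),
    SecurityEvent("p3", "203.0.113.7", "10.0.0.20", "brute_force", 6),
    SecurityEvent("p4", "198.51.100.2", "10.0.0.5", "web_scan", 3),
]
# ... and events waiting to be displayed. e2 has the lowest threat degree but
# matches the analyst's focus (host 10.0.0.5, brute force) and so moves first.
TO_DISPLAY = [
    SecurityEvent("e1", "198.51.100.9", "10.0.0.30", "web_scan", 9),
    SecurityEvent("e2", "10.0.0.5", "10.0.0.40", "brute_force", 4),
    SecurityEvent("e3", "203.0.113.8", "10.0.0.20", "malware_c2", 7),
]
```

With the sample data, `optimized_order(TO_DISPLAY, PROCESSED)` yields e2 (6.0), e1 (4.0), e3 (3.0), whereas weights (1, 0, 0) give the pure threat-degree order e1, e3, e2.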
Based on the same inventive concept, an embodiment of the present application further provides a security event display apparatus, referring to fig. 4, where fig. 4 is a structural diagram of the security event display apparatus provided in the embodiment of the present application, including:
a to-be-displayed security event acquiring module 401, configured to acquire each to-be-displayed security event;
an initial display order determining module 402, configured to determine an initial display order of the security events to be displayed in the security event list;
an optimized display order determining module 403, configured to, for each to-be-displayed security event, adjust an initial display order of the to-be-displayed security event based on a host attention index of the to-be-displayed security event and a type attention index of the to-be-displayed security event, so as to obtain an optimized display order of the to-be-displayed security event in the security event list;
the host attention index of the security event to be displayed is determined based on the number of processed security events whose concerned host is the same as the host concerned by the security event to be displayed; the host concerned by the security event to be displayed represents the host causing the security event to be displayed; the type attention index of the security event to be displayed is determined based on the number of processed security events that are of the same event type as the security event to be displayed;
a display module 404, configured to display each to-be-displayed security event in the security event list according to the obtained optimized display order.
Optionally, the optimized display order determining module 403 includes:
the initial display sequence value acquisition submodule is used for acquiring an initial display sequence value which represents the initial display sequence of each security event to be displayed;
and the optimized display sequence determining submodule is used for calculating the initial display sequence value of the to-be-displayed security event, the host attention index of the to-be-displayed security event and the weighted sum of the type attention indexes of the to-be-displayed security event to obtain an optimized display sequence value representing the optimized display sequence of the to-be-displayed security event in the security event list.
Optionally, the apparatus further comprises:
a host determination module, configured to, before the optimized display order determining module adjusts the initial display order of each to-be-displayed security event based on its host attention index and type attention index to obtain its optimized display order in the security event list, determine, for each to-be-displayed security event, that the host concerned by the to-be-displayed security event is the source host device if both the source host device and the destination host device of the to-be-displayed security event are internal host devices;
and determine that the host concerned by the to-be-displayed security event is the destination host device if the source host device of the to-be-displayed security event is an external host device and the destination host device is an internal host device.
Optionally, the initial display order determining module 402 includes:
a hot security event acquisition submodule, configured to acquire current hot security events;
a matching submodule, configured to, for each security event to be displayed, determine a hot security event matching the security event to be displayed from among all the hot security events;
and an initial display sequence determining submodule, configured to determine the initial display sequence of the security event to be displayed in the security event list according to the degree of loss caused by the matched hot security event.
Optionally, the initial display order determining module is specifically configured to determine the initial display order of each to-be-displayed security event in the security event list according to the sequence of occurrence times;
or,
to determine the initial display sequence of the security events to be displayed in the security event list according to the sequence of threat degrees from high to low.
The embodiment of the present application further provides an electronic device, as shown in fig. 5, which includes a processor 501, a communication interface 502, a memory 503 and a communication bus 504, wherein the processor 501, the communication interface 502 and the memory 503 communicate with one another through the communication bus 504;
a memory 503 for storing a computer program;
the processor 501, when executing the program stored in the memory 503, implements the following steps:
acquiring each security event to be displayed;
determining an initial display sequence of each to-be-displayed security event in a security event list;
aiming at each security event to be displayed, adjusting the initial display sequence of the security event to be displayed based on the host attention index of the security event to be displayed and the type attention index of the security event to be displayed to obtain the optimized display sequence of the security event to be displayed in the security event list;
the host attention index of the security event to be displayed is determined based on the number of processed security events whose concerned host is the same as the host concerned by the security event to be displayed; the host concerned by the security event to be displayed represents the host causing the security event to be displayed; the type attention index of the security event to be displayed is determined based on the number of processed security events that are of the same event type as the security event to be displayed;
and displaying each security event to be displayed in the security event list according to the obtained optimized display sequence.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment provided by the present application, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any of the above-mentioned security event display methods.
In yet another embodiment provided by the present application, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the security event display methods of the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application are produced, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave, etc.) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus, the electronic device, the computer-readable storage medium, and the computer program product embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and in relation to the description, reference may be made to some of the description of the method embodiments.
The above description is only for the preferred embodiment of the present application and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (10)

1. A method for displaying security events, the method comprising:
acquiring each security event to be displayed;
determining an initial display sequence of each to-be-displayed security event in a security event list;
aiming at each security event to be displayed, adjusting the initial display sequence of the security event to be displayed based on the host attention index of the security event to be displayed and the type attention index of the security event to be displayed to obtain the optimized display sequence of the security event to be displayed in the security event list;
the host attention index of the security event to be displayed is determined based on the number of processed security events whose concerned host is the same as the host concerned by the security event to be displayed; the host concerned by the security event to be displayed represents the host causing the security event to be displayed; the type attention index of the security event to be displayed is determined based on the number of processed security events that are of the same event type as the security event to be displayed;
and displaying each security event to be displayed in the security event list according to the obtained optimized display sequence.
2. The method according to claim 1, wherein the adjusting an initial display order of the to-be-displayed security events based on the host attention index of the to-be-displayed security events and the type attention index of the to-be-displayed security events for each to-be-displayed security event to obtain an optimized display order of the to-be-displayed security events in the security event list comprises:
for each security event to be displayed, acquiring an initial display sequence value representing the initial display sequence of the security event to be displayed;
and calculating the initial display sequence value of the to-be-displayed security event, the host attention index of the to-be-displayed security event and the weighted sum of the type attention indexes of the to-be-displayed security event to obtain an optimized display sequence value representing the optimized display sequence of the to-be-displayed security event in the security event list.
3. The method according to claim 1, wherein before the adjusting, for each to-be-displayed security event, the initial display order of the to-be-displayed security event based on the host attention index of the to-be-displayed security event and the type attention index of the to-be-displayed security event to obtain the optimized display order of the to-be-displayed security event in the security event list, the method further comprises:
for each security event to be displayed, if the source host device and the destination host device of the security event to be displayed are both internal host devices, determining that the host concerned by the security event to be displayed is the source host device;
and if the source host device of the security event to be displayed is an external host device and the destination host device is an internal host device, determining that the host concerned by the security event to be displayed is the destination host device.
4. The method according to claim 1, wherein the determining an initial display order of the security events to be displayed in the security event list comprises:
acquiring current hot security events;
for each security event to be displayed, determining a hot security event matching the security event to be displayed from among all the hot security events;
and determining the initial display sequence of the security event to be displayed in the security event list according to the degree of loss caused by the matched hot security event.
5. The method according to claim 1, wherein the determining an initial display order of the security events to be displayed in the security event list comprises:
determining the initial display sequence of each security event to be displayed in the security event list according to the sequence of occurrence times;
or,
determining the initial display sequence of the security events to be displayed in the security event list according to the sequence of threat degrees from high to low.
6. A security event display apparatus, the apparatus comprising:
a to-be-displayed security event acquisition module, configured to acquire each security event to be displayed;
an initial display sequence determining module, configured to determine the initial display sequence of each to-be-displayed security event in the security event list;
an optimized display sequence determining module, configured to, for each to-be-displayed security event, adjust the initial display sequence of the to-be-displayed security event based on the host attention index of the to-be-displayed security event and the type attention index of the to-be-displayed security event, so as to obtain the optimized display sequence of the to-be-displayed security event in the security event list;
the host attention index of the security event to be displayed is determined based on the number of processed security events whose concerned host is the same as the host concerned by the security event to be displayed; the host concerned by the security event to be displayed represents the host causing the security event to be displayed; the type attention index of the security event to be displayed is determined based on the number of processed security events that are of the same event type as the security event to be displayed;
and a display module, configured to display each security event to be displayed in the security event list according to the obtained optimized display sequence.
7. The apparatus of claim 6, wherein the optimized display order determining module comprises:
the initial display sequence value acquisition submodule is used for acquiring an initial display sequence value which represents the initial display sequence of each security event to be displayed;
and the optimized display sequence determining submodule is used for calculating the initial display sequence value of the to-be-displayed security event, the host attention index of the to-be-displayed security event and the weighted sum of the type attention indexes of the to-be-displayed security event to obtain an optimized display sequence value representing the optimized display sequence of the to-be-displayed security event in the security event list.
8. The apparatus of claim 6, further comprising:
a host determination module, configured to, before the optimized display order determining module adjusts the initial display order of each to-be-displayed security event based on its host attention index and type attention index to obtain its optimized display order in the security event list, determine, for each to-be-displayed security event, that the host concerned by the to-be-displayed security event is the source host device if both the source host device and the destination host device of the to-be-displayed security event are internal host devices;
and determine that the host concerned by the to-be-displayed security event is the destination host device if the source host device of the to-be-displayed security event is an external host device and the destination host device is an internal host device.
9. The apparatus of claim 6, wherein the initial display order determining module comprises:
a hot security event acquisition submodule, configured to acquire current hot security events;
a matching submodule, configured to, for each security event to be displayed, determine a hot security event matching the security event to be displayed from among all the hot security events;
and an initial display sequence determining submodule, configured to determine the initial display sequence of the security event to be displayed in the security event list according to the degree of loss caused by the matched hot security event.
10. The apparatus according to claim 6, wherein the initial display order determining module is specifically configured to determine the initial display order of the security events to be displayed in the security event list according to the sequence of occurrence times;
or,
to determine the initial display sequence of the security events to be displayed in the security event list according to the sequence of threat degrees from high to low.
CN202111138394.3A 2021-09-27 2021-09-27 Security event display method and device Pending CN113836371A (en)
Publications (1)

Publication Number Publication Date
CN113836371A true CN113836371A (en) 2021-12-24
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination