CN114186227A - Method, device and storage medium for converting safety alarm into safety event - Google Patents


Info

Publication number
CN114186227A
Authority
CN
China
Prior art keywords
event
alarm
alarm data
data
security
Prior art date
Legal status
Pending
Application number
CN202111493105.1A
Other languages
Chinese (zh)
Inventor
陆海涛
陈宇耀
张瀚之
胡绍勇
Current Assignee
Information and Data Security Solutions Co Ltd
Original Assignee
Information and Data Security Solutions Co Ltd
Priority date
Filing date
Publication date
Application filed by Information and Data Security Solutions Co Ltd
Priority to CN202111493105.1A
Publication of CN114186227A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2455 Query execution
    • G06F16/248 Presentation of query results
    • G06F16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F16/284 Relational databases
    • G06F16/285 Clustering or classification

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Computational Linguistics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Alarm Systems (AREA)

Abstract

The invention discloses a method, a device and a storage medium for converting a security alarm into a security event. The method comprises the following steps: acquiring first alarm data; extracting or creating an event ID for the first alarm data by using an alarm merging policy, so that first alarm data belonging to the same event ID are classified together to obtain second alarm data; performing custom assignment on the second alarm data by using an event output policy to obtain third alarm data; and grouping the third alarm data by using an event information policy to obtain a security event. The event policy flow can be flexibly configured: the event policy is used to extract or create the event ID of the alarm data, first alarm data belonging to the same event ID are classified together, and the classified alarm data are custom-assigned and grouped to generate the related security event. By storing (warehousing) and merging the alarm data in this way, the alarm storm is eliminated and the cost of analysing and responding to the threat is reduced.

Description

Method, device and storage medium for converting safety alarm into safety event
Technical Field
The invention relates to the technical field of network security, and in particular to a method, a device and a storage medium for converting a security alarm into a security event.
Background
At present, enterprises and organisations mostly build their security protection systems by stacking security devices, and in daily security operation they rely entirely on the alarms those devices raise. In practice, however, although the devices and the names of the alarms they generate differ, most of the data is produced by the same feature- and behaviour-based detection. It is therefore common in a real environment to see the same asset carrying a large number of repeated alerts.
Because the assets are diverse, a large number of alarms is generated, at short intervals and in large volume. They cannot be distinguished by manpower alone, and they correspond either to repeated behaviour of one or more attackers or to repeated alarms of the same type produced by several security devices.
Current security operation platforms are limited: only alarms sharing four or more characteristics, such as the same source address, destination address, name and threat level, can be merged, and all other alarm information can only be read piecemeal. Faced with a large volume of alarms, an analyst struggles to identify the key points and has to spend a great deal of time and effort on investigation, analysis and judgement, which causes much repetitive work and wasted time.
Because the platform cannot quickly give analysts what they need, and manpower cannot quickly identify the number and type of attacked assets, the current practice is to attend to high-threat-level alarms and set aside those of medium and low threat level. This practice, however, leaves a great many hidden dangers in the system, and an attack is discovered only once the system behaves abnormally.
In the related art, invention patent application 200910091833.2 discloses an alarm notification system and method for cluster monitoring. The system has an alarm receiving device for receiving alarm information from a cluster system; a sending-policy management device for maintaining sending policies, matching received alarm information against them and finding the policy that matches; and an alarm information sending device for sending the alarm information according to the matched sending policy. Matching the received alarm information against the maintained sending policies and sending it according to the matched policy gives good control over which alarm is sent to whom and by what means. That notification system does not merge alarms, however, so it does not substantially eliminate the alarm storm.
Disclosure of Invention
The invention aims to solve the technical problem of how to eliminate the alarm storm and reduce the analysis and response cost of the threat.
The invention solves the technical problems through the following technical means:
in one aspect, an embodiment of the present invention provides a method for converting a security alarm into a security event, where the method is used to convert an alarm into a security event by using at least one preset event policy, where the event policy includes an alarm merge policy, an event output policy, and an event information policy, and the method includes:
acquiring first alarm data;
extracting or creating an event ID of the first alarm data by using an alarm merging strategy so as to classify the first alarm data belonging to the same event ID to obtain second alarm data;
performing custom assignment on the second alarm data by using an event output strategy to obtain third alarm data;
and grouping the third alarm data by using an event information strategy to obtain a security event.
The invention can flexibly configure event strategy flow, extract or create event ID of alarm data by using event strategy, classify the first alarm data belonging to the same event ID, and perform custom assignment and grouping on the classified alarm data to generate related security events. By means of the method of warehousing and merging the alarm data, the alarm storm is eliminated, and the analysis and response cost of the threat is reduced.
Further, the extracting or creating the event ID of the first alarm data by using the alarm merging policy includes:
determining whether a target event ID exists based on an alarm field value in the first alarm data, wherein the target event ID is generated based on alarm data with the same alarm field value;
if so, extracting the target event ID as the event ID of the first alarm data;
and if not, creating a new event ID as the event ID of the first alarm data.
Further, the determining whether a target event ID exists based on the alarm field value in the first alarm data includes:
according to the alarm field value in the first alarm data, determining a self-defined alarm field belonging to the same category as the first alarm data in a predefined grouping condition;
searching historical alarm data in a time window according to the custom alarm field;
judging whether the historical alarm data generates a historical event ID or not;
if yes, determining the historical event ID as the target event ID;
if not, determining that the target event ID does not exist.
Further, the creating a new event ID as the event ID of the first alarm data includes:
judging whether the number of occurrences of the alarm field value in the first alarm data matches the count set in the statistical field;
if so, creating the new event ID as the event ID of the first alarm data;
if not, the flow is determined to be finished.
Further, the performing a custom assignment on the second alarm data by using the event output policy to obtain third alarm data includes:
sampling alarm field values of all data in the second alarm data to obtain sampled fields;
and performing custom assignment on the second alarm data based on the information contained in the sampling field to obtain third alarm data.
Further, the method further comprises:
displaying the third alarm data according to a set display format.
Further, after the acquiring the first alarm data, the method further includes:
judging whether the first alarm data meets the necessary conditions of the event strategy;
if so, processing the first alarm data by using the event strategy matched with the first alarm data;
if not, the flow is determined to be finished.
Further, the method further comprises:
judging whether the first alarm data contains an alarm field value that matches a value in the filtering list;
if yes, determining that the process is finished;
if not, determining that the first alarm data is valid alarm data;
and extracting or creating the event ID of the valid alarm data by using the alarm merging strategy.
In a second aspect, an embodiment of the present invention provides an apparatus for converting a security alarm into a security event, where the apparatus includes:
the acquisition module is used for acquiring first alarm data;
and at least one policy module comprising:
the alarm merging unit is used for extracting or creating an event ID of the first alarm data so as to classify the first alarm data belonging to the same event ID to obtain second alarm data;
the event output unit is used for carrying out user-defined assignment on the second alarm data to obtain third alarm data;
and the event information unit is used for grouping the third alarm data to obtain a safety event.
In a third aspect, the present invention provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the computer program implements the method described above.
The invention has the advantages that:
(1) the event strategy process can be flexibly configured, the event strategy is utilized to extract or create the event ID of the alarm data, the first alarm data belonging to the same event ID are classified, the classified alarm data are subjected to custom assignment and grouping, and the related security event is generated. By means of the method of warehousing and merging the alarm data, the alarm storm is eliminated, and the analysis and response cost of the threat is reduced.
(2) In the process of obtaining or creating the event ID, the time window is adopted to set the time limit of the alarm data matching and the time limit of the event strategy, and the effectiveness of the event ID creation is ensured.
(3) Displaying the alarm data after grouping and merging helps an analyst trace alarms back effectively and determine the attack state, which improves the accuracy of attack determination without placing excessive demands on real-time or historical data.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
FIG. 1 is a flow diagram of a method for converting a security alert to a security event in one embodiment of the invention;
FIG. 2 is a schematic diagram of the subdivision step of step S20;
FIG. 3 is a diagram of an event policy architecture in accordance with an embodiment of the present invention;
FIG. 4 is an overall flow diagram of a method for converting a security alert to a security event in one embodiment of the present invention;
FIG. 5 is a block diagram of an apparatus for converting a security alert to a security event in accordance with an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, a first embodiment of the present invention discloses a method for converting a security alarm into a security event, which is used for converting an alarm into a security event by using at least one preset event policy, where the event policy includes an alarm merge policy, an event output policy, and an event information policy, and includes the following steps:
and S10, acquiring first alarm data.
It should be noted that the first alarm data acquired in this embodiment may be alarm data generated based on the security device itself or the security operation platform rule engine, or alarm data generated by other data sources, which is not specifically limited in this embodiment.
S20, extracting or creating the event ID of the first alarm data by using an alarm merging strategy, so as to classify the first alarm data belonging to the same event ID to obtain second alarm data.
It should be noted that if alarm data of the same type as the first alarm data has already been acquired and converted into an event, that is, an event ID already exists, that event ID is directly extracted as the event ID of the first alarm data. If no such event ID exists, an event ID for the first alarm data must be newly created. Classifying alarm data belonging to the same event ID effectively eliminates the alarm storm.
S30, carrying out user-defined assignment on the second alarm data by using the event output strategy to obtain third alarm data.
The self-defined assignment refers to renaming the classified alarm data in a user-defined naming mode according to fields contained in the classified alarm data.
S40, grouping the third alarm data by using an event information strategy to obtain a security event.
It should be noted that, in this embodiment, the third alarm data is grouped according to a user-defined grouping manner, and generally, the grouping manner may adopt a manner of performing grouping ordering on an alarm name, a source address, a destination address, a threat level, a user name, and a domain name, for example. For general attack events, grouping can be performed according to grouping modes of alarm names, source addresses, destination addresses and threat levels. For the attack event of the intranet user concerned, the attack event can be grouped according to the grouping mode of an alarm name, a threat level and a user name. The event policy in this embodiment provides a flexible grouping manner, and may group the alarm data according to different requirements of the user.
The embodiment can flexibly configure the event policy process, extract or create the event ID of the alarm data by using the event policy, classify the first alarm data belonging to the same event ID, perform custom assignment and grouping on the classified alarm data, and generate the related security event. By means of the method of warehousing and merging the alarm data, the alarm storm is eliminated, and the analysis and response cost of the threat is reduced. Meanwhile, in the threat analysis process, an effective threat evidence chain can be provided, so that an analyst can be helped to quickly discriminate asset threat data, the threat potential is reduced, and the efficiency of safe operation is improved.
As shown in fig. 2 to 3, in some embodiments, the step S20 includes the following steps:
S201, determining whether a target event ID exists based on the alarm field value in the first alarm data, wherein the target event ID is generated based on the alarm data with the same alarm field value; if so, executing step S202, otherwise executing step S203.
S202, extracting the target event ID as the event ID of the first alarm data.
S203, creating a new event ID as the event ID of the first alarm data.
S204, classifying the first alarm data belonging to the same event ID to obtain second alarm data.
It should be noted that in this embodiment the same event ID is used to merge alarm data belonging to the same class; that is, the event ID classifies the first alarm data and serves as the unique aggregate under which the first alarm data is stored in the storage device. Repeated behaviour of one or more attackers and repeated alarms of the same class generated by several security devices are merged, so that what the analyst needs can be provided quickly and the cost of analysing and responding to the threat is reduced.
In some embodiments, the step S201 includes the steps of:
and S2011, according to the alarm field value in the first alarm data, determining a self-defined alarm field belonging to the same category as the first alarm data in a predefined grouping condition.
The predefined grouping condition refers to a main basis for grouping similar alarm data meeting necessary conditions, specifically to fields and field values of the alarm data and intervention event search.
S2012, according to the self-defined alarm field, searching the historical alarm data in the time window.
The time window sets the validity period for matching alarm data and the validity period of the event policy. Setting a time window bounds the duration of the search: if no target event ID is found within the time window, it is determined that a new event ID must be created.
Setting the time window avoids similar or repeated alarms being presented many times over a period, which would otherwise increase the analysis and handling workload of security analysts. The size of the configured time window affects the number of security events generated; the two are proportional to each other. By controlling the size of the time window, the invention therefore effectively suppresses the alarm storm, reduces handling cost and increases security operation efficiency.
S2013, judging whether the historical alarm data has generated a historical event ID; if so, executing step S2014, otherwise executing step S2015.
S2014, determining the historical event ID as the target event ID.
S2015, determining that the target event ID does not exist.
In some embodiments, the step S203 includes the steps of:
S2031, judging whether the number of occurrences of the alarm field value in the first alarm data matches the count set in the statistical field; if yes, performing step S2032, and if no, performing step S2033.
It should be noted that matching the alarm field value against the count of the statistical field screens out alarms that meet a certain behaviour threshold; only once the threshold is met is a security event generated for the alarm. This setting helps reduce false alarms, reduces the attention paid to alarms of lower urgency, lowers operation cost and increases handling efficiency.
S2032, creating the new event ID as the event ID of the first alarm data.
S2033, determining that the flow is finished.
In some embodiments, the step S30 includes the following steps:
S301, sampling alarm field values of all data in the second alarm data to obtain sampling fields.
S302, performing user-defined assignment on the second alarm data based on the information contained in the sampling field to obtain third alarm data.
It should be noted that the step of performing the custom assignment on the second alarm data is to perform a canonicalization process on the alarm data, so as to effectively convert the security alarm data into the security event data.
It should be noted that in this embodiment, before the second alarm data is output, its fields are reassigned, for example to designate the attacker and the victim. The sampling field is an alarm field of the second alarm data; in a security event, the field containing the source address is generally designated as the attacker and the field containing the destination address as the victim. When a specific user name is being brute-forced, however, the field containing that user name is designated as the specific victim, so the security operator can customise the assignment.
In some embodiments, the method further comprises the steps of:
displaying the third alarm data according to a set display format.
It should be noted that the display content of the alarm data in this embodiment includes, but is not limited to: event name, event ID, event policy name, event level, attacker, victim, start time, update time, event policy classification, responsible person, handling state, threat state, notification state, merged alarms and ATT&CK, etc.
It should be understood that those skilled in the art may set different presentation formats according to actual service requirements, and the embodiment is not limited in particular.
Here the start time is the time when the event ID was created, and the update time is the occurrence time of the latest alarm data stored under that event ID. Query conditions include comparison, attribution, regular-expression, existence, set and time conditions, among others. The handling state marks the handling operation performed by the customer on the security event: pending, handled, deferred, ignored, etc. The threat state marks the result of the security event when the customer handles it: attack succeeded, attack failed, false alarm, unknown, etc. The event level is a security event grade that the customer can set to guide how much attention the handling of an event receives; from low to high the levels are general, major, significant and especially significant.
By setting the query condition as a means for matching and screening alarm data, alarm data satisfying the characteristics of the event can be screened out.
In some embodiments, after the step S10, the following steps are further included:
judging whether the first alarm data meets the necessary conditions of the event strategy;
if so, processing the first alarm data by using the event strategy matched with the first alarm data;
if not, the flow is determined to be finished.
It should be noted that in this embodiment any number of event policies may be configured according to actual service requirements. When first alarm data is obtained, the event policies are matched against it in the order in which the alarms occurred, and when the necessary condition preset by an event policy is met, the data is classified and merged by the event policy matched to that first alarm data.
Specifically, fig. 4 shows the event policy design of this embodiment, on which a user can flexibly configure an event policy.
It should be understood that the necessary condition described in this embodiment may be customised according to specific service requirements, for example as requirements on specific alarm fields such as source address information and destination address information.
In some embodiments, the method further comprises the steps of:
judging whether the first alarm data contains an alarm field value that matches a value in the filtering list;
if yes, determining that the process is finished;
if not, determining that the first alarm data is valid alarm data;
and extracting or creating the event ID of the valid alarm data by using the alarm merging strategy.
It should be noted that the filtering list is a pre-created list of information groups in which alarm fields satisfying the filtering condition are stored, so as to filter out associated alarms that need no attention or are definitely false alarms. Before the first alarm data is classified, it is determined whether the value of some alarm field in the alarm data exists in the filtering list; if so, the first alarm data is filtered out and the process ends, otherwise the first alarm data is determined to be valid alarm data and classification proceeds, which ensures the accuracy of alarm data processing.
This embodiment can operate in real-time or offline mode. It extracts, matches, filters and groups the fields of the acquired first alarm data, outputs and samples them, merges them into storage and applies custom notification and other processing, so that the whole attack timeline is fully displayed. During threat analysis, the alarm data making up a security incident is displayed comprehensively and an effective chain of threat evidence is provided, so the analyst can see directly the threat an asset faces, trace alarms back effectively and determine the attack state; this gives the security operator important evidence for assisted analysis and judgement and facilitates rapid analysis and judgement.
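The pipeline described above, as an added example that is not part of the patent or the assignee's product: a minimal Python converter that runs steps S10-S40 (necessary-condition check, filter list, merging with a grouping key, time window and count threshold, attacker/victim assignment, grouping into events) over constructed sample alarms. Policy names, field names, addresses, the event ID format and the rule that alarms still pending inside the window join a newly created event ID are assumptions; the start time follows the description (the time the event ID was created).

```python
# Added example (not the patent's own code): steps S10-S40 over constructed sample alarms.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from itertools import count

@dataclass
class EventPolicy:
    name: str
    required: dict          # necessary condition an alarm must meet (checked after S10)
    group_fields: tuple     # predefined grouping condition: the custom alarm fields (S2011)
    window: timedelta       # time window for the historical search (S2012)
    threshold: int          # statistical-field count needed before an event ID is created (S2031)
    output_fields: tuple    # grouping mode used for the security event (S40)
    filter_list: dict = field(default_factory=dict)   # {"field": {"values to drop"}}

def make_policies(window_minutes=10):
    """Two constructed policies (names, fields and values are assumptions, not the patent's)."""
    drop = {"src": {"192.168.50.1"}}      # filter list: an address whose alarms need no attention
    return [
        EventPolicy("brute-force", {"name": "SSH brute force"}, ("name", "src", "dst"),
                    timedelta(minutes=window_minutes), 2, ("name", "level", "user"), drop),
        EventPolicy("scan", {"name": "Port scan"}, ("name", "src"),
                    timedelta(minutes=window_minutes), 1, ("name", "src", "dst", "level"), drop),
    ]

def alarm(name, src, dst, level, user, time):
    return {"name": name, "src": src, "dst": dst, "level": level, "user": user, "time": time}

# Constructed sample alarms: one brute-force behaviour reported three times, the same
# behaviour again well outside the window, a port scan, and a scan from the filtered address.
SAMPLE_ALARMS = [
    alarm("SSH brute force", "10.0.0.5", "10.0.1.20", "high", "admin", "2021-12-01T10:00:00"),
    alarm("SSH brute force", "10.0.0.5", "10.0.1.20", "high", "admin", "2021-12-01T10:00:30"),
    alarm("SSH brute force", "10.0.0.5", "10.0.1.20", "high", "admin", "2021-12-01T10:01:00"),
    alarm("Port scan", "10.0.0.9", "10.0.1.20", "medium", "", "2021-12-01T10:02:00"),
    alarm("Port scan", "192.168.50.1", "10.0.1.20", "medium", "", "2021-12-01T10:03:00"),
    alarm("SSH brute force", "10.0.0.5", "10.0.1.20", "high", "admin", "2021-12-01T10:20:00"),
]

def assign_fields(a):
    """S30 custom assignment: source -> attacker, destination -> victim, except that a
    brute-forced account name becomes the victim (the patent's own example)."""
    out = dict(a)
    out["attacker"] = a["src"]
    brute = "brute force" in a["name"].lower() and a["user"]
    out["victim"] = a["user"] if brute else a["dst"]
    return out

class AlarmToEventConverter:
    def __init__(self, policies):
        self.policies = policies
        self.history = []       # historical alarm data: dicts with alarm, policy, event_id
        self.created = {}       # event ID -> creation time (the event's start time)
        self._ids = count(1)

    def _merge(self, a, policy):
        """S20: extract the target event ID or create a new one; None means flow finished."""
        now = datetime.fromisoformat(a["time"])
        key = tuple(a[f] for f in policy.group_fields)
        recent = [h for h in self.history if h["policy"] is policy
                  and tuple(h["alarm"][f] for f in policy.group_fields) == key
                  and now - datetime.fromisoformat(h["alarm"]["time"]) <= policy.window]
        existing = [h["event_id"] for h in recent if h["event_id"]]
        if existing:                                # S2013/S2014: historical event ID found
            event_id = existing[-1]
        elif len(recent) + 1 >= policy.threshold:   # S2031: occurrences reach the threshold
            event_id = "EV-%d" % next(self._ids)
            self.created[event_id] = a["time"]
            for h in recent:                        # assumption: pending alarms in the window join
                h["event_id"] = event_id
        else:
            event_id = None                         # S2033: flow finished, kept only as history
        self.history.append({"alarm": a, "policy": policy, "event_id": event_id})
        return event_id

    def convert(self, alarms):
        """Run S10-S40 over alarms in occurrence order; returns the security events."""
        for a in sorted(alarms, key=lambda x: x["time"]):                      # S10
            policy = next((p for p in self.policies
                           if all(a.get(k) == v for k, v in p.required.items())), None)
            if policy is None or any(a.get(f) in v for f, v in policy.filter_list.items()):
                continue                            # no policy condition met, or filter list hit
            self._merge(a, policy)
        events = {}
        for h in self.history:                      # second alarm data: alarms with an event ID
            if not h["event_id"]:
                continue
            t, p = assign_fields(h["alarm"]), h["policy"]              # third alarm data
            ev = events.setdefault(h["event_id"], {                     # S40 grouping
                "event_id": h["event_id"], "event_policy": p.name,
                "event_name": " / ".join(t[f] for f in p.output_fields),
                "event_level": t["level"], "attacker": t["attacker"], "victim": t["victim"],
                "start_time": self.created[h["event_id"]], "update_time": t["time"],
                "merged_alarms": 0})
            ev["update_time"] = max(ev["update_time"], t["time"])
            ev["merged_alarms"] += 1
        return list(events.values())
```

With the 10-minute window the three early brute-force alarms collapse into one event and the 10:20 repeat stays pending below the threshold; widening the window to 30 minutes merges it into the same event, which is the window-size effect described under S2012.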
As shown in fig. 5, a second embodiment of the present invention discloses an apparatus for converting a security alarm into a security event, the apparatus comprising:
the acquiring module 10 is used for acquiring first alarm data;
and at least one policy module 20 comprising:
an alarm merging unit 21, configured to extract or create an event ID of the first alarm data, so as to classify the first alarm data belonging to the same event ID to obtain second alarm data;
the event output unit 22 is configured to perform custom assignment on the second alarm data to obtain third alarm data;
and an event information unit 23, configured to group the third alarm data to obtain a security event.
It should be noted that, in this embodiment, the third alarm data is grouped according to a user-defined grouping manner, and generally, the grouping manner may adopt a manner of performing grouping ordering on an alarm name, a source address, a destination address, a threat level, a user name, and a domain name, for example. For general attack events, grouping can be performed according to grouping modes of alarm names, source addresses, destination addresses and threat levels. For the attack event of the intranet user concerned, the attack event can be grouped according to the grouping mode of an alarm name, a threat level and a user name. The event policy in this embodiment provides a flexible grouping manner, and may group the alarm data according to different requirements of the user.
The embodiment can flexibly configure the event policy process, extract or create the event ID of the alarm data by using the event policy, classify the first alarm data belonging to the same event ID, perform custom assignment and grouping on the classified alarm data, and generate the related security event. By means of the method of warehousing and merging the alarm data, the alarm storm is eliminated, and the analysis and response cost of the threat is reduced. Meanwhile, in the threat analysis process, an effective threat evidence chain can be provided, so that an analyst can be helped to quickly discriminate asset threat data, the threat potential is reduced, and the efficiency of safe operation is improved.
In some embodiments, the alarm merging unit 21 includes:
a determining unit, configured to determine whether a target event ID exists based on the alarm field value in the first alarm data, the target event ID having been generated from alarm data with the same alarm field value;
an extracting unit, configured to extract the target event ID as the event ID of the first alarm data when the output of the determining unit is yes;
a creating unit, configured to create a new event ID as the event ID of the first alarm data when the output of the determining unit is no;
and a classification unit, configured to classify the first alarm data belonging to the same event ID to obtain second alarm data.
It should be noted that in this embodiment the same event ID is used to merge alarm data belonging to the same class: the event ID classifies the first alarm data and serves as the unique key of the data aggregate stored in the first alarm data storage device, so that the repeated behaviors of one or more attackers and the repeated alarms of the same class raised by multiple security devices are merged. This quickly gives the analyst what is needed and reduces the cost of analysing and responding to a threat.
In some embodiments, the determining unit is specifically configured to:
determining, according to the alarm field value in the first alarm data, the custom alarm field under which the first alarm data falls in a predefined grouping condition;
searching historical alarm data within a time window according to the custom alarm field;
and judging whether the historical alarm data has generated a historical event ID: if so, the historical event ID is the target event ID; if not, the target event ID does not exist.
It should be noted that the predefined grouping condition is the main basis for grouping similar alarm data that satisfy the requirement, specifically a field and field value of the alarm data that are used in the event search.
The time window is the validity period matched to the configured alarm data and to the validity period of the event policy. Setting a time window bounds the duration of the search; if the target event ID is not found within the time window, a new event ID must be created.
Setting the time window avoids repeated presentation of similar or duplicate alarms within a period of time, which would otherwise increase the analysis and handling workload of security analysts. The size of the configured time window affects the number of generated security events; the two are proportional to each other. Therefore, by controlling the size of the time window, the invention effectively suppresses the alarm storm, reduces the handling cost and increases the efficiency of security operations.
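The alarm merging unit described above (determining, extracting, creating and classification units with a time-windowed search of historical alarm data) can be illustrated with the following Python sketch. It is an added example, not code from the patent or its assignee; the grouping fields, the `EVT-` event ID format, the `Alarm` structure and the sample alarms are all constructed here as assumptions. It also shows the effect the description mentions: the same alarm stream produces a different number of events depending on the window size.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Predefined grouping condition (assumption: the patent leaves the fields
# user-defined; these four follow its "general attack event" example).
GROUP_FIELDS: Tuple[str, ...] = ("alarm_name", "src_ip", "dst_ip", "threat_level")


@dataclass
class Alarm:
    ts: datetime            # occurrence time of the alarm
    fields: Dict[str, str]  # raw alarm field values
    event_id: Optional[str] = None


class AlarmMerger:
    """Alarm merging unit: extract a target event ID from historical alarms in
    the time window, or create a new one; alarms with the same event ID form
    the second alarm data."""

    def __init__(self, group_fields: Tuple[str, ...], window: timedelta):
        self.group_fields = group_fields
        self.window = window
        self.history: List[Alarm] = []   # processed alarms, in time order
        self._next_id = 0

    def group_key(self, alarm: Alarm) -> Tuple[str, ...]:
        """Custom alarm field values that put two alarms in the same category."""
        return tuple(alarm.fields.get(f, "") for f in self.group_fields)

    def find_target_event_id(self, alarm: Alarm) -> Optional[str]:
        """Search historical alarm data inside the window for an existing event ID."""
        key = self.group_key(alarm)
        cutoff = alarm.ts - self.window
        for past in reversed(self.history):      # newest first
            if past.ts < cutoff:
                break                            # older entries are outside the window
            if past.event_id and self.group_key(past) == key:
                return past.event_id
        return None

    def merge(self, alarm: Alarm) -> str:
        """Assign the target event ID, or create a new one if none exists."""
        target = self.find_target_event_id(alarm)
        if target is None:
            target = f"EVT-{self._next_id:06d}"   # constructed ID format
            self._next_id += 1
        alarm.event_id = target
        self.history.append(alarm)
        return target

    def second_alarm_data(self) -> Dict[str, List[Alarm]]:
        """Classification unit: group processed alarms by event ID."""
        groups: Dict[str, List[Alarm]] = {}
        for a in self.history:
            groups.setdefault(a.event_id, []).append(a)
        return groups


def run_sample(window_minutes: int = 30) -> Tuple[List[str], Dict[str, int]]:
    """Feed constructed sample alarms (not real data) through the merger and
    return the event ID assigned to each alarm plus the size of each group."""
    t0 = datetime(2021, 12, 8, 9, 0, 0)
    ssh = {"alarm_name": "SSH brute force", "src_ip": "10.0.0.5",
           "dst_ip": "10.0.1.9", "threat_level": "high"}
    web = {"alarm_name": "Web scan", "src_ip": "10.0.0.7",
           "dst_ip": "10.0.1.9", "threat_level": "medium"}
    # (minutes after t0, fields): three SSH alarms in quick succession, one web
    # alarm, then the same SSH alarm again 90 minutes later.
    raw = [(0, ssh), (2, ssh), (5, ssh), (7, web), (90, ssh)]
    merger = AlarmMerger(GROUP_FIELDS, timedelta(minutes=window_minutes))
    ids = [merger.merge(Alarm(t0 + timedelta(minutes=m), dict(f))) for m, f in raw]
    sizes = {eid: len(g) for eid, g in merger.second_alarm_data().items()}
    return ids, sizes


if __name__ == "__main__":
    print(run_sample(30))    # the late SSH alarm starts a third event
    print(run_sample(120))   # a wider window folds it into the first event
```

The history scan assumes alarms are processed in order of occurrence time, which matches the description's statement that event policies are matched in that order; with an unordered feed the early `break` would have to be replaced by a full scan or a time-indexed store.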
In some embodiments, the event output unit 22 includes:
a sampling unit, configured to sample the alarm field value of each record in the second alarm data to obtain a sampling field;
and an assignment unit, configured to perform custom assignment on the second alarm data based on the information contained in the sampling field to obtain third alarm data.
It should be noted that the custom assignment step canonicalizes the alarm data, so that the security alarm data is effectively converted into security event data.
It should be noted that, in this embodiment, the fields of the second alarm data are reassigned before it is output, for example by assigning the attacker and the victim. The sampling field is an alarm field of the second alarm data; in a security event, the field containing the source address is generally determined to be the attacker and the field containing the destination address the victim. When a specific user name is being brute-forced, however, the field containing that user name is determined to be the specific victim, so the security operator can customize the assignment.
In some embodiments, the apparatus further comprises:
a display module, configured to display the third alarm data according to a set display format.
It should be noted that the displayed content of the alarm data in this embodiment includes, but is not limited to: event name, event ID, event policy name, event level, attacker, victim, start time, update time, event policy classification, responsible person, handling status, threat status, notification status, merged alarms and ATT&CK.
It should be understood that those skilled in the art may set different presentation formats according to actual service requirements, and the embodiment is not limited in particular.
In some embodiments, the apparatus further includes a first determining module, specifically configured to:
judging whether the first alarm data meets the necessary conditions of the event strategy;
if so, processing the first alarm data by using the event strategy matched with the first alarm data;
if not, the flow is determined to be finished.
It should be noted that, in this embodiment, event policies of different numbers may be set according to actual service requirements, when first alarm data is obtained, event policies of the first alarm data are matched according to the sequence of occurrence times of the first alarm data, and when a necessary condition preset by an event policy is met, the data is classified and merged by using the event policy matched with the first alarm data.
In some embodiments, the apparatus further includes a second determining module, specifically configured to:
judging whether the first alarm data contains an alarm field value that matches an alarm field value in the filtering list;
if yes, determining that the process is finished;
if not, determining that the first alarm data is valid alarm data;
and extracting or creating the event ID of the valid alarm data by using the alarm merging policy.
It should be noted that the filtering list is a pre-created list of information groups that stores the alarm fields meeting the filtering condition. Before the first alarm data is classified, it is determined whether the value of some alarm field in the alarm data appears in the filtering list; if so, the first alarm data is filtered out and the process ends, otherwise the first alarm data is determined to be valid alarm data and classification proceeds, which ensures the accuracy of alarm data processing.
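The two determining modules (necessary condition of the event policy, filtering list), the event output unit (sampling and custom assignment of attacker and victim, including the brute-force case where the targeted user name becomes the victim) and the event information policy's grouping can be put together as below. This is an added Python example, not the patent's own code; the filter list contents, the policy condition, the threat-level ranking, the field names and the sample alarms are constructed assumptions. The second alarm data is built by hand here because merging by event ID is the alarm merging unit's job and is not repeated.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Filtering list (constructed sample): alarm field values that identify noise.
FILTER_LIST: Dict[str, set] = {
    "src_ip": {"10.0.0.250"},       # assumed internal scanner address
    "alarm_name": {"Heartbeat"},
}

# Necessary condition of the event policy (constructed sample): the policy
# only handles alarms at these threat levels.
POLICY_REQUIRED: Dict[str, set] = {"threat_level": {"medium", "high", "critical"}}

LEVEL_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}   # assumed ordering


def in_filter_list(alarm: dict) -> bool:
    """Second determining module: some field value appears in the filter list."""
    return any(alarm.get(f) in vals for f, vals in FILTER_LIST.items())


def meets_policy(alarm: dict) -> bool:
    """First determining module: the policy's necessary conditions hold."""
    return all(alarm.get(f) in vals for f, vals in POLICY_REQUIRED.items())


def prefilter(first_alarm_data: List[dict]) -> List[dict]:
    """Keep only valid alarm data that the event policy is allowed to process."""
    return [a for a in first_alarm_data if meets_policy(a) and not in_filter_list(a)]


def sample_fields(group: List[dict]) -> Dict[str, Counter]:
    """Sampling unit: collect the values each field takes across merged alarms."""
    sampled: Dict[str, Counter] = {}
    for a in group:
        for k, v in a.items():
            sampled.setdefault(k, Counter())[v] += 1
    return sampled


def custom_assign(event_id: str, group: List[dict]) -> dict:
    """Assignment unit: derive attacker, victim and summary fields from the samples."""
    s = sample_fields(group)
    attacker = s["src_ip"].most_common(1)[0][0]
    victim = s["dst_ip"].most_common(1)[0][0]
    name = s["alarm_name"].most_common(1)[0][0]
    # Custom rule from the description: for brute-force alarms the attacked
    # account, not the destination host, is the victim.
    if "brute" in name.lower() and "user_name" in s:
        victim = s["user_name"].most_common(1)[0][0]
    level = max(s["threat_level"], key=lambda lv: LEVEL_RANK[lv])
    return {
        "event_id": event_id, "event_name": name,
        "attacker": attacker, "victim": victim, "threat_level": level,
        "start_time": min(s["ts"]), "update_time": max(s["ts"]),
        "merged_alarms": len(group),
    }


def build_security_events(second_alarm_data: Dict[str, List[dict]],
                          group_by: Tuple[str, ...] = ("event_name", "threat_level")
                          ) -> Dict[tuple, List[dict]]:
    """Event information policy: group the third alarm data by user-chosen fields."""
    third = [custom_assign(eid, g) for eid, g in second_alarm_data.items()]
    events: Dict[tuple, List[dict]] = {}
    for rec in third:
        events.setdefault(tuple(rec[f] for f in group_by), []).append(rec)
    return events


def run_sample() -> Tuple[List[dict], Dict[tuple, List[dict]]]:
    """Constructed first alarm data (not real data) through filter, assignment and grouping."""
    first = [
        {"ts": "2021-12-08T09:00:00", "alarm_name": "Heartbeat", "src_ip": "10.0.0.1",
         "dst_ip": "10.0.1.9", "threat_level": "low"},
        {"ts": "2021-12-08T09:01:00", "alarm_name": "SSH brute force", "src_ip": "10.0.0.5",
         "dst_ip": "10.0.1.9", "threat_level": "high", "user_name": "admin"},
        {"ts": "2021-12-08T09:03:00", "alarm_name": "SSH brute force", "src_ip": "10.0.0.5",
         "dst_ip": "10.0.1.9", "threat_level": "high", "user_name": "admin"},
        {"ts": "2021-12-08T09:04:00", "alarm_name": "Port scan", "src_ip": "10.0.0.250",
         "dst_ip": "10.0.1.9", "threat_level": "medium"},
        {"ts": "2021-12-08T09:05:00", "alarm_name": "Web scan", "src_ip": "10.0.0.7",
         "dst_ip": "10.0.1.9", "threat_level": "medium"},
    ]
    kept = prefilter(first)
    # Second alarm data as the merging unit would produce it (constructed here).
    second = {"EVT-000000": kept[:2], "EVT-000001": kept[2:]}
    return kept, build_security_events(second)


if __name__ == "__main__":
    for key, recs in run_sample()[1].items():
        print(key, recs)
```

The heartbeat alarm fails the policy condition and the scanner alarm is on the filter list, so neither reaches the merging stage; the two SSH alarms collapse into one event whose victim is the account `admin` rather than the host, while the web scan keeps the destination address as victim.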
A third embodiment of the invention discloses a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method as described above.
It should be noted that the logic and/or steps represented in the flowcharts or otherwise described herein, such as an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims (10)

1. A method for converting a security alarm into a security event, wherein the method is configured to convert the alarm into the security event by using at least one preset event policy, and the event policy includes an alarm merge policy, an event output policy, and an event information policy, and the method includes:
acquiring first alarm data;
extracting or creating an event ID of the first alarm data by using an alarm merging strategy so as to classify the first alarm data belonging to the same event ID to obtain second alarm data;
performing custom assignment on the second alarm data by using an event output strategy to obtain third alarm data;
and grouping the third alarm data by using an event information strategy to obtain a security event.
2. The method for converting a security alarm into a security event according to claim 1, wherein the extracting or creating the event ID of the first alarm data by using the alarm merging policy comprises:
determining whether a target event ID exists based on an alarm field value in the first alarm data, wherein the target event ID is generated based on alarm data with the same alarm field value;
if so, extracting the target event ID as the event ID of the first alarm data;
and if not, creating a new event ID as the event ID of the first alarm data.
3. The method for converting a security alert to a security event of claim 2, wherein determining whether a target event ID exists based on an alert field value in the first alert data comprises:
according to the alarm field value in the first alarm data, determining a self-defined alarm field belonging to the same category as the first alarm data in a predefined grouping condition;
searching historical alarm data in a time window according to the custom alarm field;
judging whether the historical alarm data generates a historical event ID or not;
if yes, determining the historical event ID as the target event ID;
if not, determining that the target event ID does not exist.
4. The method for converting a security alert to a security event of claim 2, wherein the creating a new event ID as the event ID of the first alert data comprises:
judging whether the number of occurrences of the alarm field value in the first alarm data matches the count in the statistic field;
if so, creating the new event ID as the event ID of the first alarm data;
if not, the flow is determined to be finished.
5. The method for converting security alarm into security event according to claim 1, wherein the performing a custom assignment on the second alarm data by using an event output policy to obtain third alarm data comprises:
sampling alarm field values of all data in the second alarm data to obtain sampled fields;
and performing custom assignment on the second alarm data based on the information contained in the sampling field to obtain third alarm data.
6. The method of converting a security alert into a security event of claim 1, the method further comprising:
and displaying the third alarm data according to a set display format.
7. The method for converting a security alert into a security event of claim 1, further comprising, after the obtaining the first alert data:
judging whether the first alarm data meets the necessary conditions of the event strategy;
if so, processing the first alarm data by using the event strategy matched with the first alarm data;
if not, the flow is determined to be finished.
8. The method of converting a security alert into a security event of claim 7, the method further comprising:
judging whether an alarm field value which is matched and consistent with the alarm field value in the filtering list exists in the first alarm data;
if yes, determining that the process is finished;
if not, determining that the first alarm data is valid alarm data;
and extracting or creating the event ID of the effective alarm data by using the alarm merging strategy.
9. An apparatus for converting a security alert into a security event, the apparatus comprising:
the acquisition module is used for acquiring first alarm data;
and at least one policy module comprising:
the alarm merging unit is used for extracting or creating an event ID of the first alarm data so as to classify the first alarm data belonging to the same event ID to obtain second alarm data;
the event output unit is used for carrying out user-defined assignment on the second alarm data to obtain third alarm data;
and the event information unit is used for grouping the third alarm data to obtain a safety event.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-8.
CN202111493105.1A 2021-12-08 2021-12-08 Method, device and storage medium for converting safety alarm into safety event Pending CN114186227A (en)


Publications (1)

Publication Number Publication Date
CN114186227A true CN114186227A (en) 2022-03-15

Family

ID=80603850


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115292310A (en) * 2022-07-11 2022-11-04 北京天融信网络安全技术有限公司 Alarm event data processing method and device, electronic equipment and storage medium
CN115292310B (en) * 2022-07-11 2023-03-10 北京天融信网络安全技术有限公司 Alarm event data processing method and device, electronic equipment and storage medium
CN116560937A (en) * 2023-03-27 2023-08-08 中国华能集团有限公司北京招标分公司 Alarm engine using method
CN116560937B (en) * 2023-03-27 2024-02-27 中国华能集团有限公司北京招标分公司 Alarm engine using method


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination