CN109450671A - Log multi-combination alarm classification method and system - Google Patents
Log multi-combination alarm classification method and system
- Publication number: CN109450671A (application CN201811226511.XA)
- Authority: CN (China)
- Prior art keywords: log, queue, rule numbers, alarm, logs
- Prior art date
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC, under H04L—Transmission of digital information, e.g. telegraphic communication)
- H04L41/069—Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
- H04L41/0604—Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H04L41/064—Management of faults, events, alarms or notifications using root cause analysis involving time analysis
- H04L63/1425—Network security for detecting or protecting against malicious traffic by monitoring network traffic: traffic logging, e.g. anomaly detection
- H04L63/1433—Network security for detecting or protecting against malicious traffic: vulnerability analysis
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a log multi-combination alarm classification method and system. The method first obtains a plurality of target original logs; filters the target original logs using preset regular expressions to obtain a plurality of filtered logs; adds to each filtered log, according to the regular expression, the rule number of the regular expression that matched it, generating a plurality of numbered logs; then obtains the label combination of the system actions in a target alarm rule; and judges whether the rule numbers of the numbered logs can completely match the label combination. If so, the numbered logs are classified into the target alarm event category corresponding to that label combination and an alarm is generated. Because the method judges whether the rule numbers of the target logs completely match the label combination of system actions, rather than matching a single action, it avoids the low accuracy, false positives and missed detections of existing log classification and improves the accuracy of log classification and alarming.
Description
Technical field
The present invention relates to the technical field of classification analysis, and in particular to a log multi-combination alarm classification method and system.
Background technique
With the continuous development of network technology and the growth of network scale, the various network devices, operating systems and security devices in a network system all generate large amounts of log data. In order to extract key data from massive logs, improve log analysis efficiency, strengthen early warning and reduce missed and false alarms, the original logs need to be classified into multi-combination alarms so that no useless alarms are generated. Only logs relevant to the configured multi-combination alarm strategies have analysis and storage value. Therefore, classifying original logs into multi-combination alarm events, retaining the original logs relevant to an alarm event and discarding the other useless logs, allows log analysts to process these logs more efficiently while saving log storage space, so that logs can be kept for a longer time.
At present, log classification methods mainly use clustering algorithms, which are mainly statistical. The classification results obtained contain a certain degree of error, their accuracy is not very high, and false positives and missed detections occur easily.
Summary of the invention
The object of the present invention is to provide a log multi-combination alarm classification method and system, to solve the problems that existing log classification methods have low classification accuracy and are prone to false positives and missed detections.
To achieve the above object, the present invention provides the following solutions:
A log multi-combination alarm classification method, the method comprising:
obtaining a plurality of target original logs, the target original logs originating from a firewall, a network device, a host system, a database or middleware;
filtering the plurality of target original logs using preset regular expressions to obtain a plurality of filtered logs;
adding, according to the regular expression, the rule number of the regular expression to each filtered log, generating a plurality of numbered logs and storing them;
obtaining the label combination of system actions in a target alarm rule;
judging whether the rule numbers of the plurality of numbered logs can completely match the label combination, to obtain a first judging result;
if the first judging result is that the rule numbers of the plurality of numbered logs can completely match the label combination, classifying the plurality of numbered logs into the target alarm event category corresponding to the label combination and generating an alarm.
Optionally, judging whether the rule numbers of the plurality of numbered logs can completely match the label combination to obtain the first judging result specifically comprises:
judging in turn whether the rule number of each numbered log is present in the label combination, to obtain a second judging result;
if the second judging result is that the rule number of the numbered log is present in the label combination, determining the position of the rule number of the numbered log within the label combination;
if the rule number of the numbered log is at the head position of the label combination, recording the numbered log into an empty queue to generate a matched queue;
if the rule number of the numbered log is at a middle position of the label combination, judging whether the rule number preceding it in the label combination is already in the matched queue, to obtain a third judging result;
if the third judging result is that the preceding rule number is in the matched queue, judging whether the time interval between the numbered log and the preceding numbered log corresponding to the preceding rule number is less than a preset threshold, to obtain a fourth judging result;
if the fourth judging result is that the time interval between the numbered log and the preceding numbered log is less than the preset threshold, recording the numbered log into the matched queue;
if the rule number of the numbered log is at the tail position of the label combination, judging whether the rule number preceding it in the label combination is already in the matched queue, to obtain a fifth judging result;
if the fifth judging result is that the preceding rule number is in the matched queue, judging whether the time interval between the numbered log and the preceding numbered log corresponding to the preceding rule number is less than the preset threshold, to obtain a sixth judging result;
if the sixth judging result is that the time interval between the numbered log and the preceding numbered log is less than the preset threshold, recording the numbered log into the matched queue to generate a complete-match queue;
generating the first judging result according to the complete-match queue, the first judging result being that the rule numbers of the plurality of numbered logs can completely match the label combination.
Optionally, classifying the plurality of numbered logs into the target alarm event category corresponding to the label combination and generating an alarm specifically comprises:
classifying the numbered logs in the complete-match queue into the target alarm event category corresponding to the label combination;
determining an alarm level according to the numbered logs in the complete-match queue;
raising a log event alarm according to the alarm level.
Optionally, determining the alarm level according to the numbered logs in the complete-match queue specifically comprises:
obtaining the initial risk values and asset values of the numbered logs in the complete-match queue;
calculating the average time interval of the numbered logs in the complete-match queue;
determining a risk value according to the initial risk values, the asset values and the average time interval;
determining the alarm level of the numbered logs in the complete-match queue according to the risk value.
A log multi-combination alarm classification system, the system comprising:
a log acquisition module for obtaining a plurality of target original logs, the target original logs originating from a firewall, a network device, a host system, a database or middleware;
a log filtering module for filtering the plurality of target original logs using preset regular expressions to obtain a plurality of filtered logs;
a rule number adding module for adding, according to the regular expression, the rule number of the regular expression to each filtered log, generating a plurality of numbered logs and storing them;
an alarm rule label obtaining module for obtaining the label combination of system actions in a target alarm rule;
a matching module for judging whether the rule numbers of the plurality of numbered logs can completely match the label combination, to obtain a first judging result;
a classification alarm module for, if the first judging result is that the rule numbers of the plurality of numbered logs can completely match the label combination, classifying the plurality of numbered logs into the target alarm event category corresponding to the label combination and generating an alarm.
Optionally, the matching module specifically comprises:
a second judging submodule for judging in turn whether the rule number of each numbered log is present in the label combination, to obtain a second judging result;
a position determining submodule for, if the second judging result is that the rule number of the numbered log is present in the label combination, determining the position of the rule number of the numbered log within the label combination;
a head-of-queue log processing submodule for, if the rule number of the numbered log is at the head position of the label combination, recording the numbered log into an empty queue to generate a matched queue;
an in-queue log processing submodule for, if the rule number of the numbered log is at a middle position of the label combination, judging whether the rule number preceding it in the label combination is already in the matched queue, to obtain a third judging result;
an in-queue time judging submodule for, if the third judging result is that the preceding rule number is in the matched queue, judging whether the time interval between the numbered log and the preceding numbered log corresponding to the preceding rule number is less than a preset threshold, to obtain a fourth judging result;
an in-queue log recording submodule for, if the fourth judging result is that the time interval between the numbered log and the preceding numbered log is less than the preset threshold, recording the numbered log into the matched queue;
a tail-of-queue log processing submodule for, if the rule number of the numbered log is at the tail position of the label combination, judging whether the rule number preceding it in the label combination is already in the matched queue, to obtain a fifth judging result;
a tail-of-queue time judging submodule for, if the fifth judging result is that the preceding rule number is in the matched queue, judging whether the time interval between the numbered log and the preceding numbered log corresponding to the preceding rule number is less than the preset threshold, to obtain a sixth judging result;
a tail-of-queue log recording submodule for, if the sixth judging result is that the time interval between the numbered log and the preceding numbered log is less than the preset threshold, recording the numbered log into the matched queue to generate a complete-match queue;
a first judging result generating submodule for generating the first judging result according to the complete-match queue, the first judging result being that the rule numbers of the plurality of numbered logs can completely match the label combination.
Optionally, the classification alarm module specifically comprises:
a log classification submodule for classifying the numbered logs in the complete-match queue into the target alarm event category corresponding to the label combination;
an alarm level determining submodule for determining an alarm level according to the numbered logs in the complete-match queue;
a log alarm submodule for raising a log event alarm according to the alarm level.
Optionally, the alarm level determining submodule specifically comprises:
an initial risk value and asset value acquiring unit for obtaining the initial risk values and asset values of the numbered logs in the complete-match queue;
an average time interval calculating unit for calculating the average time interval of the numbered logs in the complete-match queue;
a risk value determining unit for determining a risk value according to the initial risk values, the asset values and the average time interval;
an alarm level determining unit for determining the alarm level of the numbered logs in the complete-match queue according to the risk value.
According to the specific embodiments provided by the present invention, the invention discloses the following technical effects:
The present invention provides a log multi-combination alarm classification method and system. The method first obtains a plurality of target original logs; filters the target original logs using preset regular expressions to obtain a plurality of filtered logs; adds to each filtered log, according to the regular expression, the rule number of the regular expression, generating a plurality of numbered logs and storing them; then obtains the label combination of system actions in a target alarm rule; and judges whether the rule numbers of the numbered logs can completely match the label combination. If so, the numbered logs are classified into the target alarm event category corresponding to the label combination and an alarm is generated. Because the method judges whether the rule numbers of the target logs completely match the label combination of system actions, rather than matching only a single action, it avoids the low accuracy, false positives and missed detections of existing log classification and improves the accuracy of log classification and alarming.
Description of the drawings
In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings required in the embodiments are briefly described below. Obviously, the drawings in the following description are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is the flow diagram of the log multi-combination alarm classification method provided by the invention;
Fig. 2 is the flow diagram of the method for matching combination alarm logs provided by the invention;
Fig. 3 is the flow diagram of the method provided by the invention for mining alarm rules using a decision tree algorithm;
Fig. 4 is the flow diagram of the method for determining the alarm level provided by the invention;
Fig. 5 is the structural diagram of the log multi-combination alarm classification system provided by the invention.
Specific embodiment
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only a part of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the protection scope of the invention.
The object of the present invention is to provide a log multi-combination alarm classification method and system, to solve the problems that existing log classification methods have low classification accuracy and are prone to false positives and missed detections.
To make the above objects, features and advantages of the present invention clearer and easier to understand, the invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is the flow diagram of the log multi-combination alarm classification method provided by the invention. Referring to Fig. 1, the log multi-combination alarm classification method provided by the invention specifically comprises:
Step 101: obtain a plurality of target original logs.
Target original logs can be obtained by active acquisition or by passive reception. For active acquisition, a Windows host device is connected via remote desktop to obtain its system, database and middleware logs, and a Linux host device is connected via ssh to obtain its system, database and middleware logs.
The passive acquisition mode can be used for devices that cannot provide active acquisition: the device is configured with syslog, or a client capable of collecting logs is installed, so that log data are sent uniformly to a log receiving server, which thereby obtains the target original logs.
The target original logs originate from a firewall, a network device, a host system, a database or middleware.
Step 102: filter the plurality of target original logs using preset regular expressions to obtain a plurality of filtered logs.
Step 103: add, according to the regular expression, the rule number of the regular expression to each filtered log, generating a plurality of numbered logs and storing them.
The log filtering module filters the target original logs obtained in step 101 through the preset regular expressions, extracts the sensitive logs among the target original logs, converts the extracted filtered logs into a unified format, adds the regular expression rule number, and stores the generated numbered logs in the database for subsequent multi-combination alarm processing.
The format of an extracted numbered log is:
[time] [ip address] [log type] [rule number] [original log]
For example, in the numbered log "1522639541c0a801020101d1c2m6z0ty00192.168.138.100OSType12AXTXId=6013AXTXSrc=Eventlog AXTXMsg=system start-up time is 20 seconds", "1522639541" is the time, "c0a80102" is the corresponding ip address, "0" is the log type (here 0 denotes a system log), "101" is the corresponding rule number, and the remainder is the original log data. The log types include system logs (denoted by 0), application logs (denoted by 1) and other logs (denoted by 2).
Step 102 mainly filters the target original logs against the configured filtering rules; step 103 mainly adds the regular expression rule number to each filtered log, because all subsequent matching of the target original logs is based on the rule numbers of the regular expressions. A rule number is the ID number of the corresponding action in the system action library of the database. A system action may be an operation such as a login or a refresh; each such operation is one action.
Step 104: obtain the label combination of system actions in the target alarm rule.
According to the preset target alarm rule, the label combination of system actions in the target alarm rule is obtained. In the present invention each target alarm rule is composed of a plurality of system actions, and the label combination of system actions in a target alarm rule is the combination of the ID numbers, in the database, of all the system actions in that target alarm rule.
The target alarm rules can be set in three forms:
The first is built-in rules. Built-in rules are added according to known vulnerabilities, so that when a new vulnerability is published a rule can be added in time to avoid unnecessary loss.
The second is custom rules. Custom rules use data mining algorithms on large amounts of existing log data to discover security incidents. Comparison rules can also be set, such as "root user login", so that an alarm is generated only when the root user logs in rather than on every user login; this achieves configurable low false-positive rates while also providing early warning.
The third form of alarm rule is based on statistics of the existing logs: from the statistical results, the probability that an alarm is generated when each system action occurs is calculated, and conditional probability is then used to calculate, given that one system action has occurred, the probability that an alarm is generated when another system action occurs. Based on these statistics, machine learning is used to mine series of potentially dangerous system actions from the existing data and form corresponding alarm rules, which are added to the alarm rules automatically so that warning can be given in advance. The present invention preferably uses the third form of alarm rule.
Step 105: judge whether the rule numbers of the plurality of numbered logs can completely match the label combination, to obtain a first judging result.
Step 105 retrieves the numbered logs generated by step 103 and, based on the label combination of system actions in the target alarm rule obtained in step 104, judges whether the rule numbers of the retrieved numbered logs can completely match every ID number in the label combination.
Step 105 continuously obtains numbered logs from step 103, i.e. the log data generated each time by recent events, and matches them against the label combination of step 104. If matching succeeds, i.e. a complete match is achieved, the logs that form the label combination of system actions in the target alarm rule are classified into the corresponding category.
Fig. 2 is the flow diagram of the method for matching combination alarm logs provided by the invention. Referring to Fig. 2, judging whether the rule numbers of the plurality of numbered logs can completely match the label combination, to obtain the first judging result, specifically comprises:
Step S41: obtain the filtered target logs, i.e. the numbered logs recorded in step 103. The most recently generated numbered logs are fetched at a set period; if no new numbered log was generated in the latest period, wait for the next period.
Step S42: obtain the combination alarm action numbers, i.e. the label combination of system actions in the target alarm rule of step 104. An alarm switch can be set to enable or disable the combination alarm state. When obtaining label combinations, only the label combinations of the target alarm rules stored in the database in the enabled state are obtained; alarm label combinations in the disabled state are ignored when obtained. For example, the obtained label combination sequence is a_1 to a_n: [a_1, a_2, a_3, ..., a_n], where a_1 to a_n are the rule numbers corresponding to the label combination.
Step S43: judge whether the rule number of the target log is among the combination alarm numbers, i.e. whether the rule number of the numbered log is present in the label combination. Parse the numbered log obtained in step S41 to get its rule number and judge whether that rule number is in the label combination obtained in step S42; if not, ignore this numbered log, return to step S41 and obtain the next numbered log.
Step S44: calculate the position of the target log's rule number, i.e. determine the position of the numbered log's rule number within the label combination. If the judgment of step S43 is yes, the position of this numbered log's rule number within the label combination is matched; the label combination is the list of ID numbers of the system actions in the target alarm rule. The position of a rule number in the label combination has three cases: first in the queue, in the middle of the queue, or last in the queue, handled by steps S45, S46 and S47 respectively.
Step S45: record the first log of the alarm rule combination. For a numbered log whose rule number is at the head position of the label combination, create an empty queue, store the numbered log that is first in the queue into the newly created queue, and generate the matched queue. For example, if the rule number of this log is a_1, queue L is created and the matched queue is:
L = [a_1]
Step S46: record a log at a middle position of the combination. For a numbered log whose rule number is at a middle position of the label combination, search the existing matched queue for a numbered log with the preceding rule number. If it exists, calculate whether the time interval between the numbered log corresponding to the preceding rule number and the numbered log currently being judged exceeds the set threshold; if so, discard the currently judged numbered log; if not, store the currently judged numbered log into the matched queue. If a log with the same rule number already exists in the matched queue, update the existing log in the matched queue to the currently judged numbered log. For example, if the rule number of the currently judged numbered log is a_2, judge whether the matched queue L contains the numbered log a_1 corresponding to the preceding rule number; if a_1 is in L, calculate the time interval t from a_1 to a_2; if t < threshold, store a_2 into the matched queue L, which is then updated to:
L = [a_1, a_2]
Step S47: record the log at the last position of the combination. As in step S46, store the numbered log at the last position into the queue. Specifically: if the rule number of the numbered log is at the tail position of the label combination, judge whether the rule number preceding it in the label combination is already in the matched queue; if so, judge whether the time interval between the numbered log and the preceding numbered log corresponding to the preceding rule number is less than the preset threshold; if so, record the numbered log into the matched queue and generate the complete-match queue. For example, for the log a_n at the last position of the alarm rule, the complete-match queue L is generated:
L = [a_1, a_2, a_3, ..., a_n]
Step S48: alarm. At this point the complete-match queue L fully records the logs whose ID numbers are a_1 to a_n in the label combination, indicating that the rule numbers of the plurality of numbered logs completely match the label combination; an alarm is then generated according to the numbered logs recorded in the complete-match queue L.
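The matching procedure of steps S41 to S48 (and of the corresponding optional claim above) as an added Python example; this is not code from the patent. It assumes a numbered log is held as a record with the five fields of the step 103 format, that logs arrive in time order, that the threshold is in seconds, and that a new head-of-combination log restarts the matched queue.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NumberedLog:
    """One numbered log in the [time] [ip] [type] [rule number] [original log] format."""
    time: int       # epoch seconds, e.g. 1522639541
    ip: str         # IP address as 8 hex digits, e.g. "c0a80102"
    log_type: int   # 0 system log, 1 application log, 2 other log
    rule_no: int    # rule number of the matching regular expression (system action ID)
    raw: str        # original log text


def decode_ip(ip_hex: str) -> str:
    """Decode the 8-hex-digit ip field, e.g. "c0a80102" -> "192.168.1.2"."""
    return ".".join(str(int(ip_hex[i:i + 2], 16)) for i in range(0, 8, 2))


class CombinationMatcher:
    """Matches a stream of numbered logs against one label combination [a_1, ..., a_n].

    The matched queue L is kept between calls. feed() returns the complete-match
    queue once the tail rule number a_n has been recorded, and None otherwise.
    """

    def __init__(self, combination: List[int], threshold: int):
        self.combination = list(combination)  # ordered rule numbers of the alarm rule
        self.threshold = threshold            # max seconds between consecutive actions (assumed unit)
        self.queue: List[NumberedLog] = []    # the matched queue L

    def _index(self, rule_no: int) -> Optional[int]:
        """Position in L of the log already recorded for this rule number, if any."""
        for i, entry in enumerate(self.queue):
            if entry.rule_no == rule_no:
                return i
        return None

    def feed(self, log: NumberedLog) -> Optional[List[NumberedLog]]:
        # S43: rule number not in the label combination -> ignore this log
        if log.rule_no not in self.combination:
            return None
        # S44: position of the rule number inside the combination
        pos = self.combination.index(log.rule_no)
        # S45: head of the combination -> fresh matched queue holding only this log
        if pos == 0:
            self.queue = [log]
            return None
        # S46/S47: the preceding rule number must already be in L ...
        prev_idx = self._index(self.combination[pos - 1])
        if prev_idx is None:
            return None
        # ... and the interval to its log must be below the threshold, otherwise discard
        if log.time - self.queue[prev_idx].time >= self.threshold:
            return None
        # S46: a log with the same rule number already in L is replaced by the newer one
        same_idx = self._index(log.rule_no)
        if same_idx is not None:
            self.queue[same_idx] = log
        else:
            self.queue.append(log)
        # S47/S48: tail of the combination reached -> complete-match queue, alarm
        if pos == len(self.combination) - 1:
            complete = list(self.queue)
            self.queue = []
            return complete
        return None


def demo() -> List[List[int]]:
    """Run a constructed sample stream (not from the patent) through one rule [101, 205, 310]."""
    stream = [
        NumberedLog(1522639541, "c0a80102", 0, 101, "user login"),
        NumberedLog(1522639550, "c0a80102", 0, 999, "heartbeat"),          # not in combination: ignored
        NumberedLog(1522639560, "c0a80102", 0, 310, "config exported"),    # tail before 205 seen: ignored
        NumberedLog(1522639570, "c0a80102", 0, 205, "privilege changed"),
        NumberedLog(1522639575, "c0a80102", 0, 205, "privilege changed"),  # same rule: replaces entry
        NumberedLog(1522639600, "c0a80102", 0, 310, "config exported"),    # tail: complete match
    ]
    matcher = CombinationMatcher([101, 205, 310], threshold=60)
    alarms = []
    for log in stream:
        complete = matcher.feed(log)
        if complete is not None:
            alarms.append([entry.rule_no for entry in complete])
    return alarms


if __name__ == "__main__":
    print(demo())  # [[101, 205, 310]]
```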
Step 106: if the first judgment result is that the rule numbers of the multiple numbered logs can completely match the label combination, the multiple numbered logs are classified into the target alarm event category corresponding to the label combination and an alarm is generated. This specifically includes:
Step (1): the multiple numbered logs in the complete match queue are classified into the target alarm event category corresponding to the label combination.
Step (2): the alarm grade is determined according to the multiple numbered logs in the complete match queue.
According to the result matched in step 105, the corresponding alarm grade is confirmed, and alarms are issued at three grades: low, medium and high. The risk value of the generated combination alarm is calculated mainly from the initial risk value of the combination alarm action, the asset value, and the average interval of all events of the target logs constituting the combination alarm action; this determines whether to alarm and at which alarm grade. If the alarm grade is too low, the value of this alarm is not very high and no alarm needs to be issued, which reduces the possibility of false positives.
From the log sample data for which alarms have been generated (that is, the multiple numbered logs in the complete match queue), the system action numbers that generated alarms can be derived as [a_1, a_2, a_3, ..., a_n], where [a_1, a_2, a_3, ..., a_n] are the rule numbers corresponding to the multiple numbered logs in the complete match queue. Here a_i denotes the rule number corresponding to the i-th numbered log in the complete match queue; what a_i specifically represents is a system action. In the present invention a system action is one action performed while operating the system; for example, "clicking the refresh button" is one action.
According to the obtained sample data, the probability p(a_i) that an alarm is generated when system action a_i occurs is calculated separately, i ∈ [1, n], as shown in formula (1):
where N_i is the number of times system action a_i generated an alarm, S is the total number of alarms generated, and n is the number of system actions a_i.
The present invention not only analyzes the probability of a system action occurring, but also mines potentially dangerous alarm rules from the existing alarm rules, and therefore also analyzes the relationship between system actions. The probability that, when system action a_i occurs, another system action a_j also occurs, where j ∈ [1, n], j ≠ i, is calculated by the conditional probability formula and is denoted here by p(a_j | a_i), as shown in formula (2):
p(a_j | a_i) = p(a_j a_i) / p(a_i)    (2)
where p(a_j a_i) denotes the probability that an alarm is generated when a_j and a_i occur in sequence with a_j first; its calculation method is similar to that of p(a_i) and is computed from the existing alarm logs.
When the probabilities are calculated using formulas (1) and (2), the limited initial sample data may make the probability calculation inaccurate; the probabilities are continuously optimized as a large amount of subsequent alarm log data is acquired, so that the sample probabilities gradually become stable. Through the calculated relationships between system actions, a series of potentially dangerous actions can be mined with a data mining algorithm to form corresponding alarm rules.
There are many existing data mining algorithms. The present invention obtains potentially risky alarm rules according to the probabilities with which multiple features occur, which clearly fits the application conditions of a decision tree. Therefore, the present invention uses a decision tree to obtain the desired result. A decision tree algorithm mainly includes three parts: feature selection, tree generation, and tree pruning.
Feature selection: the purpose is to choose features that can classify the training set. The key to feature selection is the criterion, which is generally chosen according to information gain, information gain ratio or Gini index; the present invention uses the information gain ratio.
Decision tree generation: the maximum information gain, maximum information gain ratio or minimum Gini index is usually used as the criterion for feature selection. Starting from the root node, the decision tree is generated recursively.
Decision tree pruning: pruning is intended to prevent the tree from overfitting and to enhance its generalization ability. It includes pre-pruning and post-pruning.
The present invention takes the multiple numbered logs to be analyzed as the training set D, and each system action a_i is a feature value; the main aim of the present invention is to mine a series of potentially dangerous system actions to form corresponding alarm rules. Therefore, to choose which feature value becomes the root node, the information gain ratio corresponding to each feature value must be calculated. Here some concepts need to be introduced.
First the concept of entropy is introduced. Entropy H is defined as the gain value of information and is used to measure the uncertainty of a random variable; it is obtained by formula (3):
When the probabilities in the entropy are estimated from log data, the corresponding entropy is called the empirical entropy. Here the empirical entropy of the training data set D is H(D), and |D| denotes the sample capacity, i.e. the number of samples. Suppose there are K classes C_k, where k = 1, 2, 3, ..., K, and |C_k| is the number of samples belonging to class C_k; then the empirical entropy is calculated using formula (4):
Before calculating the information gain ratio, the concept of conditional entropy must also be understood. The conditional entropy H(Y | X) denotes the uncertainty of random variable Y given that random variable X is known; the conditional entropy of random variable Y under the condition of random variable X is expressed by formula (5):
where p_i is the probability that the random variable takes the value x_i, p_i = P(X = x_i), x_i is a value of the random variable, and m is the number of all values of the random variable; if a probability of 0 occurs, 0 log 0 = 0 is taken. Next the information gain is calculated; information gain is defined relative to a feature.
The information gain g(D, a_i) of feature a_i with respect to the training data set D is defined as the difference between the empirical entropy H(D) of set D and the empirical conditional entropy H(D | a_i) of training data set D given feature a_i, as shown in formula (6):
g(D, a_i) = H(D) - H(D | a_i)    (6)
Features are selected here by the information gain ratio. The information gain ratio g_R(D, a_i) of feature a_i with respect to training data set D is defined as the ratio of its information gain g(D, a_i) to the empirical entropy of training data set D, as shown in formula (7):
With the values obtained by formula (7), the decision tree can be built. The present invention uses the C4.5 algorithm, whose specific process is shown in Fig. 2.
Fig. 3 is a flowchart of the method provided by the present invention for mining alarm rules using a decision tree algorithm. The input of the decision tree algorithm used by the present invention is the training data set D, the feature set A and a threshold ε; the output is the decision tree T. The feature set A is the set of features a_i. Referring to Fig. 3, the method provided by the present invention for mining alarm rules using a decision tree algorithm includes:
Step S31: judge whether all instances belong to the same class C_k. If all instances in D belong to the same class C_k, T is set as a single-node tree with C_k as the class of that node, and T is returned.
Step S32: judge whether the feature set is empty. If the feature set A is empty, T is set as a single-node tree with the class C_k having the largest number of instances in D as the class of that node, and T is returned.
Step S33: calculate the information gain ratio of the feature set. If the feature set is not empty, the information gain ratio of each feature in A with respect to D is calculated, and the feature with the largest information gain ratio is selected as A_g = a_i.
Step S34: judge whether the information gain ratio of the feature A_g with the largest information gain ratio is less than the threshold. If the information gain ratio of A_g is less than the threshold ε, T is set as a single-node tree with the class C_k having the largest number of instances in D as the class of that node, and T is returned.
Step S35: compute each child node. If the information gain ratio of A_g is not less than the threshold ε, then for each possible value a_j of A_g (where j ≠ i), D is divided into several non-empty subsets D_j and each child node is computed: with D_j as the training set and A − {a_i, a_j} as the feature set, steps S31 to S34 are called recursively; the tree T is composed of the node and its child nodes, and T is returned. The recursion ends when A − {a_i, a_j} is empty.
Decision tree algorithms are prone to overfitting, and pruning algorithms are the method for preventing decision tree overfitting and improving generalization performance. The present invention uses a post-pruning algorithm: post-pruning first generates a complete decision tree from the training set, then examines the non-leaf nodes from the bottom up; if replacing the subtree corresponding to a node with a leaf node improves generalization performance, that subtree is replaced with a leaf node.
Finally, each path of the generated tree from the root node to a leaf node is a mined alarm rule with potential risk, and each node is a system action. The mined alarm rules with potential risk are then added, as predicted alarm rules, to the alarm rule library of the system, thereby updating the target alarm rules.
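The gain-ratio selection of formulas (4) to (7) and the tree construction of steps S31 to S35, as an added example that is not the patent's own code: the training set of system-action indicators and the threshold ε = 0.1 are constructed, the gain ratio divides by H(D) as formula (7) on this page defines it (standard C4.5 divides by the split information of the feature instead), and the feature split on is removed from the child's feature set, which is the reading of A − {a_i, a_j} adopted here. Post-pruning is not shown.

```python
"""Gain-ratio feature selection and decision tree construction (steps S31-S35).

Added example, not the patent's own code.  Each sample records whether each
system action a_i occurred (1/0) in one complete match queue, and its class
is whether an alarm was confirmed.  The training set and the threshold eps
are constructed.  The gain ratio follows formula (7) as stated on the page,
g(D, a_i) / H(D); the feature split on is dropped from the child's feature
set.  Post-pruning is not shown.
"""
from collections import Counter
from math import log2
from typing import Dict, List, Optional, Tuple

Sample = Dict[str, int]              # system action name -> 0/1
Row = Tuple[Sample, str]             # (sample, class)

# Constructed training set D: alarms were confirmed whenever a1 and a3 both occurred.
TRAINING_SET: List[Row] = [
    ({"a1": 1, "a2": 0, "a3": 1, "a4": 0}, "alarm"),
    ({"a1": 1, "a2": 1, "a3": 1, "a4": 0}, "alarm"),
    ({"a1": 1, "a2": 0, "a3": 1, "a4": 1}, "alarm"),
    ({"a1": 1, "a2": 1, "a3": 1, "a4": 1}, "alarm"),
    ({"a1": 1, "a2": 0, "a3": 0, "a4": 0}, "normal"),
    ({"a1": 1, "a2": 1, "a3": 0, "a4": 1}, "normal"),
    ({"a1": 0, "a2": 0, "a3": 1, "a4": 0}, "normal"),
    ({"a1": 0, "a2": 1, "a3": 0, "a4": 1}, "normal"),
    ({"a1": 0, "a2": 0, "a3": 0, "a4": 1}, "normal"),
    ({"a1": 0, "a2": 1, "a3": 0, "a4": 0}, "normal"),
]
FEATURES = ["a1", "a2", "a3", "a4"]


class Node:
    """Leaf (label set) or internal node (feature set, children keyed by value)."""
    def __init__(self, label: Optional[str] = None, feature: Optional[str] = None):
        self.label = label
        self.feature = feature
        self.children: Dict[int, "Node"] = {}


def empirical_entropy(rows: List[Row]) -> float:
    """Formula (4): H(D) = -sum_k |C_k|/|D| log2(|C_k|/|D|)."""
    counts = Counter(label for _, label in rows)
    return -sum(c / len(rows) * log2(c / len(rows)) for c in counts.values())


def conditional_entropy(rows: List[Row], feature: str) -> float:
    """Formula (5): H(D|a) = sum_v |D_v|/|D| * H(D_v); empty classes contribute 0."""
    total, h = len(rows), 0.0
    for value in {s[feature] for s, _ in rows}:
        subset = [(s, l) for s, l in rows if s[feature] == value]
        h += len(subset) / total * empirical_entropy(subset)
    return h


def gain_ratio(rows: List[Row], feature: str) -> float:
    """Formulas (6) and (7): g_R(D, a) = (H(D) - H(D|a)) / H(D)."""
    h_d = empirical_entropy(rows)
    if h_d == 0.0:
        return 0.0                                     # pure set: nothing to gain
    return (h_d - conditional_entropy(rows, feature)) / h_d


def majority_class(rows: List[Row]) -> str:
    return Counter(label for _, label in rows).most_common(1)[0][0]


def build_tree(rows: List[Row], features: List[str], eps: float) -> Node:
    labels = {label for _, label in rows}
    if len(labels) == 1:                               # S31: single-class set
        return Node(label=labels.pop())
    if not features:                                   # S32: no feature left
        return Node(label=majority_class(rows))
    ratios = {f: gain_ratio(rows, f) for f in features}  # S33
    best = max(features, key=ratios.__getitem__)
    if ratios[best] < eps:                             # S34: below threshold
        return Node(label=majority_class(rows))
    node = Node(feature=best)                          # S35: one child per value
    remaining = [f for f in features if f != best]
    for value in sorted({s[best] for s, _ in rows}):
        subset = [(s, l) for s, l in rows if s[best] == value]
        node.children[value] = build_tree(subset, remaining, eps)
    return node


def mined_rules(node: Node, path: Optional[Dict[str, int]] = None,
                target: str = "alarm") -> List[Dict[str, int]]:
    """Each root-to-leaf path ending in `target` is one mined alarm rule."""
    path = path or {}
    if node.label is not None:
        return [dict(path)] if node.label == target else []
    rules: List[Dict[str, int]] = []
    for value, child in node.children.items():
        rules.extend(mined_rules(child, {**path, node.feature: value}, target))
    return rules


if __name__ == "__main__":
    tree = build_tree(TRAINING_SET, FEATURES, eps=0.1)
    print("root feature:", tree.feature, "mined rules:", mined_rules(tree))
```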
Step (2) determines the alarm grade according to the multiple numbered logs in the complete match queue.
In the embodiment of the present invention, when a combination of target alarm action labels exists in the logs, the risk value of the generated combination alarm is calculated from the initial risk value of the combination alarm action, the value of the asset, and the average interval of all events of the target logs constituting the combination alarm action; this determines whether to alarm and at which grade. If the alarm grade is too low, the value of this alarm is not very high and no alarm needs to be issued, which reduces the possibility of false positives.
In order to determine the alarm grade, in the embodiment of the present invention the calculated risk value of the combination alarm is divided into grades, and the alarm is presented to the user according to its grade as one of three grades: high, medium and low.
Fig. 4 is a flowchart of the method for determining the alarm grade provided by the present invention. Referring to Fig. 4, in the embodiment of the present invention, step (2) of determining the alarm grade includes the following steps:
S51: confirm the initial risk value of the combination alarm action.
The initial risk value of the combination alarm action is determined according to an existing vulnerability database and the degree of danger that each vulnerability may cause to the host system or device; when a vulnerability causes irreparable, i.e. destructive, harm to the system, the initial risk value of the combination alarm action corresponding to this vulnerability is the highest.
The present invention uses d_i to denote the initial risk value of the i-th complete match queue. If a certain combination alarm action has already been avoided by patching or other means, the system also reduces its corresponding risk value; subsequent changes of the risk value will use machine learning to mine the connections between actions. d_i satisfies the condition shown in formula (8):
0 ≤ d_i ≤ 1    (8)
S52: determine the value of the asset.
The embodiment of the present invention mainly concerns a log analysis system, so the present invention judges the importance of an asset according to the amount of logs it sends within a unit time T_0. All assets are sorted by the amount of logs sent within the unit time T_0, and the value of each asset is determined on a scale of 1 to 10. V_n denotes the asset value of the n-th asset, as shown in formula (9):
1 ≤ V_n ≤ 10    (9)
S53: calculate the average interval of all events of the target logs constituting the combination alarm strategy; that is, calculate the average time interval of the multiple numbered logs in the complete match queue.
In the embodiment of the present invention, a combination alarm action consists of multiple actions that must all be completed in sequence before an alarm is raised. If the time interval between two actions is too large, the present invention considers that the two actions were not completed in sequence, so they are not classified into the same combination alarm action and no alarm is raised.
The present invention uses t_ij to denote the time interval between the j-th action and the (j+1)-th action in the i-th complete match queue, where j ≥ 1. Because the number of actions differs between complete match queues, the average of all action time intervals in each complete match queue is calculated here. Assuming there are j actions in the i-th complete match queue, the average time interval of this complete match queue is as shown in formula (10):
The present invention sets the interval threshold for the average time interval to 1 hour; if the average time interval is greater than 1 hour, no alarm is raised. Not alarming is denoted here by 0, as shown in formula (11):
S54: calculate the risk value of the generated combination alarm; that is, determine the risk value of the complete match queue according to the initial risk value, the asset value and the average time interval.
In the embodiment of the present invention, the risk value of the generated combination alarm is calculated from the initial risk value, the asset value and the average time interval of the complete match queue, as shown in formula (12). The risk value of the i-th complete match queue generated by the n-th asset is:
R_ni = d_i × V_n × t_i    (12)
Here, when the i-th complete match queue is generated, which asset it belongs to can be judged from the IP address field in the logs, so as to find the corresponding asset value.
S55: confirm the alarm grade; the alarm grade of the multiple numbered logs in the complete match queue is determined according to the risk value.
The risk value R_ni when the i-th combination alarm action occurs on the n-th asset is calculated according to formulas (8) to (12), and the corresponding alarm grade is determined according to the risk value. From formula (12) the range of R_ni can be derived, as shown in formula (13):
0 ≤ R_ni ≤ 10    (13)
The present invention sets three alarm grades: low, medium and high. The corresponding alarm grade is therefore confirmed using the range division in Table 1.
Table 1
A corresponding alarm is issued according to the obtained alarm grade; the manner of alarming can also be set according to the alarm grade. If the alarm grade is low or medium, the alarm can be displayed on the home page of the interface; if the alarm grade is high, administrators can be notified immediately by e-mail or SMS so that the problem is resolved promptly and irreparable loss is avoided.
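Steps S51 to S55 and the grade-dependent notification above, as an added example that is not the patent's own code. Formulas (10) and (11) and Table 1 are not reproduced on the page, so the interval factor t_i (1 within the one-hour threshold, 0 beyond it, which keeps R_ni within the stated range 0 ≤ R_ni ≤ 10) and the grade boundaries are assumptions; the initial risk values, asset values, IP addresses and timestamps are constructed.

```python
"""Risk value and alarm grade of one complete match queue (steps S51-S55).

Added example, not the patent's own code.  Formulas (10) and (11) are not
reproduced on the page, so the interval factor t_i is an assumption: the
mean gap between consecutive logs of the queue is computed, and t_i is 1
when that mean is within the one-hour threshold and 0 otherwise, which
keeps R_ni inside the stated range 0 <= R_ni <= 10.  The grade boundaries
stand in for the absent Table 1 and are assumed; the initial risk values,
asset values, IP addresses and timestamps are constructed.
"""
from typing import Dict, Sequence

ONE_HOUR_SECONDS = 3600.0

# Constructed asset values V_n (1..10) from log volume in T_0, keyed by IP (S52).
ASSET_VALUES: Dict[str, int] = {
    "10.0.0.5": 9,     # database server, highest log volume
    "10.0.0.20": 4,    # workstation
}

# Constructed initial risk values d_i (0..1) of each combination alarm action (S51).
INITIAL_RISK: Dict[str, float] = {
    "rule_A": 0.8,     # unpatched, destructive impact if the combination completes
    "rule_B": 0.3,     # already mitigated by patching, so the value was lowered
}


def average_interval(timestamps: Sequence[float]) -> float:
    """Mean of the gaps t_ij between consecutive logs of the queue (formula 10)."""
    if len(timestamps) < 2:
        raise ValueError("a complete match queue holds at least two logs")
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    if any(gap < 0 for gap in gaps):
        raise ValueError("queue must be in time order")
    return sum(gaps) / len(gaps)


def interval_factor(mean_gap: float, threshold: float = ONE_HOUR_SECONDS) -> float:
    """Assumed reading of formula (11): 0 (no alarm) beyond the threshold, else 1."""
    return 0.0 if mean_gap > threshold else 1.0


def risk_value(d_i: float, v_n: float, t_i: float) -> float:
    """Formula (12): R_ni = d_i * V_n * t_i, with (8) and (9) enforced."""
    if not 0.0 <= d_i <= 1.0:
        raise ValueError("d_i must satisfy 0 <= d_i <= 1 (formula 8)")
    if not 1 <= v_n <= 10:
        raise ValueError("V_n must satisfy 1 <= V_n <= 10 (formula 9)")
    return d_i * v_n * t_i


def alarm_grade(r_ni: float) -> str:
    """Assumed stand-in for Table 1: split the 0..10 range into three grades."""
    if r_ni <= 0.0:
        return "none"          # factor 0: the combination is not alarmed
    if r_ni < 3.0:
        return "low"
    if r_ni < 6.0:
        return "medium"
    return "high"


def notification_channel(grade: str) -> str:
    """Low and medium are shown on the interface home page; high goes out by mail/SMS."""
    return {"none": "", "low": "homepage", "medium": "homepage"}.get(grade, "mail_sms")


def grade_queue(rule_id: str, asset_ip: str,
                timestamps: Sequence[float]) -> Dict[str, object]:
    """Steps S51-S55 for one complete match queue; the asset is looked up by IP field."""
    d_i = INITIAL_RISK[rule_id]
    v_n = ASSET_VALUES[asset_ip]
    t_i = interval_factor(average_interval(timestamps))
    r_ni = risk_value(d_i, v_n, t_i)
    grade = alarm_grade(r_ni)
    return {"risk": r_ni, "grade": grade, "channel": notification_channel(grade)}


if __name__ == "__main__":
    print(grade_queue("rule_A", "10.0.0.5", [0.0, 600.0, 1500.0]))
```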
Corresponding to the log multi-combination alarm classification method in the embodiment of the present invention, the present invention also provides a log multi-combination alarm classification system. Fig. 5 is a structural diagram of the log multi-combination alarm classification system provided by the present invention. Referring to Fig. 5, the system comprises:
a log obtaining module 501, for obtaining multiple target original logs, the multiple target original logs coming from a firewall, network device, host system, database or middleware;
a log filtering module 502, for filtering the multiple target original logs using a preset regular expression to obtain multiple filtered logs;
a rule number adding module 503, for adding the rule number of the regular expression to the multiple filtered logs according to the regular expression, generating multiple numbered logs and storing them;
an alarm rule label obtaining module 504, for obtaining the label combination of system actions in the target alarm rule;
a matching module 505, for judging whether the rule numbers of the multiple numbered logs can completely match the label combination, obtaining a first judgment result;
a classification alarm module 506, for, if the first judgment result is that the rule numbers of the multiple numbered logs can completely match the label combination, classifying the multiple numbered logs into the target alarm event category corresponding to the label combination and generating an alarm.
The matching module 505 specifically includes:
a second judgment submodule, for successively judging whether the rule numbers of the multiple numbered logs exist in the label combination, obtaining a second judgment result;
a position determination submodule, for, if the second judgment result is that the rule number of the numbered log exists in the label combination, determining the position of the rule number of the numbered log in the label combination;
a queue-head log processing submodule, for, if the rule number of the numbered log is located at the head position of the label combination, recording the numbered log into an empty queue to generate an already-matched queue;
an in-queue log processing submodule, for, if the rule number of the numbered log is located at a middle position of the label combination, judging whether the previous rule number of the rule number of the numbered log in the label combination is in the already-matched queue, obtaining a third judgment result;
an in-queue time judgment submodule, for, if the third judgment result is that the previous rule number of the rule number of the numbered log is in the already-matched queue, judging whether the time interval between the numbered log and the previous numbered log corresponding to the previous rule number is less than a preset threshold, obtaining a fourth judgment result;
an in-queue log recording submodule, for, if the fourth judgment result is that the time interval between the numbered log and the previous numbered log corresponding to the previous rule number is less than the preset threshold, recording the numbered log into the already-matched queue;
a queue-tail log processing submodule, for, if the rule number of the numbered log is located at the tail position of the label combination, judging whether the previous rule number of the rule number of the numbered log in the label combination is in the already-matched queue, obtaining a fifth judgment result;
a queue-tail time judgment submodule, for, if the fifth judgment result is that the previous rule number of the rule number of the numbered log is in the already-matched queue, judging whether the time interval between the numbered log and the previous numbered log corresponding to the previous rule number is less than the preset threshold, obtaining a sixth judgment result;
a queue-tail log recording submodule, for, if the sixth judgment result is that the time interval between the numbered log and the previous numbered log corresponding to the previous rule number is less than the preset threshold, recording the numbered log into the already-matched queue to generate a complete match queue;
a first judgment result generating submodule, for generating the first judgment result according to the complete match queue, the first judgment result being that the rule numbers of the multiple numbered logs can completely match the label combination.
The classification alarm module 506 specifically includes:
a log classification submodule, for classifying the multiple numbered logs in the complete match queue into the target alarm event category corresponding to the label combination;
an alarm grade determination submodule, for determining the alarm grade according to the multiple numbered logs in the complete match queue;
a log alarm submodule, for performing a log event alarm according to the alarm grade.
The alarm grade determination submodule specifically includes:
an initial risk value and asset value obtaining unit, for obtaining the initial risk value and asset value of the multiple numbered logs in the complete match queue;
an average time interval calculation unit, for calculating the average time interval of the multiple numbered logs in the complete match queue;
a risk value determination unit, for determining the risk value according to the initial risk value, the asset value and the average time interval;
an alarm grade determination unit, for determining the alarm grade of the multiple numbered logs in the complete match queue according to the risk value.
In practical applications, the system provided by the present invention may further include:
a log collection module, deployed on the hosts, host systems, network devices, databases, middleware and the like from which logs need to be collected, for collecting the system logs and application logs of the devices;
a database module, for saving the system actions, asset data, policy information and vulnerability information needed by the log collection module, the log obtaining module 501, the log filtering module 502, the rule number adding module 503, the alarm rule label obtaining module 504, the matching module 505 and the classification alarm module 506;
a system action library module, for adding the actions that make up a combination association alarm, adding and saving the actions in a unified manner, and adding to the actions the regular expressions used for log filtering, so that the log data can be filtered;
an alarm rule filtering module, for temporarily storing alarm strategies that are considered not to be threats, and for checking the logs generated by the corresponding alarm strategies.
By matching the label combinations of system actions that occur consecutively, the method and system provided by the present invention can classify target logs into the corresponding alarm events, avoiding the problems of existing log classification processes, in which categorization results are single and inconsistent and combinations are missed by manual recognition.
Each embodiment in this specification is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. Since the system disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively simple, and the relevant points can be found in the description of the method.
Specific examples are used herein to illustrate the principle and implementation of the present invention; the description of the above embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, those skilled in the art may make changes to the specific implementation and scope of application in accordance with the idea of the present invention. In conclusion, the content of this specification should not be construed as limiting the present invention.
Claims (8)
1. A log multi-combination alarm classification method, characterized in that the method comprises:
obtaining multiple target original logs, the multiple target original logs coming from a firewall, network device, host system, database or middleware;
filtering the multiple target original logs using a preset regular expression to obtain multiple filtered logs;
adding the rule number of the regular expression to the multiple filtered logs according to the regular expression, generating multiple numbered logs and storing them;
obtaining the label combination of system actions in a target alarm rule;
judging whether the rule numbers of the multiple numbered logs can completely match the label combination, obtaining a first judgment result;
if the first judgment result is that the rule numbers of the multiple numbered logs can completely match the label combination, classifying the multiple numbered logs into the target alarm event category corresponding to the label combination and generating an alarm.
2. The log multi-combination alarm classification method according to claim 1, characterized in that judging whether the rule numbers of the multiple numbered logs can completely match the label combination and obtaining the first judgment result specifically comprises:
successively judging whether the rule numbers of the multiple numbered logs exist in the label combination, obtaining a second judgment result;
if the second judgment result is that the rule number of the numbered log exists in the label combination, determining the position of the rule number of the numbered log in the label combination;
if the rule number of the numbered log is located at the head position of the label combination, recording the numbered log into an empty queue to generate an already-matched queue;
if the rule number of the numbered log is located at a middle position of the label combination, judging whether the previous rule number of the rule number of the numbered log in the label combination is in the already-matched queue, obtaining a third judgment result;
if the third judgment result is that the previous rule number of the rule number of the numbered log is in the already-matched queue, judging whether the time interval between the numbered log and the previous numbered log corresponding to the previous rule number is less than a preset threshold, obtaining a fourth judgment result;
if the fourth judgment result is that the time interval between the numbered log and the previous numbered log corresponding to the previous rule number is less than the preset threshold, recording the numbered log into the already-matched queue;
if the rule number of the numbered log is located at the tail position of the label combination, judging whether the previous rule number of the rule number of the numbered log in the label combination is in the already-matched queue, obtaining a fifth judgment result;
if the fifth judgment result is that the previous rule number of the rule number of the numbered log is in the already-matched queue, judging whether the time interval between the numbered log and the previous numbered log corresponding to the previous rule number is less than the preset threshold, obtaining a sixth judgment result;
if the sixth judgment result is that the time interval between the numbered log and the previous numbered log corresponding to the previous rule number is less than the preset threshold, recording the numbered log into the already-matched queue to generate a complete match queue;
generating the first judgment result according to the complete match queue, the first judgment result being that the rule numbers of the multiple numbered logs can completely match the label combination.
3. The log multi-combination alarm classification method according to claim 2, characterized in that classifying the multiple numbered logs into the target alarm event category corresponding to the label combination and generating an alarm specifically comprises:
classifying the multiple numbered logs in the complete match queue into the target alarm event category corresponding to the label combination;
determining an alarm grade according to the multiple numbered logs in the complete match queue;
performing a log event alarm according to the alarm grade.
4. The log multi-combination alarm classification method according to claim 3, characterized in that determining the alarm grade according to the multiple numbered logs in the complete match queue specifically comprises:
obtaining the initial risk value and asset value of the multiple numbered logs in the complete match queue;
calculating the average time interval of the multiple numbered logs in the complete match queue;
determining a risk value according to the initial risk value, the asset value and the average time interval;
determining the alarm grade of the multiple numbered logs in the complete match queue according to the risk value.
5. A log multi-combination alarm classification system, characterized in that the system comprises:
a log obtaining module, for obtaining multiple target original logs, the multiple target original logs coming from a firewall, network device, host system, database or middleware;
a log filtering module, for filtering the multiple target original logs using a preset regular expression to obtain multiple filtered logs;
a rule number adding module, for adding the rule number of the regular expression to the multiple filtered logs according to the regular expression, generating multiple numbered logs and storing them;
an alarm rule label obtaining module, for obtaining the label combination of system actions in a target alarm rule;
a matching module, for judging whether the rule numbers of the multiple numbered logs can completely match the label combination, obtaining a first judgment result;
a classification alarm module, for, if the first judgment result is that the rule numbers of the multiple numbered logs can completely match the label combination, classifying the multiple numbered logs into the target alarm event category corresponding to the label combination and generating an alarm.
6. The log multi-combination alarm classification system according to claim 5, characterized in that the matching module specifically comprises:
a second judgment submodule, for successively judging whether the rule numbers of the multiple numbered logs exist in the label combination, obtaining a second judgment result;
a position determination submodule, for, if the second judgment result is that the rule number of the numbered log exists in the label combination, determining the position of the rule number of the numbered log in the label combination;
a queue-head log processing submodule, for, if the rule number of the numbered log is located at the head position of the label combination, recording the numbered log into an empty queue to generate an already-matched queue;
an in-queue log processing submodule, for, if the rule number of the numbered log is located at a middle position of the label combination, judging whether the previous rule number of the rule number of the numbered log in the label combination is in the already-matched queue, obtaining a third judgment result;
an in-queue time judgment submodule, for, if the third judgment result is that the previous rule number of the rule number of the numbered log is in the already-matched queue, judging whether the time interval between the numbered log and the previous numbered log corresponding to the previous rule number is less than a preset threshold, obtaining a fourth judgment result;
an in-queue log recording submodule, for, if the fourth judgment result is that the time interval between the numbered log and the previous numbered log corresponding to the previous rule number is less than the preset threshold, recording the numbered log into the already-matched queue;
a queue-tail log processing submodule, for, if the rule number of the numbered log is located at the tail position of the label combination, judging whether the previous rule number of the rule number of the numbered log in the label combination is in the already-matched queue, obtaining a fifth judgment result;
a queue-tail time judgment submodule, for, if the fifth judgment result is that the previous rule number of the rule number of the numbered log is in the already-matched queue, judging whether the time interval between the numbered log and the previous numbered log corresponding to the previous rule number is less than the preset threshold, obtaining a sixth judgment result;
a queue-tail log recording submodule, for, if the sixth judgment result is that the time interval between the numbered log and the previous numbered log corresponding to the previous rule number is less than the preset threshold, recording the numbered log into the already-matched queue to generate a complete match queue;
a first judgment result generating submodule, for generating the first judgment result according to the complete match queue, the first judgment result being that the rule numbers of the multiple numbered logs can completely match the label combination.
7. The log multi-combination alarm classification system according to claim 6, characterized in that the classification alarm module specifically includes:
a log categorizing submodule, for assigning the multiple number logs in the complete match queue to the target alarm event category corresponding to the label combination;
an alarm grade determining submodule, for determining an alarm grade according to the multiple number logs in the complete match queue;
a log alerting submodule, for performing a log event alarm according to the alarm grade.
8. The log multi-combination alarm classification system according to claim 7, characterized in that the alarm grade determining submodule specifically includes:
an initial risk value and asset value acquiring unit, for acquiring the initial risk values and asset values of the multiple number logs in the complete match queue;
an average time interval computing unit, for calculating the average time interval of the multiple number logs in the complete match queue;
a risk value determining unit, for determining a risk value according to the initial risk values, the asset values and the average time interval;
an alarm grade determining unit, for determining the alarm grade of the multiple number logs in the complete match queue according to the risk value.
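As an added example (not the patent's own code), the following Python sketch implements the queue-based matching of claims 6 and 7: a label combination is an ordered tuple of rule numbers, a number log at the head position opens a fresh matched queue, a log at a middle or tail position is appended only when its predecessor rule number is already queued and the two logs lie within the preset threshold, and a tail match yields a complete match queue that is assigned to the combination's alarm category. The label combinations, sample logs, the 60 s threshold and all names are constructed assumptions; the risk value formula of claim 8 is not specified on the page, so only the average time interval it uses is computed.

```python
from dataclasses import dataclass, field

THRESHOLD_SECONDS = 60  # assumed preset threshold between consecutive logs


@dataclass
class NumberLog:
    ts: float          # event time in seconds (constructed)
    rule_number: int   # rule number assigned to the log by the matching rule


@dataclass
class SequenceMatcher:
    """State for one label combination (an ordered tuple of rule numbers)."""
    label: tuple
    category: str                              # target alarm event category
    queue: list = field(default_factory=list)  # the "matched queue"

    def feed(self, log):
        """Process one number log; return a complete match queue or None."""
        if log.rule_number not in self.label:
            return None
        pos = self.label.index(log.rule_number)
        if pos == 0:                 # head-of-queue position: start over
            self.queue = [log]       # record the log into an empty queue
            return None
        # middle or tail position: the previous rule number must already be
        # queued and this log must follow it within the threshold
        prev_rule = self.label[pos - 1]
        prev_log = next((q for q in reversed(self.queue)
                         if q.rule_number == prev_rule), None)
        if prev_log is None or log.ts - prev_log.ts >= THRESHOLD_SECONDS:
            return None
        self.queue.append(log)
        if pos == len(self.label) - 1:           # tail-of-queue position
            complete, self.queue = self.queue, []
            return complete                      # complete match queue
        return None


def classify(logs, matchers):
    """Return (category, average time interval, logs) per complete match."""
    results = []
    for log in logs:
        for m in matchers:
            complete = m.feed(log)
            if complete:
                gaps = [b.ts - a.ts for a, b in zip(complete, complete[1:])]
                results.append((m.category, sum(gaps) / len(gaps), complete))
    return results


# constructed sample: rules 11 -> 12 -> 13 arrive within the threshold and
# match; rule 22 arrives 100 s after rule 21 and therefore does not match
SAMPLE = [NumberLog(0, 11), NumberLog(20, 12), NumberLog(50, 13),
          NumberLog(100, 21), NumberLog(200, 22)]
MATCHERS = [SequenceMatcher((11, 12, 13), "correlated-auth-sequence"),
            SequenceMatcher((21, 22), "scan-then-connect")]
```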
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811226511.XA CN109450671B (en) | 2018-10-22 | 2018-10-22 | Log multi-combination alarm classification method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811226511.XA CN109450671B (en) | 2018-10-22 | 2018-10-22 | Log multi-combination alarm classification method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109450671A true CN109450671A (en) | 2019-03-08 |
CN109450671B CN109450671B (en) | 2020-12-08 |
Family
ID=65547694
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811226511.XA Active CN109450671B (en) | 2018-10-22 | 2018-10-22 | Log multi-combination alarm classification method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109450671B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101610174A (en) * | 2009-07-24 | 2009-12-23 | 深圳市永达电子股份有限公司 | A kind of log correlation analysis system and method |
CN101697545A (en) * | 2009-10-29 | 2010-04-21 | 成都市华为赛门铁克科技有限公司 | Security incident correlation method and device as well as network server |
US9910994B1 (en) * | 2015-08-27 | 2018-03-06 | Amazon Technologies, Inc. | System for assuring security of sensitive data on a host |
CN108229585A (en) * | 2018-02-05 | 2018-06-29 | 北京安信天行科技有限公司 | The classifying method and system of a kind of daily record |
- 2018-10-22: CN application CN201811226511.XA, granted as CN109450671B, status Active
Non-Patent Citations (3)
Title |
---|
DUY DUC AN BUI et al.: "Learning regular expressions for clinical text classification", Journal of the American Medical Informatics Association, Volume 21, Issue 5, September 2014 * |
思帆: "Research and Implementation of a Real-Time Risk Assessment Model Based on Host Log Analysis", China Master's Theses Full-text Database * |
李晨旸: "Research on an Integrated Log Analysis Model for Intrusion Detection", China Master's Theses Full-text Database * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109995784A (en) * | 2019-04-03 | 2019-07-09 | 杭州汉领信息科技有限公司 | A kind of data extraction accelerated method based on UDP |
CN109995784B (en) * | 2019-04-03 | 2022-02-11 | 杭州汉领信息科技有限公司 | UDP-based data extraction acceleration method |
CN111274285A (en) * | 2020-01-15 | 2020-06-12 | 上海观安信息技术股份有限公司 | Alarm correlation method based on information theory |
CN113377623A (en) * | 2021-07-02 | 2021-09-10 | 华青融天(北京)软件股份有限公司 | Automatic generation method and device of alarm rule and electronic equipment |
CN113377623B (en) * | 2021-07-02 | 2024-05-28 | 华青融天(北京)软件股份有限公司 | Automatic generation method and device of alarm rules and electronic equipment |
CN114154836A (en) * | 2021-11-29 | 2022-03-08 | 中国邮电器材集团有限公司 | Method for monitoring contract execution and triggering early warning and electronic equipment |
CN115514613A (en) * | 2022-11-15 | 2022-12-23 | 阿里云计算有限公司 | Alarm strategy obtaining method and device |
CN115514613B (en) * | 2022-11-15 | 2023-04-11 | 阿里云计算有限公司 | Alarm strategy obtaining method and device |
Also Published As
Publication number | Publication date |
---|---|
CN109450671B (en) | 2020-12-08 |
Similar Documents
Publication | Title |
---|---|
CN109450671A (en) | A kind of log multiple groups close alarm classifying method and system |
CN111475804B (en) | Alarm prediction method and system |
CN106790008B (en) | Machine learning system for detecting abnormal host in enterprise network |
Zheng et al. | Semi-supervised classification on data streams with recurring concept drift and concept evolution |
CN108494810A (en) | Network security situation prediction method, apparatus and system towards attack |
Ourston et al. | Applications of hidden markov models to detecting multi-stage network attacks |
CN103746961B (en) | A kind of causal knowledge method for digging of cyber attack scenarios, device and server |
WO2021213247A1 (en) | Anomaly detection method and device |
CN109871401A (en) | A kind of time series method for detecting abnormality and device |
CN117473571B (en) | Data information security processing method and system |
CN103368979A (en) | Network security verifying device based on improved K-means algorithm |
CN106375339A (en) | Attack mode detection method based on event slide window |
US7756593B2 (en) | Anomaly anti-pattern |
Ajdani et al. | Introduced a new method for enhancement of intrusion detection with random forest and PSO algorithm |
Koshal et al. | Cascading of C4.5 decision tree and support vector machine for rule based intrusion detection system |
CN109063205A (en) | A kind of construction of knowledge base method of network-oriented safety |
CN116827764B (en) | Internet of things fault detection control method and system based on neural network |
CN111143838A (en) | Database user abnormal behavior detection method |
Ahmad et al. | Analysis of classification techniques for intrusion detection |
CN111506710A (en) | Information sending method and device based on rumor prediction model and computer equipment |
Maniraj et al. | Data aggregation and terror group prediction using machine learning algorithms |
Ruotsalainen et al. | Gais: A method for detecting interleaved sequential patterns from imperfect data |
KR102021138B1 (en) | Method and program of malicious domain classification based on artificial intelligence |
CN116760578A (en) | Threat situation prediction method applying AI |
CN114238062B (en) | Board card burning device performance analysis method, device, equipment and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |