CN-116318860-B - Intelligent control method for network security equipment

Abstract

The invention provides an intelligent control method for network security equipment, relating to the technical field of network security control. The method comprises: obtaining original log data of the network security equipment; preprocessing the original log data to obtain classified logs; extracting and selecting alarm false alarm detection related features based on historical alarm priori knowledge related to the network security equipment; training an alarm detection model based on the detection related features and fusing the features to identify alarm false alarms in the classified logs; and finely adjusting the false alarm threshold of each type of alarm false alarm respectively. In this way the alarm false alarm rate of the network security equipment is effectively controlled.

Inventors

  • ZHANG SHUGUI
  • LI YANG

Assignees

  • 深圳铸泰科技有限公司

Dates

Publication Date
2026-05-05
Application Date
2023-01-29

Claims (6)

  1. An intelligent control method for a network security appliance, comprising: step 1, acquiring original log data of network security equipment; step 2, carrying out data fusion and preprocessing operation on the original log data to obtain a classified log, wherein the classified log is obtained by classifying the alarm log data in the preprocessed log data according to time sequence; step 3, matching historical warning priori knowledge related to the network security equipment from a warning database, and extracting and selecting warning false alarm detection related features from the historical warning priori knowledge; step 4, training an alarm detection model based on the detection related features and fusing features to classify and identify alarm false alarms of the classified log, and finely adjusting the false alarm threshold of each type of alarm false alarm respectively to realize control of the alarm false alarm rate of the network security equipment; wherein matching historical alarm priori knowledge related to the network security equipment from an alarm database, extracting alarm false alarm detection related features from the historical alarm priori knowledge, and selecting the alarm false alarm detection related features comprises the following steps: acquiring and merging historical alarm information generated by the network security equipment in a preset historical time period; analyzing the processed historical alarm information, and matching from the alarm database to obtain the corresponding historical alarm priori knowledge; according to the network security attack characteristics contained in the historical alarm information, combining the historical alarm priori knowledge to obtain a multi-dimensional network security variable; coding all security variation values of the network security variables in the corresponding dimensions, and obtaining first features in different dimensions according to the coding results; selecting alarm false alarm detection related features from an alarm-feature database according to the feature importance of each first feature; wherein selecting alarm false alarm detection related features from the alarm-feature database according to the feature importance of each first feature comprises: calculating the feature importance of each first feature, wherein the feature importance expressed as the ith first feature is within the range of values ; the occurrence frequency of the security change value of the ith first feature that lies in the normal security change range is expressed as corresponding to the ith first feature; the current contribution factor expressed as the ith first feature takes on the value range of ; a weight coefficient of the network security variable is expressed as the dimension corresponding to the ith first feature; 1 is expressed as a standard contribution factor; removing the first features whose feature importance exceeds a maximum preset threshold and the first features whose feature importance is smaller than a minimum preset threshold; when the residual result is 0, determining a first number of first features with feature importance exceeding the maximum preset threshold and a second number of first features with feature importance smaller than the minimum preset threshold; locking the larger number of the first number and the second number; when the larger number is the first number, acquiring the first feature with the minimum feature importance among those counted in the first number as the residual feature; otherwise, acquiring the first feature with the maximum feature importance among those counted in the second number as the residual feature; selecting the alarm false alarm detection related features matched with the residual feature from the alarm-feature database and outputting them; and when the residual result is not 0, selecting the alarm false alarm detection related features matched with the removed first features from the alarm-feature database, and outputting the alarm false alarm detection related features.
  2. The intelligent control method for network security equipment according to claim 1, wherein performing the data fusion and preprocessing operations on the log data to obtain the classified log comprises the steps of: step 11, filtering and synthesizing the obtained original log data by using a computer to derive effective log data; step 12, processing the derived effective log data according to a standardized format to obtain a unified data format; step 13, deleting two or more pieces of data with identical feature values in the effective log data and retaining only one piece of data; step 14, deleting or complementing the missing data in the effective log data; and step 15, extracting alarm log data from the processed log data by using a computer, and classifying it according to time sequence to obtain the classified log.
  3. The intelligent control method for a network security appliance according to claim 2, wherein deleting or complementing the missing data in the effective log data comprises: extracting and analyzing target cases containing missing values in the effective log data, and deleting a target case if the number of effective values contained in the target case is smaller than a preset threshold value; if the number of effective values contained in the target case is greater than or equal to the preset threshold value, discretizing all data contained in the target case; based on the discretized data, selecting a data subset with high correlation to the missing data attribute from the effective log data, and constructing a sparse tensor according to the data subset; and constructing a dense tensor by using a tensor completion method based on tensor decomposition, and complementing the missing data corresponding to the target case by combining the original log data.
  4. The intelligent control method for network security equipment according to claim 1, wherein training the alarm detection model based on the detection related features and fusing features to classify and identify alarm false alarms of the classified log, and finely adjusting the false alarm threshold of each type of alarm false alarm respectively to realize control of the alarm false alarm rate of the network security equipment, comprises the following steps: calling the historical alarm data in the historical alarm information as training samples to establish an alarm detection model; inputting the detection related features into the alarm detection model for model training, and carrying out feature fusion of the detection related features and the alarm features in the trained alarm detection model to obtain a new detection model and the alarm false alarm category of each fusion feature; inputting the classified log as experimental samples into the new detection model to obtain a detection value set ; wherein the detection value of the new detection model for the j-th experimental sample is represented as , n being the number of experimental samples; the detection value of the new detection model for the (j-1)-th experimental sample is expressed as ; the true value of the (j-1)-th experimental sample; the loss function of the (j-1)-th experimental sample; the detection contribution degree of the experimental sample input into the new detection model; the loss weight coefficient of the experimental sample; the contribution weight coefficient in the process of inputting the experimental sample into the new detection model; labeling the experimental samples whose detection values in the detection value set X are smaller than a preset minimum detection threshold value with the normal alarm label; otherwise, labeling the corresponding experimental sample with the undetermined alarm label and outputting it as a first sample; matching and identifying all the fusion features against the features of the first samples to obtain the alarm false alarm category corresponding to each first sample; classifying the first samples according to the alarm false alarm categories to obtain classified samples, and carrying out threshold normalization adjustment on the false alarm thresholds related to samples of the same class to realize fine adjustment and obtain the adjusted false alarm thresholds.
  5. The intelligent control method for network security equipment according to claim 4, wherein matching and identifying all the fusion features against the features of the first samples to obtain the alarm false alarm category corresponding to each first sample comprises: extracting the first target feature of each first sample, and respectively carrying out similarity analysis between the first target feature and all fusion features to obtain a first similarity result; screening, according to the first similarity result, the alarm false alarm source of the sample corresponding to the first target feature with the highest feature similarity; and determining the alarm false alarm category of the corresponding first sample according to that alarm false alarm source.
  6. The intelligent control method for network security equipment according to claim 4, wherein carrying out threshold normalization adjustment on the false alarm thresholds related to samples of the same class to realize fine adjustment and obtain the adjusted false alarm thresholds comprises: extracting the original false alarm threshold value of each first sample related to the same class of samples from an alarm false alarm database; finely adjusting the original false alarm threshold value by using an adjustment formula to obtain the adjusted false alarm threshold value, wherein the formula is as follows: wherein L1 is expressed as the corresponding adjusted false alarm threshold value and L0 as the corresponding original false alarm threshold value; the ratio of the total number of classified samples corresponding to the alarm false alarm category to the number of first samples before classification, with value range ; the misjudgment factor for alarms under the condition ; the misjudgment factor for alarms under the condition ; and the number of classified samples contained in the corresponding class of samples.
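The feature-selection rule of claim 1 (remove first features outside the preset importance band; when nothing remains, lock the larger removed group and take one representative from it), as an added Python example that is not part of the patent. The feature-importance formula is not reproduced on the page, so importance values are taken as given; the alarm-feature database, the feature names and the tie-breaking choice are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FirstFeature:
    name: str
    importance: float   # value of the claim's feature-importance formula (not on the page)

# Constructed alarm-feature database (hypothetical): first feature name ->
# matching alarm false alarm detection related features.
ALARM_FEATURE_DB = {
    "src_port_entropy": ["port_scan_score"],
    "session_duration": ["long_session_flag"],
    "payload_size": ["size_anomaly"],
    "dst_ip_reputation": ["bad_reputation_hit"],
}

def select_detection_features(features, min_threshold, max_threshold, db=ALARM_FEATURE_DB):
    """Selection rule of claim 1.

    First features above max_threshold or below min_threshold are removed. If no
    feature remains (residual result is 0), the larger of the two removed groups is
    locked and one member becomes the residual feature: the minimum-importance member
    of the 'too high' group, or the maximum-importance member of the 'too low' group.
    If features do remain, the claim wording outputs the detection features matched to
    the *removed* first features, and that wording is followed literally here.
    A tie between the two group sizes goes to the 'too high' group (assumption).
    """
    too_high = [f for f in features if f.importance > max_threshold]
    too_low = [f for f in features if f.importance < min_threshold]
    residual = [f for f in features if min_threshold <= f.importance <= max_threshold]
    if residual:
        chosen = too_high + too_low
    elif not too_high and not too_low:
        chosen = []                                   # empty input: nothing to select
    elif len(too_high) >= len(too_low):
        chosen = [min(too_high, key=lambda f: f.importance)]
    else:
        chosen = [max(too_low, key=lambda f: f.importance)]
    detection = []
    for f in chosen:                                  # look up matches, keep order, no repeats
        for d in db.get(f.name, []):
            if d not in detection:
                detection.append(d)
    return {"matched_first_features": [f.name for f in chosen],
            "detection_features": detection}
```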
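The preprocessing pipeline of claims 2 and 3 (steps 13 to 15: deduplicate identical records, delete or complement cases with missing values, extract alarm records and order them by time sequence), as an added Python example that is not part of the patent. The log records are constructed sample data, and the tensor-decomposition completion of claim 3 is replaced by a nearest-neighbour stand-in that copies values from the most similar complete record.

```python
from datetime import datetime

FEATURES = ("src", "sig", "sev")

# Constructed effective log records already in a unified format (steps 11-12 assumed
# done); None marks a missing value. Sample data, not from the patent.
RECORDS = [
    {"ts": "2024-01-01T10:00:00", "type": "alarm", "src": "10.0.0.5", "sig": "scan", "sev": 3},
    {"ts": "2024-01-01T10:00:00", "type": "alarm", "src": "10.0.0.5", "sig": "scan", "sev": 3},
    {"ts": "2024-01-01T09:58:00", "type": "alarm", "src": "10.0.0.7", "sig": None, "sev": 5},
    {"ts": "2024-01-01T10:02:00", "type": "alarm", "src": None, "sig": None, "sev": None},
    {"ts": "2024-01-01T10:01:00", "type": "audit", "src": "10.0.0.9", "sig": "login", "sev": 1},
    {"ts": "2024-01-01T09:59:00", "type": "alarm", "src": "10.0.0.7", "sig": "brute", "sev": 5},
]

def dedupe(records):
    """Step 13: of records with identical timestamp and feature values keep only one."""
    seen, out = set(), []
    for r in records:
        key = (r["ts"],) + tuple(r[f] for f in FEATURES)
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out

def handle_missing(records, min_effective):
    """Step 14 / claim 3: delete a case whose count of effective (non-missing) values
    is below min_effective, otherwise complement it. Stand-in for the patent's tensor
    completion: copy from the complete record agreeing on the most present values."""
    complete = [r for r in records if all(r[f] is not None for f in FEATURES)]
    out = []
    for r in records:
        present = [f for f in FEATURES if r[f] is not None]
        if len(present) < min_effective:
            continue                                   # too sparse: delete the case
        if len(present) == len(FEATURES) or not complete:
            out.append(r)                              # nothing to fill (or no donor)
            continue
        donor = max(complete, key=lambda c: sum(c[f] == r[f] for f in present))
        out.append({k: (donor[k] if v is None else v) for k, v in r.items()})
    return out

def classify_alarms(records):
    """Step 15: extract alarm records and order them by time sequence."""
    alarms = [r for r in records if r["type"] == "alarm"]
    return sorted(alarms, key=lambda r: datetime.fromisoformat(r["ts"]))

def preprocess(records, min_effective=2):
    return classify_alarms(handle_missing(dedupe(records), min_effective))
```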
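The labelling and category-matching steps of claims 4 and 5 (detection value below the minimum threshold gives the normal label, everything else becomes a first sample whose target feature is matched against the fusion features by similarity, and the best match's false-alarm source decides the category), as an added Python example that is not part of the patent. Cosine similarity, the fusion-feature table and the sample values are assumptions; the loss and contribution terms of claim 4 are not reproduced on the page and are not modelled.

```python
import math

# Constructed fusion features (hypothetical): feature vector, the false-alarm source it
# was learned from, and the alarm false alarm category that source maps to.
FUSION_FEATURES = [
    {"vec": (1.0, 0.0, 0.2), "source": "scanner_noise", "category": "benign_scan"},
    {"vec": (0.0, 1.0, 0.9), "source": "misconfigured_rule", "category": "rule_error"},
    {"vec": (0.5, 0.5, 0.0), "source": "backup_traffic", "category": "scheduled_job"},
]

def cosine(a, b):
    """Similarity measure used for the claim 5 similarity analysis (assumption)."""
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return 0.0 if na == 0 or nb == 0 else sum(x * y for x, y in zip(a, b)) / (na * nb)

def label_samples(detections, min_threshold):
    """Claim 4: a sample whose detection value is below the preset minimum threshold
    gets the normal alarm label; any other sample gets the undetermined label and is
    output as a first sample."""
    normal, first = [], []
    for sample, value in detections:
        (normal if value < min_threshold else first).append(sample)
    return normal, first

def categorize(first_samples, fusion=FUSION_FEATURES):
    """Claim 5: compare each first sample's target feature with all fusion features;
    the best match's false-alarm source decides the category. Returns the classified
    samples grouped by category, the input for per-class threshold adjustment."""
    groups = {}
    for s in first_samples:
        best = max(fusion, key=lambda f: cosine(s["target"], f["vec"]))
        groups.setdefault(best["category"], []).append(s["id"])
    return groups

# Constructed experimental samples: (sample, detection value from the new model).
DETECTIONS = [
    ({"id": "a", "target": (0.9, 0.1, 0.1)}, 0.8),
    ({"id": "b", "target": (0.1, 0.9, 0.8)}, 0.7),
    ({"id": "c", "target": (0.2, 0.2, 0.2)}, 0.1),
    ({"id": "d", "target": (0.4, 0.6, 0.05)}, 0.5),
]

def run(min_threshold=0.3):
    normal, first = label_samples(DETECTIONS, min_threshold)
    return [s["id"] for s in normal], categorize(first)
```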

Description

Intelligent control method for network security equipment

Technical Field

The invention relates to the technical field of network security control, in particular to an intelligent control method for network security equipment.

Background

Currently, most network security devices use an abnormal alarm detection method to perform alarm detection. However, network security alarm false alarms inevitably occur in the abnormal detection mode, so that resources and time are consumed in processing them, the sensitivity of security analysts to alarms is reduced, and the energy of security analysts for processing real security threats is dispersed; therefore reducing the false alarm rate of network security equipment alarms is very important. Accordingly, the present invention provides an intelligent control method for a network security appliance.

Disclosure of Invention

The invention provides an intelligent control method for network security equipment, which obtains a classified log by preprocessing original log data, extracts and selects detection related features based on warning priori knowledge related to the network security equipment, trains a warning detection model with the detection related features to recognize warning false alarms in the classified log, and finally finely adjusts the false alarm threshold value to realize effective control of the warning false alarm rate of the network security equipment.

The invention provides an intelligent control method for network security equipment, which comprises the following steps: step 1, acquiring original log data of network security equipment; step 2, carrying out data fusion and preprocessing operation on the original log data to obtain a classified log; step 3, matching historical warning priori knowledge related to the network security equipment from a warning database, and extracting and selecting warning false alarm detection related features from the historical warning priori knowledge; and step 4, training an alarm detection model based on the detection related features and fusing features to classify and identify alarm false alarms of the classified log, and finely adjusting the false alarm threshold of each type of alarm false alarm respectively to realize control of the alarm false alarm rate of the network security equipment.

Preferably, performing the data fusion and preprocessing operation on the log data to obtain the classified log includes: step 11, filtering and synthesizing the obtained original log data by using a computer to derive effective log data; step 12, processing the derived effective log data according to a standardized format to obtain a unified data format; step 13, deleting two or more pieces of data with identical feature values in the effective log data and retaining only one piece of data; step 14, deleting or complementing the missing data in the effective log data; and step 15, extracting alarm log data from the processed log data by using a computer, and classifying it according to time sequence to obtain the classified log.

Preferably, deleting or complementing the missing data in the effective log data includes: extracting and analyzing target cases containing missing values in the effective log data, and deleting a target case if the number of effective values contained in the target case is smaller than a preset threshold value; if the number of effective values contained in the target case is greater than or equal to the preset threshold value, discretizing all data contained in the target case; based on the discretized data, selecting a data subset with high correlation to the missing data attribute from the effective log data, and constructing a sparse tensor according to the data subset; and constructing a dense tensor by using a tensor completion method based on tensor decomposition, and complementing the missing data corresponding to the target case by combining the original log data.

Preferably, matching the historical warning priori knowledge related to the network security equipment from the warning database, and extracting and selecting the warning false alarm detection related features from the historical warning priori knowledge, comprises the following steps: acquiring and merging historical alarm information generated by the network security equipment in a preset historical time period; analyzing the processed historical alarm information, and matching from the alarm database to obtain the corresponding historical alarm priori knowledge; according to the network security attack characteristics contained in the historical alarm information, combining the historical alarm priori knowledge to obtain a multi-dimensional network security variable; coding all security variation values of the network security variables in the corresponding dimensions, and obtaining first features in different dimensions according to cod