CN-121984703-A - Intelligent alarm noise reduction method and device
Abstract
The invention discloses an intelligent alarm noise reduction method and device, and relates to the technical field of network security. The method comprises the steps of obtaining original alarm data collected in real time; inputting the original alarm data into a large language model and obtaining the structured alarm data it outputs; taking the structured alarm data as an alarm data stream and inputting it into a rule engine with a built-in attack pattern rule base, in which attack pattern rules reflecting the logical sequence among attack features are pre-stored; obtaining the alarm data sequence that the rule engine identifies in the alarm data stream as matching a pre-stored attack pattern rule; aggregating the alarm data sequence into an attack event; and determining the attack event as the alarm noise reduction result. The invention associates discrete alarm data according to attack semantics so that complex attack events can be described accurately, and improves the accuracy and efficiency of alarm noise reduction.
Inventors
- HUANG YI
- SHI MEIJUN
Assignees
- 中国建设银行股份有限公司苏州分行
Dates
- Publication Date: 20260505
- Application Date: 20251215
Claims (13)
- 1. An intelligent alarm noise reduction method, characterized by comprising the following steps: acquiring original alarm data collected in real time; inputting the original alarm data into a large language model to obtain structured alarm data output by the large language model, wherein the large language model is obtained by fine-tuning with a network security knowledge base, and the structured alarm data comprises attack features extracted from the original alarm data by the large language model according to the network security knowledge base, the attack features comprising an attack tactic, an attack technique and an attack procedure; taking the structured alarm data as an alarm data stream and inputting it into a rule engine with a built-in attack pattern rule base, wherein attack pattern rules reflecting the logical sequence among attack features are pre-stored in the attack pattern rule base; acquiring an alarm data sequence which the rule engine identifies in the alarm data stream as matching a pre-stored attack pattern rule, and aggregating the alarm data sequence into an attack event; and determining the attack event as the alarm noise reduction result.
- 2. The method of claim 1, wherein taking the structured alarm data as an alarm data stream and inputting it into the rule engine with the built-in attack pattern rule base comprises: filtering the structured alarm data according to a preset white list; taking the filtered structured alarm data as the alarm data stream and inputting it into the rule engine with the built-in attack pattern rule base; wherein the white list is obtained as follows: acquiring historical alarm data within a preset time period; identifying false alarm patterns in the historical alarm data through time series data analysis, wherein a false alarm pattern is an alarm data combination generated by repetitive or periodic network activity; and adding the identified false alarm patterns to the white list.
- 3. The method of claim 2, further comprising, after acquiring the historical alarm data within the preset time period: desensitizing the historical alarm data to obtain desensitized historical alarm data; wherein identifying false alarm patterns in the historical alarm data through time series data analysis comprises: analyzing the desensitized historical alarm data with an association rule mining algorithm and identifying false alarm patterns in the historical alarm data.
- 4. The method of claim 3, wherein the association rule mining algorithm comprises the Apriori algorithm.
- 5. The method of claim 1, further comprising, after determining the attack event as the alarm noise reduction result: pushing the alarm noise reduction result to an analyst, and acquiring the attack events marked by the analyst in the alarm noise reduction result; fine-tuning the large language model using the marked attack events; and optimizing the attack pattern rules in the rule engine using the marked attack events.
- 6. An intelligent alarm noise reduction device, characterized by comprising: an alarm data acquisition module for acquiring original alarm data collected in real time; an attack feature extraction module for inputting the original alarm data into a large language model to obtain structured alarm data output by the large language model, wherein the large language model is obtained by fine-tuning with a network security knowledge base; an attack pattern matching module for taking the structured alarm data as an alarm data stream and inputting it into a rule engine with a built-in attack pattern rule base, wherein attack pattern rules reflecting the logical sequence among attack features are pre-stored in the attack pattern rule base; an attack event aggregation module for acquiring an alarm data sequence which the rule engine identifies in the alarm data stream as matching a pre-stored attack pattern rule, and aggregating the alarm data sequence into an attack event; and an alarm data noise reduction module for determining the attack event as the alarm noise reduction result.
- 7. The device of claim 6, wherein the attack pattern matching module is specifically configured to: filter the structured alarm data according to a preset white list; and take the filtered structured alarm data as the alarm data stream and input it into the rule engine with the built-in attack pattern rule base; wherein the white list is obtained as follows: acquiring historical alarm data within a preset time period; identifying false alarm patterns in the historical alarm data through time series data analysis, wherein a false alarm pattern is an alarm data combination generated by repetitive or periodic network activity; and adding the identified false alarm patterns to the white list.
- 8. The device of claim 7, wherein the attack pattern matching module further comprises an alarm data desensitization unit configured to desensitize the historical alarm data to obtain desensitized historical alarm data; and the attack pattern matching module is specifically configured to analyze the desensitized historical alarm data with an association rule mining algorithm and identify false alarm patterns in the historical alarm data.
- 9. The device of claim 8, wherein the association rule mining algorithm comprises the Apriori algorithm.
- 10. The device of claim 6, further comprising a closed-loop learning module configured to: push the alarm noise reduction result to an analyst, and acquire the attack events marked by the analyst in the alarm noise reduction result; fine-tune the large language model using the marked attack events; and optimize the attack pattern rules in the rule engine using the marked attack events.
- 11. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 5 when executing the computer program.
- 12. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when executed by a processor, implements the method of any of claims 1 to 5.
- 13. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor, implements the method of any of claims 1 to 5.
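Claims 2 to 4 (and 7 to 9) describe the white list: historical alarm data is desensitized, mined with an association rule algorithm such as Apriori, and the alarm combinations that recur with repetitive or periodic network activity are added to the white list used to filter the structured alarm stream. The following Python is an added example written for this page, not code from the patent or its assignee. It assumes (my assumptions, not the patent's) that each historical alarm is a dict with a timestamp, source host, destination host and signature name; that desensitization replaces host identifiers with keyed-hash pseudonyms; that one Apriori "transaction" is the set of alarm keys seen in a fixed time window; and that an itemset whose support across windows exceeds a threshold is treated as a periodic false alarm pattern. The sample history is constructed inline.

```python
"""White list mining from historical alarm data (added example, not the patent's code)."""
from itertools import combinations
import hashlib
import hmac

WINDOW_SECONDS = 3600      # assumption: one Apriori transaction per hour of alarms
MIN_SUPPORT = 0.8          # assumption: a pattern seen in >= 80% of windows is periodic noise
PSEUDONYM_KEY = b"example-key"  # constructed; a real deployment keeps this secret


def desensitize(alarm, key=PSEUDONYM_KEY):
    """Replace host identifiers with keyed-hash pseudonyms; the signature stays readable."""
    def pseudo(value):
        return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:8]
    return {"ts": alarm["ts"], "src": pseudo(alarm["src"]),
            "dst": pseudo(alarm["dst"]), "sig": alarm["sig"]}


def alarm_key(alarm):
    """The item Apriori reasons about: who alerted on whom with which signature."""
    return (alarm["src"], alarm["dst"], alarm["sig"])


def windows(alarms, width=WINDOW_SECONDS):
    """Bucket alarms into fixed windows; each window becomes a set of alarm keys."""
    buckets = {}
    for a in alarms:
        buckets.setdefault(a["ts"] // width, set()).add(alarm_key(a))
    return [buckets[k] for k in sorted(buckets)]


def apriori(transactions, min_support=MIN_SUPPORT, max_len=3):
    """Plain Apriori: grow frequent itemsets level by level, pruning by support."""
    n = len(transactions)

    def support(itemset):
        return sum(1 for t in transactions if itemset <= t) / n

    items = sorted({i for t in transactions for i in t})
    level = [frozenset([i]) for i in items if support(frozenset([i])) >= min_support]
    frequent = {s: support(s) for s in level}
    k = 1
    while level and k < max_len:
        candidates = set()
        for a, b in combinations(level, 2):
            u = a | b
            # Apriori pruning: every k-subset of a candidate must itself be frequent
            if len(u) == k + 1 and all(frozenset(sub) in frequent for sub in combinations(u, k)):
                candidates.add(u)
        level = [c for c in candidates if support(c) >= min_support]
        for c in level:
            frequent[c] = support(c)
        k += 1
    return frequent


def mine_whitelist(history):
    """Desensitize, mine, and keep only maximal frequent itemsets as white list entries."""
    frequent = apriori(windows([desensitize(a) for a in history]))
    maximal = [s for s in frequent if not any(s < other for other in frequent)]
    return sorted(maximal, key=lambda s: (-len(s), sorted(s)))


def filter_with_whitelist(structured_alarms, whitelist):
    """Drop alarms whose (pseudonymised) key belongs to a white-listed combination."""
    covered = set().union(*whitelist) if whitelist else set()
    return [a for a in structured_alarms if alarm_key(desensitize(a)) not in covered]


def constructed_history():
    """Constructed 24-hour history: an hourly backup job, an hourly vulnerability
    scan that skips two hours, and one genuine web shell upload alarm."""
    history = []
    for hour in range(24):
        ts = hour * 3600 + 60
        history.append({"ts": ts, "src": "10.0.0.5", "dst": "10.0.0.9", "sig": "SMB_LARGE_TRANSFER"})
        history.append({"ts": ts + 30, "src": "10.0.0.5", "dst": "10.0.0.9", "sig": "SMB_LARGE_TRANSFER"})
        if hour % 12 != 5:
            history.append({"ts": ts + 120, "src": "10.0.0.7", "dst": "10.0.0.9", "sig": "PORTSCAN"})
    history.append({"ts": 15 * 3600 + 500, "src": "203.0.113.4", "dst": "10.0.0.9", "sig": "WEBSHELL_UPLOAD"})
    return history


if __name__ == "__main__":
    wl = mine_whitelist(constructed_history())
    print("white list:", wl)
    print("surviving alarms:", filter_with_whitelist(constructed_history(), wl))
```

On the constructed history the backup transfer and the scanner appear together in 22 of 24 hourly windows, so Apriori reports the pair as one maximal frequent itemset and that pair becomes the white list entry; the single web shell alarm has support 1/24 and survives filtering. Because the mined keys are pseudonyms, the white list can be stored or shared without exposing raw host identifiers, which is what the desensitization step in claim 3 buys.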
Description
Intelligent alarm noise reduction method and device
Technical Field
The invention relates to the technical field of network security, in particular to an intelligent alarm noise reduction method and device.
Background
With the spread of digital transformation, enterprise network architectures are increasingly complex, and to cope with diversified security threats, organizations usually deploy a variety of security devices such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), web application firewalls (WAF) and endpoint detection and response (EDR). These devices make up a defense-in-depth system, but in actual operation they also present serious challenges. The prior art mainly has the following defects:
1. Massive alarm volumes lead to alarm fatigue among operation and maintenance personnel: security devices generate thousands to tens of thousands of alarms every day, including a large number of repeated alarms and false alarms, so operators are submerged in an alarm storm, find it hard to focus on real threats, respond slowly, and easily miss alarms due to fatigue.
2. Existing methods focus on single-point alarms or simple merging, and lack the ability to identify complex attack chains.
Disclosure of Invention
The embodiment of the invention provides an intelligent alarm noise reduction method, which associates discrete alarm data according to attack semantics so that complex attack events can be described accurately and the accuracy and efficiency of alarm noise reduction are improved, and which comprises the following steps: acquiring original alarm data collected in real time; inputting the original alarm data into a large language model to obtain structured alarm data output by the large language model, wherein the large language model is obtained by fine-tuning with a network security knowledge base, and the structured alarm data comprises attack features extracted from the original alarm data by the large language model according to the network security knowledge base, the attack features comprising an attack tactic, an attack technique and an attack procedure; taking the structured alarm data as an alarm data stream and inputting it into a rule engine with a built-in attack pattern rule base, wherein attack pattern rules reflecting the logical sequence among attack features are pre-stored in the attack pattern rule base; acquiring an alarm data sequence which the rule engine identifies in the alarm data stream as matching a pre-stored attack pattern rule, and aggregating the alarm data sequence into an attack event; and determining the attack event as the alarm noise reduction result.
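The core of the method is the rule engine stage: structured alarms that already carry the attack features the large language model is said to extract (tactic, technique, procedure) are streamed through rules that encode the logical order of those features, and only alarm sequences that complete a rule are aggregated into an attack event. The Python below is an added example written for this page, not the patent's or the assignee's code, and it deliberately starts after the LLM stage: the structured alarms are constructed inline, an attack pattern rule is assumed to be an ordered list of tactics that must occur against the same host within a time span, and unmatched alarms are the noise that is dropped. The tactic names and technique IDs in the sample follow MITRE ATT&CK naming; everything else (field names, the rule format, the time span) is my assumption.

```python
"""Attack pattern rule engine over structured alarms (added example, not the patent's code)."""
from collections import defaultdict
from dataclasses import dataclass, field

MAX_SPAN = 2 * 3600  # assumption: a chain must complete within two hours on one host


@dataclass
class Rule:
    name: str
    tactics: list  # ordered tactics that must appear, in this order, for one host


@dataclass
class AttackEvent:
    rule: str
    host: str
    alarms: list = field(default_factory=list)

    def ttp_chain(self):
        """The aggregated event described as the (tactic, technique) chain it matched."""
        return [(a["tactic"], a["technique"]) for a in self.alarms]


# Constructed rules: the first is an ordered web intrusion chain, the second never fires here.
RULES = [
    Rule("web_intrusion_chain", ["Reconnaissance", "Initial Access", "Execution", "Command and Control"]),
    Rule("lateral_movement_chain", ["Credential Access", "Lateral Movement"]),
]


class RuleEngine:
    """Keeps one partial match per (rule, host) and emits an event when a rule completes."""

    def __init__(self, rules):
        self.rules = rules
        self.partial = defaultdict(list)  # (rule name, host) -> alarms matched so far
        self.events = []

    def feed(self, alarm):
        for rule in self.rules:
            matched = self.partial[(rule.name, alarm["host"])]
            # a partial chain older than MAX_SPAN is abandoned: stale stages do not combine
            if matched and alarm["ts"] - matched[0]["ts"] > MAX_SPAN:
                matched.clear()
            if alarm["tactic"] == rule.tactics[len(matched)]:
                matched.append(alarm)
                if len(matched) == len(rule.tactics):
                    self.events.append(AttackEvent(rule.name, alarm["host"], list(matched)))
                    matched.clear()


def reduce_noise(stream, rules=RULES):
    """Run the stream through the engine in time order; the events are the result."""
    engine = RuleEngine(rules)
    for alarm in sorted(stream, key=lambda a: a["ts"]):
        engine.feed(alarm)
    return engine.events


def noise_summary(stream, events):
    """(alarms in, alarms absorbed into events, events out)."""
    return len(stream), sum(len(e.alarms) for e in events), len(events)


def constructed_stream():
    """Constructed structured alarms, i.e. what the LLM stage is assumed to emit."""
    def mk(i, ts, host, tactic, technique, procedure):
        return {"id": i, "ts": ts, "host": host, "tactic": tactic,
                "technique": technique, "procedure": procedure}
    return [
        mk(1, 0, "web-01", "Reconnaissance", "T1595", "port scan from external address"),
        mk(2, 120, "web-02", "Reconnaissance", "T1595", "port scan from external address"),
        mk(3, 600, "web-01", "Initial Access", "T1190", "injection attempt against login page"),
        mk(4, 700, "db-01", "Execution", "T1059", "scheduled maintenance script"),
        mk(5, 1200, "web-01", "Execution", "T1059", "command run through uploaded script"),
        mk(6, 1500, "web-01", "Reconnaissance", "T1595", "port scan repeated"),
        mk(7, 1800, "web-01", "Command and Control", "T1071", "periodic HTTP beacon"),
        mk(8, 9000, "web-02", "Initial Access", "T1190", "injection attempt, hours after the scan"),
    ]


if __name__ == "__main__":
    evs = reduce_noise(constructed_stream())
    for e in evs:
        print(e.rule, e.host, e.ttp_chain())
    print("in / absorbed / events:", noise_summary(constructed_stream(), evs))
```

Eight alarms go in and one event comes out: the four stages on web-01 complete the chain in order, the repeated scan on web-01 is ignored because the chain was already past that stage, the isolated execution alarm on db-01 never starts a chain, and the two web-02 alarms are too far apart in time to combine. The per-host keying is the part to get right in practice: without it, alarms from unrelated hosts would be stitched into a single spurious chain.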
The embodiment of the invention also provides an intelligent alarm noise reduction device, which associates discrete alarm data according to attack semantics so that complex attack events can be described accurately and the accuracy and efficiency of alarm noise reduction are improved, and which comprises: an alarm data acquisition module for acquiring original alarm data collected in real time; an attack feature extraction module for inputting the original alarm data into a large language model to obtain structured alarm data output by the large language model, wherein the large language model is obtained by fine-tuning with a network security knowledge base; an attack pattern matching module for taking the structured alarm data as an alarm data stream and inputting it into a rule engine with a built-in attack pattern rule base, wherein attack pattern rules reflecting the logical sequence among attack features are pre-stored in the attack pattern rule base; an attack event aggregation module for acquiring an alarm data sequence which the rule engine identifies in the alarm data stream as matching a pre-stored attack pattern rule, and aggregating the alarm data sequence into an attack event; and an alarm data noise reduction module for determining the attack event as the alarm noise reduction result. The embodiment of the invention also provides a computer device, which comprises a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the intelligent alarm noise reduction method when executing the computer program. The embodiment of the invention also provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the intelligent alarm noise reduction method.
The embodiment of the invention also provides a computer program product, which comprises a computer program, wherein the computer program realizes the intelligent alar