CN-121984795-A - Data alarm system, processing method, electronic equipment and storage medium
Abstract
The embodiments of the specification provide a data alarm system, a processing method, electronic equipment and a storage medium, and relate to the technical field of network security data processing. The system comprises a pattern recognition module, a blocking probability determination module, a compensation factor determination module and an allocation processing module. The pattern recognition module generates a dynamic information sequence with a space-time association relation from alarm information of different sources and identifies the dominant interaction pattern of the current attack; the blocking probability determination module determines an alarm association link and derives a local information blocking probability from the information continuity between adjacent information frames in that link and from the change frequency of the dominant interaction pattern; the compensation factor determination module generates a compensation factor based on the alarm handling channel information and on the network interaction characteristics; and the allocation processing module adjusts the resource quota of the alarm handling channel and the alarm aggregation judgment threshold according to the compensation factor in each preset allocation period. On this basis, redundant alarms are reduced adaptively, and security operation efficiency and protection accuracy are improved.
Inventors
- YANG QING
Assignees
- 京东方科技集团股份有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20260408
Claims (18)
- 1. A data alarm system, comprising: a pattern recognition module, used for generating a dynamic information sequence with a space-time association relation according to alarm information of different sources, and for identifying the dominant interaction pattern of the current attack based on the dynamic association degree sequence of the dynamic information sequence; a blocking probability determination module, used for determining an alarm association link based on the dynamic information sequence, and for determining a local information blocking probability according to the information continuity between adjacent information frames in the alarm association link and the change frequency of the dominant interaction pattern; a compensation factor determination module, used for generating a compensation factor based on the alarm handling channel information in the alarm event handling receipt and on the network interaction characteristics; and an allocation processing module, used for adjusting the resource quota of the alarm handling channel and the alarm aggregation judgment threshold according to the compensation factor in each preset allocation period.
- 2. The system of claim 1, wherein the dynamic information sequence comprises a plurality of information frames arranged in chronological order, each information frame comprising a structured alarm event and the context associated with the alarm event for the same time slice; and the system further comprises a data preprocessing module, used for acquiring the alarm event and the context from different observation sources and merging the alarm event and the context of the same time slice to form the information frame.
- 3. The system of claim 2, wherein the pattern recognition module is further configured to determine the dynamic association degree sequence, and specifically to: determine an association level based on candidate pairs formed by the alarm event of the current information frame and the context of the adjacent information frame; and arrange the association levels corresponding to the plurality of information frames in time order to obtain the dynamic association degree sequence.
- 4. The system of claim 3, wherein the candidate pair comprises an event feature vector corresponding to the alarm event and a context semantic embedding vector corresponding to the context; and the pattern recognition module is further configured to: acquire the event feature vector corresponding to the alarm event based on a preset structuring rule; and acquire the context semantic embedding vector corresponding to the context based on a preset semantic coding model.
- 5. The system of claim 3, wherein the pattern recognition module, when determining the association level, is specifically configured to: perform an entity consistency judgment on the candidate pair based on the source entity identifier, the destination entity identifier and the key object entity identifier; when the entity consistency judgment result meets a first preset condition, perform a semantic consistency judgment on the candidate pair based on entity semantic similarity; when the semantic consistency judgment result meets a second preset condition, perform a time proximity judgment on the candidate pair; and determine the association level according to the entity consistency judgment result, the semantic consistency judgment result and the time proximity judgment result.
- 6. The system of claim 1, wherein the pattern recognition module, when identifying the dominant interaction pattern of the current attack, is specifically configured to: determine a transfer sequence of the corresponding association levels from the information frames within the time range of a first preset sliding time window, the transfer sequence indicating how the association level changes between adjacent information frames; determine a plurality of corresponding interaction patterns by querying a preset pattern dictionary according to the transfer sequence; and determine the dominant interaction pattern according to the number of occurrences and the continuous duration of the interaction patterns.
- 7. The system of claim 1, wherein the blocking probability determination module is further configured to detect the information continuity between adjacent information frames in the alarm association link, and specifically to: perform entity continuity detection on the adjacent information frames based on the source entity identifier, the destination entity identifier and the key object entity identifier corresponding to the adjacent information frames; perform attack stage consistency detection on the adjacent information frames by querying a preset attack stage progression rule table according to the attack stage marks corresponding to the adjacent information frames; and perform semantic drift detection on the contexts of the adjacent information frames by querying a preset semantic embedding similarity interval mapping table.
- 8. The system of claim 1, further comprising an alarm efficiency determination module, used for determining an intended response sparse region based on the network interaction characteristics; and the compensation factor determination module is further configured to generate the corresponding compensation factor based on the combination of the response sparse region and the handling channel.
- 9. The system of claim 8, wherein the alarm efficiency determination module, when determining the intended response sparse region, is configured to: construct an interaction graph based on the network interaction characteristics; divide the interaction graph into a plurality of partitions based on a preset security domain configuration table, a network address planning table and a business asset grouping table; determine the interaction frequency of each partition according to the window length parameter and the step parameter of a second preset sliding time window, the interaction frequency comprising the increment in the number of edges within the partition, the number of triggers of edges crossing the partition and the number of path traversals; and determine whether the partition is an intended response sparse region according to a preset threshold configuration item.
- 10. The system of claim 9, wherein the alarm efficiency determination module is further configured to: determine the alarm repeated-triggering characteristic of each partition according to the window length parameter and the step parameter of the second preset sliding time window, the alarm repeated-triggering characteristic comprising the repeated-triggering density, the repeated-triggering duration and the number of assets covered by the repeated triggering; and determine, based on a preset fluctuation interval mapping table, the corresponding alarm efficiency fluctuation coefficient according to the alarm repeated-triggering characteristic and the dynamic association degree sequence of the corresponding time; and the compensation factor determination module is further configured to determine the compensation factor according to the alarm efficiency fluctuation coefficient.
- 11. The system of claim 10, wherein the compensation factor determination module, when generating the compensation factor, is configured to: construct, based on the alarm event handling receipt, a response delay sample table whose index key is the combination of the intended response sparse region and the handling channel; determine, from the response delay samples, the predicted response delay level and the delay sensitivity level corresponding to the index key by querying a preset response delay level interval table and a sensitivity level interval mapping table; and determine the compensation factor corresponding to the index key by querying a preset adjustment rule table according to the alarm efficiency fluctuation coefficient, the predicted response delay level and the delay sensitivity level; wherein each rule of the adjustment rule table comprises a sparse region identifier application range and a handling channel identifier application range.
- 12. The system of claim 1, wherein the allocation processing module is further configured to: adjust the resource quota parameter and the aggregation threshold parameter corresponding to the alarm handling channel according to the compensation factor; in each preset allocation period, redetermine the dynamic association degree sequence and the local information blocking probability according to the adjusted parameters; and if the dynamic association degree sequence indicates that the dynamic association degree of the information frame sequence in the current allocation period remains valid and the local information blocking probability lies within a preset controlled interval, archive the current parameters into the efficiency configuration and enter the next allocation period, otherwise roll back the current parameters until the parameters are archived into the efficiency configuration.
- 13. The system of claim 12, wherein the dynamic association degree sequence comprises a plurality of dynamic association degree validity markers arranged in time order; and the dynamic association degree remains valid when the proportion of dynamic association degree validity markers marked as valid in the current allocation period is greater than or equal to a preset proportion threshold.
- 14. The system of claim 12, wherein the aggregation threshold parameter comprises a time window threshold parameter and a suppression threshold parameter; and the allocation processing module, when rolling back the current parameters, is specifically configured to: adjust the time window threshold parameter and the suppression threshold parameter from their current values to the values of the previous allocation period according to a preset rollback rule, subject to a preset upper limit on the adjustment step per period.
- 15. A data alarm processing method, comprising: generating a dynamic information sequence with a space-time association relation according to alarm information of different sources, and identifying the dominant interaction pattern of the current attack based on the dynamic association degree sequence of the dynamic information sequence; determining an alarm association link based on the dynamic information sequence, and determining a local information blocking probability according to the information continuity between adjacent information frames in the alarm association link and the change frequency of the dominant interaction pattern; generating a compensation factor based on the alarm handling channel information in the alarm event handling receipt and on the network interaction characteristics; and, in each preset allocation period, adjusting the resource quota of the alarm handling channel and the alarm aggregation judgment threshold according to the compensation factor.
- 16. A computer program product comprising a computer program which, when executed by a processor, implements the method of claim 15.
- 17. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of claim 15 when executing the computer program.
- 18. A computer readable storage medium on which a computer program is stored, which, when executed by a processor, implements the method of claim 15.
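As an added illustration, not code from the patent, the following Python sketch implements the staged association-level judgment of claim 5 (entity consistency gates the semantic check, which gates the time-proximity check) and the sliding-window dominant-pattern selection of claim 6. The 0..3 level scale, the similarity and time thresholds, the pattern dictionary and the sample frames are all assumptions constructed here; the page defines none of them.

```python
import math
from collections import Counter
from dataclasses import dataclass

@dataclass
class Frame:
    t: int        # time-slice index
    src: str      # source entity identifier
    dst: str      # destination entity identifier
    obj: str      # key object entity identifier (account, file, ...)
    emb: tuple    # constructed low-dimensional context semantic embedding

def cosine(a, b):
    na, nb = math.hypot(*a), math.hypot(*b)
    return sum(x * y for x, y in zip(a, b)) / (na * nb) if na and nb else 0.0

def association_level(cur, nxt, sem_thr=0.8, max_gap=2):
    """Claim 5 staged judgment (entity -> semantic -> time); scale and thresholds assumed."""
    if not (cur.src == nxt.src or cur.dst == nxt.dst or cur.obj == nxt.obj):
        return 0                                 # first preset condition not met
    if cosine(cur.emb, nxt.emb) < sem_thr:
        return 1                                 # second preset condition not met
    return 3 if nxt.t - cur.t <= max_gap else 2  # time proximity decides

def association_levels(frames):
    return [association_level(a, b) for a, b in zip(frames, frames[1:])]

def transfer_sequence(levels):
    # Change condition of the association level between adjacent frames
    return tuple("up" if b > a else "down" if b < a else "flat"
                 for a, b in zip(levels, levels[1:]))

# Assumed pattern dictionary keyed by the transfer sequence of a 3-level window
PATTERN_DICT = {("up", "up"): "escalation", ("flat", "up"): "escalation",
                ("up", "flat"): "sustained", ("flat", "flat"): "sustained",
                ("down", "down"): "decay", ("down", "flat"): "decay",
                ("flat", "down"): "decay", ("up", "down"): "burst", ("down", "up"): "burst"}

def dominant_pattern(levels, window=3):
    """Claim 6: slide a window over the levels, map each window's transfer
    sequence to a pattern, rank by occurrences then by longest continuous run."""
    pats = [PATTERN_DICT.get(transfer_sequence(levels[i:i + window]), "unknown")
            for i in range(len(levels) - window + 1)]
    counts, runs, run, prev = Counter(pats), {}, 0, None
    for p in pats:
        run = run + 1 if p == prev else 1
        prev, runs[p] = p, max(runs.get(p, 0), run)
    return max(counts, key=lambda p: (counts[p], runs[p])) if pats else "unknown"

# Constructed sample: one host pivots from the DB to the web server, then a stray printer alarm
SAMPLE = [Frame(0, "10.0.0.5", "srv-db", "admin", (1.0, 0.0, 0.0)),
          Frame(1, "10.0.0.5", "srv-db", "admin", (1.0, 0.0, 0.0)),
          Frame(2, "10.0.0.5", "srv-web", "cfg.php", (0.0, 1.0, 0.0)),
          Frame(3, "10.0.0.5", "srv-web", "cfg.php", (0.0, 1.0, 0.0)),
          Frame(7, "10.0.0.5", "srv-web", "cfg.php", (0.0, 1.0, 0.0)),
          Frame(8, "10.9.9.9", "printer", "job", (0.0, 0.0, 1.0))]
```

Running `association_levels(SAMPLE)` gives the level sequence for the five adjacent pairs, and `dominant_pattern` over it shows how a pattern that occurs most often wins the window vote even when another pattern closes the sequence.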
Description
Data alarm system, processing method, electronic equipment and storage medium
Technical Field
The embodiments of the specification relate to the technical field of network security data processing, and in particular to a data alarm system, a processing method, electronic equipment and a storage medium.
Background
In the field of network security operation, the collection, association and handling of network threat information has become routine work for enterprises and critical infrastructure. A security operation center generally needs to ingest multi-source data from intrusion detection equipment, endpoint detection and response, boundary protection equipment, domain name resolution, proxy access and security orchestration and handling platforms, so as to support continuous monitoring of and quick response to attack behaviours such as intrusion, external download, brute-force attack and lateral movement. The related technology generally manages alarms around rule hits and single-source feature screening and aggregation, and relieves alarm flooding and avoids alarm redundancy through alarm deduplication, alarm classification or merging based on a fixed window. This implementation concerns the electric digital data processing and security event association analysis of multi-source logs and alarm events. However, the prior art is limited in multi-source threat information fusion and redundant alarm reduction: key threat information is easily submerged by repeated alarms or suppressed by false aggregation, and alarm aggregation and handling resource allocation cannot be adjusted adaptively as the threat situation and handling pressure change. This leads to an unbalanced alarm signal-to-noise ratio, delayed response and an increased analysis burden, and affects security operation efficiency and protection accuracy.
Disclosure of Invention
In order to overcome the problems in the related art and improve security operation efficiency and protection accuracy, the embodiments of the present disclosure provide a data alarm system, a processing method, an electronic device and a storage medium. According to a first aspect of an embodiment of the present application, a data alarm system is provided, comprising: a pattern recognition module, used for generating a dynamic information sequence with a space-time association relation according to alarm information of different sources, and for identifying the dominant interaction pattern of the current attack based on the dynamic association degree sequence of the dynamic information sequence; a blocking probability determination module, used for determining an alarm association link based on the dynamic information sequence, and for determining a local information blocking probability according to the information continuity between adjacent information frames in the alarm association link and the change frequency of the dominant interaction pattern; a compensation factor determination module, used for generating a compensation factor based on the alarm handling channel information in the alarm event handling receipt and on the network interaction characteristics; and an allocation processing module, used for adjusting the resource quota of the alarm handling channel and the alarm aggregation judgment threshold according to the compensation factor in each preset allocation period.
In some possible implementations, the dynamic information sequence comprises a plurality of information frames arranged in chronological order, each information frame comprising a structured alarm event and the context associated with the alarm event for the same time slice; and the system further comprises a data preprocessing module, used for acquiring the alarm event and the context from different observation sources and merging the alarm event and the context of the same time slice to form the information frame. In some possible embodiments, the pattern recognition module is further configured to determine the dynamic association degree sequence, and specifically to: determine an association level based on candidate pairs formed by the alarm event of the current information frame and the context of the adjacent information frame; and arrange the association levels corresponding to the plurality of information frames in time order to obtain the dynamic association degree sequence. In some possible embodiments, the candidate pair comprises an event feature vector corresponding to the alarm event and a context semantic embedding vector corresponding to the context; and the pattern recognition module is further configured to: acquire the event feature vector corresponding to the alarm event based on a preset structuring rule; and acquire the context semantic embedded