CN114884801B - Alarm method, alarm device, electronic equipment and storage medium - Google Patents
- Publication number: CN114884801B (application CN202210647322.XA)
- Authority: CN (China)
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The application provides an alarm method, an alarm device, an electronic device and a storage medium, and relates to the technical field of security. When abnormal traffic is identified on a target interface, the method generates alarm information according to the information of the target interface and/or the information of the abnormal traffic, and outputs that alarm information. Because the generated alarm information can carry descriptive information about the interface and/or the abnormal traffic, alarms are issued at a finer granularity: operation and maintenance personnel can tell from the alarm information how urgently the interface needs handling and take corresponding measures in time, which effectively improves operation and maintenance efficiency.
Description
Technical Field
The present application relates to the field of security technologies, and in particular, to an alarm method, an alarm device, an electronic device, and a storage medium.
Background
An application programming interface (API) is an important channel for data exchange and directly provides data and services to users, so the data security, permission security and user-behaviour security of APIs are becoming ever more important.
When an API is attacked, a typical system outputs alarm information so that an operator can handle it in time. However, the meaning of the alarm information currently output is rather generic, for example "the interface is being accessed frequently", so the operator often cannot determine what the alarm actually means for the interface and easily ignores it. Alarms raised on some important interfaces may therefore be handled late, and operation and maintenance efficiency is low.
Disclosure of Invention
The embodiments of the present application aim to provide an alarm method, an alarm device, an electronic device and a storage medium that solve the problems in the prior art that the meaning of the output alarm information is unclear, that operation and maintenance personnel cannot handle some important interfaces in time, and that operation and maintenance efficiency is low.
In a first aspect, an embodiment of the present application provides an alarm method, where the method includes:
if abnormal traffic is identified on the target interface, generating alarm information according to the information of the target interface and/or the information of the abnormal traffic;
and outputting the alarm information for the target interface.
In this implementation, when abnormal traffic is identified on the target interface, the method generates alarm information according to the information of the target interface and/or the information of the abnormal traffic and outputs it. Because the generated alarm information can carry descriptive information about the interface and/or the abnormal traffic, alarms are issued at a finer granularity, so operation and maintenance personnel can tell from the alarm information how urgently the interface needs handling and take corresponding measures in time, which effectively improves operation and maintenance efficiency.
Optionally, generating the alarm information according to the information of the target interface and/or the information of the abnormal traffic includes:
determining a processing priority of the target interface according to the service attribute of the target interface, and/or determining a threat level of the abnormal traffic according to the abnormal condition of the abnormal traffic;
and generating the alarm information according to the processing priority and/or the threat level, wherein the alarm information includes the processing priority and/or the threat level.
In this implementation, the output alarm information contains the processing priority and/or threat level, so its meaning is clearer: operation and maintenance personnel can see from the processing priority and/or threat level which alarms should be handled first and which can be handled later, and then handle the interfaces that need priority handling first, which improves operation and maintenance efficiency.
Optionally, determining the threat level of the abnormal traffic according to the abnormal condition of the abnormal traffic includes:
analysing the attack category of the abnormal traffic;
and determining the threat level of the abnormal traffic according to the attack category.
In this implementation, the threat level is determined according to the attack category, so different attack categories can map to different threat levels, and the threat level of the attack currently hitting the interface can be judged from the attack the interface is actually suffering.
Optionally, determining the processing priority for handling the target interface according to the service attribute of the target interface includes:
looking up, according to the service attribute of the target interface, the processing priority corresponding to that service attribute in a priority mapping table, so as to obtain the processing priority for handling the target interface. Because different processing priorities are set for the service attributes of the interfaces, the processing order can be chosen according to service importance, and higher processing priorities can be set for some important interfaces, so that the security of the important interfaces can be effectively ensured during operation and maintenance.
Optionally, after the threat level of the abnormal traffic is determined according to the abnormal condition of the abnormal traffic and before the alarm information for the target interface is output, the method further includes:
adjusting the processing priority based on the threat level to obtain an adjusted processing priority. In this way the processing priority can be adjusted flexibly according to the severity of the attack the interface is suffering, so that the processing priority matches the current attack: if the attack is serious, the processing priority should be higher.
Optionally, adjusting the processing priority based on the threat level to obtain an adjusted processing priority includes:
acquiring historical access information of the target interface;
and adjusting the processing priority according to the historical access information and the threat level to obtain the adjusted processing priority. In this way a more appropriate processing priority can be determined based on the actual access situation of the interface.
Optionally, obtaining the service attribute of the target interface includes:
acquiring interface information of the target interface, wherein the interface information includes the interface name and/or interface parameters;
and obtaining the service attribute of the target interface according to the interface information.
In this implementation, the service attribute of the interface can be obtained quickly from the interface name and/or interface parameters.
Optionally, outputting the alarm information for the target interface includes:
sorting the alarm information by its processing priority or threat level and outputting it in that order. Operation and maintenance personnel can then work through the alarms directly in sorted order, and manual screening is no longer needed.
Optionally, whether traffic received from the target interface is abnormal traffic is identified by:
performing anomaly detection on the traffic received from the target interface with a neural network model to determine whether the traffic is abnormal. Abnormal traffic can thus be detected accurately.
In a second aspect, an embodiment of the present application provides an alarm device, including:
an alarm information generation module, configured to generate alarm information according to the information of the target interface and/or the information of the abnormal traffic if abnormal traffic is identified on the target interface;
and an alarm information output module, configured to output the alarm information for the target interface.
In a third aspect, an embodiment of the present application provides an electronic device comprising a processor and a memory storing computer readable instructions which, when executed by the processor, perform the steps of the method as provided in the first aspect above.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the method as provided in the first aspect above.
In a fifth aspect, embodiments of the present application provide a computer program product comprising computer program instructions which, when read and run by a processor, perform the steps of the method provided in the first aspect.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the embodiments of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the embodiments are briefly described below. It should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting its scope; a person skilled in the art can obtain other related drawings from these drawings without inventive effort.
FIG. 1 is a flow chart of an alarm method according to an embodiment of the present application;
FIG. 2 is a block diagram of an alarm device according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of an electronic device for executing an alarm method according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
It should be noted that the terms "system" and "network" in the embodiments of the present invention may be used interchangeably. "Plurality" means two or more, and may also be understood as "at least two" in these embodiments. "And/or" describes an association between associated objects and indicates that three relationships are possible; for example, "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. The character "/", unless otherwise specified, generally indicates that the associated objects are in an "or" relationship.
The embodiments of the present application provide an alarm method in which, when abnormal traffic is identified on a target interface, alarm information is generated according to the information of the target interface and/or the information of the abnormal traffic and is output. Because the generated alarm information can carry descriptive information about the interface and/or the abnormal traffic, alarms are issued at a finer granularity, operation and maintenance personnel can tell from the alarm information how urgently the interface needs handling, and corresponding measures can be taken in time, so that the interface is protected from damage and the larger losses an attack would cause are avoided.
Referring to FIG. 1, FIG. 1 is a flowchart of an alarm method according to an embodiment of the present application, where the method includes the following steps:
Step S110: if abnormal traffic is identified on the target interface, alarm information is generated according to the information of the target interface and/or the information of the abnormal traffic.
The target interface may be any interface on a detection device, and the detection device may be a gateway, a switch, a router or another device. In order to protect the detection device against illegitimate attacks and ensure its security, the traffic of each interface on the detection device can be security-checked, and a corresponding alarm raised when the traffic is abnormal, so that operation and maintenance personnel can take corresponding measures in time to handle that traffic.
For example, the traffic of a certain interface may be subjected to anomaly detection; if it is identified as abnormal, alarm information may be generated according to the information of the interface itself and/or the information of the abnormal traffic. The generated alarm information can be understood as carrying information about the interface and/or about the abnormal traffic, so that after seeing the alarm information operation and maintenance personnel know how abnormal the interface's situation is, for example its threat degree, and can then decide directly from the alarm information whether emergency handling is needed.
Step S120: the alarm information for the target interface is output.
Outputting the alarm information here means outputting it to operation and maintenance personnel, for example to their terminal equipment, so that they can see it. The alarm information can carry information about the target interface itself, such as its name, parameters and other related information (so that the personnel can see whether the interface is one that needs urgent handling), and/or information about the abnormal traffic, such as its abnormal condition, including the abnormality type and abnormality degree. For a login interface, for example, the abnormal condition can include an excessive number of logins or an abnormal login IP; for a data interface, the abnormal condition can include sensitive data crawling or a data attack. Of course, the abnormal conditions of abnormal traffic received from different interfaces differ.
In this implementation, when abnormal traffic is identified on the target interface, the method generates alarm information according to the information of the target interface and/or the information of the abnormal traffic and outputs it. Because the generated alarm information can carry descriptive information about the interface and/or the abnormal traffic, alarms are issued at a finer granularity, so operation and maintenance personnel can tell from the alarm information how urgently the interface needs handling and take corresponding measures in time, which effectively improves operation and maintenance efficiency.
Building on the above embodiment, generating the alarm information according to the information of the target interface and/or the information of the abnormal traffic can be understood as: the alarm information can be generated from the information of the target interface alone, from the information of the abnormal traffic alone, or from both the information of the target interface and the information of the abnormal traffic.
The information of the target interface may be the service attribute of the target interface, which can be understood as a service label of the interface: for a login interface the service attribute is login, for a data download interface it is data download, and for a sensitive data interface it is sensitive data. Different service attributes can be set for different interfaces. The service attributes can be set for each interface in advance, that is, a service attribute table is built for the interfaces that stores the correspondence between each interface's name or parameters and its service attribute, so that when the service attribute of the target interface is to be determined it can be looked up directly in the service attribute table.
The processing priority corresponding to the target interface can be determined according to its service attribute. The processing priorities can be preconfigured, for example by configuring different processing priorities for different service attributes and storing the correspondence between service attribute and processing priority in a priority mapping table. In some embodiments, the processing priority corresponding to the service attribute of the target interface is looked up in the priority mapping table to obtain the processing priority for handling the target interface.
Different processing priorities may be configured for different interfaces: for some important monitored interfaces, such as data interfaces, data security matters more, so a higher processing priority may be set, while for some less significant interfaces a lower processing priority may be set. The processing priority indicates how urgently an interface should be handled. When the traffic of an interface is found to be abnormal, alarm information is generated for that interface; a high processing priority means a high degree of urgency, and if the processing priority is included in the alarm information, operation and maintenance personnel can handle the interfaces in the corresponding order, handling those with a high processing priority first and those with a low processing priority later.
In addition, the threat level of the abnormal traffic can be determined according to its abnormal condition. The threat level represents how much of a threat the abnormal traffic poses to the target interface: a higher threat level means a greater threat and a lower threat level a smaller one.
The abnormal condition of the abnormal traffic may be as in the example above: for a login interface, the number of logins from the same IP may be counted, and if it exceeds a set number the traffic is determined to be abnormal; alternatively, it may be further determined whether the login IP is a blacklisted IP, and if so the traffic is determined to be abnormal, with the abnormal condition being an abnormal login IP. The traffic can therefore be analysed for anomalies to obtain its abnormal condition, and in practice different analysis methods can be chosen as required. The corresponding threat level can then be determined based on the abnormal condition; for example, an abnormal login IP and an excessive login frequency may be assigned different threat levels, one higher than the other.
In some embodiments, different threat levels may be configured in advance for the different abnormal conditions of a certain interface's traffic, so that once the traffic on a target interface is determined to be abnormal, its abnormal condition is analysed and the corresponding threat level is looked up from that condition.
It will be appreciated that the abnormal condition here may include the attack category: that is, the attack category of the abnormal traffic may be analysed and its threat level then determined based on the attack category.
The attack category can be understood as an abnormality category, such as the excessive login count and abnormal login IP categories mentioned above. Because different interfaces have different service attributes, the attack categories they suffer may also differ; for a data interface, for example, the attack categories may include sensitive data download and unauthorised data download. Different threat levels can therefore be set for different attack categories, and the threat level can of course be determined according to how much of a threat a given attack category poses to the interface. If sensitive data download is considered more important internally, its threat level can be greater than that of unauthorised data download, and the threat levels are set accordingly.
If the alarm information contains the threat level, operation and maintenance personnel can judge from it how severely the interface is threatened and take corresponding measures in time.
If the alarm information contains both the processing priority and the threat level, operation and maintenance personnel can also decide whether to handle it urgently according to either, so the scheme outputs alarm information with a clear meaning, and the personnel know the meaning and urgency of the alarm immediately. Of course, to refine the alarm information further so that its meaning is even clearer, the alarm information can also include the service attribute of the interface; for a data interface, for example, the alarm information can read: The data interface is subject to a sensitive data download attack, threat level 1, processing priority 1. Compared with issuing the same alarm for all interfaces, such as 'interface high-frequency access', the scheme refines the alarms per interface, so that operation and maintenance personnel know which alarms need priority handling without screening, which improves operation and maintenance efficiency.
In this implementation, the output alarm information contains the processing priority and/or threat level, so its meaning is clearer: operation and maintenance personnel can see from the processing priority and/or threat level which alarms should be handled first and which can be handled later, and then handle the interfaces that need priority handling first, which improves operation and maintenance efficiency.
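The alarm-generation path described above (service attribute table, priority mapping table, threat level per attack category, alarm text, and sorted output) as a worked example. This is added illustration code, not code from the patent or its applicant; the interface names, service attributes, priority and threat-level numbers, and the parameter-based fallback are constructed assumptions chosen to reproduce the alarm text given in the description.

```python
from dataclasses import dataclass

# Constructed configuration tables (assumptions, not values from the patent).
BUSINESS_ATTRIBUTE_TABLE = {        # interface name -> service attribute
    "login": "login",
    "download": "data download",
    "export_customers": "sensitive data",
}
PARAMETER_HINTS = {                 # parameter set -> service attribute (fallback)
    frozenset({"username", "password"}): "login",
}
PRIORITY_MAP = {                    # service attribute -> processing priority (1 = most urgent)
    "sensitive data": 1,
    "data download": 3,
    "login": 5,
}
THREAT_LEVEL_MAP = {                # attack category -> threat level (1 = most severe)
    "sensitive data download": 1,
    "non-authority data download": 2,
    "abnormal login IP": 3,
    "excessive login count": 4,
}


@dataclass(frozen=True)
class Alert:
    interface: str
    service_attribute: str
    attack_category: str
    threat_level: int
    processing_priority: int

    def text(self) -> str:
        """Render the alarm in the shape the description gives as its example."""
        return (f"The {self.service_attribute} interface is subject to a "
                f"{self.attack_category} attack, threat level {self.threat_level}, "
                f"processing priority {self.processing_priority}")


def resolve_service_attribute(interface_name, parameters=()):
    """Look the interface up by name first, then fall back to its parameter set,
    mirroring the name-or-parameters keying of the service attribute table."""
    attr = BUSINESS_ATTRIBUTE_TABLE.get(interface_name)
    if attr is None:
        attr = PARAMETER_HINTS.get(frozenset(parameters))
    if attr is None:
        raise KeyError(f"no service attribute known for interface {interface_name!r}")
    return attr


def generate_alert(interface_name, attack_category, parameters=()):
    """Build the alarm from the interface's service attribute (processing
    priority) and the abnormal traffic's attack category (threat level)."""
    attr = resolve_service_attribute(interface_name, parameters)
    return Alert(interface_name, attr, attack_category,
                 THREAT_LEVEL_MAP[attack_category], PRIORITY_MAP[attr])


def sort_alerts(alerts, by="processing_priority"):
    """Order alarms most-urgent first by either field, so operators can work
    the list top to bottom without screening."""
    if by not in ("processing_priority", "threat_level"):
        raise ValueError(f"unsupported sort field {by!r}")
    return sorted(alerts, key=lambda a: (getattr(a, by), a.interface))


if __name__ == "__main__":
    queue = [
        generate_alert("login", "excessive login count"),
        generate_alert("export_customers", "sensitive data download"),
        # Unknown name, recognised as a login interface from its parameters.
        generate_alert("signin", "abnormal login IP", parameters=("username", "password")),
    ]
    for alert in sort_alerts(queue):
        print(alert.text())
```

With these tables the sensitive-data interface produces exactly the alarm text quoted above ("... threat level 1, processing priority 1") and sorts ahead of the login alarms whichever field the operator sorts on.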
Building on the above embodiment, the service attribute of the target interface may also be determined in real time: for example, when the detection device recognises that the traffic received from the target interface is abnormal, it obtains the interface information of the target interface, which includes the interface name and/or the interface parameters, and then obtains the service attribute of the target interface from that interface information.
The interface name is the name of the interface; "login", for example, may denote a login interface. The interface parameters may be fields such as username and password, which likewise indicate a login interface. The service attribute of the interface can be known by recognising the interface name and/or the interface parameters; in this example the service attribute is "login". Of course, the service attribute can be determined more accurately by combining the interface name with the interface parameters.
Alternatively, the service attribute of an interface can be recognised the first time traffic is received from it and the interface is then tagged with that service attribute, so that after abnormal traffic is later identified on the interface its service attribute can be determined from the tag. Or the service attribute can be recognised in advance from the interface name and/or interface parameters and the interface tagged with it, so that the service attribute can be determined directly later.
Based on the above embodiment, the detection device may identify whether the traffic received from an interface is abnormal through some configured rules. For a login interface, for example, it may determine whether the number of logins exceeds a set number, in which case the traffic is abnormal, or determine whether the login IP is on a blacklist, in which case the traffic is abnormal; otherwise the traffic is not abnormal.
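The two configured rules for a login interface (login count above a set number, login IP on a blacklist) applied to sample access-log lines, as an added example rather than code from the patent. The log-line format, the threshold of 5, the blacklist entry and the documentation-range IP addresses are all constructed for the illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines for one detection window. The addresses
# are from documentation ranges; none of this is real data.
SAMPLE_LOG_LINES = [
    "2024-01-01T10:00:01Z POST /login src=203.0.113.5 status=401",
    "2024-01-01T10:00:02Z POST /login src=203.0.113.5 status=401",
    "2024-01-01T10:00:03Z POST /login src=203.0.113.5 status=401",
    "2024-01-01T10:00:04Z POST /login src=203.0.113.5 status=401",
    "2024-01-01T10:00:05Z POST /login src=203.0.113.5 status=401",
    "2024-01-01T10:00:06Z POST /login src=203.0.113.5 status=200",
    "2024-01-01T10:00:07Z POST /login src=198.51.100.7 status=200",
    "2024-01-01T10:00:08Z POST /login src=192.0.2.99 status=200",
    "2024-01-01T10:00:09Z GET /health src=198.51.100.7 status=200",
]

# Assumed rule configuration; both values are illustrative placeholders.
LOGIN_COUNT_THRESHOLD = 5              # the "set number of times" per source IP per window
BLACKLISTED_IPS = frozenset({"192.0.2.99"})

LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) src=(?P<src>\S+) status=(?P<status>\d+)$"
)


def parse_login_events(lines, login_path="/login"):
    """Return the source IP of every request that hit the login interface.
    Lines that do not parse, or that target other interfaces, are skipped."""
    sources = []
    for line in lines:
        m = LOG_PATTERN.match(line)
        if m and m.group("path") == login_path:
            sources.append(m.group("src"))
    return sources


def classify_login_traffic(lines, threshold=LOGIN_COUNT_THRESHOLD,
                           blacklist=BLACKLISTED_IPS):
    """Apply the two configured rules and return {source_ip: abnormal_condition}.
    The blacklist rule is checked first because it identifies the source itself;
    an IP matching neither rule is normal traffic and is left out."""
    per_ip = Counter(parse_login_events(lines))
    findings = {}
    for ip, count in per_ip.items():
        if ip in blacklist:
            findings[ip] = "abnormal login IP"
        elif count > threshold:
            findings[ip] = "excessive login count"
    return findings


if __name__ == "__main__":
    for ip, condition in classify_login_traffic(SAMPLE_LOG_LINES).items():
        print(f"{ip}: {condition}")
```

The abnormal condition each rule emits is the label that the threat-level lookup described earlier keys on, so the output of this step feeds the alarm generation step directly.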
In order to detect abnormal traffic more accurately, a neural network model may also perform anomaly detection on the traffic received from the target interface to determine whether it is abnormal.
The type of neural network model can be chosen flexibly according to actual requirements, such as a long short-term memory (LSTM) network or a generative adversarial network (GAN). The model can be trained in advance on a large volume of traffic, during which it learns the abnormal features in the traffic and can thus perform anomaly detection. The specific detection process is not described in detail here.
On the basis of the above embodiment, since the processing priority is set manually in advance according to the service attribute of the interface, which includes some subjective considerations, but in a practical situation, the attack degree of the interface is closely related to the processing priority, after determining the processing priority of the target interface according to the service attribute and determining the threat level of the abnormal traffic according to the abnormal condition of the abnormal traffic, the method further includes: and adjusting the processing priority based on the threat level to obtain the adjusted processing priority.
The processing priority of the target interface, which is determined based on the traffic attributes, may be considered to be the initial processing priority, and then the processing priority may be adjusted accordingly based on the threat level actually determined. For example, the initial processing priority is 5, the level is lower, the priority processing sequence of the target interface is later, the threat level of the abnormal flow is determined to be 1 according to the abnormal situation, the threat level is higher, the interface is under serious attack at this time, and the attention of the operation and maintenance personnel needs to be caused, so the processing priority can be improved according to the threat level, for example, the processing priority is adjusted to be 4 or 3, namely, the priority processing degree of the processing priority is improved, and if the threat level is also lower, for example, the threat level is 4, the attack degree suffered by the interface is not serious at this time, and the corresponding processing priority can not be adjusted.
Alternatively, whether to adjust can be decided from how well the threat level and the processing priority match. For example, a correspondence between each threat level and a processing priority range may be preset: threat level 1 corresponds to the processing priority range 1-2, meaning that under normal circumstances an interface with threat level 1 should have processing priority 1 or 2. If the currently determined processing priority is outside this range, it is adjusted into the range; for example, if the currently determined processing priority is 4, the adjustment amount may be -2 or -3, i.e. the processing priority is adjusted to 2 or 1. If the currently determined processing priority is already within the range, no adjustment is performed. In other words, a processing priority range is configured for each threat level, and it is then checked whether the processing priority determined from the service attribute lies within the range corresponding to the currently determined threat level: if so, no adjustment is performed (the adjustment amount is 0); if not, the current processing priority is adjusted into the processing priority range corresponding to the threat level.
It should be noted that the specific adjustment mode may be set flexibly according to actual requirements. The underlying principle is: when the threat level is high but the processing priority is low, the processing priority is raised appropriately; when the threat level is low but the processing priority is high, the processing priority is lowered appropriately; and when both are medium, no adjustment is performed.
In this way the processing priority can be adjusted flexibly to the degree of attack the interface is actually suffering, so that it matches the current attack: if the attack is serious, the processing priority should be higher.
Building on the above embodiment, the access information of the interface may also be taken into account when adjusting. For example, historical access information of the target interface is obtained, and the processing priority is then adjusted according to the historical access information and the threat level, giving the adjusted processing priority.
The historical access information may include the historical access volume, and may also include data such as the mean, variance and standard deviation of accesses over a period of time; such data indirectly reflects the historical access pattern of the interface. For example, an adjustment amount may be determined from the historical access information and the threat level: the historical access information is first mapped to an initial priority, the initial priority and the threat level are then weighted and summed to obtain the adjustment amount, and the currently determined processing priority is adjusted by that amount.
The mapping between historical access information and initial priority may be preconfigured, with different historical access volumes mapped to corresponding initial priorities: a high historical access volume indicates that the interface is important and deserves a higher priority, so a somewhat higher initial priority may be configured; a low historical access volume indicates that the interface may be less important, so a somewhat lower initial priority may be configured. The initial priority can thus be configured flexibly for different ranges of historical access volume. When the initial priority and the threat level are weighted and summed, the weights can be set according to actual requirements, for example giving the threat level a slightly larger weight and the initial priority a slightly smaller one; an adjustment amount is calculated from the threat level and the initial priority, and the currently determined processing priority is then adjusted by it. The rule for raising or lowering the processing priority by the adjustment amount is that the adjusted processing priority is positively related to the threat level: the higher the threat level, the higher the adjusted processing priority, and the lower the threat level, the lower the adjusted processing priority.
For example, with initial priority 1, threat level 1, weight 0.6 for the initial priority and weight 0.4 for the threat level, the weighted sum gives an adjustment amount of 1; if the currently determined processing priority is 3, the adjusted processing priority is 2, i.e. the processing priority is raised. If the initial priority is 2 and the threat level is 1, the weighted sum gives an adjustment amount of 1.6; with a currently determined processing priority of 3, the adjusted processing priority is 1.4, which rounds to 1. As another example, with initial priority 2 and threat level 3 the adjustment amount after weighted summation is 2.4; the currently determined processing priority is 2, and since the threat level is lower in this case the processing priority should be lowered: the adjusted processing priority is 4.4, which rounds to 4.
It should be noted that in practice the method of adjusting the processing priority according to the historical access information and the threat level is not limited to the example above; the specific adjustment method may be set flexibly according to actual requirements, as long as the adjusted processing priority fits both the threat level and the historical access information, so that a more suitable processing priority is obtained.
On the basis of the above embodiment, after the alarm information is output to the operation and maintenance personnel, they can filter it by processing priority and/or threat level. Because operation and maintenance personnel may receive a large amount of alarm information in a short time, filtering by processing priority and/or threat level lets them quickly pick out the alarm information that needs to be handled first, so that the interfaces needing priority handling are dealt with in time.
Of course, to reduce the filtering work of the operation and maintenance personnel, the alarm information may also be sorted by processing priority or threat level before it is output. If multiple alarm messages are output in order from high to low processing priority, or from high to low threat level, the personnel can handle the alarm information directly in that order without filtering it themselves, since the alarms that need priority handling are placed first, which further improves operation and maintenance efficiency.
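The two adjustment strategies described above (the threat-level range check, and the weighted sum of initial priority and threat level with the 0.6/0.4 figures) together with the sorted output of alarm information, as one added Python example. This is illustration code written for this page, not the patent's implementation. Assumptions: a 1-to-5 scale where 1 is the highest processing priority and the most severe threat; the priority-range rows other than threat level 1; the access-volume thresholds; the sample alarm records; and the direction rule (subtract the adjustment amount when the threat level is numerically below the current priority, add it when above, leave it when equal), which is one reading of the principle stated earlier and reproduces the figures 2, 1 and 4 from the text.

```python
"""Alarm prioritisation: priority adjustment and sorted output (added example).

Scale assumption: 1 = highest processing priority / most severe threat, 5 = lowest.
Every mapping table, weight and sample record here is constructed for illustration.
"""
from dataclasses import dataclass

PRIORITY_MIN, PRIORITY_MAX = 1, 5

# Strategy 1: threat level -> inclusive processing-priority range.
# Level 1 -> (1, 2) follows the text; the other rows are assumed.
PRIORITY_RANGE_BY_THREAT = {1: (1, 2), 2: (2, 3), 3: (3, 3), 4: (3, 4), 5: (4, 5)}

# Strategy 2: (lower bound of historical access count, initial priority), assumed table.
# Higher volume -> more important interface -> higher (numerically smaller) priority.
INITIAL_PRIORITY_BY_ACCESS = [(100_000, 1), (10_000, 2), (1_000, 3), (100, 4), (0, 5)]

# Weights from the worked figures in the text: initial priority 0.6, threat level 0.4.
WEIGHT_INITIAL, WEIGHT_THREAT = 0.6, 0.4


def _clamp(priority: float) -> int:
    """Round to the nearest integer and keep within the 1..5 scale."""
    return max(PRIORITY_MIN, min(PRIORITY_MAX, round(priority)))


def adjust_by_range(processing_priority: int, threat_level: int) -> int:
    """Range check: move to the nearest edge of the configured range, else leave unchanged (amount 0)."""
    lo, hi = PRIORITY_RANGE_BY_THREAT[threat_level]
    if processing_priority < lo:
        return lo
    if processing_priority > hi:
        return hi
    return processing_priority


def initial_priority_from_history(historical_access_count: int) -> int:
    """Map the historical access volume to an initial priority via the assumed table."""
    for threshold, priority in INITIAL_PRIORITY_BY_ACCESS:
        if historical_access_count >= threshold:
            return priority
    return PRIORITY_MAX


def adjustment_amount(initial_priority: int, threat_level: int) -> float:
    """Weighted sum of initial priority and threat level."""
    return WEIGHT_INITIAL * initial_priority + WEIGHT_THREAT * threat_level


def adjust_by_history(processing_priority: int, initial_priority: int, threat_level: int) -> int:
    """Apply the weighted-sum amount in the direction given by comparing threat level and priority.

    Threat more severe than the priority reflects (numerically lower) -> subtract the amount
    (raise priority); milder -> add it (lower priority); equal -> no adjustment.
    """
    amount = adjustment_amount(initial_priority, threat_level)
    if threat_level < processing_priority:
        return _clamp(processing_priority - amount)
    if threat_level > processing_priority:
        return _clamp(processing_priority + amount)
    return processing_priority


@dataclass
class Alarm:
    interface: str
    attack_category: str
    processing_priority: int   # adjusted value carried in the alarm information
    threat_level: int


def generate_alarm(interface, attack_category, service_priority, threat_level, history_count) -> Alarm:
    """Build the alarm record: service-attribute priority adjusted by history and threat level."""
    initial = initial_priority_from_history(history_count)
    adjusted = adjust_by_history(service_priority, initial, threat_level)
    return Alarm(interface, attack_category, adjusted, threat_level)


def sort_alarms(alarms, by="processing_priority"):
    """Order alarms most-urgent first (ascending on the 1..5 scale); sorted() is stable for ties."""
    if by not in ("processing_priority", "threat_level"):
        raise ValueError(f"unsupported sort key: {by}")
    return sorted(alarms, key=lambda a: getattr(a, by))


# Constructed sample: (interface, attack category, service-attribute priority, threat level, history)
SAMPLE = [
    ("/api/order/pay", "injection", 3, 1, 150_000),   # initial 1, amount 1.0, 3 - 1.0 -> 2
    ("/api/user/avatar", "scanning", 2, 3, 20_000),   # initial 2, amount 2.4, 2 + 2.4 -> 4
    ("/api/search", "brute_force", 3, 1, 20_000),     # initial 2, amount 1.6, 3 - 1.6 -> 1
]


def demo():
    """Generate alarms for the sample and return them sorted by adjusted processing priority."""
    return sort_alarms([generate_alarm(*row) for row in SAMPLE])


if __name__ == "__main__":
    for a in demo():
        print(f"P{a.processing_priority} T{a.threat_level} {a.interface} ({a.attack_category})")
```

Running the file prints the sample alarms most-urgent first. Python's round() on these values matches the text (1.4 rounds to 1, 4.4 to 4), and the clamp keeps a priority raised past 1 at 1; pass by="threat_level" to sort_alarms to get the other ordering the text mentions.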
Referring to fig. 2, fig. 2 is a block diagram of an alarm device 200 according to an embodiment of the application; the device 200 may be a module, a program segment or a piece of code on an electronic device. It should be understood that the apparatus 200 corresponds to the method embodiment of fig. 1 and can perform the steps of that embodiment; for the specific functions of the apparatus 200, refer to the description above, which is not repeated here to avoid redundancy.
Optionally, the apparatus 200 includes:
The alarm information generating module 210 is configured to generate alarm information according to information of the target interface and/or information of the abnormal traffic if the abnormal traffic is identified from the target interface;
and an alarm information output module 220, configured to output the alarm information for the target interface.
Optionally, the alarm information generating module 210 is configured to determine a processing priority of the target interface according to a service attribute of the target interface; and/or determine a threat level of the abnormal traffic according to the abnormal condition of the abnormal traffic; and generate alarm information according to the processing priority and/or the threat level, wherein the alarm information includes the processing priority and/or the threat level.
Optionally, the alarm information generating module 210 is configured to analyze an attack class of the abnormal traffic; and determining the threat level of the abnormal traffic according to the attack category.
Optionally, the alarm information generating module 210 is configured to look up, according to the service attribute of the target interface, the processing priority corresponding to that service attribute in a priority mapping table, so as to obtain the processing priority for processing the target interface.
Optionally, the apparatus 200 further includes:
And the priority adjustment module is used for adjusting the processing priority based on the threat level to obtain the adjusted processing priority.
Optionally, the priority adjustment module is configured to obtain historical access information of the target interface; and adjusting the processing priority according to the historical access information and the threat level to obtain an adjusted processing priority.
Optionally, the alarm information generating module 210 is configured to obtain interface information of the target interface, where the interface information includes an interface name and/or an interface parameter; and acquiring the service attribute of the target interface according to the interface information.
Optionally, the alarm information output module 220 is configured to sort and output alarm information according to the processing priority or threat level of the alarm information.
Optionally, the alarm information generating module 210 is configured to perform anomaly detection on the traffic received from the target interface through a neural network model, so as to determine whether the traffic is an abnormal traffic.
It should be noted that, for convenience and brevity of description, a person skilled in the art will clearly understand that for the specific working procedure of the apparatus described above, reference may be made to the corresponding procedure in the foregoing method embodiment; the description is not repeated here.
Referring to fig. 3, fig. 3 is a schematic structural diagram of an electronic device for executing an alarm method according to an embodiment of the present application, where the electronic device may include: at least one processor 310, such as a CPU, at least one communication interface 320, at least one memory 330, and at least one communication bus 340. Wherein the communication bus 340 is used to enable direct connection communication of these components. The communication interface 320 of the device in the embodiment of the present application is used for performing signaling or data communication with other node devices. The memory 330 may be a high-speed RAM memory or a nonvolatile memory (non-volatile memory), such as at least one disk memory. Memory 330 may also optionally be at least one storage device located remotely from the aforementioned processor. The memory 330 has stored therein computer readable instructions which, when executed by the processor 310, perform the method process described above in fig. 1.
It will be appreciated that the configuration shown in fig. 3 is merely illustrative, and that the electronic device may also include more or fewer components than shown in fig. 3, or have a different configuration than shown in fig. 3. The components shown in fig. 3 may be implemented in hardware, software, or a combination thereof.
Embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs a method process performed by an electronic device in the method embodiment shown in fig. 1.
The present embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, are capable of performing the methods provided by the above-described method embodiments, for example, comprising: if the abnormal flow is identified from the target interface, generating alarm information according to the information of the target interface and/or the information of the abnormal flow; and outputting the alarm information aiming at the target interface.
In summary, the embodiments of the present application provide an alarm method, an apparatus, an electronic device, and a storage medium, where when an abnormal traffic is identified from a target interface, the method generates alarm information according to information of the target interface and/or information of the abnormal traffic, and outputs the alarm information, where the generated alarm information may include related description information of the interface and/or the abnormal traffic, so as to implement an alarm with finer granularity, so that an operator can know an urgent processing degree of the interface according to the alarm information, and then take corresponding measures in time to perform processing, thereby effectively improving operation and maintenance efficiency.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
Further, the units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Furthermore, functional modules in various embodiments of the present application may be integrated together to form a single portion, or each module may exist alone, or two or more modules may be integrated to form a single portion.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.
Claims (9)
1. A method of alerting, the method comprising:
if abnormal traffic is identified from the target interface, generating alarm information according to the information of the target interface and the information of the abnormal traffic;
outputting the alarm information for the target interface;
wherein the generating of the alarm information according to the information of the target interface and the information of the abnormal traffic includes:
determining a processing priority of the target interface according to the service attribute of the target interface, and determining a threat level of the abnormal traffic according to the abnormal condition of the abnormal traffic;
generating alarm information according to the processing priority and the threat level, wherein the alarm information includes the processing priority and the threat level;
after determining the threat level of the abnormal traffic according to the abnormal condition of the abnormal traffic, and before outputting the alarm information for the target interface, the method further comprises:
adjusting the processing priority based on the threat level to obtain an adjusted processing priority;
the step of adjusting the processing priority based on the threat level to obtain an adjusted processing priority includes:
acquiring historical access information of the target interface;
adjusting the processing priority according to the historical access information and the threat level to obtain an adjusted processing priority;
the step of adjusting the processing priority according to the historical access information and the threat level to obtain an adjusted processing priority includes:
determining an initial priority according to the historical access information, wherein a mapping relation between the historical access information and the initial priority is preconfigured;
weighting and summing the initial priority and the threat level to obtain an adjustment quantity;
and adjusting the processing priority according to the adjustment quantity, wherein the adjusted processing priority is positively correlated with the threat level.
2. The method of claim 1, wherein said determining a threat level of said abnormal traffic from an abnormal condition of said abnormal traffic comprises:
analyzing the attack category of the abnormal flow;
and determining the threat level of the abnormal traffic according to the attack category.
3. The method of claim 1, wherein said determining a processing priority for processing the target interface based on the service attribute of the target interface comprises:
searching, according to the service attribute of the target interface, the processing priority corresponding to the service attribute in a priority mapping table, so as to obtain the processing priority for processing the target interface.
4. The method of claim 1, wherein obtaining the service attribute of the target interface comprises:
acquiring interface information of the target interface, wherein the interface information comprises an interface name and/or interface parameters;
and acquiring the service attribute of the target interface according to the interface information.
5. The method of claim 1, wherein the outputting the alert information for the target interface comprises:
and sequencing and outputting the alarm information according to the processing priority or threat level of the alarm information.
6. The method of any of claims 1-5, wherein identifying whether traffic received from the target interface is abnormal traffic is performed by:
carrying out anomaly detection on the traffic received from the target interface through a neural network model so as to determine whether the traffic is abnormal.
7. An alert device, the device comprising:
an alarm information generation module, used for generating alarm information according to the information of the target interface and the information of the abnormal traffic if abnormal traffic is identified from the target interface;
an alarm information output module, used for outputting the alarm information for the target interface;
the alarm information generation module is specifically configured to determine a processing priority of the target interface according to a service attribute of the target interface, and determine a threat level of the abnormal traffic according to an abnormal condition of the abnormal traffic; generating alarm information according to the processing priority and the threat level, wherein the alarm information comprises the processing priority and the threat level;
wherein the apparatus further comprises:
The priority adjustment module is used for adjusting the processing priority based on the threat level to obtain an adjusted processing priority;
The priority adjustment module is specifically configured to obtain historical access information of the target interface; adjusting the processing priority according to the historical access information and the threat level to obtain an adjusted processing priority;
The priority adjustment module is specifically configured to determine an initial priority according to the historical access information, where a mapping relationship between the historical access information and the initial priority is preconfigured; weighting and summing the initial priority and the threat level to obtain an adjustment quantity; and adjusting the processing priority according to the adjustment quantity, wherein the adjusted processing priority is positively correlated with the threat level.
8. An electronic device comprising a processor and a memory storing computer readable instructions that, when executed by the processor, perform the method of any of claims 1-6.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, performs the method according to any of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210647322.XA CN114884801B (en) | 2022-06-09 | 2022-06-09 | Alarm method, alarm device, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114884801A CN114884801A (en) | 2022-08-09 |
CN114884801B true CN114884801B (en) | 2024-09-24 |
Family
ID=82681678
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114884801B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113645232A (en) * | 2021-08-10 | 2021-11-12 | 克拉玛依和中云网技术发展有限公司 | Intelligent flow monitoring method and system for industrial internet and storage medium |
CN114218577A (en) * | 2021-12-27 | 2022-03-22 | 绿盟科技集团股份有限公司 | API risk determination method, device, equipment and medium |
CN114328139A (en) * | 2021-12-17 | 2022-04-12 | 江苏银承网络科技股份有限公司 | Monitoring method and device for hall interface, storage medium and server |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105407103B (en) * | 2015-12-19 | 2018-06-29 | 中国人民解放军信息工程大学 | A kind of Cyberthreat appraisal procedure based on more granularity abnormality detections |
CN109660502A (en) * | 2018-09-28 | 2019-04-19 | 平安科技(深圳)有限公司 | Detection method, device, equipment and the storage medium of abnormal behaviour |
US11483326B2 (en) * | 2019-08-30 | 2022-10-25 | Palo Alto Networks, Inc. | Context informed abnormal endpoint behavior detection |
CN110806921B (en) * | 2019-09-30 | 2023-02-07 | 烽火通信科技股份有限公司 | OVS (optical virtual system) abnormity alarm monitoring system and method |
CN113516337A (en) * | 2021-03-25 | 2021-10-19 | 中国雄安集团数字城市科技有限公司 | Method and device for monitoring data security operation |
CN113342607A (en) * | 2021-06-08 | 2021-09-03 | 北京科东电力控制系统有限责任公司 | API-oriented full-scene multi-dimensional monitoring mechanism implementation method |
CN113419928A (en) * | 2021-07-16 | 2021-09-21 | 中国建设银行股份有限公司 | Monitoring alarm method and device |
CN114095332A (en) * | 2021-11-11 | 2022-02-25 | 建信金融科技有限责任公司 | Information processing method, device, equipment and computer storage medium |
CN114257489A (en) * | 2021-12-23 | 2022-03-29 | 中国工商银行股份有限公司 | Method and device for realizing rich monitoring alarm content and computer equipment |
CN114465881B (en) * | 2022-01-26 | 2023-08-08 | 苏州浪潮智能科技有限公司 | Alarm information storage and transmission method and related device |
CN114143173B (en) * | 2022-01-30 | 2022-07-15 | 奇安信科技集团股份有限公司 | Data processing method, device, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||