
CN119628971B - Method, device, equipment and storage medium for reducing noise of safety alarm data - Google Patents


Info

Publication number
CN119628971B
Authority
CN
China
Prior art keywords
alarm data
target
target alarm
data
preset
Prior art date
Legal status: Active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number
CN202510159028.8A
Other languages
Chinese (zh)
Other versions
CN119628971A (en)
Inventor
郑金钰
孙佳
罗家强
Current Assignee: DBAPPSecurity Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: DBAPPSecurity Co Ltd
Events
  • Application filed by DBAPPSecurity Co Ltd
  • Priority to CN202510159028.8A
  • Publication of CN119628971A
  • Application granted
  • Publication of CN119628971B

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 for detecting or protecting against malicious traffic > H04L 63/1408 by monitoring network traffic > H04L 63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 18/00 Pattern recognition > G06F 18/10 Pre-processing; Data cleansing
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 18/00 Pattern recognition > G06F 18/20 Analysing > G06F 18/22 Matching criteria, e.g. proximity measures
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L 41/06 Management of faults, events, alarms or notifications > H04L 41/0604 using filtering, e.g. reduction of information by using priority, element types, position or time
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Evolutionary Computation (AREA)
  • Physics & Mathematics (AREA)
  • Evolutionary Biology (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Alarm Systems (AREA)

Abstract

The present application discloses a method, apparatus, device and storage medium for noise reduction of security alarm data, in the field of network security technology. The method includes: if a target table entry matching the target alarm data already exists in a locally pre-created dynamic table, performing engineering research and judgment on the target alarm data using that entry, so that the current research and judgment result is determined from the alarm data research and judgment result pre-recorded in the entry; if no matching target table entry exists in the dynamic table, analyzing and judging the target alarm data with a preset large model to obtain the current research and judgment result, and generating a target table entry for the target alarm data in the dynamic table based on that result; and determining, based on the current research and judgment result, whether the target alarm data reaches a preset security threat level, and if not, removing the target alarm data. The method prevents attacks from bypassing detection and so improves the coverage of alarm research and judgment.

Description

Method, device, equipment and storage medium for reducing noise of safety alarm data
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for noise reduction of security alarm data.
Background
The alarm information generated by network security equipment is voluminous and contains a large number of false alarms, so security operators must spend a great deal of time and effort screening and analyzing it to determine which alarms are real threats. Existing judging schemes handle and denoise alarms automatically by rule matching, which reduces the operators' workload and allows noise reduction rules to be generated automatically. However, because the security alarms are matched purely from the rule-matching angle, many attacks are easily bypassed and cannot be found flexibly and accurately, so the value of the alarms is not fully used; a single alarm matching mechanism therefore cannot accurately judge comprehensive security behavior and is one-sided.
From the above, how to prevent attacks from being bypassed, so as to improve the coverage rate of alarm research and judgment, is a problem that urgently needs to be solved.
Disclosure of Invention
Accordingly, the present invention is directed to a method, apparatus, device and storage medium for noise reduction of security alarm data, which can prevent attacks from being bypassed to improve coverage rate of judging alarms. The specific scheme is as follows:
In a first aspect, the present application provides a method for noise reduction of safety alarm data, including:
Judging whether a target table item matched with the currently acquired target alarm data exists in a local pre-established dynamic table or not;
If a target table item matched with the target alarm data exists in the dynamic table, carrying out engineering research and judgment on the target alarm data by utilizing the target table item so as to determine a current research and judgment result corresponding to the target alarm data based on a pre-recorded alarm data research and judgment result in the target table item;
if the dynamic table does not have the target table item matched with the target alarm data, analyzing and judging the target alarm data by using a preset large model to obtain a current judging result corresponding to the target alarm data, and generating a target table item corresponding to the target alarm data based on the current judging result corresponding to the target alarm data in the dynamic table;
And determining whether the target alarm data reach a preset security threat degree or not based on a current judging result corresponding to the target alarm data, and if not, eliminating the target alarm data.
Optionally, if the dynamic table does not have a target table item matched with the target alarm data, analyzing and judging the target alarm data by using a preset large model to obtain a current judging result corresponding to the target alarm data, including:
if the dynamic table does not have the target table item matched with the target alarm data, extracting the characteristics of the target alarm data meeting the first preset research and judgment condition to obtain first characteristic information;
Analyzing and judging whether the target alarm data is alarm information corresponding to active attack or not by using a first preset large model and the first characteristic information so as to obtain a current judging result corresponding to the target alarm data;
the first preset judging condition is that the alarm type corresponding to the target alarm data is one of network attack, vulnerability exploitation and scanning behavior, and the target alarm data accords with a preset application protocol condition.
Optionally, if the dynamic table does not have a target table item matched with the target alarm data, analyzing and judging the target alarm data by using a preset large model to obtain a current judging result corresponding to the target alarm data, including:
If the dynamic table does not have the target table item matched with the target alarm data, grouping the target alarm data meeting a second preset judging condition based on a first preset grouping condition, and aggregating a response code corresponding to the target alarm data in each group, an IP address returned by a domain name server and alarm occurrence time to obtain second characteristic information;
Analyzing and judging whether the target alarm data is the alarm information corresponding to threat information or not by utilizing a second preset large model and the second characteristic information so as to obtain a current judging result corresponding to the target alarm data;
The first preset grouping condition groups by the alarm type, application protocol, indicator of compromise (IoC), source IP address and destination IP address of the target alarm data; the second preset judging condition is that the alarm type of the target alarm data is one of malicious program and suspicious communication, and that the data flow direction of the target alarm data is either the direction of a node inside the device accessing another node inside the device, or the direction of a node inside the device accessing a node outside the device.
Optionally, if the dynamic table does not have a target table item matched with the target alarm data, analyzing and judging the target alarm data by using a preset large model to obtain a current judging result corresponding to the target alarm data, including:
If the dynamic table does not have the target table item matched with the target alarm data, grouping the target alarm data meeting a third preset judging condition based on a second preset grouping condition, and aggregating a response code corresponding to the target alarm data in each group, an IP address returned by a domain name server, a source IP address and alarm occurrence time to obtain third characteristic information;
Analyzing and judging the access flow type of the attacker corresponding to the target alarm data by utilizing a third preset large model and the third characteristic information to obtain a current judging result corresponding to the target alarm data, wherein the access flow type comprises real attack flow, harmless flow and unknown flow;
The third preset judging condition is that the data flow direction of the target alarm data is the corresponding data flow direction when any node in the device accesses other nodes in the device or the corresponding data flow direction when the node outside the device accesses the nodes in the device.
Optionally, after analyzing and judging the target alarm data by using the preset large model to obtain a current judging result corresponding to the target alarm data, the method further includes:
And if the current research and judgment result represents that the access flow type of the attacker corresponding to the target alarm data is unknown, the method jumps to the step of grouping the target alarm data meeting a third preset research and judgment condition based on a second preset grouping condition and aggregating the response code corresponding to the target alarm data in each group, the IP address returned by the domain name server, the source IP address and the alarm occurrence time.
Optionally, if the dynamic table does not have a target table item matched with the target alarm data, analyzing and judging the target alarm data by using a preset large model to obtain a current judging result corresponding to the target alarm data, and then further including:
And if the current research and judgment result represents that the access flow type corresponding to the target alarm data is real attack flow or harmless flow, acquiring the target alarm data corresponding to the current research and judgment result, and jumping to the step of carrying out engineering research and judgment on the target alarm data by utilizing the target table entry so as to determine the current research and judgment result corresponding to the target alarm data based on the alarm data research and judgment result recorded in the target table entry in advance.
Optionally, generating in the dynamic table a target table entry corresponding to the target alarm data, based on the current research and judgment result corresponding to the target alarm data, includes:
If the current research and judgment result represents that the access flow type corresponding to the target alarm data is real attack flow, extracting an attack source IP address, a data flow direction and the current research and judgment result of the target alarm data to generate a target table item corresponding to the target alarm data in the dynamic table;
and if the current research and judgment result represents that the access flow type corresponding to the target alarm data is harmless flow, extracting the alarm name, the alarm type, the application protocol, the compromise index, the source IP address and the current research and judgment result of the target alarm data to generate a target table item corresponding to the target alarm data in the dynamic table.
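The dynamic table described in the first aspect is a cache keyed on the two entry shapes above (attack entries by source IP and flow direction, harmless entries by alarm name, type, protocol, IoC and source IP) sitting in front of the large model, with the threat-level filter applied to whichever verdict comes back. The following is an added example of that flow, not the patent's or DBAPPSecurity's code. The alarm field names, the numeric threat levels, the bounded retry for "unknown" verdicts and `DemoModel` (a scripted stand-in for the preset large model) are all assumptions made for the example.

```python
"""Dynamic table in front of a model-based judge, then the threat-level filter.

Added example, not the patent's own code. The alarm field names, the numeric
threat levels, the bounded retry for "unknown" verdicts and DemoModel (a
scripted stand-in for the patent's preset large model) are all assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Alarm:
    name: str
    alarm_type: str   # e.g. "web_attack", "exploit", "scan", "malware", "suspicious_comm"
    protocol: str     # application protocol, e.g. "http"
    ioc: str          # indicator of compromise carried by the alarm
    src_ip: str
    dst_ip: str
    flow_dir: str     # "internal->internal", "internal->external" or "external->internal"


@dataclass(frozen=True)
class Verdict:
    traffic: str      # "real_attack", "harmless" or "unknown"
    source: str       # "table" (engineering judgment) or "model"


class DynamicTable:
    """Two entry shapes, as in the patent: a real-attack entry is keyed by attack
    source IP and data flow direction; a harmless entry by alarm name, alarm
    type, application protocol, IoC and source IP."""

    def __init__(self) -> None:
        self._attack: set[tuple[str, str]] = set()
        self._harmless: set[tuple[str, str, str, str, str]] = set()

    @staticmethod
    def _attack_key(a: Alarm) -> tuple[str, str]:
        return (a.src_ip, a.flow_dir)

    @staticmethod
    def _harmless_key(a: Alarm) -> tuple[str, str, str, str, str]:
        return (a.name, a.alarm_type, a.protocol, a.ioc, a.src_ip)

    def lookup(self, a: Alarm) -> Optional[str]:
        # Attack entries win: a source already judged to be attacking stays
        # flagged even if one of its alarms also matches a harmless entry.
        if self._attack_key(a) in self._attack:
            return "real_attack"
        if self._harmless_key(a) in self._harmless:
            return "harmless"
        return None

    def record(self, a: Alarm, traffic: str) -> None:
        if traffic == "real_attack":
            self._attack.add(self._attack_key(a))
        elif traffic == "harmless":
            self._harmless.add(self._harmless_key(a))
        # "unknown" is never written to the table; it goes back to the model.


def judge(a: Alarm, table: DynamicTable, model: Callable[[Alarm], str],
          max_rounds: int = 3) -> Verdict:
    """Table hit -> engineering judgment; miss -> model, re-judging "unknown"
    verdicts as the patent does, but bounded to max_rounds (an assumption)."""
    cached = table.lookup(a)
    if cached is not None:
        return Verdict(cached, "table")
    traffic = "unknown"
    for _ in range(max_rounds):
        traffic = model(a)
        if traffic != "unknown":
            break
    table.record(a, traffic)
    return Verdict(traffic, "model")


# Assumed preset threat levels. Keeping "unknown" above the cut-off is a
# fail-safe: an alarm the model could not classify is not discarded.
THREAT_LEVEL = {"real_attack": 2, "unknown": 1, "harmless": 0}


def denoise(alarms, table: DynamicTable, model, min_level: int = 1):
    """Keep only alarms whose verdict reaches the preset threat level."""
    kept = []
    for a in alarms:
        v = judge(a, table, model)
        if THREAT_LEVEL[v.traffic] >= min_level:
            kept.append((a, v))
    return kept


class DemoModel:
    """Constructed stand-in for the large model: answers are scripted per source
    IP (default "harmless") so the run is deterministic; counts its calls."""

    def __init__(self, script: dict[str, list[str]]) -> None:
        self._script = {ip: list(ans) for ip, ans in script.items()}
        self.calls = 0

    def __call__(self, a: Alarm) -> str:
        self.calls += 1
        ans = self._script.get(a.src_ip)
        return ans.pop(0) if ans else "harmless"


def run_demo():
    """Constructed alarms: two from one external source, two identical scanner hits."""
    ext, scanner = "203.0.113.5", "198.51.100.7"
    alarms = [
        Alarm("SQL injection attempt", "web_attack", "http", "sqli-sig-1", ext, "10.0.0.8", "external->internal"),
        Alarm("Path traversal attempt", "web_attack", "http", "trav-sig-1", ext, "10.0.0.9", "external->internal"),
        Alarm("Vulnerability scanner UA", "scan", "http", "scanner-ua", scanner, "10.0.0.8", "external->internal"),
        Alarm("Vulnerability scanner UA", "scan", "http", "scanner-ua", scanner, "10.0.0.8", "external->internal"),
    ]
    model = DemoModel({ext: ["unknown", "real_attack"], scanner: ["harmless"]})
    kept = denoise(alarms, DynamicTable(), model)
    return [(a.name, v.traffic, v.source) for a, v in kept], model.calls
```

In `run_demo()` the first alarm misses the table, is judged "unknown" once and then "real_attack", and writes an attack entry; the second alarm from the same source is then served from the table without a model call. The scanner's first alarm costs one model call and writes a harmless entry, its duplicate hits that entry, and both are dropped by the filter, so the model is called three times for four alarms. The one design point worth noting is that "unknown" is never cached: caching it would freeze an unresolved verdict, whereas the patent loops such alarms back to the model.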
In a second aspect, the present application provides a security alarm data noise reduction device, including:
the alarm data judging module is used for judging whether a target table item matched with the currently acquired target alarm data exists in a local pre-established dynamic table;
The alarm data research and judgment module is used for carrying out engineering research and judgment on the target alarm data by utilizing the target table item if a target table item matched with the target alarm data exists in the dynamic table so as to determine the current research and judgment result corresponding to the target alarm data based on the alarm data research and judgment result recorded in the target table item in advance;
The target table item generation module is used for analyzing and judging the target alarm data by utilizing a preset large model if the target table item matched with the target alarm data does not exist in the dynamic table, so as to obtain a current judging result corresponding to the target alarm data, and generating a target table item corresponding to the target alarm data based on the current judging result corresponding to the target alarm data in the dynamic table;
And the alarm data eliminating module is used for determining whether the target alarm data reach the preset security threat degree or not based on the current research judgment result corresponding to the target alarm data, and if not, eliminating the target alarm data.
In a third aspect, the present application provides an electronic device, comprising:
A memory for storing a computer program;
And the processor is used for executing the computer program to realize the safety alarm data noise reduction method.
In a fourth aspect, the present application provides a computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the aforementioned method of noise reduction of safety alarm data.
The method comprises: judging whether a target table entry matching the currently acquired target alarm data exists in a locally pre-created dynamic table; if such an entry exists, performing engineering research and judgment on the target alarm data using the entry, so that the current research and judgment result for the target alarm data is determined from the alarm data research and judgment result pre-recorded in the entry; if no such entry exists, analyzing and judging the target alarm data with a preset large model to obtain the current research and judgment result, and generating a target table entry for the target alarm data in the dynamic table based on that result; and determining, based on the current research and judgment result, whether the target alarm data reaches a preset security threat degree, and if not, rejecting the target alarm data.
From the above, the application performs engineering research and judgment on the target alarm data using the target table entry in the dynamic table that corresponds to it and, if no matching entry exists in the dynamic table, analyzes and judges the target alarm data with the preset large model. This addresses the problems of complex alarm information and low coverage of the large model, improves the accuracy and coverage of alarm research and judgment, and denoises the alarms so that important, real and effective alarms are identified, thereby reducing the workload of security operators.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for noise reduction of safety alarm data according to the present application;
FIG. 2 is a flowchart of a specific method for noise reduction of safety alarm data according to the present disclosure;
FIG. 3 is a schematic diagram of matching a dynamic table with target alarm data according to the present disclosure;
FIG. 4 is a schematic diagram of a large model analysis and judgment in accordance with the present application;
FIG. 5 is a schematic diagram of an engineering study;
FIG. 6 is a schematic diagram of a security alarm processing system according to the present disclosure;
FIG. 7 is a schematic diagram of a noise reduction device for safety alarm data according to the present application;
Fig. 8 is a block diagram of an electronic device according to the present disclosure.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
At present, existing judging schemes handle and denoise alarms automatically by rule matching, reducing the workload of security operators and generating noise reduction rules automatically. However, many attacks are easily bypassed and real attacks cannot be found flexibly and accurately, so the value of the alarms is not fully used; a single alarm matching mechanism therefore cannot accurately judge comprehensive security behavior and is one-sided. The application therefore provides a noise reduction method for security alarm data which judges alarms by combining the research and judgment results of a large model with engineering research and judgment. This addresses the problems of a large volume of alarm information and low coverage of the large model, improves the accuracy and coverage of alarm research and judgment, and denoises the alarms so that important, real and effective alarms are identified, thereby reducing the workload of security operators.
Referring to fig. 1, the embodiment of the invention discloses a method for noise reduction of safety alarm data, which comprises the following steps:
And S11, judging whether a target table item matched with the currently acquired target alarm data exists in the local pre-created dynamic table.
In this embodiment, target alarm data of a target device is collected by using a preset monitoring device, after the target alarm data is obtained, whether a target table item matched with the target alarm data exists in the dynamic table is determined by using a locally pre-created dynamic table, wherein the dynamic table is generated by using a current determination result obtained by analyzing and determining the target alarm data by using a preset large model, and the dynamic table comprises a plurality of target table items corresponding to the target alarm data.
And step S12, if a target table item matched with the target alarm data exists in the dynamic table, carrying out engineering research and judgment on the target alarm data by utilizing the target table item so as to determine a current research and judgment result corresponding to the target alarm data based on the alarm data research and judgment result recorded in the target table item in advance.
In this embodiment, if a target table entry matching with the target alarm data already exists in the dynamic table, then the target table entry matching with the target alarm data is queried from the dynamic table, and an alarm data research and judgment result corresponding to the preset target alarm data and recorded in advance in the target table entry is read, so as to perform engineering research and judgment on the target alarm data based on the alarm data research and judgment result, so as to obtain a current research and judgment result corresponding to the target alarm data.
And S13, if no target table item matched with the target alarm data exists in the dynamic table, analyzing and judging the target alarm data by using a preset large model to obtain a current judging result corresponding to the target alarm data, and generating a target table item corresponding to the target alarm data based on the current judging result corresponding to the target alarm data in the dynamic table.
In this embodiment, if there is no target table entry matching with the target alarm data in the dynamic table, analyzing and judging the target alarm data meeting the corresponding preset judging conditions by using different preset large models to obtain a current judging result corresponding to the target alarm data, and after obtaining the current judging result, generating a target table entry corresponding to the target alarm data in the dynamic table based on the current judging result.
In a first specific embodiment, if no target table entry matching the target alarm data exists in the dynamic table, feature extraction is performed on target alarm data whose alarm type is a Web (World Wide Web) attack, vulnerability exploitation, scanning behavior or the like, whose application protocol is HTTP (Hypertext Transfer Protocol), HTTPS (Hypertext Transfer Protocol Secure) or HTTP/2 (Hypertext Transfer Protocol version 2), and whose access traffic type, as represented by the current research and judgment result, is real attack traffic, so as to obtain first feature information. A first preset large model is then used together with the first feature information to analyze and judge whether the target alarm data is alarm information corresponding to an active attack, so as to obtain the current research and judgment result. Specifically, if no target table entry matching the target alarm data exists in the dynamic table, analyzing and judging the target alarm data with a preset large model to obtain the current research and judgment result includes: performing feature extraction on the target alarm data meeting a first preset judging condition to obtain first feature information, and analyzing and judging, using the first preset large model and the first feature information, whether the target alarm data is alarm information corresponding to an active attack, to obtain the current research and judgment result. The first preset judging condition is that the alarm type of the target alarm data is one of network attack, vulnerability exploitation and scanning behavior, and that the target alarm data meets a preset application protocol condition.
In a second specific embodiment, if no target table entry matching the target alarm data exists in the dynamic table, target alarm data whose alarm type is malicious program or suspicious communication, and whose data flow direction is that of a node inside the device accessing another node inside the device or a node inside the device accessing a node outside the device, is grouped based on the alarm type, application protocol, indicator of compromise, source IP address (Internet Protocol address) and destination IP address of the target alarm data. Within each group, and subject to a first preset periodic condition (a time window), the response codes, the IP addresses returned by the domain name server and the alarm occurrence times are aggregated to obtain second feature information. A second preset large model is then used together with the second feature information to analyze and judge whether the target alarm data is alarm information corresponding to threat information (threat intelligence), so as to obtain the current research and judgment result.
Specifically, if no target table entry matching the target alarm data exists in the dynamic table, analyzing and judging the target alarm data with a preset large model to obtain the current research and judgment result includes: grouping the target alarm data meeting the second preset judging condition based on the first preset grouping condition, and aggregating the response code, the IP address returned by the domain name server and the alarm occurrence time of the target alarm data in each group to obtain second feature information; and analyzing and judging, using the second preset large model and the second feature information, whether the target alarm data is alarm information corresponding to threat information, to obtain the current research and judgment result. The first preset grouping condition groups by the alarm type, application protocol, indicator of compromise, source IP address and destination IP address of the target alarm data; the second preset judging condition is that the alarm type of the target alarm data is one of malicious program and suspicious communication, and that its data flow direction is that of a node inside the device accessing another node inside the device, or a node inside the device accessing a node outside the device.
In a third specific embodiment, if no target table entry matching the target alarm data exists in the dynamic table, target alarm data whose data flow direction is that of a node inside the device accessing another node inside the device, or a node outside the device accessing a node inside the device, is grouped based on the source IP address and data flow direction of the target alarm data. Within each group, and subject to a second preset periodic condition, the response codes, the response IPs returned by the DNS (Domain Name Server), the source IP addresses and the alarm occurrence times are aggregated to obtain third feature information. A third preset large model is then used together with the third feature information to analyze and judge the access traffic type of the attacker corresponding to the target alarm data, so as to obtain the current research and judgment result. It should be noted that the first preset periodic condition and the second preset periodic condition may be configured as 30 minutes, or adjusted according to the actual situation, which is not limited here.
Specifically, if no target table entry matching the target alarm data exists in the dynamic table, analyzing and judging the target alarm data with a preset large model to obtain the current research and judgment result includes: grouping the target alarm data meeting the third preset judging condition based on the second preset grouping condition, and aggregating the response code, the IP address returned by the domain name server, the source IP address and the alarm occurrence time of the target alarm data in each group to obtain third feature information; and analyzing and judging, using the third preset large model and the third feature information, the access traffic type of the attacker corresponding to the target alarm data, to obtain the current research and judgment result, where the access traffic type includes real attack traffic, harmless traffic and unknown traffic. The second preset grouping condition groups by the source IP address and data flow direction of the target alarm data; the third preset judging condition is that the data flow direction of the target alarm data is that of a node inside the device accessing another node inside the device, or a node outside the device accessing a node inside the device.
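The second and third embodiments both reduce to the same mechanism: select alarms by a judging condition, group them by a key, bucket each group into a fixed time window (30 minutes in the description), and aggregate response codes, DNS-returned IPs, source IPs and occurrence times into one feature record per group. The following is an added example of that mechanism covering the first, second and third preset conditions, written for this page and not taken from the patent or from DBAPPSecurity. The selection conditions, grouping keys and 30-minute window follow the description; the alarm field names, the epoch-based bucket arithmetic and the sample alarms are assumptions.

```python
"""Grouping and windowed aggregation of alarms into the model's feature information.

Added example, not the patent's own code. The selection conditions, grouping
keys and 30-minute window follow the description; the alarm field names, the
bucket arithmetic and the sample alarms are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Hashable, Iterable, Optional

WINDOW = timedelta(minutes=30)   # the "preset periodic condition"
_EPOCH = datetime(1970, 1, 1)    # fixed origin so buckets do not depend on the local time zone


@dataclass(frozen=True)
class Alarm:
    alarm_type: str                    # "web_attack", "exploit", "scan", "malware", "suspicious_comm"
    protocol: str
    ioc: str                           # indicator of compromise
    src_ip: str
    dst_ip: str
    flow_dir: str                      # "internal->internal", "internal->external", "external->internal"
    occurred_at: datetime
    response_code: Optional[int] = None
    dns_answer: Optional[str] = None   # IP address returned by the domain name server


@dataclass
class Features:
    """Aggregate for one (grouping key, time window) pair."""
    count: int = 0
    response_codes: set = field(default_factory=set)
    dns_answers: set = field(default_factory=set)
    src_ips: set = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None

    def add(self, a: Alarm) -> None:
        self.count += 1
        if a.response_code is not None:
            self.response_codes.add(a.response_code)
        if a.dns_answer is not None:
            self.dns_answers.add(a.dns_answer)
        self.src_ips.add(a.src_ip)
        self.first_seen = a.occurred_at if self.first_seen is None else min(self.first_seen, a.occurred_at)
        self.last_seen = a.occurred_at if self.last_seen is None else max(self.last_seen, a.occurred_at)


def window_bucket(ts: datetime) -> int:
    """Index of the 30-minute window containing ts (timedelta // timedelta is an int)."""
    return (ts - _EPOCH) // WINDOW


# Selection conditions: the first, second and third preset judging conditions.
def wants_active_attack_check(a: Alarm) -> bool:
    return a.alarm_type in {"web_attack", "exploit", "scan"} and a.protocol in {"http", "https", "http2"}

def wants_intel_check(a: Alarm) -> bool:
    return a.alarm_type in {"malware", "suspicious_comm"} and a.flow_dir in {"internal->internal", "internal->external"}

def wants_traffic_type_check(a: Alarm) -> bool:
    return a.flow_dir in {"internal->internal", "external->internal"}


# Grouping keys: the first and second preset grouping conditions.
def intel_key(a: Alarm) -> tuple:
    return (a.alarm_type, a.protocol, a.ioc, a.src_ip, a.dst_ip)

def traffic_key(a: Alarm) -> tuple:
    return (a.src_ip, a.flow_dir)


def build_features(alarms: Iterable[Alarm], select: Callable[[Alarm], bool],
                   key: Callable[[Alarm], Hashable]) -> dict:
    """One Features record per (key, window) over the alarms that pass `select`."""
    groups: dict = defaultdict(Features)
    for a in alarms:
        if select(a):
            groups[(key(a), window_bucket(a.occurred_at))].add(a)
    return dict(groups)


# Constructed sample: a host resolving a flagged domain three times (the third
# outside the first window), one outbound HTTP contact, and two inbound web attacks.
_T0 = datetime(2025, 1, 15, 9, 0)
SAMPLE_ALARMS = [
    Alarm("malware", "dns", "bad.example", "10.0.0.5", "10.0.0.53", "internal->internal", _T0 + timedelta(minutes=1), dns_answer="203.0.113.9"),
    Alarm("malware", "dns", "bad.example", "10.0.0.5", "10.0.0.53", "internal->internal", _T0 + timedelta(minutes=10), dns_answer="203.0.113.9"),
    Alarm("malware", "dns", "bad.example", "10.0.0.5", "10.0.0.53", "internal->internal", _T0 + timedelta(minutes=45), dns_answer="203.0.113.10"),
    Alarm("suspicious_comm", "http", "c2.example", "10.0.0.5", "198.51.100.4", "internal->external", _T0 + timedelta(minutes=2), response_code=200),
    Alarm("web_attack", "http", "sqli-sig-1", "203.0.113.5", "10.0.0.8", "external->internal", _T0 + timedelta(minutes=3), response_code=404),
    Alarm("web_attack", "http", "trav-sig-1", "203.0.113.5", "10.0.0.9", "external->internal", _T0 + timedelta(minutes=5), response_code=403),
]
```

Running `build_features(SAMPLE_ALARMS, wants_intel_check, intel_key)` yields three feature records: the two DNS alarms at 09:01 and 09:10 fold into one group, the 09:45 alarm lands in the next window and stays separate, and the outbound HTTP alarm forms its own group, while the two web attacks are excluded by the second judging condition. Under the third condition and the (source IP, flow direction) key the two web attacks instead fold into one group with response codes {403, 404} and the outbound alarm is excluded. The per-window bucketing matters for the model's input: a source whose alarms keep recurring window after window looks different from one that fired once, and the aggregate carries that history without sending every raw alarm to the model.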
In this embodiment, when analyzing and judging the access traffic type of the attacker corresponding to the target alarm data by using the third preset large model and the third feature information, if the obtained current judging result corresponding to the target alarm data represents that the access traffic type of the attacker corresponding to the target alarm data is unknown traffic, performing cyclic analysis and judging on the target alarm data corresponding to the unknown traffic again until the current judging result represents that the access traffic type corresponding to the target alarm data is real attack traffic or harmless traffic. Specifically, after analyzing and judging the target alarm data by using a preset large model to obtain a current judging result corresponding to the target alarm data, the method further comprises the steps of jumping to the step of grouping the target alarm data meeting a third preset judging condition based on a second preset grouping condition if the current judging result represents that the access flow type of an attacker corresponding to the target alarm data is unknown flow, and aggregating the response code corresponding to the target alarm data in each group, the IP address returned by the domain name server, the source IP address and the alarm occurrence time.
It can be understood that when the third preset large model and the third characteristic information are utilized to analyze and judge the access traffic type of the attacker corresponding to the target alarm data, if the obtained current research and judgment result represents that the access traffic type of the attacker corresponding to the target alarm data is real attack traffic or harmless traffic, the corresponding target alarm data is obtained and passed on to engineering research and judgment. Specifically, if the dynamic table does not have a target table entry matched with the target alarm data, analyzing and judging the target alarm data by using a preset large model to obtain a current research and judgment result corresponding to the target alarm data further includes: if the current research and judgment result represents that the access traffic type corresponding to the target alarm data is real attack traffic or harmless traffic, acquiring the target alarm data corresponding to the current research and judgment result, and jumping to the step of performing engineering research and judgment on the target alarm data by using the target table entry so as to determine the current research and judgment result corresponding to the target alarm data based on the alarm data research and judgment result recorded in advance in the target table entry.
Further, if the current research and judgment result represents that the access traffic type corresponding to the target alarm data is real attack traffic, an attack source IP address, a data flow direction and the current research and judgment result of the target alarm data are extracted to form a target table entry corresponding to the target alarm data in the dynamic table; and if the current research and judgment result represents that the access traffic type corresponding to the target alarm data is harmless traffic, an alarm name, an alarm type, an application protocol, a compromise index, the source IP address and the current research and judgment result of the target alarm data are extracted to form a target table entry corresponding to the target alarm data in the dynamic table. That is, the method comprises the steps of extracting the attack source IP address, the data flow direction and the current research and judgment result of the target alarm data to generate a target table entry corresponding to the target alarm data in the dynamic table if the current research and judgment result represents that the access traffic type corresponding to the target alarm data is real attack traffic, and extracting the alarm name, the alarm type, the application protocol, the compromise index, the source IP address and the current research and judgment result of the target alarm data to generate the target table entry corresponding to the target alarm data in the dynamic table if the current research and judgment result represents that the access traffic type corresponding to the target alarm data is harmless traffic.
And step S14, determining whether the target alarm data reach a preset security threat degree or not based on the current research judgment result corresponding to the target alarm data, and if not, eliminating the target alarm data.
In this embodiment, whether the target alarm data reaches the preset security threat level is determined from the current research and judgment result corresponding to the target alarm data. If it does, a third-party device or a SOAR (Security Orchestration, Automation and Response) platform is used to process the target alarm data automatically: the traffic information of the real attack traffic corresponding to the target alarm data can be logged, or a blocking policy can be formulated according to the attack nature and severity of the target alarm data, for example, for an IP address that frequently initiates attacks, permanent blocking or periodic re-evaluation of the blocking status can be applied. If the target alarm data does not reach the preset security threat level, a preset whitelist database can be created to store the target alarm data that does not reach the preset security threat level, and this whitelist database can be updated periodically according to actual service requirements.
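The dynamic-table flow of the third embodiment and step S14 above, as an added Python example that is not the patent's own code: the table stores verdicts under the two key shapes the text names, unmatched alarms are grouped under the second preset grouping condition and aggregated into third feature information over the 30-minute period, judged, re-judged while the verdict is unknown, written back into the table, and finally kept or eliminated against a threat threshold. The class and function names, the direction labels, the threat scale, the bounded number of re-judgment rounds, the sample alarms and the deterministic rule standing in for the third preset large model are all constructed assumptions, not anything the patent specifies.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Verdict labels from the text: real attack traffic, harmless traffic, unknown traffic.
REAL, HARMLESS, UNKNOWN = "real_attack", "harmless", "unknown"
# The two data flow directions selected by the third preset judging condition (labels assumed).
INTERNAL, INBOUND = "internal_to_internal", "external_to_internal"
# Constructed threat scale for step S14: a verdict below THRESHOLD is eliminated; UNKNOWN (never
# cleared by the model) is deliberately kept for an analyst instead of being dropped.
THREAT_LEVEL, THRESHOLD = {REAL: 2, UNKNOWN: 1, HARMLESS: 0}, 1

@dataclass(frozen=True)
class Alarm:
    name: str
    alarm_type: str
    protocol: str
    ioc: str           # "compromise index" (indicator of compromise) in the text
    src_ip: str
    direction: str
    response_code: int
    dns_answer: str    # IP address returned by the domain name server
    time: datetime

@dataclass
class DynamicTable:
    """Real-attack entries keyed by (attack source IP, data flow direction); harmless entries
    keyed by (alarm name, alarm type, application protocol, IoC, source IP), as in the text."""
    attack: dict[tuple, str] = field(default_factory=dict)
    harmless: dict[tuple, str] = field(default_factory=dict)

    def lookup(self, a: Alarm) -> str | None:
        """Engineering research and judgment: reuse a recorded verdict when an entry matches."""
        hit = self.attack.get((a.src_ip, a.direction))
        return hit or self.harmless.get((a.name, a.alarm_type, a.protocol, a.ioc, a.src_ip))

    def record(self, a: Alarm, verdict: str) -> None:
        if verdict == REAL:
            self.attack[(a.src_ip, a.direction)] = verdict
        elif verdict == HARMLESS:
            self.harmless[(a.name, a.alarm_type, a.protocol, a.ioc, a.src_ip)] = verdict

def third_feature_info(alarms: list[Alarm], window: timedelta = timedelta(minutes=30)) -> dict:
    """Second preset grouping condition: group by (source IP, flow direction) and aggregate the
    response codes, DNS-returned IPs, source IPs and alarm times inside the 30-minute period."""
    groups: dict[tuple, list[Alarm]] = defaultdict(list)
    for a in alarms:
        if a.direction in (INTERNAL, INBOUND):  # third preset judging condition
            groups[(a.src_ip, a.direction)].append(a)
    features = {}
    for key, items in groups.items():
        items.sort(key=lambda x: x.time)
        kept = [x for x in items if x.time - items[0].time <= window]
        features[key] = {"response_codes": sorted({x.response_code for x in kept}),
                         "dns_answers": sorted({x.dns_answer for x in kept}),
                         "src_ips": sorted({x.src_ip for x in kept}),
                         "times": [x.time.isoformat() for x in kept]}
    return features

def stand_in_model(feat: dict, round_no: int) -> str:
    """Constructed stand-in for the third preset large model (not a real model): UNKNOWN on the
    first round, to exercise the re-judgment loop; then REAL when one source drew several distinct
    response codes inside the window (probing behaviour), otherwise HARMLESS."""
    if round_no == 0:
        return UNKNOWN
    return REAL if len(feat["response_codes"]) >= 3 else HARMLESS

def triage(alarms: list[Alarm], table: DynamicTable, model, max_rounds: int = 3):
    """Returns (kept, eliminated) as (alarm, verdict) pairs. Table hits never reach the model; the
    rest are judged per group, re-judged while UNKNOWN (max_rounds bounds the loop the text leaves
    open-ended; an assumption), and each verdict is written back into the dynamic table."""
    hits = {i: table.lookup(a) for i, a in enumerate(alarms)}
    verdicts = {i: v for i, v in hits.items() if v is not None}
    pending = [(i, alarms[i]) for i, v in hits.items() if v is None]
    for key, feat in third_feature_info([a for _, a in pending]).items():
        verdict = UNKNOWN
        for round_no in range(max_rounds):
            verdict = model(feat, round_no)
            if verdict != UNKNOWN:
                break
        for i, a in pending:
            if (a.src_ip, a.direction) == key:
                verdicts[i] = verdict
                table.record(a, verdict)
    kept, eliminated = [], []
    for i, a in enumerate(alarms):
        v = verdicts.get(i, UNKNOWN)  # alarms outside the judging condition stay UNKNOWN
        (kept if THREAT_LEVEL[v] >= THRESHOLD else eliminated).append((a, v))
    return kept, eliminated

# Constructed sample alarms (not from the patent); the third DNS alarm falls outside the 30-minute window.
T0 = datetime(2025, 2, 12, 9, 0)
SAMPLE = [Alarm("web-scan", "suspicious_communication", "http", "ioc-1", "10.0.0.5", INTERNAL,
                code, "10.0.0.9", T0 + timedelta(minutes=m)) for code, m in ((404, 0), (403, 5), (500, 9))]
SAMPLE += [Alarm("dns-beacon", "malicious_program", "dns", "ioc-2", "198.51.100.7", INBOUND,
                 200, "203.0.113.4", T0 + timedelta(minutes=m)) for m in (0, 20, 40)]
```

Running `triage(SAMPLE, DynamicTable(), stand_in_model)` twice with the same table shows the point of the table: the first pass calls the stand-in model for both groups, the second pass resolves every alarm from the table without calling it at all.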
From the above, the application carries out engineering research and judgment on the target alarm data by the target table item corresponding to the target alarm data in the dynamic table, if the target table item matched with the target alarm data does not exist in the dynamic table, the target alarm data is analyzed and judged by utilizing the preset large model, so that the problem of complex alarm information and low coverage of the large model is solved, the accuracy and coverage of the alarm research and judgment are improved, and noise reduction is carried out on the alarm to identify important, real and effective alarms, thereby reducing the workload of safety operators.
As can be seen from the above embodiments, the present application performs alarm research and judgment by combining the large-model research and judgment results with engineering research and judgment in order to improve the accuracy and coverage of alarm research and judgment; the process of doing so is therefore described below.
Referring to fig. 2, the embodiment of the invention discloses a specific method for noise reduction of safety alarm data, which comprises the following steps:
In this embodiment, the target alarm data is first obtained, and whether there is a target table item matched with the target alarm data in the locally pre-created dynamic table is determined, and fig. 3 is a schematic diagram of matching the dynamic table with the target alarm data provided in this embodiment. If a target table item matched with the target alarm data exists in the dynamic table, carrying out engineering research and judgment on the target alarm data by utilizing the target table item so as to determine a current research and judgment result corresponding to the target alarm data based on an alarm data research and judgment result corresponding to the target table item; and if the target table item matched with the target alarm data does not exist in the dynamic table, analyzing and judging the target alarm data by using a preset large model.
Fig. 4 is a schematic diagram of the large-model analysis and judgment provided in this embodiment. Analyzing and judging the target alarm data by using a preset large model includes analyzing and judging whether the target alarm data is alarm information corresponding to an active attack, analyzing and judging whether the target alarm data is alarm information corresponding to threat information, and analyzing and judging the access traffic type of the attacker corresponding to the target alarm data, so as to obtain a current research and judgment result corresponding to the target alarm data.
Fig. 5 is a schematic diagram of the engineering research and judgment provided in this embodiment. If the current research and judgment result represents that the access traffic type corresponding to the target alarm data is real attack traffic or harmless traffic, the target alarm data corresponding to the current research and judgment result is passed to engineering research and judgment, so that, when the current research and judgment result represents that the access traffic type corresponding to the target alarm data is real attack traffic, the attack source IP address, the data flow direction and the current research and judgment result of the target alarm data are extracted to generate a target table entry corresponding to the target alarm data in the dynamic table, or, when the current research and judgment result represents that the access traffic type is harmless traffic, the alarm name, the alarm type, the application protocol, the compromise index, the source IP address and the current research and judgment result of the target alarm data are extracted to generate a target table entry corresponding to the target alarm data in the dynamic table. Fig. 6 is a schematic diagram of the security alarm processing provided in this embodiment, in which the target alarm data is extracted based on the current research and judgment result to form a pending alarm, and the alarm is automatically handled by using a third-party device or a SOAR.
As can be seen from the above, in this embodiment, the target alarm data is analyzed and judged by using the preset large model, and the engineering judging capability is formed by combining the judging results of the large model, so that the performance load of the large model is reduced, and the large model is used for judging more data, so as to identify important and real and effective alarms, reduce the workload of safety operators, and improve the accuracy and coverage of alarm judging.
Correspondingly, referring to fig. 7, the application also provides a device for reducing noise of safety alarm data, which comprises:
the alarm data judging module 11 is used for judging whether a target table item matched with the currently acquired target alarm data exists in a local pre-established dynamic table;
the alarm data research and judgment module 12 is configured to, if a target table entry matching the target alarm data already exists in the dynamic table, perform engineering research and judgment on the target alarm data by using the target table entry, so as to determine a current research and judgment result corresponding to the target alarm data based on a pre-recorded alarm data research and judgment result in the target table entry;
the target table item generating module 13 is configured to analyze and judge the target alarm data by using a preset large model if there is no target table item matched with the target alarm data in the dynamic table, so as to obtain a current judging result corresponding to the target alarm data, and generate a target table item corresponding to the target alarm data in the dynamic table based on the current judging result corresponding to the target alarm data;
And the alarm data eliminating module 14 is configured to determine whether the target alarm data reaches a preset security threat level based on a current judging result corresponding to the target alarm data, and if not, execute eliminating processing on the target alarm data.
From the above, the application carries out engineering research and judgment on the target alarm data by the target table item corresponding to the target alarm data in the dynamic table, if the target table item matched with the target alarm data does not exist in the dynamic table, the target alarm data is analyzed and judged by utilizing the preset large model, so that the problem of complex alarm information and low coverage of the large model is solved, the accuracy and coverage of the alarm research and judgment are improved, and noise reduction is carried out on the alarm to identify important, real and effective alarms, thereby reducing the workload of safety operators.
In some embodiments, the target table entry generating module 13 may specifically include:
The first characteristic information acquisition unit is used for extracting the characteristics of the target alarm data meeting the first preset research judgment condition if no target table item matched with the target alarm data exists in the dynamic table, so as to obtain first characteristic information;
And the first analysis and judgment unit is used for analyzing and judging whether the target alarm data is the alarm information corresponding to the active attack by utilizing a first preset large model and the first characteristic information so as to obtain the current judgment result corresponding to the target alarm data.
In some embodiments, the target table entry generating module 13 may specifically include:
The second feature information obtaining unit is used for grouping the target alarm data meeting a second preset judging condition based on a first preset grouping condition if a target table item matched with the target alarm data does not exist in the dynamic table, and obtaining second feature information by aggregating a response code corresponding to the target alarm data in each group, an IP address returned by a domain name server and alarm occurrence time;
and the second analysis and judgment unit is used for analyzing and judging whether the target alarm data is the alarm information corresponding to the threat information by utilizing a second preset large model and the second characteristic information so as to obtain the current judgment result corresponding to the target alarm data.
In some embodiments, the target table entry generating module 13 may specifically include:
A third feature information obtaining unit, configured to, if there is no target entry matching the target alarm data in the dynamic table, group the target alarm data that meets a third preset judging condition based on a second preset grouping condition, and aggregate a response code corresponding to the target alarm data in each group, an IP address returned by a domain name server, a source IP address, and an alarm occurrence time, so as to obtain third feature information;
And the third analysis and judgment unit is used for analyzing and judging the access flow type of the attacker corresponding to the target alarm data by utilizing a third preset large model and the third characteristic information so as to obtain the current judgment result corresponding to the target alarm data, wherein the access flow type comprises real attack flow, harmless flow and unknown flow.
In some embodiments, the security alarm data noise reduction device may specifically further include:
And the first flow type determining unit is used for jumping to the step of grouping the target alarm data meeting the third preset judging condition based on the second preset grouping condition if the current judging result represents that the access flow type of the attacker corresponding to the target alarm data is unknown flow, and aggregating the response code corresponding to the target alarm data in each group, the IP address returned by the domain name server, the source IP address and the alarm occurrence time.
In some embodiments, the security alarm data noise reduction device may specifically further include:
And the second flow type determining unit is used for acquiring the target alarm data corresponding to the current judging result if the current judging result represents that the access flow type corresponding to the target alarm data is real attack flow or harmless flow, and jumping to the step of carrying out engineering judging on the target alarm data by utilizing the target table item so as to determine the current judging result corresponding to the target alarm data based on the alarm data judging result recorded in the target table item in advance.
In some embodiments, the target table entry generating module 13 may specifically include:
The first data extraction unit is used for extracting an attack source IP address, a data flow direction and the current research and judgment result of the target alarm data if the current research and judgment result represents that the access flow type corresponding to the target alarm data is real attack flow, so as to generate a target table item corresponding to the target alarm data in the dynamic table;
And the second data extraction unit is used for extracting the alarm name, the alarm type, the application protocol, the compromise index, the source IP address and the current research and judgment result of the target alarm data if the current research and judgment result represents that the access flow type corresponding to the target alarm data is harmless flow, so as to generate a target table item corresponding to the target alarm data in the dynamic table.
Further, the embodiment of the present application further discloses an electronic device, and fig. 8 is a block diagram of an electronic device 20 according to an exemplary embodiment, where the content of the diagram is not to be considered as any limitation on the scope of use of the present application. The electronic device 20 may include, in particular, at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input-output interface 25, and a communication bus 26. The memory 22 is used for storing a computer program, and the computer program is loaded and executed by the processor 21 to implement relevant steps in the security alarm data denoising method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 23 is configured to provide working voltages for each hardware device on the electronic device 20, the communication interface 24 is capable of creating a data transmission channel with an external device for the electronic device 20, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein, and the input/output interface 25 is configured to obtain external input data or output data to the external device, and the specific interface type of the input/output interface may be selected according to the specific application needs and is not specifically limited herein.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon may include an operating system 221, a computer program 222, and the like, and the storage may be temporary storage or permanent storage.
The operating system 221 is used for managing and controlling various hardware devices on the electronic device 20 and the computer program 222, which may be Windows Server, netware, unix, linux, etc. The computer program 222 may further comprise a computer program capable of performing other specific tasks in addition to the computer program capable of performing the security alert data denoising method performed by the electronic device 20 as disclosed in any of the foregoing embodiments.
Furthermore, the application also discloses a computer readable storage medium for storing a computer program, wherein the computer program realizes the method for reducing the noise of the safety alarm data when being executed by a processor. For specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
While the foregoing has been provided to illustrate the principles and embodiments of the present application, specific examples have been provided herein to assist in understanding the principles and embodiments of the present application, and are intended to be in no way limiting, for those of ordinary skill in the art will, in light of the above teachings, appreciate that the principles and embodiments of the present application may be varied in any way.

Claims (7)

1. A method for noise reduction of security alert data, comprising:
Judging whether a target table item matched with the currently acquired target alarm data exists in a local pre-established dynamic table or not;
If a target table item matched with the target alarm data exists in the dynamic table, carrying out engineering research and judgment on the target alarm data by utilizing the target table item so as to determine a current research and judgment result corresponding to the target alarm data based on a pre-recorded alarm data research and judgment result in the target table item;
if the dynamic table does not have the target table item matched with the target alarm data, analyzing and judging the target alarm data by using a preset large model to obtain a current judging result corresponding to the target alarm data, and generating a target table item corresponding to the target alarm data based on the current judging result corresponding to the target alarm data in the dynamic table;
Determining whether the target alarm data reach a preset security threat degree or not based on a current judging result corresponding to the target alarm data, and if not, eliminating the target alarm data;
Analyzing and judging the target alarm data by using a preset large model to obtain a current judging result corresponding to the target alarm data if no target item matched with the target alarm data exists in the dynamic table, wherein the method comprises the steps of grouping the target alarm data meeting a second preset judging condition based on a first preset grouping condition, and aggregating a response code corresponding to the target alarm data in each group, an IP address returned by a domain name server and an alarm occurrence time to obtain second characteristic information, analyzing and judging whether the target alarm data is alarm information corresponding to threat information by using a second preset large model and the second characteristic information to obtain the current judging result corresponding to the target alarm data, wherein the first preset grouping condition is a condition of grouping the target alarm data based on the alarm type, the application protocol, the compromise index, the source IP address and the destination IP address of the target alarm data, and the second preset judging condition is that the alarm type corresponding to the target alarm data is one of a malicious program and suspicious communication, and the data flow direction of the target alarm data is the data flow direction corresponding to any node inside the device accessing other nodes inside the device or the data flow direction corresponding to a node inside the device accessing an external node;
Or if the target table item matched with the target alarm data does not exist in the dynamic table, grouping the target alarm data meeting a third preset judging condition based on a second preset grouping condition, and aggregating a response code corresponding to the target alarm data in each group, an IP address returned by a domain name server, a source IP address and alarm occurrence time to obtain third characteristic information, analyzing and judging an access flow type of an attacker corresponding to the target alarm data by using a third preset large model and the third characteristic information to obtain a current judging result corresponding to the target alarm data, wherein the access flow type comprises real attack flow, harmless flow and unknown flow, the second preset grouping condition is a condition of grouping based on a source IP address and a data flow direction of the target alarm data, and the third preset judging condition is that the data flow direction of the target alarm data is the data flow direction corresponding to any node inside the device accessing other nodes inside the device or the data flow direction corresponding to an external node accessing nodes inside the device.
2. The method for noise reduction of safety alarm data according to claim 1, wherein after analyzing and judging the target alarm data by using a preset large model to obtain a current judging result corresponding to the target alarm data, further comprising:
And if the current research and judgment result represents that the access flow type of the attacker corresponding to the target alarm data is unknown, the method jumps to the step of grouping the target alarm data meeting a third preset research and judgment condition based on a second preset grouping condition and aggregating the response code corresponding to the target alarm data in each group, the IP address returned by the domain name server, the source IP address and the alarm occurrence time.
3. The method for noise reduction of safety alarm data according to claim 1, wherein if there is no target table item matching with the target alarm data in the dynamic table, analyzing and judging the target alarm data by using a preset large model to obtain a current judging result corresponding to the target alarm data, further comprising:
And if the current research and judgment result represents that the access flow type corresponding to the target alarm data is real attack flow or harmless flow, acquiring the target alarm data corresponding to the current research and judgment result, and jumping to the step of carrying out engineering research and judgment on the target alarm data by utilizing the target table entry so as to determine the current research and judgment result corresponding to the target alarm data based on the alarm data research and judgment result recorded in the target table entry in advance.
4. A method of noise reduction of safety alarm data according to any one of claims 1 to 3, wherein the generating, in the dynamic table, a target entry corresponding to the target alarm data based on a current determination result corresponding to the target alarm data, comprises:
If the current research and judgment result represents that the access flow type corresponding to the target alarm data is real attack flow, extracting an attack source IP address, a data flow direction and the current research and judgment result of the target alarm data to generate a target table item corresponding to the target alarm data in the dynamic table;
and if the current research and judgment result represents that the access flow type corresponding to the target alarm data is harmless flow, extracting the alarm name, the alarm type, the application protocol, the compromise index, the source IP address and the current research and judgment result of the target alarm data to generate a target table item corresponding to the target alarm data in the dynamic table.
5. A security alert data noise reduction apparatus, comprising:
the alarm data judging module is used for judging whether a target table item matched with the currently acquired target alarm data exists in a local pre-established dynamic table;
The alarm data research and judgment module is used for carrying out engineering research and judgment on the target alarm data by utilizing the target table item if a target table item matched with the target alarm data exists in the dynamic table so as to determine the current research and judgment result corresponding to the target alarm data based on the alarm data research and judgment result recorded in the target table item in advance;
The target table item generation module is used for analyzing and judging the target alarm data by utilizing a preset large model if the target table item matched with the target alarm data does not exist in the dynamic table, so as to obtain a current judging result corresponding to the target alarm data, and generating a target table item corresponding to the target alarm data based on the current judging result corresponding to the target alarm data in the dynamic table;
the alarm data eliminating module is used for determining, based on the current research judgment result corresponding to the target alarm data, whether the target alarm data reaches a preset security threat degree, and if not, eliminating the target alarm data;
The target table entry generation module is specifically configured to: if no target table entry matched with the target alarm data exists in the dynamic table, group the target alarm data meeting a second preset research judgment condition based on a first preset grouping condition, and aggregate, for each group, the response code, the IP address returned by the domain name server and the alarm occurrence time corresponding to the target alarm data to obtain second characteristic information; and analyze and judge, using a second preset large model and the second characteristic information, whether the target alarm data is alarm information corresponding to threat intelligence, so as to obtain the current research judgment result corresponding to the target alarm data; wherein the first preset grouping condition is a condition for grouping the target alarm data based on the alarm type, the application protocol, the indicator of compromise, the source IP address and the destination IP address of the target alarm data, and the second preset research judgment condition is that the alarm type corresponding to the target alarm data is one of malicious program and suspicious communication, and the data flow direction of the target alarm data is the data flow direction corresponding to any node in the device accessing other nodes in the device, or the data flow direction corresponding to a node in the device accessing a node outside the device; or, if no target table entry matched with the target alarm data exists in the dynamic table, group the target alarm data meeting a third preset research judgment condition based on a second preset grouping condition, and aggregate, for each group, the response code, the IP address returned by the domain name server, the source IP address and the alarm occurrence time corresponding to the target alarm data to obtain third characteristic information; and analyze and judge, using a third preset large model and the third characteristic information, the access traffic type of the attacker corresponding to the target alarm data, so as to obtain the current research judgment result corresponding to the target alarm data; wherein the access traffic type comprises real attack traffic, harmless traffic and unknown traffic, the second preset grouping condition is a condition for grouping the target alarm data based on the source IP address and the data flow direction of the target alarm data, and the third preset research judgment condition is that the data flow direction of the target alarm data is the data flow direction corresponding to any node in the device accessing other nodes in the device, or the data flow direction corresponding to a node outside the device accessing a node in the device.
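The two grouping-and-aggregation paths of the target table entry generation module and the final elimination step, written out in Python as an added example (this is not the patent's or the assignee's code). The `Alarm` field names, the internal address ranges used to derive the data flow direction, the constructed sample alarms and the injected `judge` callable that stands in for the preset large model are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: a "node in the device" is an address inside these configured internal ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Alarm:                # field names are assumptions, not the patent's schema
    alarm_type: str         # e.g. "malicious_program", "suspicious_communication"
    protocol: str           # application protocol
    ioc: str                # indicator of compromise that matched
    src_ip: str
    dst_ip: str
    response_code: str      # response code carried by the alarm (DNS RCODE, HTTP status, ...)
    dns_answer_ip: str      # IP address returned by the domain name server, "" if none
    time: int               # alarm occurrence time, epoch seconds

def flow_direction(a: Alarm) -> str:  # 'in->out' etc., from whether src/dst fall in INTERNAL_NETS
    side = lambda ip: "in" if any(ip_address(ip) in n for n in INTERNAL_NETS) else "out"
    return f"{side(a.src_ip)}->{side(a.dst_ip)}"
def meets_second_condition(a: Alarm) -> bool:  # malware/suspicious comm, internal->internal|external
    return a.alarm_type in {"malicious_program", "suspicious_communication"} \
        and flow_direction(a) in {"in->in", "in->out"}
def meets_third_condition(a: Alarm) -> bool:   # internal->internal or external->internal
    return flow_direction(a) in {"in->in", "out->in"}

def aggregate(alarms, key_fn):
    """Group by key_fn; per group, aggregate response codes, DNS answers and the time window."""
    groups = defaultdict(list)
    for a in alarms:
        groups[key_fn(a)].append(a)
    return {k: {"response_codes": sorted({a.response_code for a in v}),
                "dns_answer_ips": sorted({a.dns_answer_ip for a in v if a.dns_answer_ip}),
                "first_seen": min(a.time for a in v), "last_seen": max(a.time for a in v),
                "count": len(v)} for k, v in groups.items()}

def second_features(alarms):  # first grouping condition: type, protocol, IoC, source IP, destination IP
    return aggregate(filter(meets_second_condition, alarms),
                     lambda a: (a.alarm_type, a.protocol, a.ioc, a.src_ip, a.dst_ip))
def third_features(alarms):   # second grouping condition: source IP and data flow direction
    return aggregate(filter(meets_third_condition, alarms), lambda a: (a.src_ip, flow_direction(a)))
def denoise(alarms, judge, threshold):  # elimination step: drop alarms below the preset threat degree
    return [a for a in alarms if judge(a) >= threshold]

SAMPLE = [  # constructed sample alarms, not real data
    Alarm("malicious_program", "dns", "evil.example", "10.0.0.5", "203.0.113.53", "0", "203.0.113.9", 100),
    Alarm("malicious_program", "dns", "evil.example", "10.0.0.5", "203.0.113.53", "3", "", 160),
    Alarm("suspicious_communication", "http", "203.0.113.9", "10.0.0.7", "203.0.113.9", "200", "", 200),
    Alarm("web_attack", "http", "sqli-pattern", "198.51.100.4", "10.0.0.80", "403", "", 300),
]
```

The aggregated dictionaries are what would be serialised into the prompt for the second or third preset large model; `judge` receives the model's verdict mapped to a threat degree.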
6. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the security alert data denoising method as claimed in any one of claims 1 to 4.
7. A computer readable storage medium for storing a computer program, wherein the computer program when executed by a processor implements the security alert data denoising method of any of claims 1 to 4.
CN202510159028.8A 2025-02-12 2025-02-12 Method, device, equipment and storage medium for reducing noise of safety alarm data Active CN119628971B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510159028.8A CN119628971B (en) 2025-02-12 2025-02-12 Method, device, equipment and storage medium for reducing noise of safety alarm data

Publications (2)

Publication Number Publication Date
CN119628971A CN119628971A (en) 2025-03-14
CN119628971B true CN119628971B (en) 2025-05-16

Family

ID=94891405

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202510159028.8A Active CN119628971B (en) 2025-02-12 2025-02-12 Method, device, equipment and storage medium for reducing noise of safety alarm data

Country Status (1)

Country Link
CN (1) CN119628971B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116991680A (en) * 2023-09-27 2023-11-03 北京锐服信科技有限公司 Log noise reduction method and electronic equipment
CN119402282A (en) * 2024-11-20 2025-02-07 杭州安恒信息技术股份有限公司 A network security alarm automatic analysis method, device, equipment and medium
CN119416267A (en) * 2025-01-09 2025-02-11 中电云计算技术有限公司 Alarm data processing method, device, electronic device and storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114070629B (en) * 2021-11-16 2023-10-20 南京南瑞信息通信科技有限公司 Security arrangement and automatic response method, device and system for APT attack
CN115442133B (en) * 2022-09-02 2025-06-03 国网浙江省电力有限公司信息通信分公司 A defense automation process orchestration method based on SOAR
CN116684128A (en) * 2023-05-24 2023-09-01 南京南瑞信息通信科技有限公司 Alarm noise reduction method and system based on adaptive classification of network attack behavior
CN117914512A (en) * 2023-10-31 2024-04-19 中铁第四勘察设计院集团有限公司 Network security event monitoring method, device and rail transit weak current system
CN119094202A (en) * 2024-08-30 2024-12-06 北京中睿天下信息技术有限公司 A method and system for automatically analyzing and judging network traffic threat alarm events

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant