Alarm processing method, device and electronic equipment

CN115629945BActive Publication Date: 2026-07-10ALIBABA INNOVATION PRIVATE LIMITED

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ALIBABA INNOVATION PRIVATE LIMITED
Filing Date
2021-07-13
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Excessive alarm messages on the cloud server prevent users from handling them in a timely manner, posing a security risk.

Method used

By generating an alarm graph, the relationship between target alarms and related alarms is determined, and they are provided to users as alarms from the same source. The node and edge information of the alarm graph is used to perform graph traversal and disjoint set processing to achieve alarm grouping and aggregation.

Benefits of technology

Effective grouping and aggregation of alarm information helps users handle a large number of alarms in a timely manner and reduce security risks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115629945B_ABST
    Figure CN115629945B_ABST
Patent Text Reader

Abstract

The application provides an alarm processing method, comprising: obtaining a target alarm generated by a server system; generating alarm query data according to information contained in the target alarm and entity information of an entity associated with the target alarm; determining, based on the alarm query data, associated alarms having an association relationship with the target alarm in a pre-generated alarm graph; taking the target alarm and the associated alarms as a group of homologous alarms, and providing homologous alarm information to a user. In the application, for a target alarm generated by a server system, associated alarms having an association relationship with the target alarm can be determined based on a pre-established alarm graph, and the target alarm and the associated alarms are provided to a user as a group of homologous alarms, so that a large amount of alarm information is grouped by the alarm processing method, so that the user can timely process a large amount of alarm information, and the problem of potential safety hazards caused by too much alarm information and untimely processing is solved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of computer technology, specifically to an alarm processing method, and also to an alarm processing device, an electronic device, and a computer storage medium. Background Technology

[0002] With the rapid development of technology, various cloud servers are also constantly evolving. More and more information needs to be stored on cloud servers, and more and more programs need to run on cloud servers. Storing information or running programs on cloud servers can greatly save space on local servers, thereby enabling local servers to quickly run local programs or store information.

[0003] Whether running programs or storing information on a cloud server, threat monitoring is essential to ensure secure operation and safe storage. However, because cloud servers typically employ multi-engine threat monitoring solutions, users face a massive volume of alerts to process daily. This often leads to delays in addressing alerts, resulting in significant security vulnerabilities for running programs or stored information. Summary of the Invention

[0004] This application provides an alarm processing method to address the security risks caused by excessive alarm information and failure to process it in a timely manner. This application also provides an alarm processing device, an electronic device, and a computer storage medium.

[0005] This application provides an alarm processing method, including:

[0006] Obtain target alarms generated by the server system;

[0007] Based on the information contained in the target alarm and the entity information of the entity associated with the target alarm, alarm query data is generated;

[0008] Based on the alarm query data, in the pre-generated alarm graph, related alarms that are associated with the target alarm are identified; the node information of the alarm graph includes interrelated entity information and alarm information generated by these entities, and the edge information of the alarm graph includes the association information between the entity information and the alarm information;

[0009] The target alarm and the associated alarm are grouped together as a common source alarm, and the common source alarm information is provided to the user.

[0010] Optionally, the step of determining related alarms that are associated with the target alarm in the pre-generated alarm map based on the alarm query data includes:

[0011] Based on the alarm query data, the alarm graph is traversed using the edge information in the alarm graph as the path basis, and the alarms traversed in the graph traversal are used as the associated alarms.

[0012] Optionally, the step of performing a graph traversal on the alarm map includes:

[0013] Based on the alarm query data, the edge information in the alarm graph is used to recursively traverse upwards and downwards;

[0014] After reaching the final ancestor node, the traversal ends, and all paths and nodes traversed form a connected subgraph; all alarms in the connected subgraph are the associated alarms.

[0015] Optionally, the final ancestor node can be used as the core reason for triggering the target alarm.

[0016] Optionally, in the step of generating alarm query data based on the information contained in the target alarm and the entity information of the entity associated with the target alarm, target alarm feature data is selected from the alarm query data and recorded in the disjoint set auxiliary table corresponding to the target alarm.

[0017] The step of identifying associated alarms that are related to the target alarm in the pre-generated alarm map includes:

[0018] When recording the target alarm feature data into the disjoint-set auxiliary table, the ancestor node of the target alarm is initialized to itself;

[0019] In the disjoint-set auxiliary table, based on the existing node information and associated information, as well as the continuously recorded new node information and associated information, the ancestor nodes of the target alarm and the ancestor nodes of the alarm records passed through in the disjoint-set processing are recursively updated using the disjoint-set processing method.

[0020] After the update is complete, alarms with the same ancestor node are considered related alarms.

[0021] Optionally, the disjoint-set auxiliary table includes at least the following information:

[0022] Node identifier information, node type information, parent node identifier information, parent node type information, ancestor node identifier information, and ancestor node type information.

[0023] Optionally, the initial version of the alarm map is generated using the following method:

[0024] Collect entity information and alarm information;

[0025] Based on the relationships between entities reflected in the entity information, establish the relationships between the entities;

[0026] The alarm is associated with an entity based on the associated entity information contained in the alarm information.

[0027] Optionally, the alarm map is updated in the following manner:

[0028] Monitor real-time alarm information;

[0029] Based on the alarm information, extract the associated entity information and establish the association relationship between the alarm information and the associated entity;

[0030] Based on the alarm information, associated entities, and the associated relationships, the alarm information and associated entities are aggregated into the current alarm graph to obtain an updated alarm graph.

[0031] Optionally, providing the same-source alarm information to the user includes: providing the user with an alarm information table, the alarm information table listing the received alarms, and grouping the same-source alarms into the same group;

[0032] The step of grouping the target alarm and the associated alarm into a group of alarms from the same source includes: updating the alarm information table and assigning the target alarm to the group of alarms from the same source where the associated alarm is located.

[0033] Optionally, the entity information includes at least one of the following: process information, network connection information, executable file related information, intelligence information, and existing alarm information.

[0034] Optionally, the association information includes at least one of the following:

[0035] The association information between the process information and the network connection information;

[0036] The association information between the process information and the relevant information of the executable file;

[0037] The correlation information between the process information and the intelligence information;

[0038] The correlation information between the process information and the alarm information;

[0039] The association information between the network connection information and the relevant information of the executable file;

[0040] The correlation information between the network connection information and the intelligence information;

[0041] The correlation information between the network connection information and the alarm information;

[0042] The correlation information between the executable file and the intelligence information;

[0043] The correlation information between the executable file and the alarm information;

[0044] The correlation information between the intelligence information and the alarm information.

[0045] This application also provides an alarm processing device, including:

[0046] The target alarm acquisition unit is used to acquire target alarms generated by the server system.

[0047] The generation unit is used to generate alarm query data based on the information contained in the target alarm and the entity information of the entity associated with the target alarm;

[0048] The determining unit is used to determine, based on the alarm query data, related alarms that are associated with the target alarm in a pre-generated alarm graph; the node information of the alarm graph includes interrelated entity information and alarm information generated by these entities, and the edge information of the alarm graph includes the association information between the entity information and the alarm information;

[0049] A providing unit is configured to group the target alarm and the associated alarm as a set of common-source alarms and provide the common-source alarm information to the user.

[0050] This application also provides an electronic device, including:

[0051] processor;

[0052] The memory is used to store computer programs, which are executed by the processor to perform the alarm handling methods described above.

[0053] This application also provides a computer storage medium storing a computer program, which is executed by a processor to perform the above-described alarm processing method.

[0054] Compared with the prior art, the embodiments of this application have the following advantages:

[0055] This application provides an alarm processing method, comprising: acquiring a target alarm generated by a server system; generating alarm query data based on information contained in the target alarm and entity information of entities associated with the target alarm; determining associated alarms related to the target alarm in a pre-generated alarm graph based on the alarm query data; the node information of the alarm graph includes mutually related entity information and alarm information generated by these entities, and the edge information of the alarm graph includes the association information between the entity information and the alarm information; grouping the target alarm and the associated alarms as a group of homologous alarms, and providing the homologous alarm information to the user. Because in this application, for a target alarm generated by a server system, associated alarms related to the target alarm can be determined based on a pre-established alarm graph, and the target alarm and associated alarms can be grouped as a group of homologous alarms and provided to the user, this alarm processing method achieves the grouping of a large amount of alarm information, facilitating timely processing of a large number of alarms by the user, and solving the problem of security risks caused by excessive alarm information and failure to process it in a timely manner. Attached Figure Description

[0056] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in this application. For those skilled in the art, other drawings can be obtained based on these drawings.

[0057] Figure 1 This is a schematic diagram of the overall alarm processing process provided in the first embodiment of this application;

[0058] Figure 2 A flowchart of the alarm processing method provided in the first embodiment of this application;

[0059] Figure 3 A schematic diagram of the security incident monitoring process provided in the first embodiment of this application;

[0060] Figure 4 A schematic diagram of the alarm graph provided in the first embodiment of this application;

[0061] Figure 5 A schematic diagram illustrating the first alarm aggregation method provided in the first embodiment of this application;

[0062] Figure 6 A schematic diagram illustrating the second alarm aggregation method provided in the first embodiment of this application;

[0063] Figure 7 A schematic diagram illustrating the third alarm aggregation method provided in the first embodiment of this application;

[0064] Figure 8 This is a schematic diagram of the alarm processing device provided in the second embodiment of this application;

[0065] Figure 9 This is a schematic diagram of the electronic device provided in the third embodiment of this application. Detailed Implementation

[0066] Many specific details are set forth in the following description to provide a full understanding of this application. However, this application can be implemented in many other ways different from those described herein, and those skilled in the art can make similar extensions without departing from the spirit of this application. Therefore, this application is not limited to the specific implementations disclosed below.

[0067] This application provides an alarm processing method, apparatus, electronic device, and computer storage medium. The alarm processing method, apparatus, electronic device, and computer storage medium are described below through specific embodiments.

[0068] The alarm processing method in this application is mainly used to group a large number of alarm information generated by the cloud server, so as to classify multiple alarms caused by the same event into alarms from the same source, so that users can easily process the large number of alarm information after grouping.

[0069] The alarm handling method in this application is mainly based on the following approach: First, obtain information on interconnected entities in the cloud server that trigger a large number of alarms; this entity information is primarily used to construct an alarm graph for alarm backtracking. For details, please refer to... Figure 1 , Figure 1 This is a schematic diagram illustrating the overall process of alarm processing provided in the first embodiment of this application. From... Figure 1 As can be seen, the alarm handling process includes alarm retrospection, alarm aggregation, and alarm deployment. This entity information includes... Figure 1 The data source shown contains host data and intelligence data.

[0070] The entity information mentioned above corresponds to a multi-engine center. Based on an entity within a multi-engine center, multiple alarms may be generated. That is, there is a correlation between multiple alarms and entity information.

[0071] During the alarm backtracking phase, alarm backtracking information can be obtained based on alarms, and further entity relationship extraction can be performed. Ultimately, this yields data containing the relationships between alarms and other entities. This data can be termed Open Pluggable Specification (OPS) operational data, or simply Alarm Operations Ops (Ops) data. These other entities can refer to processes, networks, files, IPs, events, etc. In fact, after the alarm backtracking phase concludes, the alarm graph has already been constructed; that is, the alarm backtracking phase ends after the alarm graph is built.

[0072] Specifically, when constructing alarm operation Ops data, alarm information, along with accompanying basic information such as processes and files, can be correlated using key fields (such as process identifier information and file message digest algorithms) and sent back to the operation platform's message queue as alarm backtracking information. For this backtracking information, entity and relationship information is extracted in real time to form alarm operation Ops data. After forming the alarm operation Ops data, an alarm graph can be constructed based on it. The aforementioned message queue can be used to extract entity and relationship information from the information in real time, thereby constructing the alarm graph in real time.

[0073] from Figure 1 As can be seen, the alarm aggregation phase follows the alarm backtracking phase. During this phase, three methods can be used: direct graph traversal of the alarm graph, a disjoint-set data structure with an auxiliary table, and a heuristic merge auxiliary table. An alarm aggregation table can be obtained using any of these three methods. Once the aggregation table is obtained, the alarm aggregation phase ends. The aggregation table records detailed alarm information and corresponding grouping information.

[0074] Following the alarm aggregation phase, the alarm release phase begins directly. During this phase, alarms can be grouped based on the alarm aggregation table. This grouping process essentially involves grouping alarms with the same origin from multiple sources together. In the alarm release phase, alarms from the same source within the same group are provided to the cloud security center. In this application, multiple engines generate process detection based on information such as processes and files. After generating and grouping these alarms, real-time secondary verification is performed to eliminate false alarms and duplicate alarms, thereby pushing the grouped alarm information with the same origin to the user.

[0075] The above Figure 1 This describes the process of dividing multiple alarms into multiple or one alarm from the same source. After dividing multiple alarms into alarms from the same source, it is also possible to find alarms from the same source for newly generated alarms. The first embodiment below is a method for alarm processing of newly generated alarms.

[0076] First Embodiment

[0077] The first embodiment of this application provides an alarm processing method, which is described below in conjunction with... Figure 2-7 Please provide an explanation.

[0078] Please refer to Figure 2 This is a flowchart of the alarm processing method provided in the first embodiment of this application.

[0079] The alarm processing method of this application embodiment includes the following steps:

[0080] Step S201: Obtain target alarms generated by the server system.

[0081] As one implementation method for obtaining target alarms generated by the server system, it can be done as follows: based on a pre-established alarm information list, obtain the alarms that are not grouped in the alarm information list; and take the ungrouped alarms as target alarms.

[0082] Specifically, alarm information can be stored in an alarm information list. This list can store both grouped alarms (existing alarms, with each group representing alarms from the same source) and newly generated alarms (ungrouped alarms). In this embodiment, the alarm information list is essentially an alarm aggregation table. In this embodiment, whenever the server generates a new alarm, the new alarm is stored in the alarm information list to create an alarm aggregation. An alarm can be selected from the new alarms as the target alarm.

[0083] To better understand same-origin alerts, please refer to... Figure 3 , Figure 3 This is a schematic diagram of the security event monitoring process provided in the first embodiment of this application. Figure 3 As can be seen from the data, alarms 1, 2, 3, 4, 5, and 6 are all alarms caused by network attacks on network 1 by the URL "115.197.95.179". Therefore, alarms 1, 2, 3, 4, 5, and 6 are a group of alarms from the same source.

[0084] To group ungrouped alarms stored in the alarm information list—that is, to obtain alarms from the same source as the ungrouped alarms—one of the ungrouped alarms can be selected as the target alarm. Specifically, any ungrouped alarm can be arbitrarily selected from the alarm information list as the target alarm. For example, assuming alarm 6 is not grouped in the alarm information list, alarm 6 can be selected as the target alarm.

[0085] Step S202: Generate alarm query data based on the information contained in the target alarm and the entity information of the entity associated with the target alarm.

[0086] After obtaining the target alarm generated by the server system in step S101, alarm query data can be generated based on the information contained in the target alarm and the entity information of the entity associated with the target alarm.

[0087] Specifically, the entity associated with a target alarm can be the entity that generated the target alarm, or an entity related to the entity that generated the target alarm. For example, if a process checks text and detects a problem, triggering an alarm, the process that checked the text generated the alarm, but the associated entity is the text itself. For a clearer understanding of the entity information associated with the target alarm, please refer to [link to relevant documentation]. Figure 3 When alarm 6 is the target alarm, since alarm 6 is generated by process 3 detecting file 1, process 3 can be regarded as the entity that generated the target alarm, and file 1 can be regarded as the entity related to the entity that generated the target alarm.

[0088] The alarm query data mentioned above is Figure 1 The alarm operation Ops data shown is as follows. A specific method for generating alarm query data can be: first, with user authorization, obtaining process information, network connection information, executable file information, and existing alarm information generated by the cloud server during security monitoring of security events. This process information, network connection information, and executable file information are all obtained based on multi-engine monitoring of security events.

[0089] After obtaining the aforementioned process information, network connection information, executable file information, and existing alarm information, process chain information is obtained based on the process information; and the relationship between processes and the network is obtained based on the process chain information and the identification information of the network connection information. This yields the relationship information between process information and network connection information.

[0090] Simultaneously, based on process chain information and executable file-related information, the relationship between processes and files is obtained. In other words, the relationship between process information and executable file-related information is obtained.

[0091] After obtaining the relationship information between processes and networks, as well as the relationship information between processes and files, we can also obtain the relationship information between networks and files based on the relationship information between processes and networks and between processes and files. That is, we can obtain the relationship information between network connection information and relevant information of executable files.

[0092] At the same time, based on the associated entity information contained in the existing alarm information, the existing alarms are associated with the entities to obtain the association relationship information between the alarms and the entities.

[0093] The information on each entity, the alarm information, and the relationships between them can be used as alarm query data.

[0094] To clearly represent the information of each entity, alarm information, and the relationships between them, each entity (including process information, network connection information, and executable file-related information) and existing alarm information are treated as node information; the relationships between processes and networks, processes and files, networks and files, and alarms and entities are treated as edge information of the alarm graph; thus, an alarm graph can be established.

[0095] This alarm graph consists of nodes representing interconnected entities generated by a cloud server and the alarms they generate, with the relationships between entities and alarms forming the edges. Specifically, the node information in the alarm graph includes information about interconnected entities generated by the server and the alarm information they generate, while the edge information includes information about the relationships between entities and alarm information.

[0096] The aforementioned interrelated entity information includes at least one of the following: process information, network connection information, executable file-related information, intelligence information, and existing alarm information. Naturally, the nodes in the alarm graph include: processes, networks, executable files, intelligence, and existing alarms.

[0097] The correlation information between the aforementioned entity information and alarm information refers to the correlation information between any two of the aforementioned entity information or between entity information and alarm information. Examples include: the correlation information between process information and network connection information; the correlation information between process information and executable file-related information; the correlation information between process information and intelligence information; the correlation information between process information and existing alarm information; the correlation information between network connection information and executable file-related information; the correlation information between network connection information and intelligence information; the correlation information between network connection information and existing alarm information; the correlation information between executable file-related information and existing alarm information; and the correlation information between intelligence information and existing alarm information.

[0098] In this embodiment, if an alarm map is to be generated in advance, an initial version of the alarm map needs to be generated in advance, and then the initial version is continuously updated.

[0099] Specifically, the initial version of the alarm map is generated using the following method: First, entity information and alarm information are collected; then, the relationships between entities are established based on the relationships between entities reflected in the entity information; and finally, alarms are associated with entities based on the associated entity information contained in the alarm information.

[0100] More specifically, the initial version of generating the alarm graph mentioned above can refer to: first, with user authorization, obtaining process information, network connection information, executable file information, and existing alarm information generated by the cloud server during security monitoring of security events. This process information, network connection information, and executable file information are all obtained based on a multi-engine approach to monitoring security events.

[0101] After obtaining the aforementioned process information, network connection information, executable file information, and existing alarm information, process chain information is obtained based on the process information; and the relationship between processes and the network is obtained based on the process chain information and the identification information of the network connection information. This yields the relationship information between process information and network connection information.

[0102] Simultaneously, based on process chain information and executable file-related information, the relationship between processes and files is obtained. In other words, the relationship between process information and executable file-related information is obtained.

[0103] After obtaining the relationship information between processes and networks, as well as the relationship information between processes and files, we can also obtain the relationship information between networks and files based on the relationship information between processes and networks and between processes and files. That is, we can obtain the relationship information between network connection information and relevant information of executable files.

[0104] At the same time, based on the associated entity information contained in the existing alarm information, the existing alarms are associated with the entities to obtain the association relationship information between the alarms and the entities.

[0105] Next, process information, network connection information, executable file information, and existing alarm information are used as node information; the relationship information between processes and networks, the relationship information between processes and files, the relationship information between networks and files, and the association information between alarms and entities are used as edge information of the alarm graph; thus, the initial version of the alarm graph can be obtained.

[0106] After obtaining the initial version of the alarm graph, the alarm graph is updated in the following way: First, real-time alarm information is monitored; then, based on the real-time alarm information, the associated entity information is extracted, and the association relationship between the real-time alarm information and the associated entities is established; finally, based on the real-time alarm information, associated entities, and association relationships, the real-time alarm information and associated entities are aggregated into the initial version of the alarm graph to obtain the updated alarm graph.

[0107] Specifically, please see Figure 4 , Figure 4 This is a schematic diagram of the alarm graph provided in the first embodiment of this application. From Figure 4 As can be seen, the alarm graph includes process, file, registry information, alarms, and network connection information; it also includes process tags, file tags, registry tags, and login events. The alarm graph clearly displays the relationships between entity information and alarm information.

[0108] It's important to note that the process of obtaining the alert graph also incorporates intelligence data and network traffic data (such as interception data from high-performance networks, application protection systems, and DDoS protection). This intelligence and network traffic data enrich the information contained in the alert graph. Furthermore, since the alerts are all obtained through monitoring this information on cloud servers, for example, identifying malicious file downloads and executions based on process command lines or file paths can generate alerts, making it easy to associate alerts with processes. Similarly, alerts can be linked to the network or associated with files, ultimately forming a real-time updated alert graph.

[0109] Specifically, in this embodiment, since it is necessary to obtain the entity information of the entity associated with the target alarm, it can be done in the following manner: The target alarm information corresponding to the target alarm is processed according to... Figure 3 The security event monitoring content shown is matched with entity information, and entities whose entity information matches the target alarm information are identified as entities associated with the target alarm. For example, based on Figure 3 As can be seen, when the target alarm is alarm 6, since alarm 6 matches process 3, process 3 is considered the entity associated with target alarm 6. After determining the entity associated with the target alarm, alarm query data is generated based on the information contained in the target alarm and the entity information of the entity associated with the target alarm.

[0110] One implementation method for generating alarm query data based on the information contained in the target alarm and the entity information of the entity associated with the target alarm is to select target alarm feature data from the alarm query data and record it in the disjoint set auxiliary table corresponding to the target alarm.

[0111] In the subsequent process, Table 1 will be used to represent the aforementioned disjoint-set data structure auxiliary table. Table 1 will be used to elaborate on the disjoint-set data structure auxiliary table.

[0112] The above disjoint-set auxiliary table includes at least the following information: node identifier information, node type information, parent node identifier information, parent node type information, ancestor node identifier information, and ancestor node type information.

[0113] based on Figure 3 The diagram shown illustrates the security incident monitoring process, and the resulting disjoint-setup auxiliary table is shown in Table 1.

[0114]

[0115]

[0116] Table 1

[0117] In subsequent processes, alarm aggregation can be performed using a disjoint-set auxiliary table. Specifically, by using the node relationships between nodes in the alarm graph recorded in Table 1, the associated alarms of the target alarm can be directly obtained. For example, when alarm 6 is the target alarm, its corresponding ancestor node is network 1. Table 1 shows that the ancestor node network 1 also triggered alarms 1, 2, 3, 4, and 5. Therefore, alarms 1, 2, 3, 4, 5, and 6 form a group of alarms with the same origin.

[0118] The above disjoint-set auxiliary table can be established in the following manner.

[0119] First, based on the alarm query data, the identification information of the target node corresponding to the target alarm and the identification information of the adjacent connected nodes of the target node are obtained. For example, when the target alarm is alarm 6, the identification information of the adjacent nodes can be obtained first, and then... Figure 3 As can be seen, the identification information of the adjacent nodes is file 1.

[0120] Next, based on the node relationships between the target node and its neighboring nodes, the parent node of the target node is determined. This is done through... Figure 3 As can be seen, file 1 may trigger alarm 6. Therefore, the node corresponding to file 1 is taken as the parent node of the target node (the node corresponding to the target alarm). Thus, the table used to represent the relationship between the target node and its neighboring nodes is shown in Table 2.

[0121] Node identifier Node type Parent node Parent node type 6 Alarm 1 document 1 document 1 document

[0122] Table 2

[0123] Then, traverse each node in the alarm graph to obtain the updated parent node of the target node.

[0124] For example, when alarm 5 is received, the information of alarm 5 needs to be added to Table 2, and Table 2 is updated to Table 3.

[0125] Node identifier Node type Parent node Parent node type 6 Alarm 1 document 1 document 1 document 5 Alarm 1 document

[0126] Table 3

[0127] When process 3 is obtained, information about process 3 needs to be added to Table 3, and Table 3 is updated to Table 4. Since the parent node of file 1 is the node corresponding to process 3, the parent nodes of all nodes whose parent node is file 1 are updated to the node corresponding to process 3.

[0128] Node identifier Node type Parent node Parent node type 6 Alarm 3 process 1 document 3 process 5 Alarm 3 process 3 process 3 process

[0129] Table 4

[0130] Following the above method, this process continues until no new parent node can be found in the alarm graph. The node obtained after the final traversal is taken as the ancestor node of the target node and all other nodes. The node corresponding to Network 1 above is the ancestor node. Therefore, the final list of information representing the node relationships between the nodes in the alarm graph is shown in Table 1.

[0131] Table 1 above lists in detail the identification information of each node, the identification information of the parent node, the identification information of the ancestor node, as well as the type information of each node, the type information of the parent node, and the type information of the ancestor node.

[0132] Please refer to Figure 5 This diagram illustrates the first alarm aggregation method provided in this application, which is an alarm aggregation method based on a disjoint-setup auxiliary table. Specifically, in this alarm aggregation method, ungrouped target alarms are obtained from the alarm information list, and then associated alarms with the target alarms are obtained according to the disjoint-setup auxiliary table.

[0133] In this application, after obtaining the associated alarms of the target alarm, the target alarm and the associated alarms are treated as a group of alarms from the same source. Furthermore, the alarm information list is updated based on the associated alarms of the target alarm to obtain the updated alarm information list.

[0134] Simultaneously, after obtaining the associated alarms of the target alarm, the alarm graph is updated based on the associated alarms to obtain an updated alarm graph. For example, the relationship information between the target alarm 6 and other alarms (alarm 1, alarm 2, alarm 3, alarm 4, alarm 5) is added to the alarm graph to facilitate finding common source alarms for newly generated alarms.

[0135] Step S203: Based on the alarm query data, identify the associated alarms that are related to the target alarm in the pre-generated alarm map.

[0136] In this embodiment, the node information of the alarm graph includes interconnected entity information and alarm information generated by these entities, and the edge information of the alarm graph includes the relationship information between entity information and alarm information.

[0137] As a method based on alarm query data, identifying associated alarms that are related to the target alarm in a pre-generated alarm graph can refer to: based on the alarm query data, using the edge information in the alarm graph as the path basis, performing a graph traversal on the alarm graph, and taking the alarms passed through in the graph traversal as associated alarms.

[0138] More specifically, as one implementation method for graph traversal of the alarm graph, it can refer to: based on the alarm query data, using the edge information in the alarm graph, traversing upwards and downwards recursively; after reaching the final ancestor node upwards, the traversal ends, and all paths and nodes traversed form a connected subgraph; all alarms in this connected subgraph are associated alarms.

[0139] For example, using the disjoint-set auxiliary table in Table 1, we can obtain a path "Network 1 → Process 1 → Process 2 → Process 3 → File 1 → Alarm 6" and another path "Network 1 → Process 1 → Process 2 → Process 3 → Alarm 5". From these two paths, we can see that Alarm 5 is a related alarm to the target alarm, i.e., Alarm 6. Naturally, Alarm 5 and Alarm 6 are a set of alarms with the same source. In the above paths, we can see that Network 1 is the ancestor node.

[0140] In this embodiment, the final ancestor node is used as the core reason for triggering the target alarm. For example, network 1 is the core reason for triggering alarm 6, from... Figure 3 It can also be seen that network 1 was attacked, which triggered a series of alarms: alarm 1, alarm 2, alarm 3, alarm 4, alarm 5, alarm 6.

[0141] In this embodiment, the alarm query data may include information on each entity in the pre-generated alarm map and the alarm information that has been grouped; the target alarm feature data may include the identification information of the target alarm.

[0142] Specifically, identifying associated alarms with a relationship to the target alarm in the pre-generated alarm map can be achieved as follows: First, when recording the target alarm feature data into the disjoint-setup auxiliary table, the ancestor node of the target alarm is initialized to itself. Then, in the disjoint-setup auxiliary table, based on existing node information and associated information, as well as continuously recorded new node information and associated information, the ancestor node of the target alarm, and the ancestor nodes of alarm records passed through the disjoint-setup process, are recursively updated using a disjoint-setup processing method. Finally, after the update is complete, alarms with the same ancestor node are considered associated alarms. The disjoint-setup processing method refers to the process of continuously updating the parent node of the target alarm 6 according to Tables 2 to 4 until the final ancestor node is obtained. In this embodiment, the recursive update of the ancestor node of the target alarm and the ancestor nodes of alarm records passed through the disjoint-setup process is essentially equivalent to alarm aggregation while performing alarm backtracking, greatly improving the timeliness and efficiency of alarm aggregation.

[0143] As one implementation method for identifying associated alarms that are related to the target alarm in a pre-generated alarm graph based on alarm query data, another method is to directly perform graph traversal on the alarm graph to identify associated alarms that are related to the target alarm.

[0144] Specifically, the implementation method of directly performing graph traversal on the alarm graph can be found in [reference needed]. Figure 6 , Figure 6 This is a schematic diagram of a second type of alarm aggregation provided in the first embodiment of this application.

[0145] exist Figure 6 As can be seen from this, directly performing graph traversal on the alarm graph to determine the associated alarms that are related to the target alarm can refer to: using a graph aggregation model to perform graph traversal on the alarm graph to determine the associated alarms that are related to the target alarm.

[0146] More specifically, by using a graph aggregation model to perform graph traversal on the alarm graph, related alarms that are associated with the target alarm can be determined according to... Figure 6 The steps illustrated are as follows: First, the graph aggregation model executes step S601 based on the alarm information list: obtain ungrouped target alarms. In fact, step S601 corresponds to step S201, both used to obtain ungrouped target alarms from the alarm information list.

[0147] After acquiring the target alarm, the graph aggregation model executes step S602 based on the alarm graph: querying the connected subgraph of the target alarm in the alarm graph. In practice, querying the connected subgraph of the target alarm in the alarm graph is mainly used for depth-first traversal in the alarm graph. Depth-first traversal specifically refers to first finding its parent node upwards, then traversing its sibling nodes downwards. If other alarms are found, they are considered to be from the same source as the target alarm. This traversal process is recursively repeated upwards and downwards until no new parent nodes are generated upwards, at which point the traversal ends. All alarms encountered are from the same source as the target alarm, and these alarms can be grouped together. The parent node obtained at the end is the factor that caused the alarm from the same source.

[0148] After step S602, step S603 can be executed: return the alarm nodes in the connected subgraph. At this point, all alarms in the alarm graph that are from the same source as the target alarms are obtained. Then, step S604 can be executed: group the target alarms. In fact, step S604 is the process of updating the alarm information list.

[0149] The third alarm aggregation method for identifying related alarms that are associated with the target alarm is based on a heuristic merging auxiliary table. The heuristic merging auxiliary table is shown in Table 5.

[0150]

[0151]

[0152] Table 5

[0153] Table 5 records the node relationships between the nodes in the alarm graph, which also helps identify related alarms that are associated with the target alarm. For example, when alarm 6 is the target alarm, its ancestor node is the node corresponding to network 1. Table 5 shows that network 1 also triggered alarms 1, 2, 3, 4, and 5. Therefore, alarms 1, 2, 3, 4, 5, and 6 are all from the same source.

[0154] The above heuristic merge auxiliary table can be constructed in the following manner.

[0155] First, based on the alarm query data, the identification information of the target node corresponding to the target alarm and the identification information of the adjacent connected nodes of the target node are obtained. For example, when the target alarm is alarm 6, the identification information of the adjacent nodes can be obtained first, and then... Figure 3 As can be seen, the identification information of the adjacent nodes is file 1.

[0156] Next, based on the node relationships between the target node and its neighboring nodes, the parent node of the target node is determined. This is done through... Figure 3 As can be seen, file 1 triggers alarm 6. Therefore, the node corresponding to file 1 is taken as the parent node of the target node (the node corresponding to the target alarm). Thus, the table used to represent the relationship between the target node and its neighboring nodes is shown in Table 6.

[0157]

[0158] Table 6

[0159] Next, traverse each node in the alarm graph to obtain the updated parent node of the target node, and record the parent node group information.

[0160] For example, when alarm 5 is received, the information of alarm 5 needs to be added to Table 6, and Table 6 is updated to Table 7.

[0161]

[0162] Table 7

[0163] Following the above method, this process continues until no new parent node can be found in the alarm graph. The node obtained after the final traversal is taken as the ancestor node of the target node and all other nodes. The node corresponding to Network 1 above is the ancestor node. Therefore, the final list of information representing the node relationships between the nodes in the alarm graph is shown in Table 5.

[0164] Table 5 above details the identifiers of each node, its parent node, its ancestor node, and the types of each node, its parent node, and its ancestor node. The parent node group information for each node is recorded in the row corresponding to the ancestor node in the table. The parent node group information records the information of all child nodes under that node. For example, when File 1 is the current update parent node, Table 7 shows that its child nodes are File 1, Alarm 6, and Alarm 5.

[0165] In fact, the process of obtaining heuristic merge auxiliary tables and disjoint-setup auxiliary tables is similar, the only difference being that heuristic merge auxiliary tables also contain parent node group information. Furthermore, the methods for using heuristic merge auxiliary tables and disjoint-setup auxiliary tables for alarm aggregation are quite similar.

[0166] Please refer to Figure 7 This is a schematic diagram of the third type of alarm aggregation provided in this application, namely: a schematic diagram of alarm aggregation based on a heuristic merging auxiliary table. Specifically, in this alarm aggregation method, the ungrouped target alarm is obtained based on the alarm information list, and then alarms from the same source as the target alarm are obtained according to the heuristic merging auxiliary table.

[0167] The reason for employing the three alarm aggregation methods mentioned above is that the alarm aggregation method, which directly traverses the alarm graph, effectively solves the problem of long alarm chains preventing aggregation by grouping related alarms together. Furthermore, if new alarms are related to already aggregated alarm groups, they can be merged together, significantly improving the alarm aggregation rate. The alarm aggregation method based on a disjoint-setup auxiliary table, which simulates graph traversal through recursive queries, addresses the issue of low overall alarm aggregation rates caused by excessively deep traversals. The alarm aggregation method based on a heuristic merge auxiliary table adds a field to record all child nodes belonging to a given parent node; that is, it records all child node information under a given node using parent node group information. This effectively avoids stack overflow caused by recursion, greatly improving traversal efficiency.

[0168] Step S204: Treat the target alarm and related alarms as a group of alarms from the same source, and provide the alarm information from the same source to the user.

[0169] One way to provide users with alarm information from the same source is to provide them with an alarm information table, list the received alarms in the table, and group alarms from the same source into the same group.

[0170] The above-mentioned grouping of target alarms and related alarms into a single source group can refer to updating the alarm information table and assigning the target alarm to the same source group containing the related alarms.

[0171] In this application, for target alarms generated by the server system, related alarms that are associated with the target alarm can be identified based on a pre-established alarm graph. The target alarm and related alarms are then provided to the user as a group of alarms from the same source. This alarm processing method enables the grouping of a large number of alarm information, making it easier for users to process a large number of alarms in a timely manner. This solves the problem of security risks caused by excessive alarm information and failure to process it in a timely manner.

[0172] Second Embodiment

[0173] Corresponding to the alarm processing method provided in the first embodiment of this application, the second embodiment of this application provides an alarm processing device. Since the device embodiment is basically similar to the first embodiment, the description is relatively simple; relevant details can be found in the description of the first embodiment. The device embodiments described below are merely illustrative.

[0174] Please refer to Figure 8 This is a schematic diagram of the alarm processing device provided in the second embodiment of this application.

[0175] The alarm processing device includes:

[0176] The target alarm acquisition unit 801 is used to acquire target alarms generated by the server system.

[0177] The generation unit 802 is used to generate alarm query data based on the information contained in the target alarm and the entity information of the entity associated with the target alarm.

[0178] The determining unit 803 is used to determine, based on the alarm query data, related alarms that are associated with the target alarm in a pre-generated alarm graph; the node information of the alarm graph includes interrelated entity information and alarm information generated by these entities, and the edge information of the alarm graph includes the association information between the entity information and the alarm information;

[0179] The providing unit 804 is used to treat the target alarm and the associated alarm as a group of alarms from the same source, and to provide the alarm information from the same source to the user.

[0180] Optionally, the determining unit is specifically used for:

[0181] Based on the alarm query data, the alarm graph is traversed using the edge information in the alarm graph as the path basis, and the alarms traversed in the graph traversal are used as the associated alarms.

[0182] Optionally, the determining unit is specifically used for:

[0183] Based on the alarm query data, the edge information in the alarm graph is used to recursively traverse upwards and downwards;

[0184] After reaching the final ancestor node, the traversal ends, and all paths and nodes traversed form a connected subgraph; all alarms in the connected subgraph are the associated alarms.

[0185] Optionally, the determining unit is specifically used to: take the final ancestor node as the core reason for triggering the target alarm.

[0186] Optionally, the generation unit is specifically used to: select target alarm feature data from the alarm query data and record it in the disjoint-set auxiliary table corresponding to the target alarm;

[0187] The determining unit is specifically used for:

[0188] When recording the target alarm feature data into the disjoint-set auxiliary table, the ancestor node of the target alarm is initialized to itself;

[0189] In the disjoint-set auxiliary table, based on the existing node information and associated information, as well as the continuously recorded new node information and associated information, the ancestor nodes of the target alarm and the ancestor nodes of the alarm records passed through in the disjoint-set processing are recursively updated using the disjoint-set processing method.

[0190] After the update is complete, alarms with the same ancestor node are considered related alarms.

[0191] Optionally, the disjoint-set auxiliary table includes at least the following information:

[0192] Node identifier information, node type information, parent node identifier information, parent node type information, ancestor node identifier information, and ancestor node type information.

[0193] Optionally, it also includes an alarm map generation unit, specifically used for:

[0194] Collect entity information and alarm information;

[0195] Based on the relationships between entities reflected in the entity information, establish the relationships between the entities;

[0196] The alarm is associated with an entity based on the associated entity information contained in the alarm information.

[0197] Optionally, it also includes an alarm graph update unit, specifically used for:

[0198] Monitor real-time alarm information;

[0199] Based on the alarm information, extract the associated entity information and establish the association relationship between the alarm information and the associated entity;

[0200] Based on the alarm information, associated entities, and the associated relationships, the alarm information and associated entities are aggregated into the current alarm graph to obtain an updated alarm graph.

[0201] Optionally, the providing unit is specifically used to: provide the user with an alarm information table, the alarm information table listing the received alarms and grouping alarms from the same source into the same group;

[0202] The providing unit is specifically used to: update the alarm information table and classify the target alarm into the same-source alarm group where the associated alarm is located.

[0203] Optionally, the entity information includes at least one of the following: process information, network connection information, executable file related information, intelligence information, and existing alarm information.

[0204] Optionally, the association information includes at least one of the following:

[0205] The association information between the process information and the network connection information;

[0206] The association information between the process information and the relevant information of the executable file;

[0207] The correlation information between the process information and the intelligence information;

[0208] The correlation information between the process information and the alarm information;

[0209] The association information between the network connection information and the relevant information of the executable file;

[0210] The correlation information between the network connection information and the intelligence information;

[0211] The correlation information between the network connection information and the alarm information;

[0212] The correlation information between the executable file and the intelligence information;

[0213] The correlation information between the executable file and the alarm information;

[0214] The correlation information between the intelligence information and the alarm information.

[0215] Third Embodiment

[0216] Corresponding to the method of the first embodiment of this application, the third embodiment of this application also provides an electronic device.

[0217] like Figure 9 As shown, Figure 9 This is a schematic diagram of the electronic device provided in the third embodiment of this application.

[0218] The electronic device includes: a processor 901; and a memory 902 for storing a computer program, which is executed by the processor to perform the alarm processing method of the first embodiment.

[0219] Fourth embodiment

[0220] Corresponding to the method of the first embodiment of this application, the fourth embodiment of this application also provides a computer storage medium storing a computer program, which is executed by a processor to perform the alarm processing method of the first embodiment.

[0221] Although this application discloses preferred embodiments as described above, it is not intended to limit this application. Any person skilled in the art can make possible changes and modifications without departing from the spirit and scope of this application. Therefore, the scope of protection of this application should be determined by the scope defined in the claims of this application.

[0222] In a typical configuration, a computing device includes one or more processors (CPUs), input / output interfaces, a network interface, and memory. Memory may include non-persistent storage in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.

[0223] 1. Computer-readable media includes both permanent and non-permanent, removable and non-removable media that can store information by any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic magnetic disk storage or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include non-transitory computer-readable storage media, such as modulated data signals and carrier waves.

[0224] 2. Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

Claims

1. An alarm processing method, characterized in that, include: Obtain target alarms generated by the server system, wherein the target alarms are ungrouped alarms; Based on the information contained in the target alarm and the entity information of the entity associated with the target alarm, alarm query data is generated; Based on the alarm query data, target alarm feature data is selected from the alarm query data. When the target alarm feature data is recorded in the disjoint-set auxiliary table, the ancestor node of the target alarm is initialized to itself. In the disjoint-set auxiliary table, based on the existing node information and association information, as well as the continuously recorded new node information and association information, the ancestor node of the target alarm and the ancestor node of the alarm records passed in the disjoint-set processing are recursively updated using the disjoint-set processing method. After the update is completed, alarms with the same ancestor node are associated alarms. The node information of the alarm graph includes the information of mutually related entities and the alarm information generated by these entities. The edge information of the alarm graph includes any two types of entity information, or the association information between the entity information and the alarm information. The alarm graph is generated by the cloud server based on the node information and the edge information. The target alarm and the associated alarm are grouped into a common source alarm group, and the common source alarm information is provided to the user. The step of grouping the target alarm and the associated alarm into a common source alarm group indicates that the alarm information table is updated and the target alarm is included in the common source alarm group where the associated alarm is located. The common source alarm is used to indicate multiple alarms caused by the same event.

2. The alarm processing method according to claim 1, characterized in that, The step of determining related alarms that are associated with the target alarm in the pre-generated alarm map based on the alarm query data includes: Based on the alarm query data, the alarm graph is traversed using the edge information in the alarm graph as the path basis, and the alarms traversed in the graph traversal are used as the associated alarms.

3. The alarm processing method according to claim 2, characterized in that, The graph traversal of the alarm map includes: Based on the alarm query data, the edge information in the alarm graph is used to recursively traverse upwards and downwards; After reaching the final ancestor node, the traversal ends, and all paths and nodes traversed form a connected subgraph; all alarms in the connected subgraph are the associated alarms.

4. The alarm processing method according to claim 3, characterized in that, The final ancestor node is used as the core reason for triggering the target alarm.

5. The alarm processing method according to claim 1, characterized in that, In the step of generating alarm query data based on the information contained in the target alarm and the entity information of the entity associated with the target alarm, target alarm feature data is selected from the alarm query data and recorded in the disjoint set auxiliary table corresponding to the target alarm.

6. The alarm processing method according to claim 5, characterized in that, The disjoint-set auxiliary table shall include at least the following information: Node identifier information, node type information, parent node identifier information, parent node type information, ancestor node identifier information, and ancestor node type information.

7. The alarm processing method according to claim 1, characterized in that, The initial version of the alarm map was generated using the following method: Collect entity information and alarm information; Based on the relationships between entities reflected in the entity information, establish the relationships between the entities; The alarm is associated with an entity based on the associated entity information contained in the alarm information.

8. The alarm processing method according to claim 7, characterized in that, The alarm graph is updated in the following manner: Monitor real-time alarm information; Based on the alarm information, extract the associated entity information and establish the association relationship between the alarm information and the associated entity; Based on the alarm information, associated entities, and the associated relationships, the alarm information and associated entities are aggregated into the current alarm graph to obtain an updated alarm graph.

9. The alarm processing method according to claim 1, characterized in that, Providing the same source alarm information to the user includes: providing the user with an alarm information table, which lists the received alarms and groups the same source alarms into the same group; The step of grouping the target alarm and the associated alarm into a group of alarms from the same source includes: updating the alarm information table and assigning the target alarm to the group of alarms from the same source where the associated alarm is located.

10. The alarm processing method according to claim 1, characterized in that, The entity information includes at least one of the following: process information, network connection information, executable file related information, intelligence information, and existing alarm information.

11. The method according to claim 10, characterized in that, The association information includes at least one of the following: The association information between the process information and the network connection information; The association information between the process information and the relevant information of the executable file; The correlation information between the process information and the intelligence information; The correlation information between the process information and the alarm information; The association information between the network connection information and the relevant information of the executable file; The correlation information between the network connection information and the intelligence information; The correlation information between the network connection information and the alarm information; The correlation information between the executable file and the intelligence information; The correlation information between the executable file and the alarm information; The correlation information between the intelligence information and the alarm information.

12. An alarm processing device, characterized in that, include: The target alarm acquisition unit is used to acquire target alarms generated by the server system, wherein the target alarms are ungrouped alarms; The generation unit is used to generate alarm query data based on the information contained in the target alarm and the entity information of the entity associated with the target alarm; The determining unit is used to determine, based on the alarm query data, related alarms that are associated with the target alarm in a pre-generated alarm graph; the node information of the alarm graph includes mutually related entity information and alarm information generated by these entities, the edge information of the alarm graph includes any two types of entity information, or the association information between the entity information and the alarm information, and the alarm graph is generated by the cloud server based on the node information and the edge information; A providing unit is configured to group the target alarm and the associated alarm as a group of alarms from the same source, and provide the alarm information from the same source to the user. Grouping the target alarm and the associated alarm as a group of alarms from the same source indicates that the alarm information table is updated and the target alarm is assigned to the same source alarm group where the associated alarm is located. The same source alarm indicates multiple alarms caused by the same event. The determining unit is further configured to select target alarm feature data from the alarm query data, and when recording the target alarm feature data into the disjoint-set auxiliary table, initialize the ancestor node of the target alarm to itself; in the disjoint-set auxiliary table, based on existing node information and association information, as well as continuously recorded new node information and association information, recursively update the ancestor node of the target alarm and the ancestor node of the alarm records passed through in the disjoint-set processing using a disjoint-set processing method; after the update is completed, alarms with the same ancestor node are associated alarms with a relationship to each other.

13. An electronic device, characterized in that, include: processor; A memory for storing a computer program that is executed by a processor to perform the method described in any one of claims 1-11.

14. A computer storage medium, characterized in that, The computer storage medium stores a computer program that is executed by a processor to perform the method described in any one of claims 1-11.