Graph-based alarm event determination method and device, electronic equipment and storage medium

By converting security logs into target graph information and matching them with a graph database to generate alarm events, the problems of high false alarm rate and high resource consumption in existing technologies are solved, and efficient network security analysis is achieved.

CN115905303B · Active · Publication Date: 2026-06-26 · QI-ANXIN LEGENDSEC INFORMATION TECH (BEIJING) INC +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
QI-ANXIN LEGENDSEC INFORMATION TECH (BEIJING) INC
Filing Date
2022-10-11
Publication Date
2026-06-26

AI Technical Summary

Technical Problem

In existing technologies, network security protection solutions have a high false alarm rate during real-time matching, while offline analysis is time-consuming and resource-intensive, making it difficult to effectively deal with network attacks.

Method used

The security logs are converted into target graph information, and a graph database is used to match that graph information to generate alarm events. A first graph query statement is generated from graph rule configuration information, which realizes correlation between a security log and the logs before and after it, as well as correlation analysis between multi-source security logs.

Benefits of technology

It reduced the false alarm rate, enabled low-time and low-resource-consumption security log correlation analysis, and improved the accuracy of alerts and the efficiency of responding to network attacks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115905303B_ABST

Abstract

Embodiments of the present application provide a graph-based alarm event determination method, device, electronic equipment and storage medium. The method includes: converting a security log into target graph information corresponding to the security log; generating a first graph query statement based on the target graph information and graph rule configuration information obtained in advance, where the graph rule configuration information includes at least the rule for generating the first graph query statement; performing a graph information matching operation between the first graph query statement and the graph information in a graph database, where the graph database is used to store at least one kind of graph information; and generating an alarm event according to the graph information matched by the first graph query statement. The embodiments of the present application use a graph database to realize the association between a security log and the events before and after it, and the association between multi-source security logs, which can effectively reduce the false alarm rate. In addition, based on the graph database's own efficient querying of association relationships, association analysis of multiple security logs can be realized with low time and low resource consumption.

Description

Technical Field

[0001] This invention relates to the field of network security technology, and in particular to a graph-based alarm event determination method, apparatus, electronic device, and storage medium.

Background Technology

[0002] The rapid development of internet technology and the deepening digital transformation of various industries have brought great convenience to people's lives and work, but at the same time, they are also facing more and more cyberattack risks. Therefore, how to effectively protect network security has become particularly important.

[0003] The first existing protection solution is to perform real-time single-event rule matching by combining logs collected from various security products with the experience of security experts; the second existing protection solution is to perform correlation analysis on massive log information stored in distributed file systems or relational databases through offline tasks.

[0004] While existing protection solutions, such as rule-based real-time matching, can ensure timely detection of abnormal events, they often suffer from high false positive rates due to a lack of contextual information or correlation between information from multiple security event sources. Furthermore, existing solutions, such as offline task analysis, can correlate different logs, but this process is time-consuming, potentially causing security analysts to miss opportunities in responding to network attacks. Moreover, when dealing with massive amounts of logs, correlating multiple security events or events from different sources based on conditions consumes enormous resources.

Summary of the Invention

[0005] To address the problems in the prior art, embodiments of the present invention provide a graph-based alarm event determination method, apparatus, electronic device, and storage medium.

[0006] Specifically, the embodiments of the present invention provide the following technical solutions:

[0007] In a first aspect, embodiments of the present invention provide a graph-based alarm event determination method, the method comprising:

[0008] The security logs are converted into target graph information corresponding to the security logs; based on the target graph information and pre-acquired graph rule configuration information, a first graph query statement is generated; wherein, the graph rule configuration information includes at least: rules for generating the first graph query statement;

[0009] The first graph query statement is matched with the graph information in the graph database; wherein, the graph database is used to store at least one type of graph information;

[0010] An alarm event is generated based on the graph information matched by the first graph query statement.

[0011] Furthermore, the rule used to generate the first graph query statement includes a rule template, which contains at least one dynamic attribute. A dynamic attribute is a placeholder that, when the first graph query statement is generated, is replaced by one of the start time, end time, or starting node ID of the first graph query statement, each calculated from the target graph information.

[0012] Furthermore, the graph rule configuration information also includes at least one of the following:

[0013] Security log identifier ID set;

[0014] Security log filtering rules;

[0015] Starting node type, used to indicate the type of the starting node of the first graph query statement;

[0016] The start time offset is used to represent the amount by which the start time of the first graph query statement is advanced relative to the occurrence time of the security log;

[0017] The end time offset is used to represent the amount by which the end time of the first graph query statement is pushed back relative to the occurrence time of the security log.

[0018] Calculation window value, used to represent the effective time of the graph information matching operation;

[0019] The sliding window value is used to represent the interval time of the graph information matching operation.

[0020] Furthermore, the target graph information includes at least one of the following:

[0021] The starting point ID; the starting point is a node obtained based on the relevant information of the first security subject in the security log, and the attributes of the starting point include at least one of the file path, name and MD5 value of the first security subject;

[0022] The endpoint ID; the endpoint is a node obtained based on the relevant information of the second security subject in the security log, and the attributes of the endpoint include the geographical information of the second security subject;

[0023] An edge; the edge is used to characterize the relationship between the first security subject and the second security subject, and the attributes of the edge include at least one of the following: the communication port, the communication protocol, and the occurrence time of the security log.

[0024] Further, the step of generating a first graph query statement based on the target graph information and pre-acquired graph rule configuration information includes:

[0025] When the target graph information includes the ID of the starting point and the ID of the ending point, and the graph rule configuration information also includes the start time offset, the end time offset, and the starting node type, the start time and end time of the first graph query statement are determined based on the start time offset, the end time offset, and the occurrence time of the security log in the original information of the security log.

[0026] The starting node ID of the first graph query statement is determined based on the starting node type, the ID of the starting point, and the ID of the ending point.

[0027] The first graph query statement is obtained by replacing the dynamic attributes in the rule template with the start time, end time, and starting node ID of the first graph query statement.

[0028] Furthermore, before generating the first graph query statement based on the target graph information and pre-acquired graph rule configuration information, the method further includes:

[0029] Determine whether the security log ID of the security log is in the security log ID set;

[0030] The step of generating a first graph query statement based on the target graph information and pre-acquired graph rule configuration information includes:

[0031] If the security log ID of the security log is in the security log ID set, a first graph query statement is generated based on the target graph information and the pre-acquired graph rule configuration information.

[0032] Furthermore, before generating the first graph query statement based on the target graph information and pre-acquired graph rule configuration information, the method further includes:

[0033] The security logs are conditionally filtered using the security log filtering rules.

[0034] The step of generating a first graph query statement based on the target graph information and pre-acquired graph rule configuration information includes:

[0035] If the security log satisfies the security log filtering rules, a first graph query statement is generated based on the target graph information and the pre-acquired graph rule configuration information.

[0036] Furthermore, before performing the graph information matching operation between the first graph query statement and the graph information in the graph database, the method further includes:

[0037] Using the calculated window value and the occurrence time of the security log, the effective time range of the first graph query statement is calculated;

[0038] Using the sliding window value, the query interval time of the first graph query statement is calculated;

[0039] The step of matching the first graph query statement with graph information in the graph database includes:

[0040] Within the effective time range, at each query interval, the first graph query statement is matched with the graph information in the graph database.

[0041] Furthermore, after converting the security log into target graph information corresponding to the security log, the method further includes:

[0042] The target graph information is stored in the graph database.

[0043] Secondly, embodiments of the present invention also provide a graph-based alarm event determination device, comprising:

[0044] A conversion module is used to convert security logs into target graph information corresponding to the security logs; a determination module is used to generate a first graph query statement based on the target graph information and pre-acquired graph rule configuration information; wherein, the graph rule configuration information includes at least: rules for generating the first graph query statement;

[0045] The matching module is used to perform a graph information matching operation between the first graph query statement and the graph information in the graph database; wherein, the graph database is used to store at least one type of graph information;

[0046] The generation module is used to generate alarm events based on the graph information matched by the first graph query statement.

[0047] Thirdly, embodiments of the present invention also provide an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the graph-based alarm event determination method as described in the first aspect.

[0048] Fourthly, embodiments of the present invention also provide a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the graph-based alarm event determination method as described in the first aspect.

[0049] Fifthly, embodiments of the present invention also provide a computer program product having executable instructions stored thereon, which, when executed by a processor, cause the processor to implement the graph-based alarm event determination method described in the first aspect.

[0050] The graph-based alarm event determination method, apparatus, electronic device, and storage medium provided in this invention convert security logs into target graph information corresponding to the security logs. Based on the target graph information and pre-acquired graph rule configuration information, a first graph query statement is generated. This first graph query statement is then matched with graph information in a graph database, and an alarm event is generated based on the matched graph information. This invention, through a graph database, achieves correlation between security logs and between multiple source security logs, effectively reducing the false alarm rate. Furthermore, the efficient query capability based on the graph database's own correlation relationships enables low-time and low-resource correlation analysis of various types of security logs.

Attached Figure Description

[0051] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0052] Figure 1 is the first flowchart of the graph-based alarm event determination method provided in an embodiment of the invention;

[0053] Figure 2 is the second flowchart of the graph-based alarm event determination method provided in an embodiment of the invention;

[0054] Figure 3 is the third flowchart of the graph-based alarm event determination method provided in an embodiment of the invention;

[0055] Figure 4 is a schematic diagram of the structure of the graph-based alarm event determination device provided in an embodiment of the present invention;

[0056] Figure 5 is a schematic diagram of the physical structure of the electronic device provided in an embodiment of the present invention.

Detailed Implementation

[0057] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0058] The following description, in conjunction with the accompanying drawings, describes the graph-based alarm event determination method, apparatus, electronic device, and storage medium of the present invention.

[0059] To facilitate a clearer understanding of the various embodiments of the present invention, some relevant technical knowledge will be introduced as follows.

[0060] 1. Security events: Event information collected by security products, including device logs, application logs, operating system logs, and security rule matching.

[0061] 2. Graph Database: A data management system based on points and edges as basic storage units, designed for efficient storage and retrieval of graph data.

[0062] 3. Security Logs: These refer to at least one of the following collected by security products: device logs, application logs, and operating system logs.

[0063] Figure 1 is the first flowchart of the graph-based alarm event determination method provided in this embodiment of the invention. As shown in Figure 1, the graph-based alarm event determination method includes the following steps:

[0064] Step 101: Convert the security log into target graph information corresponding to the security log;

[0065] The target graph information may include nodes, edges, etc. Nodes may correspond to relevant information of different security entities in the security log, and edges may be directed edges that connect nodes, reflecting the relationship between different security entities.

[0066] Step 102: Based on the target graph information and the pre-acquired graph rule configuration information, generate a first graph query statement; wherein, the graph rule configuration information includes at least: rules for generating the first graph query statement;

[0067] Step 103: Perform a graph information matching operation between the first graph query statement and the graph information in the graph database; wherein, the graph database is used to store at least one type of graph information;

[0068] Optionally, the graph database can be used to store graph information corresponding to at least one type of security log.

[0069] Step 104: Generate an alarm event based on the graph information matched by the first graph query statement.

[0070] Specifically, in existing technologies, abnormal events can be detected by real-time single-event rule matching of logs collected from various security products combined with the experience of security experts. Although this can ensure the timeliness of detecting abnormal events, it often leads to a high false alarm rate due to the lack of information before and after the event or the correlation of information from multiple security event sources.

[0071] Offline tasks can also be used to perform correlation analysis on massive log information stored in distributed file systems or relational databases to discover abnormal events. Although different logs can be correlated, it takes a long time, which can easily cause security analysts to miss the opportunity to deal with network attacks. In addition, when dealing with massive logs, the resource consumption is also huge when correlation is performed on multiple security events or security events from different sources according to conditions.

[0072] Based on the efficient graph information storage and query capabilities of graph databases, the embodiments of the present invention provide the following methods.

[0073] Specifically, it can receive security logs or security events collected by security devices, and convert the security logs or security events into target graph information corresponding to the security logs or security events according to specific generation logic.

[0074] Optionally, the target graph information includes at least one of the following:

[0075] 1. The ID of the starting point; the starting point is a node obtained based on the relevant information of the first security subject in the security log, and the attributes of the starting point include at least one of the file path, name and MD5 value of the first security subject;

[0076] Specifically, in a process access event, the first security subject can be the process.

[0077] 2. The endpoint ID; the endpoint is a node obtained based on the relevant information of the second security subject in the security log, and the attributes of the endpoint include the geographical information of the second security subject;

[0078] Specifically, in a process access event, the second security subject can be the IP address accessed by the process.

[0079] 3. Edge; the edge is used to characterize the relationship between the first security subject and the second security subject, and the attributes of the edge include at least one of the following: communication port, communication protocol, and the occurrence time of the security log.

[0080] Optionally, after converting the security log into target graph information corresponding to the security log, the target graph information can be stored in the graph database. That is, the generated target graph information can be stored in the graph database. For example, the security log or security event can be converted into vertex and edge information in the graph database.

[0081] For example, if a process named test.exe communicates with the Internet Protocol (IP) on the external network, the security device can collect this communication event as a security log. The entire communication event can include information such as the process name "test.exe", the process's MD5 value, the process file path, the external IP information of the communication, the communication port, the communication protocol, and the IP geographical location.

[0082] By using pre-defined extraction logic, process-related information can be extracted as process nodes, IP-related information as IP nodes, and IP access behavior information as IP access edges in the graph. The process file path and process name are attributes of the process nodes, the process MD5 hash is the process node identifier (ID), the IP's geographical information is an attribute of the IP nodes, and the IP value is the IP node ID. For IP access behavior edges, the starting ID (process MD5 hash) and the ending ID (IP value) are included. The communication port, communication protocol, and communication time are attributes of the IP access edges. This process extracts the security log of a process accessing an external IP into a directed target graph. Similarly, other security logs are also converted into target graph information. After conversion, the vertex and edge information can be written to the graph database in real time.
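The extraction logic of [0081]-[0082], as an added example that is not code from the patent or its assignee: a constructed process-to-external-IP security log is converted into a process node keyed by its MD5, an IP node keyed by the IP value, and a directed IP-access edge, then rendered as nGQL INSERT statements for real-time writing. The log field names, the tag and edge names (Process, InternetIP, IPAccess) and their property names are assumptions for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed security log for a "process accesses external IP" event; every
# value is made up for this example (the MD5 is a placeholder, not a real hash).
SAMPLE_LOG = {
    "logId": "proc_net_access",
    "occurrenceTime": "2022-10-11T08:30:15",
    "processName": "test.exe",
    "processPath": "C:\\Users\\demo\\AppData\\Local\\Temp\\test.exe",
    "processMd5": "0123456789ABCDEF0123456789abcdef",
    "dstIp": "203.0.113.7",
    "dstPort": 443,
    "protocol": "TCP",
    "ipGeo": "Example City, Example Country",
}
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass
class Vertex:
    vid: str     # node ID: process MD5 for Process, IP value for InternetIP
    tag: str     # node type
    props: dict  # node attributes


@dataclass
class Edge:
    src: str        # starting point ID
    dst: str        # ending point ID
    edge_type: str
    props: dict     # edge attributes


@dataclass
class TargetGraph:
    vertices: list = field(default_factory=list)
    edges: list = field(default_factory=list)


def security_log_to_graph(log: dict) -> TargetGraph:
    """Extract the process node, IP node and IP-access edge described in [0082]."""
    md5 = str(log.get("processMd5", "")).lower()
    if not MD5_RE.match(md5):
        # Without a usable MD5 there is no process node ID, so refuse the log
        # rather than writing a vertex with an empty or malformed key.
        raise ValueError("process MD5 missing or malformed")
    ip = log["dstIp"]
    process_node = Vertex(md5, "Process",
                          {"name": log["processName"], "filePath": log["processPath"]})
    ip_node = Vertex(ip, "InternetIP", {"geo": log.get("ipGeo", "")})
    access_edge = Edge(md5, ip, "IPAccess",
                       {"port": int(log["dstPort"]), "protocol": log["protocol"],
                        "behaviorTime": log["occurrenceTime"]})
    return TargetGraph([process_node, ip_node], [access_edge])


def _lit(value) -> str:
    """Render a property as an nGQL literal (strings quoted and escaped)."""
    if isinstance(value, (int, float)):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def to_ngql_inserts(graph: TargetGraph) -> list:
    """Render the target graph as nGQL INSERT statements for real-time writing.
    The tag/edge schema (Process, InternetIP, IPAccess and their property
    names) is assumed for this example; the page does not define one."""
    stmts = []
    for v in graph.vertices:
        cols = ", ".join(v.props)
        vals = ", ".join(_lit(x) for x in v.props.values())
        stmts.append(f'INSERT VERTEX {v.tag}({cols}) VALUES {_lit(v.vid)}:({vals});')
    for e in graph.edges:
        cols = ", ".join(e.props)
        # behaviorTime is a datetime in the assumed schema, so wrap it in datetime()
        vals = ", ".join(
            f'datetime({_lit(val)})' if k == "behaviorTime" else _lit(val)
            for k, val in e.props.items())
        stmts.append(
            f'INSERT EDGE {e.edge_type}({cols}) VALUES {_lit(e.src)}->{_lit(e.dst)}:({vals});')
    return stmts
```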

[0083] After converting the security logs into target graph information corresponding to the security logs, embodiments of the present invention can generate a first graph query statement based on the target graph information and pre-acquired graph rule configuration information. The first graph query statement is then matched with the graph information in the graph database. This can be understood as using the first graph query statement to query whether there is graph information in the graph database that matches the first graph query statement. Then, an alarm event is generated based on the graph information matched by the first graph query statement, and corresponding alarm notifications are issued based on the alarm event. Optionally, an alarm event can also be generated based on the security logs corresponding to the graph information matched by the first graph query statement.

[0084] Optionally, a graph database is used for storing and querying graph information, such as the Nebula Graph database.

[0085] It's important to note that a graph in graph theory is a graphical representation of a given set of points and lines connecting those points. This type of graph effectively describes specific relationships between things; points represent things, and lines connecting two points represent the relationship between them. Graph databases use graphs as their storage model, with points and edges as the basic storage units, providing efficient graph information storage and retrieval capabilities.

[0086] The graph-based alarm event determination method provided in this invention converts security logs into target graph information corresponding to the security logs. Based on the target graph information and pre-acquired graph rule configuration information, a first graph query statement is generated. This first graph query statement is then matched with graph information in a graph database, and an alarm event is generated based on the matched graph information. This invention, through a graph database, achieves correlation between security logs and between multiple source security logs, effectively reducing the false alarm rate. Furthermore, the efficient query capability based on the graph database's own correlation relationships enables low-time and low-resource correlation analysis of various types of security logs.

[0087] Optionally, the method for converting the security log into target graph information corresponding to the security log may include:

[0088] The security logs are extracted using a graph-based storage model to obtain the target graph information corresponding to the security logs.

[0089] Optionally, the rule for generating the first graph query statement may include a rule template, the rule template including at least one dynamic attribute, the dynamic attribute being replaced by any one of the start time, end time and starting node ID of the first graph query statement calculated based on the target graph information when generating the first graph query statement.

[0090] Specifically, a rule template can be a record of graph query statements that conform to graph statement specifications, written by security experts after analyzing security logs. The rule template may include dynamic attributes marked with curly braces. When graph information is needed, the target graph information corresponding to the security logs can be parsed to replace the dynamic attributes marked with curly braces.

[0091] Dynamic attributes include, for example, {vertexId}, which represents the graph node ID, i.e., the starting node ID for the graph rule query; dynamic attributes may also include {startTime}, which represents the start time of the security log in the graph query; dynamic attributes may also include {endTime}, which represents the end time of the graph query.

[0092] For example, a complete rule template can be as follows:

[0093] MATCH p=(v:Process)-[e*4..5]->(v2:InternetIP)

[0094] WHERE id(v)=='{vertexId}' AND ALL(l IN e WHERE l.behaviorTime>datetime('{startTime}') AND l.behaviorTime<datetime('{endTime}'))

[0095] RETURN p

[0096] The meaning of this rule template can be: the process node ID with node ID value {vertexId} is used as the starting node ID for graph rule query. After being associated with 4 or 5 edges, it accesses the external IP. The corresponding behavior time of the edge is greater than {startTime} and less than {endTime}. When a graph query is needed, the specific value will be extracted according to the corresponding logic to replace the dynamic attribute and generate the first graph query statement.

[0097] It should be noted that the dynamic attributes in the rule template are not actual values, but placeholders that are replaced with specific values later. After the dynamic attributes have been replaced, the result is the first graph query statement.

[0098] Optionally, the graph rule configuration information may also include at least one of the following:

[0099] 1) Set of security log IDs;

[0100] Specifically, the security log ID can be a unique identifier used to mark the log type when a security device collects security logs.

[0101] 2) Security log filtering rules;

[0102] Specifically, security log filtering rules record the pre-filtering conditions that a security log must meet before it is evaluated by the graph rule. A filtering rule is a logical expression whose conditions are combined with "AND" and "OR". For example, one security log filtering rule is: the file name contains "confidential" and the file size is greater than 20M, that is, (filename.contains('confidential') AND fileSize>20).

[0103] 3) Starting node type, used to indicate the type of the starting node of the first graph query statement;

[0104] Specifically, the starting node type can be used to generate the type of the starting node in the first graph query statement. For example, it can be used to generate the starting node ID in the first graph query statement, using either the ID of the starting point or the ID of the ending point in the target graph information.

[0105] For example, in the security log of a process accessing an external IP address, the extracted node IDs include the process node ID and the IP node ID. When the starting node type is configured as a process, the process node ID can be extracted as the starting node ID of the first graph query statement; otherwise, the IP node ID can be extracted as the starting node ID of the first graph query statement.

[0106] 4) Start time offset, used to represent the amount by which the start time of the first graph query statement is advanced relative to the occurrence time of the security log;

[0107] Specifically, the start time offset represents the amount of time by which the start time precedes the occurrence time of the security log, and its value can be expressed in seconds.

[0108] For example, if the occurrence time of the security log is t1, the time value obtained by subtracting the start time offset from t1 based on this configuration value can be used as the start time of the first graph query statement.

[0109] 5) End time offset, used to represent the amount by which the end time of the first graph query statement is relative to the occurrence time of the security log;

[0110] Specifically, the end time offset represents the amount of time by which the end time is pushed back relative to the occurrence time of the security log, and its value can be expressed in seconds.

[0111] For example, if the occurrence time of the security log is t1, the time value obtained by adding the end time offset to t1 based on this configuration value can be used as the end time of the first graph query statement.

[0112] 6) Calculation window value, used to represent the effective time of the graph information matching operation;

[0113] Specifically, the calculation window value represents the length of time during which the graph rule is evaluated against the corresponding security log, and its value can be expressed in seconds.

[0114] It is understandable that the above graph rule calculation can be considered as a graph information matching operation.

[0115] For example, if the occurrence time of a security log is t1, the end time can be calculated as t2 based on this configuration (t2 = t1 + calculation window value). If the current time is within the valid time range of the first graph query statement (between t1 and t2), the security log corresponding to the graph rule will be analyzed by the graph rule, that is, the graph information matching operation will be performed.

[0116] It should be noted that when setting the calculation window value, it is necessary to consider storing the target graph information corresponding to the security log in the graph database first, and then performing the graph information matching operation. If the calculation window value is set too small, the effective time of the graph information matching operation may end before the target graph information corresponding to the security log is stored in the graph database. Therefore, the calculation window value can be set to be greater than the preset value to ensure that the effective time of the graph information matching operation has not ended after the target graph information corresponding to the security log is stored in the graph database, at which point the graph information matching operation can be performed again.

[0117] 7) Sliding window value, used to represent the interval time of the graph information matching operation.

[0118] Specifically, the sliding window value is used to represent the interval time for calculating graph rules, and its value can correspond to the time unit of seconds.

[0119] For example, if the occurrence time of the security log is t1, then the subsequent graph rule calculation will use the sliding window time interval as the query interval to perform security analysis on the security log.

[0120] Optionally, the method for generating the first graph query statement based on the target graph information and pre-acquired graph rule configuration information may include:

[0121] When the target graph information includes the ID of the starting point and the ID of the ending point, and the graph rule configuration information also includes the start time offset, the end time offset, and the starting node type, the start time and end time of the first graph query statement are determined based on the start time offset, the end time offset, and the occurrence time of the security log in the original information of the security log.

[0122] The starting node ID of the first graph query statement is determined based on the starting node type, the ID of the starting point, and the ID of the ending point.

[0123] The first graph query statement is obtained by replacing the dynamic attributes in the rule template with the start time, end time, and starting node ID of the first graph query statement.

[0124] Specifically, when the graph rule configuration information includes start time offset, end time offset, and start node type, the start time and end time of the first graph query statement can be generated based on the start time offset, end time offset, and the occurrence time of the security log in the original information.

[0125] For example, if the security log occurred at time t1, the time value obtained by subtracting the start time offset from t1 can be used as the start time of the first graph query statement; and the time value obtained by adding the end time offset to t1 can be used as the end time of the first graph query statement.

[0126] It can also generate the starting node ID of the first graph query statement based on the starting node type in the graph rule configuration information, the starting point ID in the target graph information, and the ending point ID in the target graph information.

[0127] Then, the start time, end time, and starting node ID of the first graph query statement are used to replace the dynamic attributes in the rule template, which yields the first graph query statement.

[0128] Specifically, {startTime} in the rule template is replaced with the start time of the first graph query statement, {endTime} with its end time, and {vertexId} with its starting node ID, which yields the first graph query statement.

[0129] It should be noted that the original information can include not only the occurrence time of the security log, but also other information used for the logical calculation of security log filtering rules. After the logical calculation of the security log filtering rules is performed, the security logs that meet the filtering conditions can be matched with graph information through the first graph query statement. This is to filter out the security logs that do not meet the filtering conditions, thereby reducing the amount of data in the subsequent graph information matching operations.

[0130] Optionally, before generating the first graph query statement based on the target graph information and the pre-acquired graph rule configuration information, it can be determined whether the security log ID of the security log is in the security log ID set;

[0131] The method for generating the first graph query statement based on the target graph information and pre-acquired graph rule configuration information may include:

[0132] If the security log ID of the security log is in the security log ID set, a first graph query statement is generated based on the target graph information and the pre-acquired graph rule configuration information.

[0133] Specifically, when the graph rule configuration information includes a set of security log IDs, it can be determined whether the security log ID of the security log is in the set of security log IDs. If the security log ID of the security log is in the set of security log IDs, a first graph query statement is generated based on the target graph information and the pre-acquired graph rule configuration information, so as to perform graph information matching operation based on the first graph query statement.

[0134] In this embodiment of the invention, pre-filtering using security event IDs can reduce the computational load of subsequent graph information matching operations.

[0135] Optionally, before generating the first graph query statement based on the target graph information and the pre-acquired graph rule configuration information, the security log can be conditionally filtered using the security log filtering rules;

[0136] The method for generating the first graph query statement based on the target graph information and pre-acquired graph rule configuration information may include:

[0137] If the security log satisfies the security log filtering rules, a first graph query statement is generated based on the target graph information and the pre-acquired graph rule configuration information.

[0138] Specifically, if the graph rule configuration information includes security log filtering rules, the security logs can be filtered conditionally using the security log filtering rules. If the security logs meet the security log filtering rules, a first graph query statement is generated based on the target graph information and the pre-acquired graph rule configuration information, and graph information matching is performed based on the first graph query statement.

[0139] In this embodiment of the invention, conditional filtering through security log filtering rules can reduce the computational load of subsequent graph information matching operations.

[0140] In one embodiment, pre-filtering can be performed using security event IDs, followed by conditional filtering using security log filtering rules, which can further reduce the computational load of subsequent graph information matching operations.

[0141] Optionally, before performing the graph information matching operation between the first graph query statement and the graph information in the graph database, the effective time range of the first graph query statement can be calculated using the calculation window value and the occurrence time of the security log.

[0142] Then, using the sliding window value, the query interval time of the first graph query statement is calculated;

[0143] The method for implementing the graph information matching operation between the first graph query statement and the graph information in the graph database may include:

[0144] Within the effective time range, at each query interval, the first graph query statement is matched with the graph information in the graph database.

[0145] Specifically, when the graph rule configuration information includes a calculation window value and a sliding window value, the effective time range of the first graph query statement is first calculated using the calculation window value and the occurrence time of the security log; then, the query interval time of the first graph query statement is calculated using the effective time range and the sliding window value. The effective time range is divided according to the calculated query interval time, so that multiple graph information matching operations can be performed within the effective time range.

[0146] In one embodiment, a calculation window value and a sliding window value can be set simultaneously. In this case, the sliding window value must be smaller than the calculation window value. That is, this embodiment of the invention can perform graph information matching operations multiple times by setting both the calculation window value and the sliding window value. For example, if the occurrence time t1 of the security log is 10:00:00 on September 6, 2022, and the calculation window value t3 is set to 900 seconds (15 minutes), then the effective time range of the security log is t1 to t2, where the end time t2 = t1 + t3. Therefore, the effective time range of the security log is 10:00:00 on September 6, 2022 to 10:15:00 on September 6, 2022. If the current time is within the effective time range t1 to t2, the graph information matching operation can be triggered in the form of a first graph query statement.

[0147] The sliding window value is used to calculate the interval for triggering graph information matching operations. For example, if the sliding window is set to 300 seconds, or 5 minutes, then:

[0148] At 10:00:00 on September 6, 2022, the graph information matching operation is triggered for the first time;

[0149] At 10:05:00 on September 6, 2022, the graph information matching operation is triggered for the second time;

[0150] At 10:15:00 on September 6, 2022, the graph information matching operation is triggered for the third time;

[0151] At 10:20:00 on September 6, 2022, since this time is outside the effective time range of the security log, the graph information matching operation is not triggered.
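The effective time range and trigger schedule described in [0141] to [0151], as an added example rather than code from the patent or its assignee. It treats both ends of the effective time range as inclusive and uses an assumed preset minimum for the calculation window (MIN_CALC_WINDOW, standing in for the unnamed "preset value" of [0116]); neither is specified by the text. With the paragraph's values (900 s calculation window, 300 s sliding window) it produces a trigger every five minutes from 10:00:00 through 10:15:00 and none at 10:20:00.

```python
from datetime import datetime, timezone

# Occurrence time t1 of the worked example, 2022-09-06 10:00:00, taken as UTC.
T1 = int(datetime(2022, 9, 6, 10, 0, 0, tzinfo=timezone.utc).timestamp())

# Assumed preset lower bound (seconds) for the calculation window, so that the
# target graph information can be written to the graph database before the
# effective time of the matching operation ends. The patent names no value.
MIN_CALC_WINDOW = 60


def effective_range(t1, calc_window):
    """Effective time range [t1, t2] with t2 = t1 + calculation window value (seconds)."""
    if calc_window < MIN_CALC_WINDOW:
        raise ValueError(f"calculation window {calc_window}s is below the preset minimum")
    return t1, t1 + calc_window


def in_effective_range(now, t1, calc_window):
    """True while the current time still allows the first graph query statement to run."""
    start, end = effective_range(t1, calc_window)
    return start <= now <= end            # assumption: both boundaries inclusive


def trigger_times(t1, calc_window, sliding_window):
    """Every moment at which the graph information matching operation is triggered:
    t1, t1 + s, t1 + 2s, ... for as long as the moment lies inside the effective range."""
    if sliding_window <= 0 or sliding_window >= calc_window:
        raise ValueError("sliding window value must be positive and smaller than the calculation window value")
    start, end = effective_range(t1, calc_window)
    return list(range(start, end + 1, sliding_window))


def fmt(ts):
    """Epoch seconds to the date format used in the worked example."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for n, t in enumerate(trigger_times(T1, 900, 300), start=1):
        print(f"trigger {n}: {fmt(t)}")
    print("10:20:00 inside effective range:", in_effective_range(T1 + 1200, T1, 900))
```

A scheduler tick would call in_effective_range with the current time and skip the query once it returns False; the list from trigger_times is what a timer-driven implementation would register when the security log arrives.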

[0152] The following example illustrates the graph-based alarm event determination method provided by an embodiment of the present invention.

[0153] I. Figure 2 is a second flowchart of the graph-based alarm event determination method provided in this embodiment of the invention. As shown in Figure 2:

[0154] Embodiments of the present invention may include the following modules:

[0155] The graph information extraction module is used to receive security logs collected by security devices and convert them into point and edge information (target graph information) of the graph database according to specific generation logic. The target graph information is written into the graph database in real time, and the target graph information corresponding to the security log (the ID of the starting point and the ID of the ending point generated from the security log) is sent to the graph rule analysis module.

[0156] The graph rule analysis module is used to perform near real-time security log correlation analysis based on the graph rule information set by the graph rule management module and the information sent by the graph information extraction module. It generates corresponding alarm events for security logs that conform to the graph rule information and sends them to the alarm module.

[0157] The graph rule management module is used to manage graph rule information. Specifically, it retrieves the required graph rule information from the database and sends it to the graph rule analysis module.

[0158] The alarm module is used to receive alarm events generated by the graph rule analysis module and to send corresponding alarm notifications.

[0159] The graph database is used for storing and querying graph information. In this embodiment of the invention, Nebula Graph can be used as the graph database.

[0160] II. Based on the graph rule information configured by security experts, the analysis process of the graph rule analysis module can be as follows. Figure 3 is a third flowchart of the graph-based alarm event determination method provided in this embodiment of the invention. As shown in Figure 3, the graph-based alarm event determination method includes steps 301 to 309, wherein:

[0161] Step 301: Load graph rule configuration information.

[0162] Specifically, when the graph rule analysis module starts up, it can load the configured graph rule information from the database into the service memory.

[0163] Step 302: Receive information sent by the graph information extraction module in real time.

[0164] Specifically, it receives information such as security logs, start point IDs, and end point IDs sent by the graph information extraction module in real time.

[0165] Step 303: After the interval indicated by the sliding window value in the graph rule configuration information is reached, perform graph information matching operation based on the graph rule configuration information and the information received within the window time.

[0166] Step 304: Determine whether the security log ID is in the security log ID set of the graph rule configuration information. If yes, proceed to step 305; otherwise, proceed to step 309.

[0167] Specifically, it checks whether the security log ID exists in the security log ID set of the graph rule configuration information. If it exists, the next calculation step is performed; otherwise, the process ends. Pre-filtering using the security log ID reduces the computational load of subsequent graph information matching operations.

[0168] Step 305: Use security log filtering rules to determine whether the security log meets the conditions. If yes, proceed to step 306; otherwise, proceed to step 309.

[0169] Specifically, security logs existing in the security log ID set within the graph rule configuration information can be filtered using the security log filtering rules specified in the graph rule configuration information. If the conditions of the filtering rules are met, the next step of the calculation logic is performed; otherwise, the process ends directly. This step also aims to reduce the computational load of subsequent graph information matching operations.

[0170] Step 306: Use the first graph query statement to perform graph information matching operations from the graph database.

[0171] Specifically, the logic for graph information matching is as follows:

[0172] 1) Calculate the start and end times of the first graph query statement based on the start time offset, end time offset, and security log occurrence time in the graph rule configuration information;

[0173] 2) Based on the starting node type in the graph rule configuration information and the starting point ID and ending point ID calculated by the graph information extraction module, select the starting point ID or the ending point ID as the starting node ID of the first graph query statement;

[0174] 3) The start time, end time and starting node ID of the first graph query statement are obtained from the first two steps. These three values then replace {startTime}, {endTime} and {vertexId} respectively in the rule template of the graph rule configuration information, which yields the actual first graph query statement.

[0175] 4) After the first graph query statement for the security log has been obtained, it is executed against the graph database to perform the graph information matching operation, and the next judgment is made based on the query matching result.

[0176] Step 307: Determine whether the result matched by the first graph query statement is empty. If yes, proceed to step 309; otherwise, proceed to step 308.

[0177] Step 308: Based on the matched security logs, generate corresponding alarm events and send them to the alarm module;

[0178] Specifically, step 306 obtains the matching result of the first graph query statement, and it can then be determined whether the matching result is empty. If it is empty, the process ends directly; if it is not empty, a corresponding alarm event is generated based on the security log matched by the first graph query statement and sent to the alarm module for the appropriate alarm notification.

[0179] Step 309: End.
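An added example, not code from the patent or its assignee, that runs the flow of steps 301 to 309 end to end and, within it, the query generation of [0120] to [0128]. The security log, the rule configuration, the vertex ID schemes and the template syntax are all constructed for illustration; an in-memory store stands in for the graph database, and its query method returns what executing the rendered statement would return, whereas a deployment would submit the rendered statement to Nebula Graph. The target graph information is written before matching, as [0116] requires.

```python
from datetime import datetime, timezone

T1 = int(datetime(2022, 9, 6, 10, 0, 0, tzinfo=timezone.utc).timestamp())  # 2022-09-06 10:00:00

# Constructed security log: the first security subject is a file on a host, the
# second a remote address carrying geographical information (cf. [0199]-[0201]).
SAMPLE_LOG = {
    "log_id": "4001", "occurrence_time": T1, "severity": 4,
    "subject": {"path": "/opt/app/updater", "name": "updater",
                "md5": "00000000000000000000000000000000"},    # placeholder hash
    "object": {"ip": "203.0.113.10", "geo": "example-region"},  # documentation address
    "port": 443, "protocol": "tcp",
}

# Constructed graph rule configuration covering the seven configuration items.
# The template syntax is illustrative; only the three placeholders matter here.
RULE = {
    "log_id_set": {"4001", "4002"},                 # 1) security log ID set
    "filter": lambda log: log["severity"] >= 3,     # 2) security log filtering rule
    "start_node_type": "start",                     # 3) starting point becomes {vertexId}
    "start_time_offset": 600,                       # 4) seconds before t1
    "end_time_offset": 60,                          # 5) seconds after t1
    "template": ('GO FROM "{vertexId}" OVER connect '
                 "WHERE connect.ts >= {startTime} AND connect.ts <= {endTime} "
                 "YIELD dst(edge) AS peer, connect.port AS port"),
}


class InMemoryGraph:
    """Stand-in for the graph database: vertices and edges kept in memory."""

    def __init__(self):
        self.vertices, self.edges = {}, []

    def write(self, vertices, edge):
        self.vertices.update(vertices)
        self.edges.append(edge)

    def query(self, vertex_id, start_time, end_time):
        # What executing the rendered statement would return: outgoing edges of
        # vertex_id whose occurrence time lies inside [start_time, end_time].
        return [e for e in self.edges
                if e["src"] == vertex_id and start_time <= e["ts"] <= end_time]


def extract_graph_info(log):
    """Graph information extraction: start vertex, end vertex and one edge."""
    s, o = log["subject"], log["object"]
    start_id, end_id = f"file:{s['md5']}", f"ip:{o['ip']}"   # constructed ID schemes
    vertices = {start_id: {"path": s["path"], "name": s["name"], "md5": s["md5"]},
                end_id: {"geo": o["geo"]}}
    edge = {"src": start_id, "dst": end_id, "port": log["port"],
            "protocol": log["protocol"], "ts": log["occurrence_time"]}
    return start_id, end_id, vertices, edge


def ingest(log, graph):
    """Write the target graph information in real time and return the two IDs
    that the extraction module hands to the graph rule analysis module."""
    start_id, end_id, vertices, edge = extract_graph_info(log)
    graph.write(vertices, edge)
    return start_id, end_id


def build_first_graph_query(rule, log, start_id, end_id):
    """Step 306, sub-steps 1-3: start time, end time, starting node ID, then
    substitution for the dynamic attributes of the rule template."""
    t1 = log["occurrence_time"]
    start_time, end_time = t1 - rule["start_time_offset"], t1 + rule["end_time_offset"]
    vertex_id = start_id if rule["start_node_type"] == "start" else end_id
    statement = (rule["template"]                 # replace() leaves other braces intact
                 .replace("{vertexId}", vertex_id)
                 .replace("{startTime}", str(start_time))
                 .replace("{endTime}", str(end_time)))
    return statement, (vertex_id, start_time, end_time)


def analyze(rule, log, start_id, end_id, graph):
    """Steps 304-309 of the graph rule analysis module: an alarm event, or None."""
    if log["log_id"] not in rule["log_id_set"]:                  # step 304
        return None
    if not rule["filter"](log):                                   # step 305
        return None
    statement, (vertex_id, t_start, t_end) = build_first_graph_query(rule, log, start_id, end_id)
    matched = graph.query(vertex_id, t_start, t_end)              # step 306
    if not matched:                                               # step 307
        return None
    return {"log_id": log["log_id"], "vertex": vertex_id,         # step 308
            "statement": statement, "matched_edges": matched}


if __name__ == "__main__":
    g = InMemoryGraph()
    ingest(dict(SAMPLE_LOG, log_id="4002", occurrence_time=T1 - 300, port=80), g)
    sid, eid = ingest(SAMPLE_LOG, g)            # the log under analysis, stored first
    print(analyze(RULE, SAMPLE_LOG, sid, eid, g))
```

Because the earlier log from the same file vertex falls inside the window [t1 - 600 s, t1 + 60 s], the query returns both edges and the alarm event carries the correlated pair; a log whose ID is outside the ID set, or which fails the filtering rule, never reaches the graph query, which is the load reduction [0134] and [0139] describe.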

[0180] In this embodiment of the invention, a graph-based storage model (graph database) is used to extract security logs into points and edges with clear relationships through a graph information extraction module. This effectively constructs the relationships between security logs. The graph rules-based approach enables the correlation between security logs and the correlation between multiple sources of security logs, effectively improving the accuracy of alarms and reducing the false alarm rate of security log alarms. Furthermore, the graph database's own efficient query capability based on the correlation relationships enables efficient correlation analysis of multiple types of security logs with low time consumption and low resource consumption.

[0181] In addition, embodiments of the present invention can use curly braces to mark dynamic attributes and perform dynamic value replacement when performing graph queries to obtain dynamic graph query statements for graph information matching operations.

[0182] It should also be noted that the embodiments of the present invention extract security logs and store them in a graph database in real time. At the same time, by combining a specified window (the calculation window value) with a sliding window (the sliding window value), anomaly matching with graph query statements can be performed dynamically, realizing near real-time correlation analysis of multiple types of security logs.

[0183] The graph-based alarm event determination device provided by the present invention is described below. The device described below and the method described above correspond to each other and may be read with reference to one another.

[0184] Figure 4 is a schematic diagram of the graph-based alarm event determination device provided in an embodiment of the present invention. As shown in Figure 4, the graph-based alarm event determination device 400 includes:

[0185] The conversion module 401 is used to convert the security log into target graph information corresponding to the security log; the determination module 402 is used to generate a first graph query statement based on the target graph information and pre-acquired graph rule configuration information; wherein, the graph rule configuration information includes at least: rules for generating the first graph query statement;

[0186] The matching module 403 is used to perform a graph information matching operation between the first graph query statement and the graph information in the graph database; wherein, the graph database is used to store at least one type of graph information;

[0187] The generation module 404 is used to generate an alarm event based on the graph information matched by the first graph query statement.

[0188] The graph-based alarm event determination device provided in this embodiment of the invention comprises a conversion module that converts security logs into target graph information corresponding to the security logs, a determination module that generates a first graph query statement based on the target graph information and pre-acquired graph rule configuration information, a matching module that performs graph information matching operation between the first graph query statement and graph information in the graph database, and a generation module that generates an alarm event based on the matched graph information. This embodiment of the invention, through the graph database, realizes the correlation between security logs and the correlation between multiple source security logs, which can effectively reduce the false alarm rate; in addition, based on the efficient query capability of the graph database's own correlation relationships, it can achieve low-time and low-resource-consumption correlation analysis of multiple types of security logs.

[0189] Optionally, the rule for generating the first graph query statement includes a rule template, which includes at least one dynamic attribute. The dynamic attribute is used to be replaced by any one of the start time, end time, and starting node ID of the first graph query statement calculated based on the target graph information when generating the first graph query statement.

[0190] Optionally, the graph rule configuration information may further include at least one of the following:

[0191] 1) Set of security log identifier IDs;

[0192] 2) Security log filtering rules;

[0193] 3) Starting node type, used to indicate the type of the starting node of the first graph query statement;

[0194] 4) Start time offset, used to indicate the amount by which the start time of the first graph query statement is advanced relative to the occurrence time of the security log;

[0195] 5) End time offset, used to represent the amount by which the end time of the first graph query statement is delayed relative to the occurrence time of the security log;

[0196] 6) Calculation window value, used to represent the effective time of the graph information matching operation;

[0197] 7) Sliding window value, used to represent the interval time of the graph information matching operation.

[0198] Optionally, the target graph information includes at least one of the following:

[0199] 1. The ID of the starting point; the starting point is a node obtained based on the relevant information of the first security subject in the security log, and the attributes of the starting point include at least one of the file path, name and MD5 value of the first security subject;

[0200] 2. The endpoint ID; the endpoint is a node obtained based on the relevant information of the second security subject in the security log, and the attributes of the endpoint include the geographical information of the second security subject;

[0201] 3. Edge; the edge is used to characterize the relationship between the first security subject and the second security subject, and the attributes of the edge include at least one of the following: communication port, communication protocol, and the occurrence time of the security log.

[0202] Optionally, the determination module 402 is specifically used for:

[0203] When the target graph information includes the ID of the starting point and the ID of the ending point, and the graph rule configuration information also includes the start time offset, the end time offset, and the starting node type, the start time and end time of the first graph query statement are determined based on the start time offset, the end time offset, and the occurrence time of the security log in the original information of the security log.

[0204] The starting node ID of the first graph query statement is determined based on the starting node type, the ID of the starting point, and the ID of the ending point.

[0205] The first graph query statement is obtained by replacing the dynamic attributes in the rule template with the start time, end time, and starting node ID of the first graph query statement.

[0206] Optionally, the graph-based alarm event determination device 400 further includes a pre-filtering module, which is used for:

[0207] Determine whether the security log ID of the security log is in the security log ID set;

[0208] The determination module 402 is also specifically used for:

[0209] If the security log ID of the security log is in the security log ID set, a first graph query statement is generated based on the target graph information and the pre-acquired graph rule configuration information.

[0210] Optionally, the pre-filter module is also used for:

[0211] The security logs are conditionally filtered using the security log filtering rules.

[0212] The determination module 402 is also specifically used for:

[0213] If the security log satisfies the security log filtering rules, a first graph query statement is generated based on the target graph information and the pre-acquired graph rule configuration information.

[0214] Optionally, the graph-based alarm event determination device 400 further includes a calculation module, which is used for:

[0215] Using the calculation window value and the occurrence time of the security log, the effective time range of the first graph query statement is calculated;

[0216] Using the sliding window value, the query interval time of the first graph query statement is calculated;

[0217] The matching module 403 is specifically used to: within the effective time range, perform graph information matching operations between the first graph query statement and the graph information in the graph database at each query interval.

[0218] Optionally, the graph-based alarm event determination device 400 further includes:

[0219] A storage module is used to store the target graph information into the graph database.

[0220] Figure 5 is a schematic diagram of the physical structure of the electronic device provided in the embodiments of the present invention. As shown in Figure 5, the electronic device 500 may include a processor 510, a communications interface 520, a memory 530, and a communication bus 540, wherein the processor 510, the communications interface 520, and the memory 530 communicate with each other via the communication bus 540. The processor 510 can call logical instructions in the memory 530 to execute the following method:

[0221] The security logs are converted into target graph information corresponding to the security logs; based on the target graph information and pre-acquired graph rule configuration information, a first graph query statement is generated; wherein, the graph rule configuration information includes at least: rules for generating the first graph query statement;

[0222] The first graph query statement is matched with the graph information in the graph database; wherein, the graph database is used to store at least one type of graph information;

[0223] An alarm event is generated based on the graph information matched by the first graph query statement.

[0224] Furthermore, the logical instructions in the aforementioned memory 530 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, essentially, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0225] On the other hand, embodiments of the present invention also provide a non-transitory computer-readable storage medium storing a computer program thereon, which, when executed by a processor, implements the following method:

[0226] The security logs are converted into target graph information corresponding to the security logs; based on the target graph information and pre-acquired graph rule configuration information, a first graph query statement is generated; wherein, the graph rule configuration information includes at least: rules for generating the first graph query statement;

[0227] The first graph query statement is matched with the graph information in the graph database; wherein, the graph database is used to store at least one type of graph information;

[0228] An alarm event is generated based on the graph information matched by the first graph query statement.

[0229] In another aspect, embodiments of the present invention also provide a computer program product, the computer program product including a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions, which, when executed by a computer, implement the following method:

[0230] The security logs are converted into target graph information corresponding to the security logs; based on the target graph information and pre-acquired graph rule configuration information, a first graph query statement is generated; wherein, the graph rule configuration information includes at least: rules for generating the first graph query statement;

[0231] The first graph query statement is matched with the graph information in the graph database; wherein, the graph database is used to store at least one type of graph information;

[0232] An alarm event is generated based on the graph information matched by the first graph query statement.

[0233] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.

[0234] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.

[0235] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A graph-based alarm event determination method, characterized in that it includes: the security logs are converted into target graph information corresponding to the security logs; based on the target graph information and the pre-acquired graph rule configuration information, a first graph query statement is generated; wherein the graph rule configuration information includes at least a rule for generating the first graph query statement; the rule for generating the first graph query statement includes a rule template, the rule template includes at least one dynamic attribute, and the dynamic attribute is replaced by any one of the start time, end time, and starting node ID of the first graph query statement calculated based on the target graph information when generating the first graph query statement; the first graph query statement is matched with the graph information in the graph database; wherein the graph database is used to store at least one type of graph information; and an alarm event is generated based on the graph information matched by the first graph query statement.

2. The graph-based alarm event determination method according to claim 1, characterized in that the graph rule configuration information further includes at least one of the following: a security log identifier (ID) set; a security log filtering rule; a starting node type, used to indicate the type of the starting node of the first graph query statement; a start time offset, used to represent the amount by which the start time of the first graph query statement is advanced relative to the occurrence time of the security log; an end time offset, used to represent the amount by which the end time of the first graph query statement is shifted relative to the occurrence time of the security log; a calculation window value, used to represent the effective time of the graph information matching operation; and a sliding window value, used to represent the interval between successive graph information matching operations.

3. The graph-based alarm event determination method according to claim 2, characterized in that the target graph information includes at least one of the following: a starting point ID, the starting point being a node obtained from the information about the first security subject in the security log, and the attributes of the starting point including at least one of the file path, the name and the MD5 value of the first security subject; an ending point ID, the ending point being a node obtained from the information about the second security subject in the security log, and the attributes of the ending point including the geographical information of the second security subject; and an edge, used to characterize the relationship between the first security subject and the second security subject, the attributes of the edge including at least one of the communication port, the communication protocol and the occurrence time of the security log.

4. The graph-based alarm event determination method according to claim 3, characterized in that the rule for generating the first graph query statement includes a rule template, the rule template includes at least one dynamic attribute, and the step of generating the first graph query statement based on the target graph information and the pre-acquired graph rule configuration information includes: when the target graph information includes the starting point ID and the ending point ID, and the graph rule configuration information further includes the start time offset, the end time offset and the starting node type, determining the start time and the end time of the first graph query statement from the start time offset, the end time offset and the occurrence time of the security log in the original information of the security log; determining the starting node ID of the first graph query statement from the starting node type, the starting point ID and the ending point ID; and obtaining the first graph query statement by replacing the dynamic attributes in the rule template with the start time, the end time and the starting node ID of the first graph query statement.

5. The graph-based alarm event determination method according to claim 2, characterized in that, before generating the first graph query statement based on the target graph information and the pre-acquired graph rule configuration information, the method further includes: determining whether the security log ID of the security log is in the security log ID set; and the step of generating the first graph query statement based on the target graph information and the pre-acquired graph rule configuration information includes: if the security log ID of the security log is in the security log ID set, generating the first graph query statement based on the target graph information and the pre-acquired graph rule configuration information.

6. The graph-based alarm event determination method according to claim 2, characterized in that, before generating the first graph query statement based on the target graph information and the pre-acquired graph rule configuration information, the method further includes: filtering the security log by the conditions of the security log filtering rule; and the step of generating the first graph query statement based on the target graph information and the pre-acquired graph rule configuration information includes: if the security log satisfies the security log filtering rule, generating the first graph query statement based on the target graph information and the pre-acquired graph rule configuration information.

7. The graph-based alarm event determination method according to claim 2, characterized in that the graph rule configuration information further includes the calculation window value and the sliding window value, and before performing the graph information matching operation between the first graph query statement and the graph information in the graph database, the method further includes: calculating the effective time range of the first graph query statement from the calculation window value and the occurrence time of the security log; and calculating the query interval of the first graph query statement from the sliding window value; and the step of matching the first graph query statement with the graph information in the graph database includes: within the effective time range, at each query interval, matching the first graph query statement with the graph information in the graph database.

8. The graph-based alarm event determination method according to any one of claims 1 to 7, characterized in that, after converting the security log into the target graph information corresponding to the security log, the method further includes: storing the target graph information in the graph database.

9. A graph-based alarm event determination device, characterized in that it includes: a conversion module, used to convert a security log into target graph information corresponding to the security log; a determining module, used to generate a first graph query statement based on the target graph information and pre-acquired graph rule configuration information, wherein the graph rule configuration information includes at least a rule for generating the first graph query statement, the rule includes a rule template, and the rule template includes at least one dynamic attribute, each dynamic attribute being a placeholder that is replaced, when the first graph query statement is generated, by one of the start time, the end time and the starting node ID of the first graph query statement calculated from the target graph information; a matching module, used to perform a graph information matching operation between the first graph query statement and the graph information in a graph database, wherein the graph database is used to store at least one type of graph information; and a generation module, used to generate an alarm event based on the graph information matched by the first graph query statement.

10. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, when the processor executes the program, it implements the graph-based alarm event determination method according to any one of claims 1 to 8.

11. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that, when executed by a processor, the computer program implements the graph-based alarm event determination method according to any one of claims 1 to 8.

12. A computer program product having executable instructions stored thereon, characterized in that, when executed by a processor, the instructions cause the processor to implement the graph-based alarm event determination method according to any one of claims 1 to 8.
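The method of claims 1 to 8, run end to end on constructed logs. This is an added example and is not code from the patent or from its assignee: the security log field names, the dict-shaped query statement standing in for a real graph query language, the in-memory `GraphStore` standing in for the graph database, the rule contents (one process opening SMB port 445 to several hosts) and the distinct-endpoint threshold that turns a match into an alarm are all assumptions. What the claims do specify is kept: the log becomes a starting point (file path, name, MD5), an ending point (geographic info) and an edge (port, protocol, time); the query's start and end times come from offsets around the log's occurrence time; the starting node ID comes from the configured starting node type; placeholders in the rule template are replaced by those three values; logs are gated by the log ID set and the filtering rule; every converted log is stored; and the query is re-run every sliding-window interval while its calculation window is live.

```python
"""Toy run of the claimed pipeline: security log -> graph -> template -> query -> match -> alarm.
All field names, the rule contents and the query shape are illustrative assumptions."""
import hashlib


def _log(ts, ip, port, proto="tcp", log_id="fw_conn", host="ws-17", proc="svchost.exe", md5="a" * 32):
    """Constructed firewall connection record; times are epoch seconds."""
    return {"log_id": log_id, "ts": ts, "src_host": host, "proc_path": f"C:\\Windows\\{proc}",
            "proc_name": proc, "md5": md5, "dst_ip": ip, "dst_geo": "CN-SH", "port": port, "proto": proto}


LOGS = [  # constructed sample input
    _log(1000, "10.0.0.5", 445), _log(1100, "10.0.0.6", 445), _log(1150, "10.0.0.6", 445),
    _log(1200, "10.0.0.7", 80),                       # wrong port: rejected by the filtering rule (claim 6)
    _log(1300, "10.0.0.2", 53, "udp", "dns_query"),   # wrong log type: rejected by the ID set (claim 5)
    _log(1400, "10.0.0.8", 445),                      # third distinct SMB endpoint from the same process
    _log(2000, "10.0.0.9", 445, host="ws-22", proc="explorer.exe", md5="b" * 32),  # one-off, benign
]

PLACEHOLDERS = ("$START_NODE_ID", "$START_TIME", "$END_TIME")  # the template's dynamic attributes

RULE = {  # graph rule configuration information (claim 2); contents are assumed
    "name": "smb-fanout-from-one-process",
    "log_id_set": {"fw_conn"},
    "log_filter": lambda lg: lg["proto"] == "tcp" and lg["port"] == 445,
    "start_node_type": "start",      # query starts from the log's starting point (the process)
    "start_time_offset": 600,        # query start = log time - 600 s
    "end_time_offset": 300,          # query end   = log time + 300 s
    "calc_window": 900,              # query stays live for 900 s after the log (claim 7)
    "slide_window": 300,             # ... and is re-run every 300 s (claim 7)
    "template": {"start_node_id": "$START_NODE_ID", "start_time": "$START_TIME", "end_time": "$END_TIME",
                 "edge_port": 445, "min_distinct_endpoints": 3},  # threshold is an assumption
}


def log_to_graph(log):
    """Claim 3: one log -> starting point, ending point, edge. Node ID scheme is assumed."""
    key = f"{log['src_host']}|{log['proc_path']}|{log['md5']}".encode()
    start_id = "proc:" + hashlib.sha256(key).hexdigest()[:12]
    start = {"id": start_id, "host": log["src_host"], "path": log["proc_path"],
             "name": log["proc_name"], "md5": log["md5"]}
    end = {"id": "ip:" + log["dst_ip"], "geo": log["dst_geo"]}
    edge = {"src": start_id, "dst": end["id"], "port": log["port"], "proto": log["proto"], "ts": log["ts"]}
    return {"start": start, "end": end, "edge": edge}


class GraphStore:
    """Stand-in for the graph database; claim 8 stores every converted log here."""

    def __init__(self):
        self.nodes, self.edges = {}, []

    def store(self, g):
        self.nodes[g["start"]["id"]] = g["start"]   # upsert nodes, append the edge
        self.nodes[g["end"]["id"]] = g["end"]
        self.edges.append(g["edge"])

    def out_edges(self, node_id, t0, t1, now):
        """Edges from node_id with timestamp in [t0, t1] that had arrived by wall-clock `now`."""
        return [e for e in self.edges if e["src"] == node_id and t0 <= e["ts"] <= t1 and e["ts"] <= now]


def generate_query(graph_info, rule, log):
    """Claim 4: compute start time, end time and starting node ID, substitute them into the template."""
    start_time = log["ts"] - rule["start_time_offset"]
    end_time = log["ts"] + rule["end_time_offset"]
    start_node_id = graph_info["start" if rule["start_node_type"] == "start" else "end"]["id"]
    values = dict(zip(PLACEHOLDERS, (start_node_id, start_time, end_time)))
    return {k: (values.get(v, v) if isinstance(v, str) else v) for k, v in rule["template"].items()}


def process_log(store, rule, log):
    """Claims 1, 5, 6, 8: convert, store, gate by ID set and filter, then build the query (or None)."""
    g = log_to_graph(log)
    store.store(g)
    if log["log_id"] not in rule["log_id_set"] or not rule["log_filter"](log):
        return None
    return generate_query(g, rule, log)


def query_times(log, rule):
    """Claim 7: evaluation instants within the calculation window, one per sliding-window step."""
    return list(range(log["ts"], log["ts"] + rule["calc_window"] + 1, rule["slide_window"]))


def match_query(store, query, now):
    """Claim 1: evaluate the query against the graph as it existed at time `now`."""
    edges = store.out_edges(query["start_node_id"], query["start_time"], query["end_time"], now)
    targets = sorted({e["dst"] for e in edges if e["port"] == query["edge_port"]})
    return targets if len(targets) >= query["min_distinct_endpoints"] else []


def run_pipeline(logs, rule):
    """Offline replay: ingest all logs in time order, then evaluate each live query on its schedule."""
    store, pending, alarms = GraphStore(), [], {}
    for log in sorted(logs, key=lambda lg: lg["ts"]):
        q = process_log(store, rule, log)
        if q:
            pending.append((log, q))
    for log, q in pending:
        for now in query_times(log, rule):
            targets = match_query(store, q, now)
            if targets:                                     # one alarm per (rule, starting node)
                alarms.setdefault((rule["name"], q["start_node_id"]), {
                    "rule": rule["name"], "start_node": store.nodes[q["start_node_id"]],
                    "targets": targets, "fired_at": now, "trigger_log_ts": log["ts"]})
                break
    return list(alarms.values())


if __name__ == "__main__":
    for alarm in run_pipeline(LOGS, RULE):
        print(alarm)
```

The replay shows why the sliding window matters: the query built from the log at t=1100 sees only two SMB endpoints when first evaluated, and fires on its second evaluation at t=1400 after the third connection has been stored, while the query built from the earlier t=1000 log never fires because its end time (1300) excludes that connection. A real deployment would schedule the re-evaluations against a live graph database rather than gating stored edges by `now` as this replay does.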