An alarm aggregation method and apparatus

CN116346575BActive Publication Date: 2026-07-10ALIBABA CLOUD COMPUTING CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ALIBABA CLOUD COMPUTING CO LTD
Filing Date
2023-02-17
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

In cloud platforms, the massive number of alarms generated by user-rented resources leads to high viewing and processing costs, and the existing technology takes a long time to generate the largest connected subgraph, affecting the timeliness of alarm aggregation.

Method used

By generating a source map and utilizing the relationships between the root node, file node, and alarm node in the source map, a method of traversing from the end node to the root node is adopted to identify key branch nodes and directly associate them with event nodes, thereby reducing the number of node traversals and improving aggregation efficiency and timeliness.

Benefits of technology

It achieves efficient and low-cost alarm aggregation, reduces the number of nodes traversed, improves aggregation speed and timeliness, and reduces the time and labor costs of viewing and processing alarms.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116346575B_ABST
    Figure CN116346575B_ABST
Patent Text Reader

Abstract

The application provides an alarm aggregation method and device. In a trace graph, a first alarm node is traversed in a direction close to a root node. In a case where a branch file node is traversed in the direction close to the root node, the branch file node is traversed in a direction away from the root node in the trace graph, and a number of file nodes directly connected to the branch file node in the trace graph is greater than or equal to a preset number. In a case where an event node having at least one alarm node associated therewith is traversed in the direction away from the root node, the first alarm node is associated with the event node having at least one alarm node associated therewith in the trace graph. Through the application, the efficiency of alarm aggregation can be improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of computer technology, and in particular to an alarm aggregation method and apparatus. Background Technology

[0002] With the rapid development of technology, cloud platforms have been widely used. Cloud platforms have the ability to provide services to the outside world. Cloud platforms contain resources, which may include virtual servers, virtual terminals, virtual network cards, and virtual databases, etc. Users (including enterprises or individuals) can rent and use resources on cloud platforms. The resources rented by different users can be isolated from each other. Summary of the Invention

[0003] This application discloses an alarm aggregation method and apparatus.

[0004] In a first aspect, this application discloses an alarm aggregation method, the method comprising:

[0005] Obtain a source map, which is generated based on alarm data from at least multiple alarms of the user's resources. The source map includes at least one root node, which includes an attack source node. The end nodes of at least some branches involved in the root node include alarm nodes or event nodes associated with alarm nodes. At least one file node is included between the root node and the end nodes of at least some branches involved in the root node. The file node includes the attack target of the attack source node in the user's resources.

[0006] The source tracing graph is traversed from the first alarm node towards the root node;

[0007] When branch file nodes are traversed in the direction closer to the root node, the source map is traversed from the branch file nodes in the direction farther from the root node, and the number of file nodes directly connected to the branch file nodes in the source map is greater than or equal to a preset number.

[0008] When traversing in a direction away from the root node to find event nodes that are associated with at least one alarm node, the first alarm node is associated with the event node that is associated with at least one alarm node in the source graph.

[0009] In an optional implementation, the method further includes:

[0010] If no branch file nodes are traversed in the direction closer to the root node, an event node is created in the tracing graph and associated with the first alarm node and the created event node.

[0011] In an optional implementation, the method further includes:

[0012] If no event node associated with at least one alarm node is found when traversing in the direction away from the root node, an event node is created in the tracing graph and associated with the first alarm node and the created event node.

[0013] In an optional implementation, the branch file node and the event node are connected through at least one intermediate node;

[0014] The traversal of the source map from the branch file node in the direction away from the root node includes:

[0015] In the source map, the path is traversed from the branch file node through the at least one intermediate node in the direction away from the root node.

[0016] In an optional implementation, the method further includes:

[0017] In the source map, a traversal path is established from the branch file node directly to the event node.

[0018] In an optional implementation, the branch file node and the event node are connected through at least one intermediate node, and the tracing graph has a traversal path from the branch file node directly to the event node; the traversal path is established in advance in the tracing graph by traversing the branch file node from the second alarm node towards the root node and traversing the event node from the branch file node away from the root node.

[0019] The traversal of the source map from the branch file node in the direction away from the root node includes:

[0020] In the source map, the branch file node is traversed from the traversal path in the direction away from the root node.

[0021] In an optional implementation, the method further includes:

[0022] For any event node in the source tracing graph, generate a mapping relationship between the event node and the alarm node associated with the event node in the source tracing graph, and output the mapping relationship.

[0023] In an optional implementation, the method further includes:

[0024] Obtain the node information of the event node, which includes at least one of the following: the name of the event node, the number of alarm nodes associated with the event node, the total number of user resources involved in the alarm nodes associated with the event node, the occurrence time of the first occurrence of the alarm node associated with the event node, the occurrence time of the last occurrence of the alarm node associated with the event node, the risk level of the event node, the processing status of the alarm nodes associated with the event node, and processing controls for processing the event node.

[0025] Output the node information of the event node.

[0026] In an optional implementation, the method further includes:

[0027] After outputting the mapping relationship, if a user input indicating that the event node has been processed or the alarm node associated with the event node in the source map has been processed is received, the event node and the alarm node associated with the event node in the source map are deleted from the source map.

[0028] In one optional implementation, the traversal of the source map from the first alarm node towards the root node includes,

[0029] Within the target range of the source tracing map, traverse from the first alarm node towards the root node; the target range includes nodes whose layer number differs from the layer number of the first alarm node by a preset difference.

[0030] Secondly, this application discloses an alarm aggregation device, the device comprising:

[0031] The first acquisition module is used to acquire a source map, which is generated based on alarm data from at least multiple alarms of the user's resources. The source map includes at least one root node, which includes an attack source node. The end nodes of at least some branches involved in the root node include alarm nodes or event nodes associated with alarm nodes. At least one file node is included between the root node and the end nodes of at least some branches involved in the root node. The file node includes the attack target of the attack source node in the user's resources.

[0032] The first traversal module is used to traverse the source map from the first alarm node in the direction closer to the root node.

[0033] The second traversal module is used to traverse the source map from the branch file node to the direction away from the root node when branch file nodes are traversed in the direction closer to the root node. The number of file nodes directly connected to the branch file node in the source map is greater than or equal to a preset number.

[0034] The first association module is used to associate the first alarm node with the event node that is associated with at least one alarm node in the source map when traversing the event node that is associated with at least one alarm node in the direction away from the root node.

[0035] In an alternative implementation, the apparatus further includes:

[0036] The second association module is used to create an event node in the tracing graph and associate the first alarm node with the created event node when no branch file nodes are traversed in the direction closer to the root node.

[0037] In an alternative implementation, the apparatus further includes:

[0038] The third association module is used to create an event node in the tracing graph and associate the first alarm node with the created event node when no event node associated with at least one alarm node has been traversed in the direction away from the root node.

[0039] In an optional implementation, the branch file node and the event node are connected through at least one intermediate node;

[0040] The second traversal module includes:

[0041] The first traversal unit is used to traverse the source map from the branch file node via the at least one intermediate node in the direction away from the root node.

[0042] In an optional implementation, the second traversal module further includes:

[0043] The establishment unit is used to establish a traversal path in the source map from the branch file node directly to the event node.

[0044] In an optional implementation, the branch file node and the event node are connected through at least one intermediate node, and the tracing graph has a traversal path from the branch file node directly to the event node; the traversal path is established in advance in the tracing graph by traversing the branch file node from the second alarm node towards the root node and traversing the event node from the branch file node away from the root node.

[0045] The second traversal module includes:

[0046] The second traversal unit is used to traverse the source graph from the branch file node via the traversal path in a direction away from the root node.

[0047] In an alternative implementation, the apparatus further includes:

[0048] The first output module is used to generate a mapping relationship between any event node in the source tracing graph and the alarm node associated with the event node in the source tracing graph, and output the mapping relationship.

[0049] In an alternative implementation, the apparatus further includes:

[0050] The second acquisition module is used to acquire the node information of the event node, the node information including at least one of the following: the name of the event node, the number of alarm nodes associated with the event node, the total number of user resources involved in the alarm nodes associated with the event node, the occurrence time of the first occurrence of the alarm node associated with the event node, the occurrence time of the last occurrence of the alarm node associated with the event node, the risk level of the event node, the processing status of the alarm nodes associated with the event node, and processing controls for processing the event node.

[0051] The second output module is used to output the node information of the event node.

[0052] In an alternative implementation, the apparatus further includes:

[0053] The deletion module is used to delete the event node and the alarm node associated with the event node in the source map in the source map after outputting the mapping relationship, if it receives user input indicating that the event node has been processed or that the alarm node associated with the event node in the source map has been processed.

[0054] In one optional implementation, the first traversal module includes,

[0055] The third traversal unit is used to traverse from the first alarm node towards the root node within the target range of the source map; the target range includes nodes whose layer number differs from the layer number of the first alarm node by a preset difference.

[0056] Thirdly, this application discloses a method for aggregating alarms for cloud computing resources, the method comprising:

[0057] A source map of cloud computing resources is obtained. The source map is generated based on alarm data from at least multiple alarms of the user's cloud computing resources. The source map includes at least one root node, which includes an attack source node. The end nodes of at least some branches involving the root node include alarm nodes or event nodes associated with alarm nodes. At least one file node is included between the root node and the end nodes of at least some branches involving the root node. The file node includes the attack target of the attack source node in the user's cloud computing resources.

[0058] The source tracing graph is traversed from the first alarm node towards the root node;

[0059] When branch file nodes are traversed in the direction closer to the root node, the source map is traversed from the branch file nodes in the direction farther from the root node, and the number of file nodes directly connected to the branch file nodes in the source map is greater than or equal to a preset number.

[0060] When traversing in a direction away from the root node to find event nodes that are associated with at least one alarm node, the first alarm node is associated with the event node that is associated with at least one alarm node in the source graph.

[0061] Fourthly, this application discloses a cloud platform, which includes:

[0062] The third acquisition module acquires a source map of cloud computing resources. The source map is generated based on alarm data from at least multiple alarms of the user's cloud computing resources. The source map includes at least one root node, which includes an attack source node. The end nodes of at least some branches involved in the root node include alarm nodes or event nodes associated with alarm nodes. At least one file node is included between the root node and the end nodes of at least some branches involved in the root node. The file node includes the attack target of the attack source node in the user's cloud computing resources.

[0063] The third traversal module traverses the source map from the first alarm node towards the direction closest to the root node.

[0064] The fourth traversal module, when branch file nodes are found in the direction closer to the root node, traverses the source map from the branch file nodes in the direction farther from the root node, and the number of file nodes directly connected to the branch file nodes in the source map is greater than or equal to a preset number.

[0065] The fourth association module, when traversing in the direction away from the root node to find event nodes that have been associated with at least one alarm node, associates the first alarm node with the event node that has been associated with at least one alarm node in the tracing graph.

[0066] Fifthly, this application discloses an electronic device comprising: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to perform the methods shown in any of the foregoing aspects.

[0067] Sixthly, this application discloses a non-transitory computer-readable storage medium that, when the instructions in the storage medium are executed by a processor of an electronic device, enables the electronic device to perform the methods shown in any of the foregoing aspects.

[0068] In a seventh aspect, this application discloses a computer program product in which, when the instructions in the computer program product are executed by a processor of an electronic device, the electronic device is enabled to perform the methods shown in any of the foregoing aspects.

[0069] Compared with the prior art, this application has the following advantages:

[0070] In this application, a source map is obtained. The source map is generated based on alarm data from at least multiple alarms related to a user's resources. The source map includes at least one root node, which includes an attack source node. The last nodes of at least some branches involving the root node include alarm nodes or event nodes associated with alarm nodes. At least one file node is included between the root node and the last nodes of at least some branches involving the root node. The file node includes the attack target of the attacked source node in the user's resources. The source map is traversed from the first alarm node towards the root node. If a branch file node is found during the traversal towards the root node, the source map is traversed from the branch file node away from the root node. The number of file nodes directly connected to the branch file node in the source map is greater than or equal to a preset number. If an event node associated with at least one alarm node is found during the traversal away from the root node, the first alarm node is associated with the event node associated with at least one alarm node in the source map.

[0071] In this application, it is not necessary to traverse all nodes in the source graph. Instead, the traversal can start from the end node and proceed towards the root node. Once a key branch node is found, the traversal can proceed from the key branch node in a direction away from the root node to find the event node and complete the aggregation. Nodes between the key branch node and the root node do not need to be traversed, which reduces the number of nodes that need to be traversed and improves the aggregation efficiency. Furthermore, the aggregation operation can be performed in parallel for each alarm in the source graph, which can further improve the aggregation rate and shorten the time consumed by the entire aggregation process.

[0072] In the process of aggregating alarm nodes in the source tracing graph using this solution, if new alarm data is obtained in real time, it is not necessary to wait until the aggregation of alarm nodes in the source tracing graph is completed before adding the new alarm data to the source tracing graph and then using this solution to aggregate the new alarm nodes. The process of aggregating alarm nodes in the source tracing graph using this solution is time-efficient and fast, allowing for the aggregation of new alarm data obtained in real time in a short period, thus improving the timeliness of alarm aggregation.

[0073] In addition, the aggregation scheme of this application does not require the introduction of other computing platforms, which makes the aggregation scheme of this application low in cost and easy to maintain. Attached Figure Description

[0074] Figure 1 This is a flowchart of the alarm aggregation method of this application.

[0075] Figure 2 This is a schematic diagram of one of the tracing maps in this application.

[0076] Figure 3 This is a schematic diagram of one of the tracing maps in this application.

[0077] Figure 4 This is a flowchart illustrating the steps of a cloud computing resource alarm aggregation method according to this application.

[0078] Figure 5 This is a structural block diagram of an alarm aggregation device according to this application.

[0079] Figure 6 This is a structural block diagram of a cloud platform according to this application.

[0080] Figure 7 This is a structural block diagram of a device according to this application. Detailed Implementation

[0081] To make the above-mentioned objectives, features and advantages of this application more apparent and understandable, the application will be further described in detail below with reference to the accompanying drawings and specific embodiments.

[0082] Sometimes, user-rented resources may generate alerts, also known as security alerts. These alerts refer to threats detected by the cloud platform through firewall interception / observation records. These threats can be attacks launched by a malicious IP address (Internet Protocol Address) against the user's resources, or abnormal situations where the resources have been compromised. For example, the user's resources may be executing malicious scripts or accessing malicious download sources. These can sometimes pose security threats to the user's resources, such as stealing private information from the user's rented resources or hindering the normal operation of the rented resources.

[0083] Therefore, users often need to check alerts, analyze the security threat situation of their resources based on the alerts, and promptly eliminate security threats when the security threat situation is serious.

[0084] However, the inventors discovered that many users renting resources on cloud platforms are large users (such as large enterprises). For large users, the amount of data and data interaction is large. Sometimes, based on actual needs, these users will continuously rent more resources on the cloud platform. Over time, the number of resources rented by users on the cloud platform increases, and at the same time, the number of alarms generated for the user's rented resources also increases dramatically, usually reaching hundreds of thousands, millions, or tens of millions. In one method, alarms generated for the user's rented resources can be pushed to the user individually. However, the number of alarms that users need to view is often massive, which often leaves users at a loss as to how to view the massive number of alarms. If they view and process alarms one by one, it will often consume a huge amount of time and manpower, and it is usually impossible to process all the massive number of alarms in time, resulting in a massive accumulation of alarms. Gradually, users may become desensitized to alarms and no longer regard dealing with alarms as an important matter. In the long run, the massive accumulation of alarms will pose a great security risk to the user's resources.

[0085] Therefore, the need to "reduce the time and labor costs of viewing and processing alarms" was proposed.

[0086] In order to achieve the goal of "reducing the time and labor costs of viewing and processing alarms", the inventors found that the push behavior of each alarm in the massive number of alarms pushed to users by the above method is independent of each other. For users, the massive number of alarms received are independent of each other, and it is difficult to discover and there is no time to analyze the correlation between alarms and cluster alarms. Users can only view and process massive numbers of alarms one by one, resulting in high time and labor costs.

[0087] However, after analyzing a large number of alarms, the inventors discovered that some alarms were related. Therefore, they devised a solution: to notify users of a summary of the massive number of alarms, instead of individually notifying them of the details of each individual alarm.

[0088] Furthermore, the inventors discovered that a massive number of alerts from a user's resources can be aggregated based on similarity and summarized into a single alert summary. For example, n alerts triggered by the same attack source under a user's resources can be aggregated and summarized into a single alert summary. By handling this single alert summary, the user can achieve the same effect as handling n alerts. This not only saves the user's time and labor costs but also improves the user experience from a product perspective.

[0089] For example, cloud platforms have an "alarm tracing" function. Alarm tracing can be understood as: using a big data analysis engine to process, aggregate, and visualize the data related to resources in the cloud platform to form a chain diagram of the attack source intrusion, helping users to locate the cause of the intrusion and make emergency decisions in the shortest possible time.

[0090] Users can activate the "alarm tracing" function of the cloud platform to enable the cloud platform to trace the source of alarms related to the user's resources and aggregate alarms with the same source into a single event.

[0091] Same-origin alerts can be understood as security alerts triggered by the same attack behavior, or security alerts that are located in the same connected subgraph in the source tracing topology.

[0092] Aggregation can be understood as clustering, which is the process of grouping similar objects into the same category.

[0093] An event can be understood as a general term for a type of security alert with similar behavioral characteristics. It is the product of security alerts being clustered based on similarity, and it is also a security issue that users need to pay attention to and handle every day (such as a breach or a small number of high-risk events).

[0094] For example, if a user's resources contain three different mining programs and one anti-security program that generate alerts, and the cloud platform analyzes that these four alerts are caused by the same attack source, then these four alerts can be aggregated into one event and provided to the user. In this way, by starting from the perspective of "correlation", four independent alerts are turned into one related alert group (event), which makes it easier for users to analyze and take action more quickly.

[0095] What is provided to users are events, and one event involves multiple alarms. Thus, the total number of events a user receives is far less than the total number of alarms a user's resources have. As a result, users need to handle fewer events rather than a large number of alarms. By handling events, users can indirectly achieve the goal of handling a large number of alarms, thereby reducing the time and labor costs spent on viewing and handling alarms.

[0096] It is evident that how to aggregate alarms with the same origin is an urgent problem to be solved.

[0097] Furthermore, the inventors discovered that if two or more alarms are "from the same source", in the graph topology domain, it means that these two or more alarms (nodes) are in the same maximum connected subgraph. Therefore, the problem of "aggregating alarms from the same source" can be transformed into the problem of "generating the maximum connected subgraph of alarms".

[0098] However, finding the maximum connected subgraph in massive graph model data is extremely difficult. For example, the number of alarms often reaches hundreds of millions, and the alarm data occupies tens of billions of GB of space; the number of nodes in the entire source tracing graph often reaches tens of billions, and the nodes in the entire source tracing graph occupy tens of billions, and the edges ...

[0099] In the process of generating the maximum connected subgraph using the depth-first traversal Tarjan method, if new alarm data is obtained in real time, it is not possible to aggregate the new alarm data. It is necessary to wait until the maximum connected subgraph is generated by the depth-first traversal Tarjan method before adding the new alarm data to the source spectrum again. Only then can the new alarm data be aggregated using the depth-first traversal Tarjan method.

[0100] However, since the Tarjan method based on depth-first traversal takes a long time to generate the maximum connected subgraph, it will be impossible to aggregate alarm data of new alarms obtained in real time for a long time, resulting in poor timeliness of alarm aggregation.

[0101] Therefore, in order to improve accuracy and ensure real-time alarms for better timeliness, the inventors devised this solution, specifically, see [link to solution]. Figure 1 This paper illustrates an alarm aggregation method according to this application, which can be applied to cloud platforms, etc. The method includes:

[0102] In step S101, a source tracing graph is obtained. The source tracing graph is generated based on alarm data from at least multiple alarms related to the user's resources. The source tracing graph includes at least one root node, which includes the attack source node. The end nodes of at least some branches involving the root node include alarm nodes or event nodes associated with alarm nodes. Between the root node and the end nodes of at least some branches involving the root node, there is at least one file node. The file node includes the attack target of the attack source node in the user's resources.

[0103] In this application, this solution may be executed periodically, or whenever the cloud platform receives a specific number of new alarm data, or when it receives an aggregation command input by a human based on actual needs.

[0104] The specific quantity may include 500, 1000 or 1500, etc., and the specific quantity can be determined according to the actual situation. This application does not limit it.

[0105] Within the same branch, file nodes farther from the root node belong to file nodes closer to the root node.

[0106] In the source graph, any file node can trace its origin to a root node when tracing towards the root node, and can only trace its origin to one root node.

[0107] Source graphs can include directed topological graphs, such as those pointing from the root node to the end nodes of each branch.

[0108] In one embodiment of this application, the source tracing map can be generated in real time based on alarm data from at least multiple alarms of the user's resources, or it can be generated in advance based on alarm data from at least multiple alarms of the user's resources and stored in the cloud platform, and this step directly obtains the stored source tracing map.

[0109] A user's resources may include resources rented by the user in the cloud platform, such as virtual servers, virtual terminals, virtual network cards, and virtual databases.

[0110] The alarm data may include alarm context information, which includes: the alarm name, the alarm log (including the log of the host targeted by the alarm and the traffic log of the alarm, etc.), the name of the file targeted by the alarm, the name of the parent file cascaded by the file targeted by the alarm, the name of the process involved in the alarm, the login account involved in the alarm, and the IP address involved in the alarm, etc. Of course, depending on the actual situation, the alarm context information may also include other necessary information. This application does not limit this and will not provide examples of each.

[0111] The method for generating a source map based on alarm data from multiple alarms of a user's resources can refer to existing methods, and this application does not limit it in this regard.

[0112] The alarm data for multiple alarms related to a user's resources includes: alarm data for each of the user's hosts, alarm data for each of the user's accounts, and alarm data for various types of alarms within the user's resources.

[0113] The example provided is intended to illustrate the solution of this application, but is not intended to limit the scope of protection of this application.

[0114] In one example, the source map can be seen in... Figure 2 As shown, in Figure 2 In the diagram, the root node is the attack source node "attack source 123".

[0115] The next level node directly connected to the attack source node "attack source 123" includes the file node "JAVA".

[0116] The next level nodes directly connected to the file node "JAVA" include file nodes "1.jsp", "2.jsp", "3.jsp", and "4.jsp", etc.

[0117] The file node "1.jsp" is directly connected to the alarm node "Alarm A". The alarm node "Alarm A" is directly connected to the event node "Event 101".

[0118] The next level node directly connected to the file node "4.jsp" is the alarm node "Alarm B".

[0119] Thus, from Figure 2 As can be seen from the example, the attack source node targets the next level nodes cascaded from the file node "JAVA": file node "1.jsp" and file node "4.jsp", and file node "1.jsp" and file node "4.jsp" respectively generated alarms.

[0120] In step S102, the source map is traversed from the first alarm node toward the direction closest to the root node.

[0121] The first alarm node is one of the alarm nodes included in the source tracing map. This application executes steps S102 to S104 for each alarm node included in the source tracing map.

[0122] For example, suppose the first alarm node is in Figure 2The alarm node "Alarm B" in the source tracing map shown can be found in... Figure 2 The source tracing graph shown traverses from the alarm node "Alarm B" in the direction of the attack source node "Attack Source 123" which is closer to the root node.

[0123] In step S103, when branch file nodes are traversed in the direction closer to the root node, the source map is traversed from the branch file nodes in the direction farther from the root node, and the number of file nodes directly connected to the branch file nodes in the source map is greater than or equal to a preset number.

[0124] In this application, the preset quantity may include 3, 4 or 5, etc., and the specific quantity can be determined according to the actual situation. This application does not limit it.

[0125] In one example, assuming the preset quantity is 3, in Figure 2 In the source tracing graph shown, traversing from the alarm node "Alarm B" towards the attack source node "Attack Source 123" (which is the root node), we reach the file node "4.jsp". The nodes directly connected to file node "4.jsp" (nodes closer to the root node) include the file node "JAVA". It is evident that the number of nodes directly connected to file node "4.jsp" is 1, less than the preset number of 3. Therefore, we can determine that file node "4.jsp" is not a branching file node. Continuing from file node "4.jsp" towards the attack source node... The traversal proceeds in the direction of the attack source node "Attack Source 123", reaching the file node "JAVA". The file node "JAVA" is directly connected to files "1.jsp", "2.jsp", "3.jsp", and "4.jsp", etc. It's evident that the number of nodes directly connected to "JAVA" is greater than the preset number of 3. Therefore, the file node "JAVA" can be considered a branching file node. Then, the traversal continues from the file node "JAVA" in the direction away from the attack source node "Attack Source 123" which is the root node.

[0126] In step S104, when traversing the event nodes that are associated with at least one alarm node in the direction away from the root node, the first alarm node is associated with the event node that is associated with at least one alarm node in the tracing graph.

[0127] In one embodiment, the first alarm node can be recorded in the node information of an event node that is already associated with at least one alarm node in the source tracing graph. This allows the first alarm node to be associated with the event node that is already associated with at least one alarm node in the source tracing graph. The node information of the event node that is already associated with at least one alarm node also records the attack source node, so that the user can know which attack source caused the alarm associated with the event node that is already associated with at least one alarm node.

[0128] exist Figure 2 In the source tracing graph shown, the traversal starts from the file node "JAVA" and moves away from the attack source node "attack source 123" which is the root node. The traversal will reach the file node "1.jsp". The file node "1.jsp" is directly connected to the alarm node "alarm A". Then, the traversal continues from the alarm node "alarm A" and moves away from the attack source node "attack source 123" which is the root node. The traversal will reach the event node "event 101". The event node "event 101" is the last node and is associated with the alarm node "alarm A".

[0129] Since alarm node "Alarm B" and alarm node "Alarm A" are associated through the file node "JAVA", it can be determined that event node "Event 101" and alarm node "Alarm B" are associated. Thus, event node "Event 101" and alarm node "Alarm B" can be associated in the source map. For example, "Alarm B" can be recorded in the node information of event node "Event 101".

[0130] In this application, a source map is obtained. The source map is generated based on alarm data from at least multiple alarms related to a user's resources. The source map includes at least one root node, which includes an attack source node. The last nodes of at least some branches involving the root node include alarm nodes or event nodes associated with alarm nodes. At least one file node is included between the root node and the last nodes of at least some branches involving the root node. The file node includes the attack target of the attacked source node in the user's resources. The source map is traversed from the first alarm node towards the root node. If a branch file node is found during the traversal towards the root node, the source map is traversed from the branch file node away from the root node. The number of file nodes directly connected to the branch file node in the source map is greater than or equal to a preset number. If an event node associated with at least one alarm node is found during the traversal away from the root node, the first alarm node is associated with the event node associated with at least one alarm node in the source map.

[0131] In this application, it is not necessary to traverse all nodes in the source graph. Instead, the traversal can start from the end node and proceed towards the root node. Once a key branch node is found, the traversal can proceed from the key branch node in a direction away from the root node to find the event node and complete the aggregation. Nodes between the key branch node and the root node do not need to be traversed, which reduces the number of nodes that need to be traversed and improves the aggregation efficiency. Furthermore, the aggregation operation can be performed in parallel for each alarm in the source graph, which can further improve the aggregation rate and shorten the time consumed by the entire aggregation process.

[0132] In the process of aggregating alarm nodes in the source tracing graph using this solution, if new alarm data is obtained in real time, it is not necessary to wait until the aggregation of alarm nodes in the source tracing graph is completed before adding the new alarm data to the source tracing graph and then using this solution to aggregate the new alarm nodes. The process of aggregating alarm nodes in the source tracing graph using this solution is time-efficient and fast, allowing for the aggregation of new alarm data obtained in real time in a short period, thus improving the timeliness of alarm aggregation.

[0133] In addition, the aggregation scheme of this application does not require the introduction of other computing platforms, which makes the aggregation scheme of this application low in cost and easy to maintain.

[0134] In addition, the alarm aggregation scheme of this application is based on the source graph. The attack source node in the source graph, the cascading relationship between the file attacked by the attack source node and its parent file, and the relationship between the file that generates the alarm and the alarm are comprehensive and accurate. This makes the massive alarm aggregation results of this application for user assets more accurate and comprehensive.

[0135] In another embodiment of this application, if no branch file nodes are traversed in the direction closer to the root node, it means that the first alarm node cannot be associated with an existing event node. In this case, an event node can be created for the first alarm node. For example, an event node can be created in the source map and associated with the first alarm node, so that the first alarm node can be associated with an event node.

[0136] Alternatively, in another embodiment of this application, if no event node associated with at least one alarm node is found when traversing in the direction away from the root node, it means that the first alarm node cannot be associated with an existing event node. In this case, an event node can be created for the first alarm node. For example, an event node can be created in the source map and associated with the first alarm node, so that the first alarm node can be associated with an event node.

[0137] In another embodiment of this application, the branch file node and the event node are connected through at least one intermediate node. The intermediate node includes at least one file node, and of course, there may also be alarm nodes, etc. In this way, when traversing from the branch file node to the direction away from the root node in the source map, the traversal can be performed from the branch file node to the direction away from the root node via at least one intermediate node in the source map.

[0138] For example, Figure 2 The file node "JAVA", which serves as a branch file node, is connected to the event node "Event 101" through two intermediate nodes, namely the file node "1.jsp" and the alarm node "Alarm A".

[0139] Thus, when traversing from the branch file node in the source graph in the direction away from the root node, we can first traverse from the file node "JAVA" which is the branch file node to the file node "1.jsp", then from the file node "1.jsp" to the alarm node "alarm A", and then from the alarm node "alarm A" to the event node "event 101".

[0140] However, the inventors discovered that in the tracing graph, the process of traversing from the branch file node to the event node in the direction away from the root node through at least one intermediate node requires passing through at least one intermediate node, which results in high time consumption, low efficiency, and high computational resource consumption.

[0141] For example, the process of traversing from the file node "JAVA" (which acts as a branch file node) to the file node "1.jsp", then from the file node "1.jsp" to the alarm node "Alarm A", and then from the alarm node "Alarm A" to the event node "Event 101" involves two intermediate nodes: the file node "1.jsp" and the alarm node "Alarm A". This results in the process of traversing from the file node "JAVA" (which acts as a branch file node) to the event node "Event 101" being time-consuming, inefficient, and consuming a lot of computing resources.

[0142] Therefore, in order to save time, improve efficiency, and save computing resources, in another embodiment of this application, when traversing event nodes that are associated with at least one alarm node in a direction away from the root node, a traversal path can be established in the tracing graph from the branch file node directly to the event node.

[0143] For example, the file node "JAVA" is created as a branch file node and directly points to the traversal path between the event node "Event 101".

[0144] For example, see Figure 3The traversal path between the file node "JAVA" (which is a branch file node) and the event node "Event 101" can be found in [reference needed]. Figure 3 The dotted line in the middle points directly from the file node "JAVA" to the event node "Event 101".

[0145] To facilitate subsequent aggregation operations on other alarm nodes, after traversing from other alarm nodes towards the root node in the source graph to the branch file node, if it is necessary to traverse from the branch file node away from the root node in the source graph, the traversal from the branch file node away from the root node can be performed without passing through at least one intermediate node. Instead, it can be performed by traversing from the branch file node away from the root node via a traversal path. This allows the process of traversing from the branch file node away from the root node to the event node in the source graph to bypass at least one intermediate node, and directly traverse from the branch file node to the event node (without passing through other intermediate nodes), thereby saving time, improving efficiency, and conserving computational resources.

[0146] On the other hand, in another embodiment, the branch file node and the event node are connected through at least one intermediate node, and the tracing graph has a traversal path that directly points from the branch file node to the event node. The traversal path is established beforehand in the tracing graph after traversing the branch file nodes from the second alarm node towards the root node and traversing the event nodes from the branch file nodes away from the root node. Thus, when traversing from the branch file node towards the root node in the tracing graph in step S103, traversal can be performed from the branch file node in the tracing graph via the traversal path towards the root node.

[0147] In this application, each alarm node in the source tracing graph is executed separately. Figure 1 The embodiment shown allows each alarm node in the tracing graph to be associated with an event node (the event nodes associated with each alarm node may not be the same).

[0148] Furthermore, relevant alarm information can be provided to users for viewing and processing. For example, for any event node in the source map, a mapping relationship between that event node and the alarm nodes associated with it in the source map can be generated and output for users to view. The same applies to every other event node in the source map. In this way, users can view each event node within this mapping relationship, understand the specific situation, and facilitate appropriate action.

[0149] In addition, node information of event nodes can be obtained. The node information includes at least one of the following: the name of the event node, the number of alarm nodes associated with the event node, the total number of user resources involved in the alarm nodes associated with the event node, the occurrence time of the first occurrence of the alarm node associated with the event node, the occurrence time of the last occurrence of the alarm node associated with the event node, the risk level of the event node, the processing status of the alarm nodes associated with the event node, and the processing controls used to process the event node. The node information of the event node can also be output so that users can more easily and comprehensively understand the relevant situation of the event node and the alarm nodes associated with the event node based on the node information of the event node.

[0150] After outputting the mapping relationship, the user may process a specific event node or an alarm node associated with that event node in the source map. After processing, the user will input an indication to the cloud platform that the event node or the associated alarm node in the source map has been processed. The cloud platform will receive this indication from the user, confirming that the user has completed processing the event node or the associated alarm node in the source map. Consequently, the cloud platform no longer needs to retain the event node and its associated alarm node in the source map. This simplifies the source map by deleting the event node and its associated alarm node, ensuring that all alarm nodes and event nodes in the source map are those that require user processing, thus avoiding redundancy in the source map.

[0151] In step S102, when traversing the source map from the first alarm node towards the root node, the traversal can be performed within a target range in the source map. The target range includes nodes whose layer number differs from the layer number of the first alarm node by a preset difference.

[0152] The preset difference can be a specific value, such as 3, 4 or 5, which can be determined according to the actual situation. This application does not limit it.

[0153] For example, in Figure 2 In the source map shown, assume that the attack source node "Attack Source 123" is at layer 0, the event node "JAVA" is at layer 1, the event nodes "1.jsp", "2.jsp", "3.jsp" and "4.jsp" are at layer 2, and the alarm nodes "Alarm A" and "Alarm B" are at layer 3.

[0154] Assuming a preset difference of 3, the difference between layer number 3 of alarm node "Alarm B" and layer number 1 of event node "JAVA" is 2, which is less than the preset difference. Therefore, event node "JAVA" is within the target range and can be used as a branch file node. This application reduces the traversal range from the first alarm node towards the root node to the target range, avoiding traversing too many nodes in the source graph. This minimizes the number of traversed nodes from exceeding the cloud platform's memory capacity, thus preventing memory overflow.

[0155] Memory overflow refers to the existence of unrecoverable memory or excessive memory usage in the system, which ultimately causes the memory required for program execution to exceed the maximum available memory, resulting in the inability to generate the maximum connected subgraph or the generation of an inaccurate maximum connected subgraph.

[0156] Accordingly, when more than two event nodes are obtained in the end, for any two event nodes, it can be determined whether the attack source of the alarm associated with each of the two events is the same attack source.

[0157] If the attack source associated with the alarms of the two events is the same, the two events can be merged into one event. For example, the alarm associated with one of the two events can be associated with the other of the two events, and the one event can be deleted.

[0158] See Figure 4 This application illustrates a method for aggregating alarms for cloud computing resources. This method can be applied to cloud platforms, etc., and includes:

[0159] In step S201, a source map of cloud computing resources is obtained. The source map is generated based on alarm data from at least multiple alarms of the user's cloud computing resources. The source map includes at least one root node, which includes an attack source node. The end nodes of at least some branches involved in the root node include alarm nodes or event nodes associated with alarm nodes. There is at least one file node between the root node and the end nodes of at least some branches involved in the root node. The file node includes the attack target of the attacked source node in the user's cloud computing resources.

[0160] In step S202, the source traversal is performed from the first alarm node toward the direction closest to the root node in the source tracing graph;

[0161] In step S203, when branch file nodes are traversed in the direction closer to the root node, the source map is traversed from the branch file nodes in the direction farther from the root node, and the number of file nodes directly connected to the branch file nodes in the source map is greater than or equal to a preset number.

[0162] In step S204, when traversing the event nodes that are associated with at least one alarm node in the direction away from the root node, the first alarm node is associated with the event node that is associated with at least one alarm node in the tracing graph.

[0163] It should be noted that, for the sake of simplicity, the method embodiments are all described as a series of actions. However, those skilled in the art should understand that this application is not limited to the described order of actions, because according to this application, some steps can be performed in other orders or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in the specification are all optional embodiments, and the actions involved are not necessarily required by this application.

[0164] Reference Figure 5 The diagram shows a structural block diagram of an alarm aggregation device according to this application, the device comprising:

[0165] The first acquisition module 11 is used to acquire a source map, which is generated based on alarm data of at least multiple alarms of the user's resources. The source map includes at least one root node, which includes an attack source node. The end nodes of at least some branches involved in the root node include alarm nodes or event nodes associated with alarm nodes. At least one file node is included between the root node and the end nodes of at least some branches involved in the root node. The file node includes the attack target of the attack source node in the user's resources.

[0166] The first traversal module 12 is used to traverse the source map from the first alarm node towards the direction closest to the root node.

[0167] The second traversal module 13 is used to traverse the source map from the branch file node to the direction away from the root node when branch file nodes are traversed in the direction closer to the root node. The number of file nodes directly connected to the branch file node in the source map is greater than or equal to a preset number.

[0168] The first association module 14 is used to associate the first alarm node with the event node that has been associated with at least one alarm node in the tracing graph when traversing the event node that has been associated with at least one alarm node in the direction away from the root node.

[0169] In an alternative implementation, the apparatus further includes:

[0170] The second association module is used to create an event node in the tracing graph and associate the first alarm node with the created event node when no branch file nodes are traversed in the direction closer to the root node.

[0171] In an alternative implementation, the apparatus further includes:

[0172] The third association module is used to create an event node in the tracing graph and associate the first alarm node with the created event node when no event node associated with at least one alarm node has been traversed in the direction away from the root node.

[0173] In an optional implementation, the branch file node and the event node are connected through at least one intermediate node;

[0174] The second traversal module includes:

[0175] The first traversal unit is used to traverse the source map from the branch file node via the at least one intermediate node in the direction away from the root node.

[0176] In an optional implementation, the second traversal module further includes:

[0177] The establishment unit is used to establish a traversal path in the source map from the branch file node directly to the event node.

[0178] In an optional implementation, the branch file node and the event node are connected through at least one intermediate node, and the tracing graph has a traversal path from the branch file node directly to the event node; the traversal path is established in advance in the tracing graph by traversing the branch file node from the second alarm node towards the root node and traversing the event node from the branch file node away from the root node.

[0179] The second traversal module includes:

[0180] The second traversal unit is used to traverse the source graph from the branch file node via the traversal path in a direction away from the root node.

[0181] In an alternative implementation, the apparatus further includes:

[0182] The first output module is used to generate a mapping relationship between any event node in the source tracing graph and the alarm node associated with the event node in the source tracing graph, and output the mapping relationship.

[0183] In an alternative implementation, the apparatus further includes:

[0184] The second acquisition module is used to acquire the node information of the event node, the node information including at least one of the following: the name of the event node, the number of alarm nodes associated with the event node, the total number of user resources involved in the alarm nodes associated with the event node, the occurrence time of the first occurrence of the alarm node associated with the event node, the occurrence time of the last occurrence of the alarm node associated with the event node, the risk level of the event node, the processing status of the alarm nodes associated with the event node, and processing controls for processing the event node.

[0185] The second output module is used to output the node information of the event node.

[0186] In an alternative implementation, the apparatus further includes:

[0187] The deletion module is used to delete the event node and the alarm node associated with the event node in the source map in the source map after outputting the mapping relationship, if it receives user input indicating that the event node has been processed or that the alarm node associated with the event node in the source map has been processed.

[0188] In one optional implementation, the first traversal module includes,

[0189] The third traversal unit is used to traverse from the first alarm node towards the root node within the target range of the source map; the target range includes nodes whose layer number differs from the layer number of the first alarm node by a preset difference.

[0190] In this application, a source map is obtained. The source map is generated based on alarm data from at least multiple alarms related to a user's resources. The source map includes at least one root node, which includes an attack source node. The last nodes of at least some branches involving the root node include alarm nodes or event nodes associated with alarm nodes. At least one file node is included between the root node and the last nodes of at least some branches involving the root node. The file node includes the attack target of the attacked source node in the user's resources. The source map is traversed from the first alarm node towards the root node. If a branch file node is found during the traversal towards the root node, the source map is traversed from the branch file node away from the root node. The number of file nodes directly connected to the branch file node in the source map is greater than or equal to a preset number. If an event node associated with at least one alarm node is found during the traversal away from the root node, the first alarm node is associated with the event node associated with at least one alarm node in the source map.

[0191] In this application, it is not necessary to traverse all nodes in the source graph. Instead, the traversal can start from the end node and proceed towards the root node. Once a key branch node is found, the traversal can proceed from the key branch node in a direction away from the root node to find the event node and complete the aggregation. Nodes between the key branch node and the root node do not need to be traversed, which reduces the number of nodes that need to be traversed and improves the aggregation efficiency. Furthermore, the aggregation operation can be performed in parallel for each alarm in the source graph, which can further improve the aggregation rate and shorten the time consumed by the entire aggregation process.

[0192] In the process of aggregating alarm nodes in the source tracing graph using this solution, if new alarm data is obtained in real time, it is not necessary to wait until the aggregation of alarm nodes in the source tracing graph is completed before adding the new alarm data to the source tracing graph and then using this solution to aggregate the new alarm nodes. The process of aggregating alarm nodes in the source tracing graph using this solution is time-efficient and fast, allowing for the aggregation of new alarm data obtained in real time in a short period, thus improving the timeliness of alarm aggregation.

[0193] In addition, the aggregation scheme of this application does not require the introduction of other computing platforms, which makes the aggregation scheme of this application low in cost and easy to maintain.

[0194] In addition, the alarm aggregation scheme of this application is based on the source graph. The attack source node in the source graph, the cascading relationship between the file attacked by the attack source node and its parent file, and the relationship between the file that generates the alarm and the alarm are comprehensive and accurate. This makes the massive alarm aggregation results of this application for user assets more accurate and comprehensive.

[0195] Reference Figure 6 The diagram illustrates a structural block diagram of a cloud platform according to this application, the cloud platform comprising:

[0196] The third acquisition module 21 acquires a source map of cloud computing resources. The source map is generated based on alarm data from at least multiple alarms of the user's cloud computing resources. The source map includes at least one root node, which includes an attack source node. The end nodes of at least some branches involved in the root node include alarm nodes or event nodes associated with alarm nodes. At least one file node is included between the root node and the end nodes of at least some branches involved in the root node. The file node includes the attack target of the attack source node in the user's cloud computing resources.

[0197] The third traversal module 22 traverses the source map from the first alarm node toward the direction closest to the root node.

[0198] The fourth traversal module 23, when branch file nodes are traversed in the direction closer to the root node, traverses in the source map from the branch file nodes in the direction farther from the root node, and the number of file nodes directly connected to the branch file nodes in the source map is greater than or equal to a preset number.

[0199] The fourth association module 24, when traversing in the direction away from the root node to find the event node that has been associated with at least one alarm node, associates the first alarm node with the event node that has been associated with at least one alarm node in the tracing graph.

[0200] This application also provides a non-volatile readable storage medium storing one or more modules (programs). When these modules are applied to a device, they enable the device to execute the instructions for the method steps in this application.

[0201] This application provides one or more machine-readable media storing instructions that, when executed by one or more processors, cause an electronic device to perform one or more methods as described in the above embodiments. In this application, the electronic device includes a server, a gateway, sub-devices, etc., and the sub-devices are devices such as Internet of Things (IoT) devices.

[0202] Embodiments of this disclosure can be implemented as an apparatus with any suitable hardware, firmware, software, or any combination thereof, configured as desired. This apparatus may include electronic devices such as servers (clusters) and terminal devices such as IoT devices.

[0203] Figure 7 An exemplary apparatus 1300 is schematically shown that can be used to implement the various embodiments of this application.

[0204] In one embodiment, Figure 7 An exemplary device 1300 is shown, which includes one or more processors 1302, a control module (chipset) 1304 coupled to at least one of the processors 1302, a memory 1306 coupled to the control module 1304, a non-volatile memory (NVM) / storage device 1308 coupled to the control module 1304, one or more input / output devices 1310 coupled to the control module 1304, and a network interface 1312 coupled to the control module 1304.

[0205] Processor 1302 may include one or more single-core or multi-core processors, and processor 1302 may include any combination of general-purpose processors or special-purpose processors (e.g., graphics processors, application processors, baseband processors, etc.). In some embodiments, device 1300 can function as a server device such as a gateway in the embodiments of this application.

[0206] In some embodiments, apparatus 1300 may include one or more computer-readable media (e.g., memory 1306 or NVM / storage device 1308) having instructions 1314 and one or more processors 1302 that are combined with the one or more computer-readable media and configured to execute the instructions 1314 to implement the module and thus perform the actions in this disclosure.

[0207] In one embodiment, the control module 1304 may include any suitable interface controller to provide any suitable interface to at least one of the processors 1302 and / or any suitable device or component communicating with the control module 1304.

[0208] The control module 1304 may include a memory controller module to provide an interface to the memory 1306. The memory controller module may be a hardware module, a software module, and / or a firmware module.

[0209] Memory 1306 may be used, for example, to load and store data and / or instructions 1314 for device 1300. In one embodiment, memory 1306 may include any suitable volatile memory, such as suitable DRAM. In some embodiments, memory 1306 may include double data rate quad synchronous dynamic random access memory (DDR4 SDRAM).

[0210] In one embodiment, the control module 1304 may include one or more input / output controllers to provide interfaces to the NVM / storage device 1308 and (one or more) input / output devices 1310.

[0211] For example, NVM / storage device 1308 may be used to store data and / or instructions 1314. NVM / storage device 1308 may include any suitable non-volatile memory (e.g., flash memory) and / or may include any suitable (one or more) non-volatile storage devices (e.g., one or more hard disk drives (HDDs), one or more optical disc drives (CDs), and / or one or more digital universal optical disc (DVD) drives).

[0212] NVM / storage device 1308 may include storage resources that are physically part of a device on which device 1300 is mounted, or that can be accessed by the device without needing to be part of the device. For example, NVM / storage device 1308 may be accessed via a network via one or more input / output devices 1310.

[0213] One or more input / output devices 1310 may provide an interface for device 1300 to communicate with any other suitable device. Input / output devices 1310 may include communication components, pinyin components, sensor components, etc. Network interface 1312 may provide an interface for device 1300 to communicate via one or more networks. Device 1300 may wirelessly communicate with one or more components of a wireless network according to any of one or more wireless network standards and / or protocols, such as accessing wireless networks based on communication standards, such as WiFi, 2G, 3G, 4G, 5G, etc., or combinations thereof.

[0214] In one embodiment, at least one of the processors 1302 may be logically packaged with one or more controllers (e.g., memory controller modules) of the control module 1304. In one embodiment, at least one of the processors 1302 may be logically packaged with one or more controllers of the control module 1304 to form a system-in-package (SiP). In one embodiment, at least one of the processors 1302 may be integrated with the logic of one or more controllers of the control module 1304 on the same die. In one embodiment, at least one of the processors 1302 may be integrated with the logic of one or more controllers of the control module 1304 on the same die to form a system-on-a-chip (SoC).

[0215] In various embodiments, device 1300 may be, but is not limited to, a server, desktop computing device, or mobile computing device (e.g., laptop computing device, handheld computing device, tablet computer, netbook, etc.). In various embodiments, device 1300 may have more or fewer components and / or different architectures. For example, in some embodiments, device 1300 includes one or more cameras, a keyboard, a liquid crystal display (LCD) screen (including a touchscreen display), a non-volatile memory port, multiple antennas, a graphics chip, an application-specific integrated circuit (ASIC), and a speaker.

[0216] This application provides an electronic device, including: one or more processors; and one or more machine-readable media having instructions stored thereon, which, when executed by the one or more processors, cause the electronic device to perform one or more methods as described in this application.

[0217] As the device embodiment is basically similar to the method embodiment, the description is relatively simple, and relevant parts can be found in the description of the method embodiment.

[0218] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on the differences from other embodiments. The same or similar parts between the various embodiments can be referred to each other.

[0219] This application describes embodiments with reference to flowchart illustrations and / or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of this application. It should be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable information processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable information processing terminal device, generate instructions for implementing the flowchart illustrations. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0220] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable information processing terminal device to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0221] These computer program instructions can also be loaded onto a computer or other programmable information processing terminal equipment, causing a series of operational steps to be performed on the computer or other programmable terminal equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable terminal equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0222] Although preferred embodiments of the present application have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including both the preferred embodiments and all changes and modifications falling within the scope of the embodiments of the present application.

[0223] Finally, it should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or terminal device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or terminal device. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or terminal device that includes the element.

[0224] The alarm aggregation method and apparatus provided in this application have been described in detail above. Specific examples have been used to illustrate the principles and implementation methods of this application. The description of the above embodiments is only for the purpose of helping to understand the method and core ideas of this application. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of this application. Therefore, the content of this specification should not be construed as a limitation of this application.

Claims

1. An alarm aggregation method, characterized in that, The method includes: Obtain a source map, which is generated based on alarm data from at least multiple alarms of the user's resources. The source map includes at least one root node, which includes an attack source node. The end nodes of at least some branches involved in the root node include alarm nodes or event nodes associated with alarm nodes. At least one file node is included between the root node and the end nodes of at least some branches involved in the root node. The file node includes the attack target of the attack source node in the user's resources. The source tracing graph is traversed from the first alarm node towards the root node; When branch file nodes are traversed in the direction closer to the root node, the source map is traversed from the branch file nodes in the direction farther from the root node, and the number of file nodes directly connected to the branch file nodes in the source map is greater than or equal to a preset number. When traversing in a direction away from the root node to find event nodes that are associated with at least one alarm node, the first alarm node is associated with the event node that is associated with at least one alarm node in the source graph.

2. The method according to claim 1, characterized in that, The method further includes: If no branch file nodes are traversed in the direction closer to the root node, an event node is created in the tracing graph and associated with the first alarm node and the created event node.

3. The method according to claim 1, characterized in that, The method further includes: If no event node associated with at least one alarm node is found when traversing in the direction away from the root node, an event node is created in the tracing graph and associated with the first alarm node and the created event node.

4. The method according to claim 1, characterized in that, The branch file node and the event node are connected through at least one intermediate node; The traversal of the source map from the branch file node in the direction away from the root node includes: In the source map, the path is traversed from the branch file node through the at least one intermediate node in the direction away from the root node.

5. The method according to claim 4, characterized in that, The method further includes: In the source map, a traversal path is established from the branch file node directly to the event node.

6. The method according to claim 1, characterized in that, The branch file node and the event node are connected through at least one intermediate node. The tracing graph has a traversal path from the branch file node directly to the event node. The traversal path is established in advance in the tracing graph by traversing the branch file node from the second alarm node towards the root node and traversing the event node from the branch file node away from the root node. The traversal of the source map from the branch file node in the direction away from the root node includes: In the source map, the branch file node is traversed from the traversal path in the direction away from the root node.

7. The method according to claim 1, characterized in that, The method further includes: For any event node in the source tracing graph, generate a mapping relationship between the event node and the alarm node associated with the event node in the source tracing graph, and output the mapping relationship.

8. The method according to claim 7, characterized in that, The method further includes: Obtain the node information of the event node, which includes at least one of the following: the name of the event node, the number of alarm nodes associated with the event node, the total number of user resources involved in the alarm nodes associated with the event node, the occurrence time of the first occurrence of the alarm node associated with the event node, the occurrence time of the last occurrence of the alarm node associated with the event node, the risk level of the event node, the processing status of the alarm nodes associated with the event node, and processing controls for processing the event node. Output the node information of the event node.

9. The method according to claim 7 or 8, characterized in that, The method further includes: After outputting the mapping relationship, if a user input indicating that the event node has been processed or the alarm node associated with the event node in the source map has been processed is received, the event node and the alarm node associated with the event node in the source map are deleted from the source map.

10. The method according to claim 1, characterized in that, The process involves traversing the source map from the first alarm node towards the root node. include, Within the target range of the source tracing map, traverse from the first alarm node towards the root node; the target range includes nodes whose layer number differs from the layer number of the first alarm node by a preset difference.

11. A method for aggregating alarms for cloud computing resources, characterized in that, The method includes: A source map of cloud computing resources is obtained. The source map is generated based on alarm data from at least multiple alarms of the user's cloud computing resources. The source map includes at least one root node, which includes an attack source node. The end nodes of at least some branches involving the root node include alarm nodes or event nodes associated with alarm nodes. At least one file node is included between the root node and the end nodes of at least some branches involving the root node. The file node includes the attack target of the attack source node in the user's cloud computing resources. The source tracing graph is traversed from the first alarm node towards the root node; When branch file nodes are traversed in the direction closer to the root node, the source map is traversed from the branch file nodes in the direction farther from the root node, and the number of file nodes directly connected to the branch file nodes in the source map is greater than or equal to a preset number. When traversing in a direction away from the root node to find event nodes that are associated with at least one alarm node, the first alarm node is associated with the event node that is associated with at least one alarm node in the source graph.

12. An alarm aggregation device, characterized in that, The device includes: The first acquisition module is used to acquire a source map, which is generated based on alarm data from at least multiple alarms of the user's resources. The source map includes at least one root node, which includes an attack source node. The end nodes of at least some branches involved in the root node include alarm nodes or event nodes associated with alarm nodes. At least one file node is included between the root node and the end nodes of at least some branches involved in the root node. The file node includes the attack target of the attack source node in the user's resources. The first traversal module is used to traverse the source map from the first alarm node in the direction closer to the root node. The second traversal module is used to traverse the source map from the branch file node to the direction away from the root node when branch file nodes are traversed in the direction closer to the root node. The number of file nodes directly connected to the branch file node in the source map is greater than or equal to a preset number. The first association module is used to associate the first alarm node with the event node that is associated with at least one alarm node in the source map when traversing the event node that is associated with at least one alarm node in the direction away from the root node.

13. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, The processor executes the steps of the method as claimed in any one of claims 1 to 11 when executing the program.

14. A computer-readable storage medium, characterized in that, A computer-readable storage medium stores a computer program that, when executed by a processor, implements the steps of the method as claimed in any one of claims 1 to 11.