Emergency response processing method and device, electronic equipment and storage medium
By building an emergency response process library and matching it with target emergency response processes, the problem of low efficiency in handling cybersecurity emergency incidents has been solved, achieving efficient emergency response processing and visualization.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- QI AN XIN TECHNOLOGY GROUP INC
- Filing Date
- 2023-05-08
- Publication Date
- 2026-07-14
AI Technical Summary
Existing technologies cannot effectively match emergency response procedures in handling cybersecurity incidents, resulting in low processing efficiency.
An emergency response process library is built. By acquiring the characteristics and instructions of the emergency events to be responded to, the target emergency response process is matched, and emergency response processes are built based on process orchestration templates and preset scenarios, so as to achieve efficient matching and processing of the process library.
It improves the efficiency of handling cybersecurity emergencies, ensuring the timely completion and visual presentation of emergency tasks.
Smart Images

Figure CN116545694B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security technology, and in particular to an emergency response processing method, apparatus, electronic device, and storage medium. Background Technology
[0002] With the development of technologies such as cloud computing, the Internet of Things, and artificial intelligence, cyberattack methods have evolved and upgraded, and cyber threats continue to evolve, leading to frequent cybersecurity incidents across multiple industries. Therefore, given the severe cybersecurity situation, it is necessary to deploy cybersecurity emergency response strategies to handle security incidents.
[0003] According to relevant technologies, in the process of handling cybersecurity incidents, the inability to match the emergency response process for an effective response results in low efficiency in handling cybersecurity incidents. Summary of the Invention
[0004] This invention provides an emergency response processing method, apparatus, electronic device, and storage medium, which can match the target emergency response process in the emergency process library and respond to the emergency event to be responded to, thereby improving the processing efficiency of network security emergency events.
[0005] This invention provides an emergency response processing method, the method comprising: acquiring an emergency event to be responded to; determining a target emergency response process corresponding to the emergency event to be responded to in a pre-built emergency process library; and processing the emergency event to be responded to based on the target emergency response process, wherein the emergency response process library includes multiple emergency response processes.
[0006] According to an emergency response processing method provided by the present invention, the step of determining the target emergency response process corresponding to the emergency event to be responded to in a pre-built emergency process library specifically includes: obtaining a processing instruction, wherein the processing instruction includes emergency response process type filtering conditions; determining, based on the processing instruction, candidate emergency response processes that meet the emergency response process type filtering conditions in the emergency process library; and determining, based on the target event characteristics of the emergency event to be responded to, the target emergency response process that matches the target event characteristics from the candidate emergency response processes.
[0007] According to an emergency response method provided by the present invention, the emergency process library is constructed by: obtaining a process orchestration template, as well as preset scenarios and process customization requirements; constructing the emergency response process through process orchestration based on the process orchestration template, the preset scenarios, and the process customization requirements; and constructing the emergency process library based on multiple emergency response processes.
[0008] According to an emergency response processing method provided by the present invention, the process orchestration template includes multiple sub-task templates. The step of constructing the emergency response process through process orchestration based on the process orchestration template, the preset scenario, and the process customization requirements specifically includes: determining the relationship between each of the sub-task templates based on the preset scenario and the process customization requirements, wherein the relationship between the sub-task templates includes at least one of serial relationship, parallel relationship, and branch relationship; and orchestrating the process orchestration template based on the relationship between the sub-task templates to construct the emergency response process.
[0009] According to an emergency response processing method provided by the present invention, the emergency event to be responded to is obtained in the following manner: acquiring multiple alarm data; filtering the multiple alarm data to remove alarm data lacking preset fields, obtaining filtered alarm data; converting the multiple filtered alarm data into multiple standard alarm data, wherein the standard alarm data is alarm data that meets preset format requirements; aggregating the multiple standard alarm data to obtain a network security event; acquiring the number of target attacks on the network security event; and identifying network security events where the number of target attacks exceeds a threshold as emergency events to be responded to.
[0010] According to an emergency response processing method provided by the present invention, the step of aggregating multiple standard alarm data to obtain a network security event specifically includes: obtaining alarm information features of the standard alarm data, wherein the alarm information features are features shared or correlated among the alarm data constituting the network security event; and aggregating multiple standard alarm data based on the alarm information features to obtain a network security event.
[0011] According to an emergency response method provided by the present invention, the target attack count of the network security incident is obtained in the following manner: based on the attack source characteristics of the network security incident, the target attack source information of the network security incident is determined, wherein the target attack source information corresponds to the attack source characteristics; the target attack count corresponding to the target attack source information is determined in a pre-set attack source mapping table, wherein the attack source mapping table stores the mapping relationship between attack source information and attack count.
[0012] According to an emergency response processing method provided by the present invention, after responding to the emergency event to be responded to based on the target emergency response process, the method further includes: in response to receiving a visualization display instruction for the response processing result, visually displaying the response processing result.
[0013] The present invention also provides an emergency response processing device, the device comprising: a first module for acquiring an emergency event to be responded to; and a second module for determining a target emergency response process corresponding to the emergency event to be responded to in a pre-built emergency process library, and processing the emergency event to be responded to based on the target emergency response process, wherein the emergency response process library includes multiple emergency response processes.
[0014] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the emergency response processing method as described above.
[0015] The present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the emergency response processing method as described above.
[0016] The present invention also provides a computer program product, including a computer program that, when executed by a processor, implements the emergency response processing method as described above.
[0017] The emergency response processing method, apparatus, electronic device, and storage medium provided by this invention acquire an emergency event to be responded to, determine the target emergency response process corresponding to the emergency event to be responded to in a pre-built emergency process library, and process the emergency event to be responded to based on the target emergency response process. This realizes the effective response processing of the emergency event to be responded to by matching the target emergency response process in the emergency process library, thereby improving the processing efficiency of network security emergency events. Attached Figure Description
[0018] To more clearly illustrate the technical solutions in this invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0019] Figure 1 This is a flowchart illustrating the emergency response method provided by the present invention;
[0020] Figure 2 This is a flowchart illustrating how the present invention determines the target emergency response process corresponding to an emergency event to be responded to from a pre-built emergency process library.
[0021] Figure 3 This is a flowchart illustrating the process of acquiring emergency events to be responded to, provided by the present invention.
[0022] Figure 4 This is a schematic diagram of the emergency response processing device provided by the present invention;
[0023] Figure 5 This is a schematic diagram of the structure of the electronic device provided by the present invention. Detailed Implementation
[0024] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.
[0025] The emergency response method provided by this invention can handle emergencies, drive the emergency process according to the programmed emergency response process (corresponding to the emergency response process), and visualize the handling status of emergency tasks to coordinate network security work as a whole and ensure the timely completion of emergency tasks.
[0026] Figure 1 This is a flowchart illustrating the emergency response method provided by the present invention.
[0027] The following will combine Figure 1 The process of emergency response and handling methods is explained.
[0028] In an exemplary embodiment of the present invention, combined with Figure 1 As can be seen, the emergency response method may include steps 110 and 120, which will be described in detail below.
[0029] In step 110, the emergency events to be responded to are obtained.
[0030] In step 120, the target emergency response process corresponding to the emergency event to be responded to is determined from the pre-built emergency process library, and the emergency event to be responded to is processed based on the target emergency response process.
[0031] The emergency response process library can include multiple emergency response processes. Emergency events awaiting response can be understood as events perceived by users as emergencies that require timely handling.
[0032] Furthermore, a target emergency response procedure corresponding to the emergency event to be responded to can be identified from a pre-built emergency procedure library. The emergency event to be responded to is then processed based on the target emergency response procedure. This achieves effective response processing of the emergency event by matching the target emergency response procedure in the emergency procedure library, thereby improving the efficiency of handling cybersecurity emergency events.
[0033] The emergency response processing method provided by this invention obtains the emergency event to be responded to, determines the target emergency response process corresponding to the emergency event to be responded to in a pre-built emergency process library, and processes the emergency event to be responded to based on the target emergency response process. This realizes the effective response processing of the emergency event to be responded to by matching the target emergency response process in the emergency process library, thereby improving the processing efficiency of network security emergency events.
[0034] Figure 2 This is a flowchart illustrating how the present invention determines the target emergency response process corresponding to the emergency event to be responded to from a pre-built emergency process library.
[0035] The following will combine Figure 2 The process of identifying the target emergency response procedure corresponding to the emergency event to be responded to from a pre-built emergency procedure library is described.
[0036] In an exemplary embodiment of the present invention, combined with Figure 2 As can be seen, determining the target emergency response process corresponding to the emergency event to be responded to in the pre-built emergency process library may include steps 210 to 230, which will be described in detail below.
[0037] In step 210, a processing instruction is obtained, wherein the processing instruction includes emergency response process type filtering conditions.
[0038] In step 220, based on the processing instructions, candidate emergency response procedures that meet the screening criteria for emergency response procedure types are determined from the emergency procedure library.
[0039] In step 230, based on the target event characteristics of the emergency event to be responded to, a target emergency response process that matches the target event characteristics is determined from the candidate emergency response processes.
[0040] In one embodiment, multiple candidate emergency response procedures that meet the screening criteria for emergency response procedure types can be determined from the emergency procedure library according to the processing instructions.
[0041] To further ensure that the selected candidate emergency response procedures can respond to and handle emergency events more efficiently, during application, a target emergency response procedure that matches the target event characteristics can be determined from the candidate procedures. This embodiment ensures that the target emergency response procedure both meets user requirements (corresponding to the emergency response procedure type selection criteria in the processing instructions) and matches the target event characteristics of the emergency event, thereby improving the efficiency of handling emergency events.
[0042] In another embodiment, based on user needs, process definitions can be modeled using Business Process Management (BPM). Then, based on the established process definitions, BPM provides interfaces for creating, starting, and suspending process instances, thereby enabling the processing of each business transaction related to the process. In yet another example, when executing a process, BPM can automatically execute it or call different external APIs to keep the process in a corresponding state; the state transitions of the process form the lifecycle of the process instance.
[0043] It should be noted that process orchestration provides a process that can be pre-arranged, executed automatically or manually for process-driven business systems. It also supports modifying the orchestration content and node flow order that have not been run in the process orchestration during runtime after the process has started. The orchestrated process supports process orchestration composed of stages, means, logical nodes and connection relationships.
[0044] In another embodiment, an emergency response process can be built based on process orchestration using a process engine. After orchestration by the process engine, supplementary emergency response measures are used to ensure the continuity and availability of related business operations, thereby reducing the degree of damage caused by attacks.
[0045] In another embodiment, a processing instruction can be understood as an instruction to process the emergency event to be responded to according to a target preset requirement. Here, the target preset requirement is a user requirement. During application, when a user's processing instruction is received, the target emergency response process corresponding to the processing instruction can be determined from the emergency response process library. It is understood that the target emergency response process is one of the constructed emergency response processes. Furthermore, the emergency event to be responded to can be processed according to the target emergency response process. Since the processing instruction is an instruction to process the emergency event to be responded to according to the target preset requirement, it can be ensured that the emergency event to be responded to can be processed according to user requirements, thereby improving the efficiency of handling network security emergency events.
[0046] In yet another exemplary embodiment of the present invention, the emergency response procedure library can be constructed in the following manner:
[0047] Obtain process orchestration templates, as well as preset scenarios and process customization requirements;
[0048] Based on process orchestration templates, preset scenarios, and process customization requirements, the emergency response process is constructed through process orchestration.
[0049] An emergency response process library is built based on multiple emergency response procedures.
[0050] In one embodiment, a process orchestration template, preset scenarios, and process customization requirements can be obtained, wherein the process customization requirements are determined based on the user's actual needs. Furthermore, based on the process orchestration template, preset scenarios, and process customization requirements, an emergency response process is constructed through process orchestration. During application, multiple emergency response processes can be built into an emergency process library.
[0051] In another exemplary embodiment of the present invention, the process orchestration template may include multiple sub-task templates. The emergency response process can be constructed through process orchestration based on the process orchestration template, preset scenarios, and process customization requirements, in the following manner:
[0052] Based on the preset scenarios and process customization requirements, the relationship between each subtask template in the process orchestration template is determined. The relationship between the subtask templates includes at least one of the following: serial relationship, parallel relationship, and branch relationship.
[0053] Based on the relationships between subtask templates, the process orchestration template is used to orchestrate the process in order to construct an emergency response process.
[0054] In one embodiment, the relationship between various sub-task templates in the process orchestration template can be determined based on preset scenarios and process customization requirements. This allows one or more preset task templates to be customized into an emergency response process according to preset scenarios and requirements (corresponding to user demand instructions). Since the relationship between the sub-task templates is determined based on preset scenarios and process customization requirements, it also ensures that the constructed emergency response process matches the preset scenarios and process customization requirements, thus laying the foundation for responding to emergency events according to user needs.
[0055] In another exemplary embodiment of the present invention, multiple subtask templates can be arranged into one or more of the following relationships: serial, parallel, and branching, according to preset scenarios and process customization requirements. By arranging the subtask templates into serial, parallel, and branching relationships according to preset scenarios and process customization requirements, it can be ensured that the resulting emergency response process meets user needs.
[0056] Figure 3 This is a flowchart illustrating the process of obtaining emergency events to be responded to, provided by the present invention.
[0057] The following will combine Figure 3 The process for obtaining emergency events to be responded to is explained.
[0058] In an exemplary embodiment of the present invention, combined with Figure 3 As can be seen, obtaining emergency events to be responded to may include steps 310 to 360, and each step will be described below.
[0059] In step 310, multiple alarm data are acquired.
[0060] In step 320, multiple alarm data are filtered to remove alarm data that lack preset fields, resulting in filtered alarm data.
[0061] In step 330, the multiple filtered alarm data are converted into multiple standard alarm data, wherein the standard alarm data are alarm data that meet the preset format requirements.
[0062] In one embodiment, multiple alarm data can be added to a message queue. During application, alarm data can be subscribed to from the message queue and filtered, for example, by performing a data cleaning operation to remove alarm data lacking preset fields, resulting in filtered alarm data. Further, the multiple filtered alarm data are then format-converted to obtain multiple standard alarm data. The preset format requirements can be adjusted according to actual conditions and are not specifically limited in this embodiment. Standard alarm data are alarm data that meet the preset format requirements.
[0063] In another example, standard alarm data may include information such as alarm time, alarm device type, attack type, alarm request name, alarm source address, alarm source port, alarm destination address, alarm destination port, risk level, traffic direction, whether it was blocked, and the original alarm. In other words, alarm data that meets the preset format requirements can be alarm data that includes the aforementioned information.
[0064] In step 340, multiple standard alarm data are aggregated to obtain network security events.
[0065] In yet another exemplary embodiment of the present invention, the aggregation of multiple standard alarm data to obtain a network security event can be achieved in the following manner:
[0066] Obtain alarm information characteristics from standard alarm data. These alarm information characteristics are those shared or correlated among alarm data constituting a network security event.
[0067] Based on the characteristics of alarm information, multiple standard alarm data are aggregated to obtain network security events.
[0068] In another embodiment, multiple standard alarm data can be aggregated based on alarm information such as the name and attributes of the alarm information to obtain a network security event.
[0069] In step 350, the number of target attacks on the network security incident is obtained.
[0070] In step 360, cybersecurity events where the number of attacks against a target exceeds a threshold are identified as emergency events to be responded to.
[0071] In another embodiment, the number of target attacks on a network security event can be obtained, and network security events with a target attack count exceeding a threshold can be designated as emergency response events. The threshold can be adjusted according to actual circumstances; however, this embodiment does not impose a specific limit on the threshold.
[0072] In yet another exemplary embodiment of the present invention, the number of target attacks in a network security event can be obtained in the following manner:
[0073] Based on the attack source characteristics of network security incidents, the target attack source information of network security incidents is determined, wherein the target attack source information corresponds to the attack source characteristics;
[0074] The number of target attacks corresponding to the target attack source information is determined in a pre-set attack source mapping table, where the attack source mapping table stores the mapping relationship between attack source information and attack count.
[0075] In one embodiment, the target attack source information of a network security incident can be determined based on the attack source characteristics of the incident. Further, the number of target attacks corresponding to the target attack source information is determined based on an attack source mapping table. During application, when the number of target attacks exceeds a threshold, the network security incident can be treated as a pending emergency event.
[0076] In another embodiment, taking the attack source characteristic as the network attack event type as an example, the corresponding attack source information can be determined based on the determined network attack event type. Then, the attack source information is matched with pre-generated attack records (corresponding to an attack source mapping table) to determine the number of target attacks corresponding to the attack source information.
[0077] In yet another exemplary embodiment of the present invention, continuing with Figure 1 The above embodiment is used as an example for illustration. After processing the emergency event to be responded to based on the target emergency response process (corresponding to step 120), the emergency response processing method further includes:
[0078] In response to receiving a command to visualize the response processing results, the response processing results will be visualized.
[0079] In one embodiment, the response processing results can also be visualized based on the received command to visualize the response processing results. This allows for the visualization of the emergency response status, enabling overall coordination of cybersecurity work and ensuring the timely completion of emergency response tasks.
[0080] The emergency response method provided by this invention can orchestrate a complete process flow based on customized business processes tailored to specific business needs (corresponding to preset scenarios and process customization requirements), and confirm the execution rules for special scenarios. Through the orchestrated emergency response process, business processes with specific business attributes can be converted into BPMN-compliant flowcharts recognizable by the underlying process engine Flowable. The process platform's general logic is then used to initiate the business process, triggering transitions and executing customized business logic. The application response process can be stored on the process platform. Furthermore, the business process (corresponding to the emergency response process) built based on the orchestration is completed through automated code, effectively improving the development efficiency of business processes and laying the foundation for improving the efficiency of handling cybersecurity emergencies.
[0081] As described above, the emergency response processing method provided by the present invention acquires the emergency event to be responded to, determines the target emergency response process corresponding to the emergency event to be responded to in a pre-built emergency process library, and processes the emergency event to be responded to based on the target emergency response process. This realizes the effective response processing of the emergency event to be responded to by matching the target emergency response process in the emergency process library, thereby improving the processing efficiency of network security emergency events.
[0082] Based on the same concept, the present invention also provides an emergency response processing device.
[0083] The emergency response processing device provided by the present invention is described below. The emergency response processing device described below can be referred to in correspondence with the emergency response processing method described above.
[0084] Figure 4 This is a schematic diagram of the emergency response processing device provided by the present invention.
[0085] In yet another exemplary embodiment of the present invention, combined with Figure 4 As can be seen, the emergency response and handling device may include a first module 410 and a second module 420, and each module will be described in detail below.
[0086] The first module 410 can be configured to acquire emergency events to be responded to.
[0087] The second module 420 can be configured to determine the target emergency response process corresponding to the emergency event to be responded to in a pre-built emergency process library, and to process the emergency event to be responded to based on the target emergency response process, wherein the emergency response process library includes multiple emergency response processes.
[0088] In an exemplary embodiment of the present invention, the second module 420 may determine the target emergency response process corresponding to the emergency event to be responded to from a pre-built emergency process library in the following manner:
[0089] Obtain processing instructions, which include emergency response process type filtering conditions;
[0090] Based on the processing instructions, candidate emergency response procedures that meet the screening criteria for emergency response procedure types are identified in the emergency procedure library.
[0091] Based on the characteristics of the target event of the emergency to be responded to, a target emergency response process that matches the characteristics of the target event is determined from the candidate emergency response processes.
[0092] In an exemplary embodiment of the present invention, the second module 420 may also construct the emergency procedure library in the following manner:
[0093] Obtain process orchestration templates, as well as preset scenarios and process customization requirements;
[0094] Based on process orchestration templates, preset scenarios, and process customization requirements, the emergency response process is constructed through process orchestration.
[0095] An emergency response process library is built based on multiple emergency response procedures.
[0096] In an exemplary embodiment of the present invention, the process orchestration template may include multiple sub-task templates. The second module 420 may construct an emergency response process based on the process orchestration template, preset scenarios, and process customization requirements through process orchestration in the following manner:
[0097] Based on the preset scenarios and process customization requirements, the relationship between each subtask template is determined. The relationship between the subtask templates includes at least one of the following: serial relationship, parallel relationship and branch relationship.
[0098] Based on the relationships between subtask templates, the process orchestration template is used to orchestrate the process in order to construct an emergency response process.
[0099] In an exemplary embodiment of the present invention, the first module 410 may acquire the emergency event to be responded to in the following manner:
[0100] Obtain multiple alarm data;
[0101] Multiple alarm data are filtered to remove alarm data that lack preset fields, resulting in filtered alarm data.
[0102] Multiple filtered alarm data are converted into multiple standard alarm data, which are alarm data that meet the preset format requirements.
[0103] Multiple standard alarm data are aggregated to obtain network security events;
[0104] Obtain the number of targeted attacks in a cybersecurity incident;
[0105] Cybersecurity incidents where the number of attacks on a target exceeds a certain threshold are identified as emergency incidents requiring immediate response.
[0106] In an exemplary embodiment of the present invention, the second module 420 can aggregate multiple standard alarm data to obtain a network security event in the following manner:
[0107] Obtain alarm information characteristics from standard alarm data. These alarm information characteristics are those shared or correlated among alarm data constituting a network security event.
[0108] Based on the characteristics of alarm information, multiple standard alarm data are aggregated to obtain network security events.
[0109] In an exemplary embodiment of the present invention, the second module 420 may obtain the number of target attacks on a network security event in the following manner:
[0110] Based on the attack source characteristics of network security incidents, the target attack source information of network security incidents is determined, wherein the target attack source information corresponds to the attack source characteristics;
[0111] The number of target attacks corresponding to the target attack source information is determined in a pre-set attack source mapping table, where the attack source mapping table stores the mapping relationship between attack source information and attack count.
[0112] In an exemplary embodiment of the present invention, the second module 420 may further be configured to:
[0113] In response to receiving a command to visualize the response processing results, the response processing results will be visualized.
[0114] Figure 5 An example is a schematic diagram of the physical structure of an electronic device, such as... Figure 5 As shown, the electronic device may include a processor 510, a communications interface 520, a memory 530, and a communication bus 540. The processor 510, communications interface 520, and memory 530 communicate with each other via the communication bus 540. The processor 510 can invoke logical instructions from the memory 530 to execute an emergency response processing method. This method includes: acquiring an emergency event to be responded to; determining the target emergency response process corresponding to the emergency event to be responded to in a pre-built emergency process library; and processing the emergency event to be responded to based on the target emergency response process. The emergency response process library includes multiple emergency response processes.
[0115] Furthermore, the logical instructions in the aforementioned memory 530 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, essentially, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0116] On the other hand, the present invention also provides a computer program product, which includes a computer program that can be stored on a non-transitory computer-readable storage medium. When the computer program is executed by a processor, the computer can execute the emergency response processing method provided by the above methods. The method includes: acquiring an emergency event to be responded to; determining a target emergency response process corresponding to the emergency event to be responded to in a pre-built emergency process library; and processing the emergency event to be responded to based on the target emergency response process. The emergency response process library includes multiple emergency response processes.
[0117] In another aspect, the present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon. When executed by a processor, the computer program is implemented to perform the emergency response processing methods provided by the above methods. The method includes: acquiring an emergency event to be responded to; determining a target emergency response process corresponding to the emergency event to be responded to in a pre-built emergency process library; and processing the emergency event to be responded to based on the target emergency response process. The emergency response process library includes multiple emergency response processes.
[0118] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.
[0119] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.
[0120] It is further understood that although the operations are described in a specific order in the accompanying drawings in the embodiments of the present invention, this should not be construed as requiring these operations to be performed in the specific order or serial order shown, or requiring all the operations shown to obtain the desired result. In certain environments, multitasking and parallel processing may be advantageous.
[0121] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims
1. An emergency response method, characterized in that, The method includes: Acquire pending emergency events; The target emergency response process corresponding to the emergency event to be responded to is determined from a pre-built emergency response process library, and the emergency event to be responded to is processed based on the target emergency response process. The emergency response process library includes multiple emergency response processes, and is constructed in the following manner: Obtain process orchestration templates, as well as preset scenarios and process customization requirements; Based on the process orchestration template, the preset scenario, and the process customization requirements, the emergency response process is constructed through process orchestration. Based on multiple emergency response procedures, an emergency response procedure library is constructed. The procedure orchestration template includes multiple sub-task templates. The construction of the emergency response procedure through procedure orchestration, based on the procedure orchestration template, the preset scenario, and the procedure customization requirements, specifically includes: Based on the preset scenario and the process customization requirements, the relationship between each of the subtask templates is determined. The relationship between the subtask templates includes at least one of the following: serial relationship, parallel relationship and branch relationship. Based on the relationship between the subtask templates, the process orchestration template is arranged to construct the emergency response process.
2. The emergency response method according to claim 1, characterized in that, The step of determining the target emergency response procedure corresponding to the emergency event to be responded to from the pre-built emergency procedure library specifically includes: Obtain processing instructions, wherein the processing instructions include emergency response process type filtering conditions; Based on the processing instructions, candidate emergency response processes that meet the screening conditions for the emergency response process type are determined in the emergency process library. Based on the target event characteristics of the emergency event to be responded to, the target emergency response process that matches the target event characteristics is determined from the candidate emergency response processes.
3. The emergency response method according to claim 1, characterized in that, The emergency events to be responded to are obtained in the following ways: Obtain multiple alarm data; Multiple alarm data are filtered to remove alarm data that lack preset fields, resulting in filtered alarm data. The filtered alarm data are converted into multiple standard alarm data, wherein the standard alarm data are alarm data that meet the preset format requirements. Multiple standard alarm data are aggregated to obtain network security events; Obtain the number of target attacks for the aforementioned network security incident; Network security incidents where the number of attacks on the target exceeds a threshold are identified as emergency events requiring a response.
4. The emergency response method according to claim 3, characterized in that, The aggregation of multiple standard alarm data to obtain a network security event specifically includes: The alarm information features of the standard alarm data are those features that are common to or correlated among the alarm data constituting a network security event. Based on the alarm information characteristics, multiple standard alarm data are aggregated to obtain network security events.
5. The emergency response method according to claim 3, characterized in that, The number of target attacks in the cybersecurity incident was obtained using the following methods: Based on the attack source characteristics of the network security incident, the target attack source information of the network security incident is determined, wherein the target attack source information corresponds to the attack source characteristics; The number of target attacks corresponding to the target attack source information is determined in a pre-set attack source mapping table, wherein the attack source mapping table stores the mapping relationship between attack source information and attack count.
6. The emergency response method according to claim 1, characterized in that, After responding to the emergency event based on the target emergency response procedure, the method further includes: In response to receiving a command to visualize the response processing result, the response processing result is visualized.
7. An emergency response processing device, characterized in that, The apparatus is used to implement the emergency response processing method according to any one of claims 1 to 6, and the apparatus comprises: The first module is used to acquire emergency events that need to be responded to. The second module is used to determine the target emergency response process corresponding to the emergency event to be responded to in a pre-built emergency process library, and to process the emergency event to be responded to based on the target emergency response process. The emergency response process library includes multiple emergency response processes.
8. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the program, it implements the emergency response processing method as described in any one of claims 1 to 6.
9. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the emergency response processing method as described in any one of claims 1 to 6.