Method and apparatus for adjusting network protection policy

By analyzing the similarity and periodic characteristics of the alarm logs generated by the firewall, the protection strategy of the WAF is automatically adjusted, which solves the problem of high false alarm rate of WAF and achieves efficient reduction of false alarm rate and saving of manual costs.

CN116800518BActive Publication Date: 2026-06-09CHINA TELECOM CORP LTD TECHNOLOGY INNOVATION CENTER +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA TELECOM CORP LTD TECHNOLOGY INNOVATION CENTER
Filing Date
2023-07-13
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing Web Application Firewall (WAF) systems have high false alarm rates, which significantly impacts the normal operation of web applications. This requires a large number of technical professionals to analyze and adjust protection strategies, resulting in high manpower and time costs.

Method used

By analyzing multiple alarm logs generated by the firewall within a set time period, the network protection strategy is automatically adjusted based on the similarity and periodic characteristics of the alarm logs, thereby identifying and reducing the false alarm rate.

Benefits of technology

It enables automated identification of false alarms and adjustment of protection strategies, saving labor costs, improving the efficiency of false alarm identification, and reducing the false alarm rate.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116800518B_ABST
    Figure CN116800518B_ABST
Patent Text Reader

Abstract

The application discloses a network protection policy adjustment method and device, which is used for automatically adjusting the network protection policy to reduce the false positive rate and save the labor and time cost consumed by reducing the false positive rate. The method comprises the following steps: acquiring a plurality of alarm logs generated by a firewall for a first client in a set time period; each alarm log is generated by the firewall after intercepting an abnormal data from the first client; determining a false positive rate of a plurality of abnormal data from the first client according to the similarity of the contents of the plurality of alarm logs; the similarity is positively correlated with the false positive rate; and when the false positive rate is greater than a set threshold, adjusting the network protection policy according to the protection rules matched with the plurality of abnormal data.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network information security technology, and in particular to a method and apparatus for adjusting network protection strategies. Background Technology

[0002] Web Application Firewalls (WAFs) are deployed before web applications. They analyze and validate user requests destined for web applications using regular expressions and machine learning algorithms to identify abnormal traffic. Current WAF protection methods rely on feature matching; when traffic contains features that match predefined rules, an alarm is triggered or the network is blocked. This can easily lead to false positives, where normal traffic is incorrectly flagged as abnormal. As attacks evolve and web applications become increasingly complex, the false positive rate of WAFs is rising, significantly impacting normal web application operations. Therefore, a substantial investment of technical personnel is needed to analyze false positives and maintain and refine WAF protection strategies. Summary of the Invention

[0003] This application provides a method and apparatus for adjusting network protection strategies, which can automatically adjust the protection strategies to reduce the false alarm rate. Compared with the traditional method of reducing the false alarm rate by technical personnel, the method of this application effectively saves the labor and time costs of reducing the false alarm rate.

[0004] Firstly, this application provides a method for adjusting a network protection strategy, wherein the network protection strategy includes multiple protection rules, and the method includes:

[0005] Obtain multiple alarm logs generated by the firewall for the first client within a set time period; each alarm log is generated by the firewall after intercepting an abnormal data from the first client;

[0006] The false alarm rate of multiple abnormal data from the first client is determined based on the similarity of the contents of the multiple alarm logs; wherein, the similarity is positively correlated with the false alarm rate.

[0007] When the false alarm rate exceeds a set threshold, the network protection strategy is adjusted according to the protection rules that match the multiple abnormal data.

[0008] In some embodiments, the method further includes:

[0009] The periodic characteristic value of the multiple alarm logs is determined based on their generation time; the first value of the periodic characteristic value indicates that the multiple alarm logs are generated periodically, and the second value of the periodic characteristic value indicates that the multiple alarm logs are not generated periodically.

[0010] The step of determining the false alarm rate of multiple abnormal data from the first client based on the similarity of the contents of the multiple alarm logs specifically includes:

[0011] The false alarm rate is determined based on the similarity and the periodic feature value; wherein the false alarm rate corresponding to the periodic feature value being a first value is greater than the false alarm rate corresponding to the periodic feature value being a second value.

[0012] In some embodiments, determining the similarity of the contents of the multiple alarm logs includes:

[0013] Extract the alarm types included in each alarm log and determine the number of alarm types involved in the multiple alarm logs;

[0014] The similarity of the contents of the multiple alarm logs is determined based on the quantity; wherein the quantity is negatively correlated with the similarity.

[0015] In some embodiments, determining the similarity of the contents of the multiple alarm logs includes:

[0016] Extract the Uniform Resource Identifier (URI) included in each alarm log, and determine the base URI from the extracted multiple URIs; the base URI is the longest URI among the multiple URIs.

[0017] Calculate the length of the longest common substring (LCS) between each extracted URI and the baseline URI, and determine the number of LCSs whose length is greater than the length threshold;

[0018] The similarity of the contents of the multiple alarm logs is determined based on the quantity; wherein the quantity is positively correlated with the similarity.

[0019] In some embodiments, determining the similarity of the contents of the multiple alarm logs includes:

[0020] Extract the descriptive text included in each alarm log and determine the statement vector corresponding to each descriptive text;

[0021] The similarity of the contents of the multiple alarm logs is determined based on the distance between multiple statement vectors; wherein the distance is positively correlated with the similarity.

[0022] In some embodiments, obtaining multiple alarm logs generated by the firewall for the first client within a set time period includes:

[0023] Obtain the alarm logs generated by the firewall within the specified time period;

[0024] The alarm logs obtained were identified as containing alarms whose source IP address was the IP address of the first client and whose user agent UA was the UA of the first client.

[0025] In some embodiments, adjusting the network protection policy according to protection rules matching the plurality of abnormal data includes:

[0026] Stop using the protection rules included in the network protection rules that match the multiple abnormal data.

[0027] Secondly, this application provides a device for adjusting a network protection strategy, wherein the network protection strategy includes multiple protection rules, and the device includes:

[0028] The acquisition unit is used to acquire multiple alarm logs generated by the firewall for the first client within a set time period; wherein each alarm log is generated by the firewall after intercepting an abnormal data from the first client;

[0029] The processing unit is configured to execute:

[0030] The false alarm rate of multiple abnormal data from the first client is determined based on the similarity of the contents of the multiple alarm logs; wherein, the similarity is positively correlated with the false alarm rate.

[0031] When the false alarm rate exceeds a set threshold, the network protection strategy is adjusted according to the protection rules that match the multiple abnormal data.

[0032] In some embodiments, the processing unit is further configured to:

[0033] The periodic characteristic value of the multiple alarm logs is determined based on their generation time; the first value of the periodic characteristic value indicates that the multiple alarm logs are generated periodically, and the second value of the periodic characteristic value indicates that the multiple alarm logs are not generated periodically.

[0034] The processing unit, when determining the false alarm rate of multiple abnormal data from the first client based on the similarity of the contents of the multiple alarm logs, is specifically used for:

[0035] The false alarm rate is determined based on the similarity and the periodic feature value; wherein the false alarm rate corresponding to the periodic feature value being a first value is greater than the false alarm rate corresponding to the periodic feature value being a second value.

[0036] In some embodiments, the processing unit is specifically used for:

[0037] Extract the alarm types included in each alarm log and determine the number of alarm types involved in the multiple alarm logs;

[0038] The similarity of the contents of the multiple alarm logs is determined based on the quantity; wherein the quantity is negatively correlated with the similarity.

[0039] In some embodiments, the processing unit is specifically used for:

[0040] Extract the Uniform Resource Identifier (URI) included in each alarm log, and determine the base URI from the extracted multiple URIs; the base URI is the longest URI among the multiple URIs.

[0041] Calculate the length of the longest common substring (LCS) between each extracted URI and the baseline URI, and determine the number of LCSs whose length is greater than the length threshold;

[0042] The similarity of the contents of the multiple alarm logs is determined based on the quantity; wherein the quantity is positively correlated with the similarity.

[0043] In some embodiments, the processing unit is specifically used for:

[0044] Extract the descriptive text included in each alarm log and determine the statement vector corresponding to each descriptive text;

[0045] The similarity of the contents of the multiple alarm logs is determined based on the distance between multiple statement vectors; wherein the distance is positively correlated with the similarity.

[0046] In some embodiments, the acquisition unit is specifically used for:

[0047] Obtain the alarm logs generated by the firewall within the specified time period;

[0048] The alarm logs obtained were identified as containing alarms whose source IP address was the IP address of the first client and whose user agent UA was the UA of the first client.

[0049] In some embodiments, the processing unit is specifically used for:

[0050] Stop using the protection rules included in the network protection rules that match the multiple abnormal data.

[0051] Thirdly, an electronic device is provided, comprising a controller and a memory. The memory stores computer-executable instructions, and the controller executes the computer-executable instructions in the memory to perform operational steps of any possible implementation of the method of the first aspect using hardware resources in the controller.

[0052] Fourthly, a computer-readable storage medium is provided, which stores instructions that, when executed on a computer, cause the computer to perform the methods described above.

[0053] This application leverages the randomness and variability of malicious attack data, and the uniformity and regularity of normal data. By analyzing alarm logs generated from multiple abnormal data points originating from the same client, and determining the similarity of these logs, it identifies whether the multiple abnormal data points from the same client exhibit characteristics of malicious attack data, thus determining whether they are false alarms. If a false alarm is identified, network protection strategies can be adjusted promptly to reduce the false alarm rate. Compared to traditional methods that rely on professional analysis to reduce false alarm rates, this application's solution effectively saves on labor costs and time. Attached Figure Description

[0054] The accompanying drawings, which are included to provide a further understanding of this application and form part of this application, illustrate exemplary embodiments and are used to explain this application, but do not constitute an undue limitation of this application. In the drawings:

[0055] Figure 1 A schematic diagram of a system architecture provided for an embodiment of this application;

[0056] Figure 2 A flowchart illustrating a method for adjusting a network protection strategy as provided in this application embodiment;

[0057] Figure 3 A flowchart illustrating another method for adjusting a network protection strategy provided in this application embodiment;

[0058] Figure 4 A schematic diagram of the structure of a network protection strategy adjustment device provided in an embodiment of this application;

[0059] Figure 5 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Detailed Implementation

[0060] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of this application will be clearly and completely described below with reference to the accompanying drawings of the embodiments of this application. Obviously, the described embodiments are only some embodiments of the technical solutions of this application, and not all embodiments. Based on the embodiments recorded in this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the technical solutions of this application.

[0061] The terms "first," "second," etc., used in the specification, claims, and accompanying drawings of this invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that embodiments of the invention described herein can be implemented in sequences other than those illustrated or described herein. Furthermore, the term "and / or" herein is merely a description of the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, and B alone. Additionally, the character " / " herein, unless otherwise specified, generally indicates that the preceding and following related objects have an "or" relationship.

[0062] To facilitate understanding of the solutions proposed in this application, the technical terms used in the embodiments of this application will first be introduced:

[0063] (1) User Agent (UA): A part of the Hypertext Transfer Protocol (HTTP) and a component of the header field. The website server uses the UA to determine the operating system version, processor type, browser version, and other information applicable to each user, so that the website server can send different pages to different users based on the information determined above.

[0064] (2) Uniform Resource Identifier (URI): A string used to identify the name of an Internet resource. This identifier allows users to interact with any resource (including local and Internet resources) through a specific protocol. Simply put, every resource available on the Web—documents, images, video clips, and programs, etc.—is located by a URI.

[0065] (3) Term Frequency–Inverse Document Frequency (TF-IDF) algorithm: A statistical method for evaluating the importance of a word to a document in a document set or corpus. The importance of a word increases proportionally to the number of times it appears in a document, but decreases inversely proportionally to its frequency in the corpus. The main idea of ​​TF-IDF is: if a word or phrase appears frequently in one article but rarely in other articles, then this word or phrase is considered to have good class distinguishing ability and is suitable for classification.

[0066] Web Application Firewall (WAF), as a protection module for web applications, primarily verifies traffic destined for the web application server based on preset protection policies. These policies include multiple protection rules, each with one or more feature fields. The WAF can then perform feature matching on received traffic to determine if it contains the feature fields included in the protection rules. If so, the traffic is identified as abnormal and blocked. Furthermore, based on the protection rules matching the abnormal traffic, the attack type of the abnormal traffic is determined, generating corresponding alarm or block logs. This feature-matching-based protection strategy is prone to misclassifying normal traffic as abnormal, resulting in a high false positive rate. To reduce this rate, professional technicians need to periodically extract and analyze the alarm and block logs generated by the WAF to identify falsely flagged abnormal traffic and the protection rules matching those falsely flagged traffic. Adjustments to the protection policy are then made to disable the rules that generated the false positives. This approach requires significant time and manpower and is inefficient.

[0067] Based on this, this application proposes a method and apparatus for adjusting network protection strategies. Taking into account the randomness and variability of network attacks, and the regularity and uniformity of regular access, the method automatically acquires and analyzes alarm logs generated by the firewall for multiple abnormal data (or abnormal traffic) from the same source within a certain period. The similarity between the multiple logs determines whether the multiple abnormal traffic streams are false alarms. Higher similarity indicates a higher false alarm rate. If a false alarm is detected, the appropriate protection rules for the multiple abnormal data streams can be determined, thereby adjusting the network protection strategy to reduce the false alarm rate. Compared to traditional methods of identifying false alarms, which require significant manual labor and time, this application's solution automates both false alarm identification and protection strategy adjustment, saving labor costs and improving the efficiency of false alarm identification and strategy adjustment.

[0068] To facilitate understanding of the solution presented in this application, the system architecture to which this solution applies will first be described. See [link to relevant documentation]. Figure 1 This is a schematic diagram of a system architecture provided in an embodiment of this application, including a client, a protection engine, and an analysis engine. The protection engine, also known as a firewall, is used to determine whether data from the client is abnormal based on pre-configured network protection policies. Specifically, the network protection policies configured in the protection engine include multiple protection rules, each including at least one feature field. The protection engine determines whether the received data is abnormal based on whether it includes the feature field. The protection engine also determines the attack type of data based on the protection rules matching the data when it determines that a certain data is abnormal, and then generates an interception log or alarm log corresponding to that data.

[0069] Figure 1The system includes an analysis engine that periodically retrieves intercepted abnormal data and alarm logs generated for each abnormal data point from the protection engine. The analysis engine aggregates the acquired abnormal data based on its source, extracts multiple abnormal data points belonging to the same source, and determines whether these extracted abnormal data points are false alarms based on their transmission time and the content of the corresponding alarm logs. If a false alarm is determined, the analysis engine also instructs the protection engine to adjust its network protection strategy. It should be noted that... Figure 1 As an example only, this application does not limit the number of analysis engines, protection engines, and clients.

[0070] Below, in conjunction with Figure 1 The system shown provides a detailed description of the solution in this application. See also... Figure 2 This is a flowchart illustrating a method for adjusting a network protection strategy according to an embodiment of this application. Exemplarily, this method can be executed by a web application server, or by a specific processor, processing chip, or processing module within the web application server. For example, this method can be executed by… Figure 1 The system shown includes an analysis engine for execution. The following explanation uses the analysis engine as the primary execution mechanism. Figure 2 The method flow shown specifically includes:

[0071] 201, retrieves multiple alarm logs generated by the web application server's protection engine for the first client within a set time period.

[0072] Each alarm log is generated by the protection engine after intercepting an abnormal data entry from the first client. The alarm log includes fields such as the corresponding abnormal data, the source of the abnormal data (e.g., source IP address, UA), destination IP address, HOST, the timestamp of generation, the alarm type of the abnormal data, and the payload.

[0073] Optionally, the analysis engine can obtain all alarm logs generated by the protection engine within a set time period. These alarm logs include those for abnormal data sent by multiple clients. The analysis engine can aggregate alarm logs from different sources, that is, identify alarm logs belonging to the same client from all the alarm logs. For example, the analysis engine can aggregate alarm logs belonging to the same source using the source IP address and User Agent (UA) as a basis (or primary key). Thus, the analysis engine can identify alarm logs from all the alarm logs that include those with the source IP being the IP address of the first client and the UA being the UA of the first client. It should be noted that the first client in this application refers to any one of multiple clients sending data to the Web application server, and is not a specific client.

[0074] 202. Determine the false alarm rate of multiple abnormal data based on the similarity of the contents of multiple alarm logs.

[0075] The higher the similarity between multiple alarm log entries, the higher the false positive rate for the corresponding anomaly data. Higher similarity indicates a greater regularity and uniformity among the anomaly data, thus leading to a higher false positive rate. There is a positive correlation between false positive rate and similarity.

[0076] Optionally, one or more of the alarm type, URI, and description text can be extracted from each alarm log, and the false alarm rate can be determined based on the similarity of the extracted content. For example, when there are a large number of alarm logs with the same alarm type, the false alarm rate can be determined to be high. Or, when the semantic similarity of the description texts of multiple alarm logs is high, the false alarm rate can be determined to be high. Of course, in the scheme of this application, the information used to determine the false alarm rate can be more than just the above three items. For example, it can also include the destination IP address in the alarm log. The more alarm logs with the same destination IP address, the higher the corresponding false alarm rate.

[0077] 203. When the false alarm rate exceeds the set threshold, adjust the network protection strategy based on the protection rules matched by multiple abnormal data.

[0078] Among them, the protection rule that is successfully matched is the protection rule that incorrectly identifies the data from the first client as abnormal data. In other words, the protection rule that is successfully matched is the protection rule used by the protection engine when it intercepts multiple abnormal data from the first client.

[0079] Optionally, when adjusting the analysis engine's protection policy based on the successfully matched protection rules, a network protection policy adjustment instruction can be sent to the protection engine. The network protection policy adjustment instruction is used to instruct the protection engine to stop using the successfully matched protection rules.

[0080] Based on the above scheme, this application, leveraging the randomness and variability of malicious attack data and the uniformity and regularity of normal data, analyzes alarm logs generated from multiple abnormal data points originating from the same client. By assessing the similarity of these alarm logs, it determines whether the multiple abnormal data points match the characteristics of malicious attack data, thereby identifying whether they are false alarms. If determined to be false alarms, network protection strategies can be adjusted promptly to reduce the false alarm rate. Compared to traditional methods of reducing false alarm rates through professional analysis, this application's solution effectively saves labor costs and time.

[0081] In some scenarios, when determining whether multiple abnormal data entries intercepted from a first client are false alarms, the analysis engine can also consider whether the sending time of these abnormal data entries conforms to a periodic characteristic. Since periodic data is generally generated by users regularly accessing the web application server, while malicious attack data is not sent periodically, this application proposes using periodicity as a feature for judging false alarms. For example, after obtaining the alarm logs generated by the analysis engine for multiple abnormal data entries from the first client, the analysis engine can determine the generation time of each alarm log based on the timestamp information carried in the alarm logs, and thus determine the periodic characteristic value of the alarm logs based on their generation time. Specifically, when the periodic characteristic value is the first value, it indicates that the multiple alarm logs are generated periodically; conversely, when the periodic characteristic value is the second value, it indicates that the multiple alarm logs are not generated periodically.

[0082] Furthermore, when calculating the false positive rate, the analysis engine can determine the false positive rate of multiple abnormal data based on the similarity of alarm logs and the periodic feature value. With the similarity remaining constant, the false positive rate corresponding to the first periodic feature value is greater than the false positive rate corresponding to the second periodic feature value. As an optional approach, when calculating the false positive rate of multiple abnormal data based on the similarity of multiple alarm log contents and the periodic feature value, the analysis engine can obtain pre-configured weights corresponding to the similarity and the periodic feature value, and use the weighted sum of the similarity and periodic feature values ​​as the false positive rate of the multiple abnormal data.

[0083] In one possible implementation, the analysis engine can determine the similarity of multiple alert log contents by determining one or more of the similarity of attack types, URIs, and descriptive texts included in the multiple alert logs. For ease of description, the following example uses a combination of attack type, URI, and descriptive text to determine the similarity. Alternatively, the analysis engine can calculate the alert type ratio based on the number of alert types involved in the multiple alert logs, calculate the URI duplication ratio based on the length of the longest common substring (LCS) in the URIs included in the alert logs, and determine semantic similarity based on the distance between the statement vectors corresponding to the descriptive text in the alert logs. Thus, the similarity of the multiple alert log contents can be determined jointly based on the alert type ratio, URI duplication ratio, and semantic similarity. Optionally, corresponding weights can be configured for each parameter, and the weighted sum of the alert type ratio, URI duplication ratio, and semantic similarity can be used as the similarity of the multiple alert log contents. The following details the process of calculating the alert type ratio, URI duplication ratio, and semantic similarity.

[0084] Example 1: Calculating URI duplication ratio.

[0085] For example, the longest URI can be first determined from the URIs included in multiple alarm logs as the base URI. Further, the LCS (Limited Cross Section) between each of the remaining URIs and the base URI can be obtained, and the length of each LCS can be determined. Further still, the similarity between each URI and the base URI can be determined based on the length of each LCS. Thus, the URI duplication ratio can be determined based on the similarity between each URI and the base URI. As an example, the similarity between each URI and the base URI can be calculated using the following formula (1).

[0086]

[0087] Where, URI sim LCS is the similarity ratio between the i-th URI and the base URI. i Length is the length of the LCS between the i-th URI and the base URI, where Length is the length of the base URI.

[0088] When determining the URI duplication ratio based on the similarity between each URI and the base URI, the following formula (2) can be used to calculate the URI duplication ratio.

[0089]

[0090] Among them, Rep uri is the URI duplication ratio, N is the total number of URIs, and m is the number of URIs whose similarity to the baseline URI exceeds a preset similarity threshold.

[0091] It's important to know that the higher the URI duplication rate, the higher the false alarm rate for the abnormal data corresponding to multiple alarm logs.

[0092] Example 2: Calculate the ratio of alarm types.

[0093] Based on the characteristics of diverse attack types in malicious attack data and relatively simple attack types triggered by normal data, the attack type ratio is calculated by examining the number of attack types involved in multiple abnormal data sets, thereby determining whether multiple abnormal data sets are misjudged. For example, the attack type ratio of multiple abnormal data sets can be calculated using the following formula (3):

[0094]

[0095] In formula (3), Rate blackThis represents the attack type ratio across multiple anomaly data points, where N is the number of anomaly data points and m is the number of attack types involved in the anomaly data points. It can be seen that the attack type ratio ranges from 0 to 1; a higher value indicates a higher false positive rate across multiple anomaly data points.

[0096] Example 3: Calculating semantic similarity.

[0097] For example, the descriptive text included in each alarm log can first be converted into statement vectors. For instance, the TF-IDF algorithm can be used to convert the descriptive text into statement vectors. Further, the cosine distance between any two statement vectors can be calculated, and this cosine distance can be used as the semantic similarity between the two descriptive texts. Further still, the average of the calculated semantic similarities can be used to determine the semantic similarity between multiple descriptive texts. For example, the semantic similarity of the descriptive texts of multiple alarm logs can be calculated using the following formula (4):

[0098]

[0099] In formula (4), sim represents the semantic similarity of the text describing multiple alarm logs, n represents the number of alarm logs, and s represents the number of alarm logs. i,j Let be the semantic similarity between the description text of the i-th alarm log and the description text of the j-th alarm log.

[0100] A higher semantic similarity indicates a greater degree of similarity in the descriptive text of multiple alarm logs, and a higher false alarm rate for the corresponding multiple abnormal data.

[0101] In some embodiments, after determining the alarm type ratio, URI duplication ratio, and semantic similarity of the description text, the periodic feature values ​​of multiple alarm logs can be combined to jointly determine whether multiple abnormal data are false alarms. As one possible implementation, pre-set weights corresponding to the URI duplication ratio, attack type ratio, semantic similarity of the description text, and periodic feature values ​​can be obtained, and the weighted sum of the URI duplication ratio, attack type ratio, semantic similarity of the description text, and periodic feature values ​​can be used as the comprehensive false alarm score for multiple abnormal data. When the comprehensive false alarm score is higher than a set threshold, multiple abnormal data are determined to be false alarms. For example, the comprehensive false alarm score can be determined using the following formula (5).

[0102] score = c t *Rep uri +c s *Rate black +c q *T per +c p *sim; Formula (5)

[0103] Where, score is the overall false positive score, Rep uri c represents the URI repetition rate. t Rate is the weight corresponding to the URI duplication rate. black c represents the ratio of attack types across multiple abnormal data sets. s T represents the weights corresponding to the number of attack types. per c is a periodic eigenvalue. q Here, is the weight corresponding to the periodic feature value, sim represents the semantic similarity of the text describing multiple alarm logs, and c... p Weights are assigned to the semantic similarity of the text descriptions for multiple alarm logs.

[0104] The following description, in order to further understand the solution of this application, is provided in conjunction with specific embodiments. See also... Figure 3 This is a flowchart illustrating a method for adjusting a network protection strategy provided in this application. This method can be executed by an analysis engine and specifically includes:

[0105] 301, retrieves the alarm logs generated by the protection engine for intercepted abnormal data within a set time period.

[0106] The intercepted abnormal data can come from multiple clients.

[0107] 302, Identify alarm logs generated from multiple abnormal data from the first client from the acquired alarm logs.

[0108] The first client can be any one of the multiple clients.

[0109] 303, determine the URI duplication rate of multiple alarm logs based on the URIs included in multiple alarm logs.

[0110] The specific process for determining the URI duplication ratio can be found in Example 1 above, and will not be repeated here.

[0111] 304. Based on the attack types included in multiple alarm logs, determine the alarm type category ratio.

[0112] The specific process for determining the alarm type ratio can be found in Example 2 above, and will not be repeated here.

[0113] 305. Determine the semantic similarity of the description texts based on the description texts included in multiple alarm logs.

[0114] For details on the process of determining semantic similarity, please refer to Example 3 above, which will not be repeated here.

[0115] 306. Determine the periodic characteristic value of multiple alarm logs based on the timestamps included in the multiple alarm logs.

[0116] 307. The false alarm score for multiple abnormal data is determined based on the URI duplication ratio, attack type ratio, semantic similarity ratio of description text, and periodic feature value.

[0117] The process of calculating the false alarm composite score can be found in formula (5) above.

[0118] 308. When the overall false alarm score is higher than the set threshold, identify the target protection rule that matches multiple abnormal data and instruct the protection module to disable the target protection rule.

[0119] Based on the same concept as the method described above, see [link to relevant documentation]. Figure 4 This application provides a network protection strategy adjustment device 400. The device 400 is used to implement the various steps included in the above method embodiments; to avoid repetition, these steps will not be described again here. The device 400 includes: an acquisition unit 401 and a processing unit 402.

[0120] The acquisition unit 401 is used to acquire multiple alarm logs generated by the firewall for the first client within a set time period; wherein each alarm log is generated by the firewall after intercepting an abnormal data from the first client;

[0121] Processing unit 402 is configured to execute:

[0122] The false alarm rate of multiple abnormal data from the first client is determined based on the similarity of the contents of the multiple alarm logs; wherein, the similarity is positively correlated with the false alarm rate.

[0123] When the false alarm rate exceeds a set threshold, the network protection strategy is adjusted according to the protection rules that match the multiple abnormal data.

[0124] In some embodiments, the processing unit 402 is further configured to:

[0125] The periodic characteristic value of the multiple alarm logs is determined based on their generation time; the first value of the periodic characteristic value indicates that the multiple alarm logs are generated periodically, and the second value of the periodic characteristic value indicates that the multiple alarm logs are not generated periodically.

[0126] The processing unit 402, when determining the false alarm rate of multiple abnormal data from the first client based on the similarity of the contents of the multiple alarm logs, is specifically used for:

[0127] The false alarm rate is determined based on the similarity and the periodic feature value; wherein the false alarm rate corresponding to the periodic feature value being a first value is greater than the false alarm rate corresponding to the periodic feature value being a second value.

[0128] In some embodiments, the processing unit 402 is specifically used for:

[0129] Extract the alarm types included in each alarm log and determine the number of alarm types involved in the multiple alarm logs;

[0130] The similarity of the contents of the multiple alarm logs is determined based on the quantity; wherein the quantity is negatively correlated with the similarity.

[0131] In some embodiments, the processing unit 402 is specifically used for:

[0132] Extract the Uniform Resource Identifier (URI) included in each alarm log, and determine the base URI from the extracted multiple URIs; the base URI is the longest URI among the multiple URIs.

[0133] Calculate the length of the longest common substring (LCS) between each extracted URI and the baseline URI, and determine the number of LCSs whose length is greater than the length threshold;

[0134] The similarity of the contents of the multiple alarm logs is determined based on the quantity; wherein the quantity is positively correlated with the similarity.

[0135] In some embodiments, the processing unit 402 is specifically used for:

[0136] Extract the descriptive text included in each alarm log and determine the statement vector corresponding to each descriptive text;

[0137] The similarity of the contents of the multiple alarm logs is determined based on the distance between multiple statement vectors; wherein the distance is positively correlated with the similarity.

[0138] In some embodiments, the acquisition unit 401 is specifically used for:

[0139] Obtain the alarm logs generated by the firewall within the specified time period;

[0140] The alarm logs obtained were identified as containing alarms whose source IP address was the IP address of the first client and whose user agent UA was the UA of the first client.

[0141] In some embodiments, the processing unit 402 is specifically used for:

[0142] Stop using the protection rules included in the network protection rules that match the multiple abnormal data.

[0143] Figure 5A schematic diagram of the structure of an electronic device 500 provided in an embodiment of this application is shown. The electronic device 500 in this embodiment may further include a communication interface 503, such as a network port, through which the electronic device can transmit data.

[0144] In this embodiment, the memory 502 stores instructions that can be executed by at least one controller 501. By executing the instructions stored in the memory 502, the at least one controller 501 can perform various steps in the above-described method. For example, the controller 501 can implement the above-described... Figure 4 The functions of the acquisition unit 401 and the processing unit 402 in the process.

[0145] The controller 501 is the control center of the electronic device, capable of connecting various parts of the device via various interfaces and lines. It executes instructions stored in the memory 502 and retrieves data stored in the memory 502. Optionally, the controller 501 may include one or more processing units. The controller 501 may integrate an application controller and a modem controller. The application controller primarily handles the operating system and applications, while the modem controller primarily handles wireless communication. It is understood that the modem controller may not be integrated into the controller 501. In some embodiments, the controller 501 and the memory 502 may be implemented on the same chip; in other embodiments, they may be implemented on separate chips.

[0146] Controller 501 can be a general-purpose controller, such as a central processing unit (CPU), digital signal controller, application-specific integrated circuit, field-programmable gate array or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, capable of implementing or executing the methods, steps, and logic block diagrams disclosed in the embodiments of this application. The general-purpose controller can be a microcontroller or any conventional controller. The steps performed by the data statistics platform disclosed in the embodiments of this application can be directly executed by the hardware controller, or executed by a combination of hardware and software modules within the controller.

[0147] Memory 502, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. Memory 502 may include at least one type of storage medium, such as flash memory, hard disk, multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic storage, magnetic disk, optical disk, etc. Memory 502 can be any other medium capable of carrying or storing desired program code in the form of instructions or data structures that can be accessed by a computer, but is not limited thereto. In the embodiments of this application, memory 502 can also be a circuit or any other device capable of implementing storage functions for storing program instructions and / or data.

[0148] By designing and programming the controller 501, for example, the code corresponding to the method described in the foregoing embodiment can be embedded into the chip, so that the chip can execute the steps of the foregoing method when running. How to design and program the controller 501 is a well-known technique to those skilled in the art, and will not be described in detail here.

[0149] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0150] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to this application. It should be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a controller of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions, which execute via the controller of the computer or other programmable data processing device, generate instructions for implementing the flowchart illustrations. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0151] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0152] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0153] Although preferred embodiments of this application have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of this application.

[0154] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.

Claims

1. A method for adjusting a network protection strategy, characterized in that, The network protection strategy includes multiple protection rules, and the method includes: Obtain multiple alarm logs generated by the firewall for the first client within a set time period; wherein each alarm log is generated by the firewall after intercepting an abnormal data from the first client, and the multiple alarm logs are alarm logs whose source IP address is the IP address of the first client and whose user agent UA is the UA of the first client; The periodic characteristic value of the multiple alarm logs is determined based on their generation time; the first value of the periodic characteristic value indicates that the multiple alarm logs are generated periodically, and the second value of the periodic characteristic value indicates that the multiple alarm logs are not generated periodically. The false alarm rate of multiple abnormal data from the first client is determined based on the similarity of the contents of the multiple alarm logs; wherein, the similarity is positively correlated with the false alarm rate. When the false alarm rate exceeds a set threshold, the network protection strategy is adjusted according to the protection rules that match the multiple abnormal data. The step of determining the false alarm rate of multiple abnormal data from the first client based on the similarity of the contents of the multiple alarm logs specifically includes: The false alarm rate is determined based on the similarity and the periodic feature value; wherein the false alarm rate corresponding to the periodic feature value being a first value is greater than the false alarm rate corresponding to the periodic feature value being a second value.

2. The method according to claim 1, characterized in that, Determining the similarity of the contents of the multiple alarm logs includes: Extract the alarm types included in each alarm log and determine the number of alarm types involved in the multiple alarm logs; The similarity of the contents of the multiple alarm logs is determined based on the quantity; wherein the quantity is negatively correlated with the similarity.

3. The method according to claim 1, characterized in that, Determining the similarity of the contents of the multiple alarm logs includes: Extract the Uniform Resource Identifier (URI) included in each alarm log, and determine the base URI from the extracted multiple URIs; the base URI is the longest URI among the multiple URIs. Calculate the length of the longest common substring (LCS) between each extracted URI and the baseline URI, and determine the number of LCSs whose length is greater than the length threshold; The similarity of the contents of the multiple alarm logs is determined based on the quantity; wherein the quantity is positively correlated with the similarity.

4. The method according to claim 1, characterized in that, Determining the similarity of the contents of the multiple alarm logs includes: Extract the descriptive text included in each alarm log and determine the statement vector corresponding to each descriptive text; The similarity of the contents of the multiple alarm logs is determined based on the distance between multiple statement vectors; wherein the distance and the similarity are positively correlated.

5. The method according to claim 1, characterized in that, The acquisition of multiple alarm logs generated by the firewall for the first client within a set time period includes: Obtain the alarm logs generated by the firewall within the specified time period; The alarm logs obtained were identified as containing the source IP address of the first client and the user agent UA of the first client.

6. The method according to claim 1, characterized in that, Adjusting the network protection strategy according to the protection rules matching the multiple abnormal data, including: Stop using the protection rules included in the protection rules that match the multiple abnormal data.

7. A device for adjusting a network protection strategy, characterized in that, The network protection strategy includes multiple protection rules, and the device includes: The acquisition unit is used to acquire multiple alarm logs generated by the firewall for the first client within a set time period; wherein each alarm log is generated by the firewall after intercepting an abnormal data from the first client, and the multiple alarm logs are alarm logs whose source IP address is the IP address of the first client and whose user agent UA is the UA of the first client; The processing unit is configured to execute: The periodic characteristic value of the multiple alarm logs is determined based on their generation time; the first value of the periodic characteristic value indicates that the multiple alarm logs are generated periodically, and the second value of the periodic characteristic value indicates that the multiple alarm logs are not generated periodically. The false alarm rate of multiple abnormal data from the first client is determined based on the similarity of the contents of the multiple alarm logs; wherein, the similarity is positively correlated with the false alarm rate. When the false alarm rate exceeds a set threshold, the network protection strategy is adjusted according to the protection rules that match the multiple abnormal data. The processing unit, when determining the false alarm rate of multiple abnormal data from the first client based on the similarity of the contents of the multiple alarm logs, is specifically used for: The false alarm rate is determined based on the similarity and the periodic feature value; wherein the false alarm rate corresponding to the periodic feature value being a first value is greater than the false alarm rate corresponding to the periodic feature value being a second value.

8. The apparatus according to claim 7, characterized in that, The processing unit is specifically used for: Extract the alarm types included in each alarm log and determine the number of alarm types involved in the multiple alarm logs; The similarity of the contents of the multiple alarm logs is determined based on the quantity; wherein the quantity is negatively correlated with the similarity.

9. The apparatus according to claim 7, characterized in that, The processing unit is specifically used for: Extract the Uniform Resource Identifier (URI) included in each alarm log, and determine the base URI from the extracted multiple URIs; the base URI is the longest URI among the multiple URIs. Calculate the length of the longest common substring (LCS) between each extracted URI and the baseline URI, and determine the number of LCSs whose length is greater than the length threshold; The similarity of the contents of the multiple alarm logs is determined based on the quantity; wherein the quantity is positively correlated with the similarity.

10. The apparatus according to claim 7, characterized in that, The processing unit is specifically used for: Extract the descriptive text included in each alarm log and determine the statement vector corresponding to each descriptive text; The similarity of the contents of the multiple alarm logs is determined based on the distance between multiple statement vectors; wherein the distance and the similarity are positively correlated.

11. The apparatus according to claim 7, characterized in that, The acquisition unit is specifically used for: Obtain the alarm logs generated by the firewall within the specified time period; The alarm logs obtained were identified as containing the source IP address of the first client and the user agent UA of the first client.

12. The apparatus according to claim 7, characterized in that, The processing unit is specifically used for: Stop using the protection rules included in the protection rules that match the multiple abnormal data.

13. An electronic device, characterized in that, include: Memory and controller; Memory, used to store program instructions; A controller is configured to invoke program instructions stored in the memory and execute the method of any one of claims 1-6 according to the obtained program instructions.

14. A computer storage medium storing computer-executable instructions, characterized in that, The computer-executable instructions are used to perform the method as described in any one of claims 1-6.