A network security alarm data research and judgment method, electronic equipment, storage medium and program product

By constructing a knowledge base of expert experience rules and large model technology, combined with RAG technology, we have achieved automated and intelligent analysis of network security alarm data, solving the problem of high false alarm rate and improving the accuracy and efficiency of analysis.

CN120639447BActive Publication Date: 2026-07-03BEIJING TOPSEC NETWORK SECURITY TECH +2

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BEIJING TOPSEC NETWORK SECURITY TECH
Filing Date
2025-07-11
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing network security systems have a high false alarm rate, with real attacks being overwhelmed by a massive number of false alarms, making it difficult for security operations personnel to analyze and respond to them.

Method used

A knowledge base based on expert experience rules is constructed. By combining large models and RAG technology, real-time alarm data is acquired and matched with the knowledge base. The judgment model is then used to achieve automated and intelligent alarm data judgment.

Benefits of technology

It improves the accuracy and efficiency of network security alarm data analysis, enabling quick and accurate determination of the nature of alarm data, reducing false alarm rates, and improving security operation efficiency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN120639447B_ABST
    Figure CN120639447B_ABST
Patent Text Reader

Abstract

The embodiment of the application provides a network security alarm data research and judgment method, an electronic device, a storage medium and a program product. The method comprises the following steps: acquiring real-time alarm data and a pre-stored knowledge base. The knowledge base comprises expert experience rules. The expert experience rules are used to determine whether the alarm data is data generated by a real attack or data generated by a non-real attack. A target expert experience rule corresponding to the real-time alarm data is determined from the knowledge base. The real-time alarm data and the target expert experience rule are input into a research and judgment model to obtain a research and judgment result for the real-time alarm data. The research and judgment result is used to indicate whether the real-time alarm data is data generated by a real attack or data generated by a non-real attack. The expert experience rules are used to provide guidance for research and judgment. The research and judgment model is combined to realize automatic and intelligent analysis, thereby improving the efficiency and accuracy of research and judgment.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network security, specifically to a method for analyzing network security alarm data, electronic devices, storage media, and program products. Background Technology

[0002] As cybersecurity infrastructure development progresses, an increasing number of devices and tools are being deployed for security detection and protection in enterprise security operations. While firewalls, traffic probes, and security analysis tools provide enhanced network security capabilities, they also generate a large number of false alarms. Due to the time differences between the attack and defense ends and the timeliness of detection rules, false alarms are unavoidable. These false alarms introduce significant complexity to security operations, as real attacks are often buried under a sea of ​​false alarms, creating a substantial workload and considerable difficulty for security operations personnel in analyzing and responding to threats. Summary of the Invention

[0003] The purpose of this application is to provide a method, electronic device, storage medium, and program product for network security alarm data analysis, so as to achieve the technical effect of improving the accuracy and efficiency of analysis.

[0004] The first aspect of this application provides a method for analyzing network security alarm data, the method comprising:

[0005] Acquire real-time alarm data and a pre-stored knowledge base, the knowledge base including expert experience rules, the expert experience rules being used to determine whether the alarm data is generated by a real attack or by a non-real attack;

[0006] The target expert experience rules corresponding to the real-time alarm data are determined from the knowledge base;

[0007] The real-time alarm data and the target expert experience rules are input into the judgment model to obtain the judgment result for the real-time alarm data. The judgment result is used to indicate whether the real-time alarm data is generated by a real attack or by a non-real attack.

[0008] In the above implementation process, real-time alarm data and a knowledge base containing expert experience rules are acquired to determine the corresponding target rules. Then, an analysis model is used to determine whether the alarm data represents a real attack. A complete analysis process is constructed, utilizing expert experience rules to guide the analysis and combining them with the analysis model to achieve automated and intelligent analysis. This enables rapid and accurate determination of the nature of network security alarm data, improving the efficiency and accuracy of the analysis.

[0009] Furthermore, the expert experience rules include structured language rules and / or unstructured knowledge. The structured language rules include non-real attack rules and real attack rules defined from the dimensions of network security domain, attack characteristics, and asset attributes. The unstructured knowledge includes security analysis reports, threat intelligence documents, and historical assessment records.

[0010] In the aforementioned implementation process, expert experience rules include structured language rules and unstructured knowledge. The structured language rules define rules for both real and non-real attacks from multiple dimensions, while the unstructured knowledge covers various security-related documents. This comprehensive rule structure enriches the knowledge base, enabling expert experience rules to describe cybersecurity characteristics from different angles and levels. This enhances the rules' coverage of various cybersecurity situations, thereby improving the comprehensiveness and accuracy of cybersecurity alert data analysis.

[0011] Furthermore, the expert experience rules are stored in the knowledge base in vector form; before acquiring real-time alarm data and the pre-stored knowledge base, the following steps are also included:

[0012] The initial expert experience rules are vectorized to obtain the knowledge base composed of the vectorized expert experience rules.

[0013] In the above implementation process, the vectorization of rules facilitates efficient similarity calculation and data understanding analysis by computers, enabling them to quickly and accurately match the target expert experience rules corresponding to the real-time alarm data from the knowledge base.

[0014] Furthermore, the expert experience rules include multiple rules; the step of determining the target expert experience rule corresponding to the real-time alarm data from the knowledge base includes:

[0015] The real-time alarm data is vectorized to obtain vectorized real-time alarm data.

[0016] Calculate the similarity between the vectorized real-time alarm data and each of the expert experience rules, and determine the expert experience rules whose similarity meets the preset requirements as the target expert experience rules.

[0017] In the above implementation process, by vectorizing the real-time alarm data and calculating its similarity with each expert experience rule in the knowledge base to determine the target rule, the judgment of real-time alarm data can be made by leveraging the computer's ability to efficiently process vector data, and quickly and accurately filter out matching rules from the many rules in the knowledge base.

[0018] Further, the step of inputting the real-time alarm data and the target expert experience rules into the judgment model to obtain the judgment result for the real-time alarm data includes:

[0019] The real-time alarm data and the target expert experience rule are input into the judgment model. If the similarity between the vectorized real-time alarm data and the target expert experience rule exceeds a first threshold, the judgment conclusion in the target expert experience rule is determined as the judgment result.

[0020] If the similarity between the vectorized real-time alarm data and the target expert experience rule is lower than the first threshold, the confidence level of the judgment result is determined based on the real-time alarm data.

[0021] In the above implementation process, when the similarity exceeds the threshold, the judgment conclusion of the target expert experience rules is directly adopted, leveraging the reliability of expert experience to quickly and accurately provide results. When the similarity does not exceed the threshold, the data analysis and processing capabilities of the large model are used to provide the judgment result and confidence level, ensuring that a judgment can be made even in complex or unknown situations, and reflecting the credibility of the result through the confidence level.

[0022] Furthermore, the real-time alarm data includes attacker identifier, victim identifier, alarm type, and attack characteristics.

[0023] In the above implementation process, it is clear that real-time alarm data includes attacker identifier, victim identifier, alarm type, and attack characteristics, providing comprehensive and detailed basic information for analysis.

[0024] Furthermore, the method also includes:

[0025] If it is determined that there is no target expert experience rule corresponding to the real-time alarm data in the knowledge base, the knowledge base is adjusted to obtain an updated knowledge base, and the process returns to the step of determining the target expert experience rule corresponding to the real-time alarm data from the knowledge base.

[0026] In the above implementation process, the knowledge base is decoupled from the large model. When there are no corresponding expert experience rules in the knowledge base, the limitation of the knowledge base being fixed and unchanging is overcome by adjusting the knowledge base, so that the model can adapt to the ever-changing network security environment and ensure the model's ability to analyze various alarm data.

[0027] A second aspect of this application provides an electronic device, the electronic device comprising:

[0028] processor;

[0029] Memory used to store processor-executable instructions;

[0030] Wherein, when the processor invokes the executable instructions, it implements any of the methods described in the first aspect.

[0031] A third aspect of this application provides a computer-readable storage medium having computer instructions stored thereon, which, when executed by a processor, implement the steps of any of the methods described in the first aspect.

[0032] A fourth aspect of this application provides a computer program product, the computer program product including a computer program, which, when executed by a processor, implements any of the methods described in the first aspect. Attached Figure Description

[0033] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments of this application will be briefly introduced below. It should be understood that the following drawings only show some embodiments of this application and should not be regarded as a limitation of the scope. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.

[0034] Figure 1 A schematic diagram of an overall process provided for an embodiment of this application;

[0035] Figure 2 A flowchart illustrating a network security alarm data analysis method provided in this application embodiment;

[0036] Figure 3 This is a structural block diagram of an electronic device provided in an embodiment of this application. Detailed Implementation

[0037] The technical solutions in the embodiments of this application will now be described with reference to the accompanying drawings.

[0038] It should be noted that similar reference numerals and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures. Furthermore, in the description of this application, terms such as "first," "second," etc., are used only to distinguish descriptions and should not be construed as indicating or implying relative importance.

[0039] Among related technologies, large-scale model technology has some application in alarm analysis and noise reduction. However, due to the limitations of general-purpose large-scale models in terms of security capabilities, the noise reduction effect cannot be improved quickly and effectively. Many noise reduction strategies and experiences often exist in the manual operation experience of security service personnel and cannot be quickly applied in conjunction with the capabilities of large-scale model technology.

[0040] To this end, this application proposes a method for network security alarm data analysis. Starting from expert experience, it combines large models and RAG technology to build a process for alarm noise reduction processing. This process can quickly apply the expert experience of security service personnel and can be freely adjusted to improve the efficiency of alarm analysis and security operations.

[0041] Retrieval-augmented Generation (RAG) is one of the large-scale modeling techniques. RAG models combine language modeling and information retrieval techniques. Specifically, when the model needs to generate text or answer questions, it first retrieves relevant information from a large collection of documents, and then uses this retrieved information to guide text generation, thereby improving the quality and accuracy of predictions.

[0042] Based on large models and RAG technology, an intelligent agent can be designed to analyze alarms. This agent can automatically draw conclusions such as attack success or false alarm based on the input alarm context and the accumulated experience and knowledge of business experts such as security service providers (e.g., experience and knowledge provided by security service providers → "Scanning attacks from security domain A are all false alarms"). For example, the general analysis process is as follows:

[0043] (1) Input: Extract key information from alarms + analysis rule knowledge base;

[0044] (2) Business processing: Based on the above input, the prompt words are combined with the LLM (i.e., large language model) to give the judgment result;

[0045] (3) Output conclusion: Real attack / False alarm / Requires manual review.

[0046] In the specific implementation, the detailed analysis steps are as follows:

[0047] 1. Collect and store expert experience in a knowledge base:

[0048] Intelligent alerting analysis based on a rule base built on expert experience relies on the core idea of ​​automating conclusions through rule matching and contextual analysis. Its advantages include rules derived from expert experience, making them easy to understand and verify; rapid deployment without complex model training; and dynamic updates to quickly adapt to evolving threats. Implementation steps include:

[0049] The rules originate from two sources: structured language rules, such as existing expert rules (e.g., "The scan of security domain A is a false positive"), and unstructured knowledge, such as security analysis reports, threat intelligence documents, and historical assessment records. As an example, structured language rules are shown in Table 1 below:

[0050] Table 1

[0051]

[0052] The rules compiled by business experts can be vectorized using text embedding models such as bge-small-zh and stored in a vector database (such as milvus), which is the knowledge base.

[0053] 2. Alarm Context Extraction. Key information is extracted from raw alarm data (i.e., alarm log data) and correlated with external data (such as threat intelligence and assets) as context. Extracted key information includes the attacking IP, the attacked IP, the alarm type, attack characteristics and response content, attack stage, and time. Correlated external data includes attacker information from threat intelligence data and security domains and asset types from asset data, collectively forming the alarm's context information. For example: "Event Description: At 21:49:25 on February 24, 2025, the system detected a brute-force attack from public IP 9.7.20.28. This behavior may be an attacker cracking the system login password. Source IP: 9.7.20.28, security domain A. Destination IP: 192.168.23.5, from the DT security domain in Haidian District, Beijing. Kill chain stage: reconnaissance and tracking. Time of occurrence: from 21:49:25 on February 24, 2025 to 22:02:31 on February 24, 2025."

[0054] 3. Knowledge retrieval and large-scale model applications:

[0055] See Figure 1 , Figure 1 This is a schematic diagram of an overall process provided for an embodiment of this application. Based on a large model, the alarm context is used as input for knowledge retrieval, and the best-matching expert experience is used as the output judgment conclusion.

[0056] The prompt can be designed as shown in Table 2 below:

[0057] Table 2

[0058]

[0059] Through the above processing steps and analysis by the large model, the system will output a flag indicating whether the alarm is a confirmed attack or a false alarm, and provide corresponding expert experience rule information.

[0060] In summary, the system builds a knowledge base based on expert experience (by embedding or adding expert experience into the knowledge base), performs analysis based on large model technology, extracts results based on prompts, and provides clear judgment conclusions. It can automate the judgment process, effectively improving the efficiency of judgment. In addition, it can quickly accumulate and apply expert experience, and is easy to adjust or configure according to the actual project situation or on-site network environment, and can quickly produce judgment results.

[0061] Therefore, this application provides a method for analyzing network security alarm data. It applies the expert analysis experience of security service personnel to the alarm analysis and noise reduction process, minimizing reliance on adjustments based on the on-site environment and prioritizing pre-configuration to improve analysis effectiveness and efficiency. (Refer to...) Figure 2 , Figure 2 This is a flowchart illustrating a network security alarm data analysis method provided in an embodiment of this application.

[0062] In this embodiment, the method includes:

[0063] Step S10: Obtain real-time alarm data and a pre-stored knowledge base, wherein the knowledge base includes expert experience rules, and the expert experience rules are used to determine whether the alarm data is generated by a real attack or by a non-real attack.

[0064] It should be noted that this embodiment can be applied to the process of network security alarm analysis.

[0065] Real-time alert data refers to data generated in real time by various security monitoring devices (such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS)) during the operation of a network system, indicating potential security threats or anomalies. For example, if a firewall detects that an external IP address has initiated a large number of connection requests to multiple ports of an internal server within a short period of time, it will generate an alert, which may include information such as the attacking IP, the attacked IP, the attack time, and the attacking port.

[0066] A pre-built knowledge base refers to a database that stores knowledge related to the analysis of network security alerts. The knowledge base includes expert experience rules, which are rules developed by network security experts based on practical experience and research into various attack patterns and abnormal behaviors. These rules serve as the logic for determining whether alert data indicates a real attack or a non-real attack.

[0067] Step S20: Determine the target expert experience rule corresponding to the real-time alarm data from the knowledge base;

[0068] Understandably, the target expert experience rule refers to the expert experience rule in the pre-stored knowledge base that best matches the currently acquired real-time alarm data and is applicable to the analysis and judgment of the real-time alarm data.

[0069] For example, the characteristics of real-time alert data (such as attack type, attack source, attack frequency, etc.) are compared and filtered against the applicability conditions of expert experience rules in the knowledge base. For instance, if the real-time alert data shows characteristics of an SQL injection attack, then expert experience rules specifically targeting SQL injection attack judgment are identified from the knowledge base as the target expert experience rules.

[0070] Suppose a knowledge base contains an expert rule that states, "When a large number of requests containing special characters (such as single quotes, semicolons, etc.) are detected within a short period of time for specific parameters of a web application, it is determined that an SQL injection attack may exist." If real-time alert data shows that a web server received a large number of parameter requests containing special characters within a short period of time, then this rule is the corresponding target expert rule.

[0071] Step S30: Input the real-time alarm data and the target expert experience rules into the judgment model to obtain the judgment result for the real-time alarm data. The judgment result is used to indicate whether the real-time alarm data is generated by a real attack or by a non-real attack.

[0072] It should be noted that the analysis model can be a large language model (LLM).

[0073] Real attack: This means that the situation reflected in the real-time alert data is a real security threat.

[0074] Non-real attack: This indicates that the real-time alarm data may be generated due to system false alarms, misjudgments caused by normal business operations, or other reasons, and is not an actual security attack. For example, a data packet retransmission caused by network congestion may be mistakenly identified as an attack by security devices, resulting in an alarm.

[0075] In this embodiment, by acquiring real-time alarm data and a knowledge base containing expert experience rules, corresponding target rules are determined, and then a judgment model is used to determine whether the alarm data represents a real attack. A complete judgment process based on RAG technology is constructed. On the one hand, expert experience rules provide guidance for the judgment, and combined with the judgment model, automated and intelligent analysis is achieved, which can quickly and accurately determine the nature of network security alarm data, improving the efficiency and accuracy of the judgment. On the other hand, this process retrieves relevant rule information from a large document set (i.e., a knowledge base composed of expert experience rules), and uses this retrieved rule information to guide text generation, improving the effect of large model technology in alarm judgment noise reduction.

[0076] Based on any of the above embodiments, the expert experience rules include structured language rules and / or unstructured knowledge. The structured language rules include non-real attack rules and real attack rules defined from the dimensions of network security domain, attack characteristics, and asset attributes. The unstructured knowledge includes security analysis reports, threat intelligence documents, and historical assessment records.

[0077] It should be noted that structured language rules are rules organized and expressed in a structured manner, with a clear format and logical structure. Structured language rules define rules for both real and non-real attacks from multiple dimensions, including network security domains, attack characteristics, and asset attributes.

[0078] As an example, structured language rules use structured statements like "If (the network security domain is an internal network) and (the attack characteristics are normal business traffic patterns) and (the asset attributes are ordinary office terminals), then it is determined to be a non-real attack."

[0079] It should be understood that network security domain dimension: A network security domain is a logical area divided according to factors such as network security requirements and business functions. Different domains have different security policies and access control requirements.

[0080] As an example, the non-real attack rule is: if the alarm data indicates that the source and target of the attack are in the same internal security domain, and normal communication is allowed between devices in that domain, and there are no other abnormal characteristics, it can be determined as a non-real attack.

[0081] Real Attack Rule: When an alert indicates that traffic from an untrusted external network security domain is attempting to access critical assets in the internal core security domain, and this access does not comply with the preset security policy, it is determined to be a real attack.

[0082] It should be understood that attack signature dimension: attack signature refers to the unique patterns, behaviors, or data characteristics exhibited by attack behavior, such as specific protocol anomalies, packet content patterns, etc.

[0083] As an example, the non-real attack rule states that if the attack characteristics in the alert are normal scanning behavior generated by common network scanning tools (such as port scanning frequency within a reasonable range and no subsequent malicious operations), it can be determined as a non-real attack.

[0084] Real attack rules: When an alert detects an attack with characteristics of malware propagation, such as specific exploit code or malicious file transfer patterns, it is determined to be a real attack.

[0085] It should be understood that the asset attribute dimension is a characteristic description of various assets in the network (such as servers, terminal devices, data, etc.), which may include the importance of the asset, its purpose, operating system type, etc.

[0086] As an example, the non-real attack rule states that if an alert targets an abandoned and no longer used asset, and there are no other related abnormal activities, it can be determined as a non-real attack.

[0087] Real Attack Rule: When an alarm involves a core server of a critical business system, and the server's asset attributes show that it stores sensitive data, and the attack characteristics indicate an attempt to steal data, it is determined to be a real attack.

[0088] Understandably, unstructured knowledge refers to knowledge information that lacks a predefined data model or fixed format. Unstructured knowledge includes security analysis reports, threat intelligence documents, and historical assessment records, which contain a wealth of cybersecurity experience and case information.

[0089] Unstructured knowledge is used to supplement and expand structured language rules. By analyzing this unstructured knowledge, we can discover potential attack patterns, emerging threat trends, and judgment experience in special situations, thereby further improving the accuracy and comprehensiveness of the judgment.

[0090] Security Analysis Report: A report written by cybersecurity experts after in-depth analysis of specific cybersecurity incidents, system vulnerabilities, attack trends, etc. It may include incident background, attack process analysis, impact assessment, and recommended countermeasures.

[0091] Specifically, a security analysis report details a new type of ransomware attack, including its propagation methods, infection characteristics, and encryption algorithms. When similar alert data appears, the information in this report can be consulted to determine whether it is this new type of ransomware attack.

[0092] Threat intelligence documents are collections of information about potential or existing cyber threats, including threat sources, targets, attack methods, and malware samples. Threat intelligence documents can come from various sources, such as security vendors, open-source communities, and government agencies.

[0093] Specifically, if a threat intelligence document indicates that a hacker group is conducting targeted attacks against companies in a specific industry, using specific attack tools and techniques, then when a company's network security system detects alerts matching these characteristics, it can analyze the threat intelligence document to determine whether the attack is indeed carried out by that hacker group.

[0094] Historical analysis records: Information recorded after analyzing past network security alarm data, including the basic information of the alarm, the analysis process, and the analysis results.

[0095] Historical analysis records can serve as a database of experience, providing a reference for new alarm analysis.

[0096] Specifically, when handling a similar historical alarm, the analysis log at the time indicated that the alarm was a false alarm caused by a system configuration error, and the specific details of the configuration error and its solution were recorded. When a similar alarm occurs again, the historical analysis log can be consulted to quickly determine whether it is the same configuration problem, thus improving analysis efficiency.

[0097] In this embodiment, the expert experience rules include structured language rules and unstructured knowledge. The structured language rules define rules for both real and non-real attacks from multiple dimensions, while the unstructured knowledge covers various security-related documents. This comprehensive rule structure enriches the knowledge base, enabling expert experience rules to describe network security characteristics from different angles and levels. This enhances the rules' coverage of various network security situations, thereby improving the comprehensiveness and accuracy of network security alert data analysis.

[0098] Based on any of the above embodiments, the expert experience rules are stored in the knowledge base in vector form; before acquiring real-time alarm data and the pre-stored knowledge base, the method further includes:

[0099] The initial expert experience rules are vectorized to obtain the knowledge base composed of the vectorized expert experience rules.

[0100] It should be noted that the initial expert experience rules are those that have not undergone vectorization, including structured language rules and unstructured knowledge. These rules exist in the form of natural language text, which is difficult for computers to understand and process directly.

[0101] Transforming expert experience rules into vector form enables computers to process and analyze these rules more efficiently, facilitating mathematical operations and similarity comparisons, thereby quickly determining the degree of matching between real-time alarm data and expert experience rules.

[0102] Specifically, the initial expert experience rules can be vectorized using a text embedding model to obtain the knowledge base composed of the vectorized expert experience rules.

[0103] Text embedding models are machine learning models that map text data to a low-dimensional vector space. They capture semantic information in text, mapping texts with similar semantics to similar positions in the vector space. Text embedding models can be Word2Vec, GloVe, BERT, and their variants (such as the bge-small-zh model, a smaller version of the BAAI General Embedding series designed specifically for Chinese semantic vector representation, characterized by high accuracy and efficiency, suitable for Chinese retrieval, classification, and clustering tasks, and supporting fast inference on CPUs and NPUs; combined with frameworks like LangChain, bge-small-zh can be used to build knowledge bases, supporting sparse retrieval and multi-vector retrieval, without the high cost of training large-scale vertical models). Text embedding models learn vector representations of words or sentences in text by training on large-scale text corpora.

[0104] Understandably, converting initial expert experience rules (whether structured rule text or unstructured knowledge text) into vector form allows these rules to be represented and computed in a vector space.

[0105] For example, regarding structured language rules: although structured language rules have certain formats and logic, they are essentially still text descriptions. The text embedding model takes the entire rule as input and, through its internal encoding mechanism, converts each word or phrase into a vector. These vectors are then combined to obtain the vector representation of the entire rule. For instance, for the rule "If (the network security domain is an internal network) and (the attack characteristics are normal business traffic patterns) and (the asset attribute is a regular office terminal), then it is determined to be a non-real attack," the model analyzes the keywords and semantic relationships to generate corresponding vectors.

[0106] For unstructured knowledge, such as security analysis reports and threat intelligence documents, text embedding models can perform preprocessing operations such as word segmentation and word vector initialization. Then, they can use a multi-layer neural network structure (such as the Transformer architecture) to perform deep encoding on the text, extract semantic features, and finally generate a fixed-dimensional vector to represent the entire document or report. For example, for a security analysis report, the model will analyze the event descriptions, attack method analyses, impact assessments, etc., and convert them into vectors.

[0107] It should be understood that a knowledge base is a database that stores vectorized expert rules of experience. This knowledge base can be updated and maintained as needed, such as adding new expert rules of experience or deleting outdated rules.

[0108] Vectorized rules can better capture semantic information, making the judgment process more accurate.

[0109] In this embodiment, the vectorization of rules facilitates efficient similarity calculation and data understanding analysis by the computer, enabling it to quickly and accurately match the target expert experience rules corresponding to the real-time alarm data from the knowledge base.

[0110] Based on any of the above embodiments, the expert experience rules include multiple rules; determining the target expert experience rule corresponding to the real-time alarm data from the knowledge base includes:

[0111] The real-time alarm data is vectorized to obtain vectorized real-time alarm data.

[0112] Calculate the similarity between the vectorized real-time alarm data and each of the expert experience rules, and determine the expert experience rules whose similarity meets the preset requirements as the target expert experience rules.

[0113] It's important to note that cybersecurity scenarios are complex and diverse, and different attack types, system environments, and business scenarios require different judgment rules. Multiple expert-established rules can cover a wider range of cybersecurity situations, improving the accuracy and comprehensiveness of analysis of various real-time alert data. For example, different rules are needed for accurate judgment of different types of network attacks (such as DDoS attacks, SQL injection attacks, Trojan infections, etc.) and assets of varying importance (such as core servers, ordinary terminal devices, etc.).

[0114] Since the expert rules in the knowledge base are stored in vector form, the real-time alarm data also needs to be converted into vector form in order to perform similarity calculations with these rules. Vectorized real-time alarm data can be mathematically operated on and compared with the expert rule vectors in vector space to determine their similarity. The reason for converting both expert rules and real-time alarm data into vector form for similarity calculation is that similarity calculation can take into account the semantic relationship between the two, rather than just surface-level text matching, thereby improving matching accuracy.

[0115] For example, if the real-time alarm data contains natural language descriptions (such as textual descriptions of attack types, event descriptions, etc.), text preprocessing is required first, which may include operations such as word segmentation, stop word removal, and stemming. For instance, for the description "a possible SQL injection attack was detected" in the alarm data, word segmentation may yield words such as "detected," "possibly," "of," "SQL," "injection," and "attack." After removing the stop words "of" and "possibly," the key information "a possible SQL injection attack was detected" is retained.

[0116] Furthermore, features can be extracted from the processed text or directly from the structured information of the alarm data. For structured information, such as event occurrence time, source IP, and target port, these can be directly used as features; for text information, the text can be converted into a numerical feature vector.

[0117] Understandably, by calculating similarity, the degree of matching between real-time alarm data and each expert rule can be quantified. The higher the similarity, the more the real-time alarm data matches the rule, and the more likely the rule is to be applied for analysis.

[0118] Optionally, the preset requirement can be a pre-defined second threshold, which is lower than the first threshold. For example, if the similarity threshold is 0.8, then the rule is only identified as the target expert experience rule when the similarity between the real-time alarm data and a certain expert experience rule is greater than or equal to 0.8.

[0119] In this embodiment, by vectorizing the real-time alarm data and calculating its similarity to each expert experience rule in the knowledge base, the target rule is determined. This enables the analysis of real-time alarm data to leverage the computer's ability to efficiently process vector data, quickly and accurately selecting matching rules from the numerous rules in the knowledge base.

[0120] Based on any of the above embodiments, the step of inputting the real-time alarm data and the target expert experience rules into the judgment model to obtain the judgment result for the real-time alarm data includes:

[0121] The real-time alarm data and the target expert experience rule are input into the judgment model. If the similarity between the vectorized real-time alarm data and the target expert experience rule exceeds a first threshold, the judgment conclusion in the target expert experience rule is determined as the judgment result.

[0122] If the similarity between the vectorized real-time alarm data and the target expert experience rule is lower than the first threshold, the confidence level of the judgment result is determined based on the real-time alarm data.

[0123] It should be noted that the first threshold can be determined according to the actual situation. For example, the first threshold can be 0.9.

[0124] In practical implementation, if the target expert experience rule is clearly matched (i.e., the similarity between the alarm data and the target expert experience rule exceeds the first threshold), the model can directly output a conclusion (the conclusion can be a real attack, a false alarm, or require manual verification). This conclusion is extracted from the target expert experience rule. If the identified target expert experience rule includes multiple rules that conflict with each other, or if the identified target expert experience rule is ambiguous and does not point to a clear judgment conclusion, the model needs to analyze the context of the alarm data and provide a confidence level (e.g., "80% likely to be a false alarm"). In addition to the judgment result and confidence level, the model output can also include a brief explanation of the judgment.

[0125] In this embodiment, when the similarity exceeds the threshold, the judgment conclusion based on the expert's experience rules is directly adopted, leveraging the reliability of expert experience to provide a quick and accurate result. When the similarity does not exceed the threshold, the data analysis and processing capabilities of the large model are utilized to provide the judgment result and confidence level, ensuring that a judgment can be made even in complex or unknown situations, and reflecting the credibility of the result through the confidence level.

[0126] Based on any of the above embodiments, the real-time alarm data includes attacker identifier, victim identifier, alarm type, and attack characteristics.

[0127] It's important to note that an attacker's identifier is information used to uniquely identify the entity that launched the cyberattack. The purpose of determining the attacker's identifier is to accurately trace and locate the source of the attack. The attacker's identifier can refer to the attacker's IP address. By analyzing information such as the geographical location and network to which this IP address belongs, a preliminary assessment of the possible source and nature of the attack can be made.

[0128] Victim Identifier: Information used to uniquely identify an entity that has suffered a cyberattack. It helps determine the target of the attack, thereby assessing the extent of the attack's impact on systems and operations. The victim identifier can refer to the victim's IP address.

[0129] Alert type: A classification description of network security incidents, used to summarize the nature and characteristics of an attack. Different alert types correspond to different types of network security threats. Alert types may include, but are not limited to: Intrusion Detection Alarms: When a Network Intrusion Detection System (IDS) or Host Intrusion Detection System (HIDS) detects abnormal network activity or host behavior, an intrusion detection alarm will be triggered. For example, detecting port scanning, buffer overflow attacks, or other such behaviors will generate corresponding intrusion detection alarms. Exploitation alerts: Security systems issue exploit alerts when attackers exploit known vulnerabilities in a system or application. For example, an exploit alert is generated when an attack request targeting an unpatched vulnerability in a web application is detected. Malware alerts: Security software will issue a malware alert when it detects malware (such as viruses, Trojans, worms, etc.) in the system. For example, antivirus software will trigger a malware alert when it finds suspicious malicious code while scanning system files.

[0130] Attack characteristics: Information describing the specific features and patterns of attack behavior, providing a more detailed reflection of the attack methods and means. Attack characteristics may include, but are not limited to: Packet characteristics include the source port, destination port, protocol type, packet size, and packet content pattern. For example, some DDoS attacks send a large number of UDP packets with specific source and destination ports; analyzing these packet characteristics can help identify DDoS attacks. Behavioral characteristics: such as the attacker's operation sequence, access frequency, access time, etc. For example, when hackers are conducting password cracking attacks, they may frequently try different username and password combinations. By analyzing this frequent attempt behavior, password cracking attacks can be detected. File characteristics: If the attack involves the spread of malicious files, file characteristics can include the file's hash value, file size, file type, code snippets within the file, etc. For example, by calculating the file's hash value and comparing it with a database of known malicious file hash values, it is possible to quickly determine whether a file is malicious.

[0131] In a specific implementation, the real-time alarm data includes attacker identifier, victim identifier, alarm type, attack characteristics, attack response content, attack stage, alarm time, attacker information in threat intelligence data, security domain of the level to which the asset data belongs, and asset type.

[0132] In this embodiment, the real-time alarm data is explicitly defined to include attacker identifier, victim identifier, alarm type, and attack characteristics, providing comprehensive and detailed basic information for analysis.

[0133] Based on any of the above embodiments, the method further includes:

[0134] If it is determined that there is no target expert experience rule corresponding to the real-time alarm data in the knowledge base, the knowledge base is adjusted to obtain an updated knowledge base, and the process returns to the step of determining the target expert experience rule corresponding to the real-time alarm data from the knowledge base.

[0135] It should be noted that the actual network environment, business systems, and security requirements vary greatly across different sites. A fixed knowledge base is difficult to adapt to various unique environments, and continuous adjustment and optimization based on the actual site conditions are necessary to improve the comprehensiveness of the knowledge base. New business launches, system upgrades, and changes in the security threat landscape may all lead to changes in the rules, and the knowledge base also needs continuous optimization to keep up with these dynamic changes.

[0136] When it is determined that there are no target expert experience rules in the current knowledge base, it indicates that the rules in the current knowledge base cannot cover the network security situation represented by the real-time alarm data. Therefore, the knowledge base needs to be further adjusted to enhance its analytical capabilities.

[0137] Optionally, the knowledge base can be adjusted by adding new rules. For example, new expert experience rules can be obtained from multiple sources, such as security researchers' analysis reports on new types of attacks, threat intelligence sharing within the industry, and experience accumulated from historical assessments that has not yet been included in the knowledge base.

[0138] After acquiring new expert experience rules, they need to be vectorized and stored in the knowledge base to expand the knowledge base, so that they can be represented and computed in the same vector space as the existing rule vectors in the knowledge base.

[0139] Optionally, the knowledge base can be adjusted by modifying existing rules. For example, if it is found that there are cases where expert experience rules that meet the preset requirements cannot be determined from the knowledge base, or if the determined target expert experience rules are found to be inaccurate or incomplete in the judgment process, it is necessary to modify the existing rules in the knowledge base. For instance, as the network environment changes, some attack characteristics change, and the original rules may not be able to accurately match the new attack situations. In this case, the structured language description or unstructured knowledge content of the rules can be modified according to the actual situation, then re-vectorized, and the corresponding rule vectors in the knowledge base can be updated.

[0140] Optionally, the knowledge base can be adjusted by deleting outdated existing rules. For example, over time, some cybersecurity threats may no longer exist or become less important, rendering the corresponding expert experience rules worthless. For instance, attack rules corresponding to vulnerabilities that have been widely patched no longer need to be retained in the knowledge base. In this case, these outdated rule vectors can be deleted from the knowledge base to reduce its size and improve retrieval and matching efficiency.

[0141] It should be understood that after the knowledge base is updated, the updated knowledge base is deployed. Alarm data is acquired in real time and analyzed using the updated knowledge base until a target expert rule corresponding to the alarm data is determined from the updated knowledge base. Otherwise, the knowledge base is updated again until the condition for termination of the loop is met (i.e., a target expert rule is determined from the updated knowledge base). This helps ensure that for any real-time alarm data, a suitable rule can eventually be found for accurate analysis by continuously adjusting the knowledge base. Optionally, real-time alarm data that previously could not match the target expert rule can also be re-analyzed, because the updated knowledge base may contain new or modified rules that can match the real-time alarm data.

[0142] In this embodiment, the knowledge base is decoupled from the large model. When there are no corresponding expert experience rules in the knowledge base, the limitation of the knowledge base being fixed and unchanging is overcome by adjusting the knowledge base, so that the model can adapt to the ever-changing network security environment and ensure the model's ability to analyze various alarm data.

[0143] Based on the methods described in any of the above embodiments, this application also provides, as follows: Figure 3 The diagram shows the structure of an electronic device. Figure 3 At the hardware level, the electronic device includes a processor, an internal bus, a network interface, memory, and non-volatile memory, and may also include other hardware required for business operations. The processor reads the corresponding computer program from the non-volatile memory into memory and then runs it to implement the methods described in any of the above embodiments.

[0144] Based on the methods described in any of the above embodiments, this application also provides a computer storage medium storing a computer program, which, when executed by a processor, can be used to perform the methods described in any of the above embodiments.

[0145] Based on the methods described in any of the above embodiments, this application also provides a computer program product, which includes one or more computer programs or instructions. The computer program or instructions may be stored in a computer-readable storage medium or transferred from one computer-readable storage medium to another. When executed by a processor, the computer program implements the methods described in any of the above embodiments.

[0146] In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods can also be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions marked in the blocks may occur in a different order than those marked in the drawings. For example, two consecutive blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram and / or flowchart, and combinations of blocks in block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or action, or using a combination of dedicated hardware and computer instructions.

[0147] In addition, the functional modules in the various embodiments of this application can be integrated together to form an independent part, or each module can exist independently, or two or more modules can be integrated to form an independent part.

[0148] If the aforementioned functions are implemented as software functional modules and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0149] The above description is merely an embodiment of this application and is not intended to limit the scope of protection of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application. It should be noted that similar reference numerals and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures.

[0150] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

[0151] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

Claims

1. A method for analyzing network security alarm data, characterized in that, The method includes: The system acquires real-time alarm data and a pre-stored knowledge base, which includes expert experience rules. These expert experience rules are used to determine whether the alarm data is generated by a real attack or by a non-real attack. The expert experience rules include structured language rules defined from the dimensions of network security domain, attack characteristics, and asset attributes. The real-time alarm data is vectorized to obtain vectorized real-time alarm data. Calculate the similarity between the vectorized real-time alarm data and each of the expert experience rules in the knowledge base, and determine the expert experience rules whose similarity meets the preset requirements as the target expert experience rules corresponding to the real-time alarm data; The real-time alarm data and the target expert experience rule are input into the judgment model to obtain the judgment result for the real-time alarm data, including: if the similarity between the vectorized real-time alarm data and the target expert experience rule exceeds a first threshold, the judgment conclusion in the target expert experience rule is determined as the judgment result for the real-time alarm data; if the similarity between the vectorized real-time alarm data and the target expert experience rule is lower than the first threshold, the judgment result and the confidence level of the judgment result are generated by the judgment model based on the real-time alarm data and the target expert experience rule. The judgment result is used to indicate whether the real-time alarm data is generated by a real attack or by a non-real attack.

2. The method according to claim 1, characterized in that, The expert experience rules also include unstructured knowledge, which includes security analysis reports, threat intelligence documents, and historical assessment records.

3. The method according to claim 1 or 2, characterized in that, The expert experience rules are stored in the knowledge base in vector form; Before acquiring real-time alarm data and the pre-stored knowledge base, the following is also included: The initial expert experience rules are vectorized to obtain the knowledge base composed of the vectorized expert experience rules.

4. The method according to claim 1, characterized in that, The real-time alarm data includes attacker identifier, victim identifier, alarm type, and attack characteristics.

5. The method according to claim 1, characterized in that, The method further includes: If it is determined that there is no target expert experience rule corresponding to the real-time alarm data in the knowledge base, the knowledge base is adjusted to obtain an updated knowledge base, and the process returns to the step of determining the target expert experience rule corresponding to the real-time alarm data from the knowledge base.

6. An electronic device, characterized in that, The electronic device includes: processor; Memory used to store processor-executable instructions; Wherein, when the processor invokes the executable instructions, it implements the method according to any one of claims 1-5.

7. A computer-readable storage medium, characterized in that, It stores computer instructions that, when executed by a processor, implement the steps of any of the methods described in claims 1-5.

8. A computer program product, characterized in that, The computer program product includes a computer program that, when executed by a processor, implements the method described in any one of claims 1-5.