Safety risk early warning method based on three-dimensional visualization

By constructing a three-dimensional visualization-based security risk early warning method, the problem of insufficient standardization and uniformity of log data is solved. It realizes standardized quantitative constraints and unified spatial verification of key behavioral data, improves the overall protection capability of the system, and can effectively identify hidden risk behaviors.

CN122160200APending Publication Date: 2026-06-05TIANJIN ANHUAYI TECH DEV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
TIANJIN ANHUAYI TECH DEV
Filing Date
2026-05-09
Publication Date
2026-06-05

Smart Images

  • Figure CN122160200A_ABST
    Figure CN122160200A_ABST
Patent Text Reader

Abstract

The application discloses a safety risk early warning method based on three-dimensional visualization and relates to the technical field of big data analysis, and comprises the following steps: obtaining three-dimensional correlation parameters of to-be-unified logs by using a format analysis method; obtaining a safety risk area in a three-dimensional risk coordinate system and dividing the safety risk area by using a risk division method; and sequentially executing a safety early warning method by using a safety risk area corresponding to each log, so that the method can solve the problems that, in the existing safety risk early warning method, there is no method for standardizing and quantifying various log data and uniformly checking space, key behavior data is scattered, independent and weakly correlated, an effective risk early warning system cannot be formed, and hidden risk behaviors are difficult to be identified.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of big data analytics, specifically to a security risk early warning method based on three-dimensional visualization. Background Technology

[0002] Security risk early warning is a mechanism that monitors and analyzes potential threat information to issue warnings in advance of possible security incidents, aiming to gain emergency response time and minimize losses. For example, in the financial sector, security risk early warning is a mechanism that systematically monitors and analyzes various financial risk indicators to issue warnings and take preventive measures before risks occur, aiming to ensure the sound operation of financial institutions and the safety of public funds.

[0003] Existing methods for security risk early warning typically rely on real-time monitoring, anomaly detection, and deep analysis to identify and prevent cyber threats such as phishing attacks and malware, thereby achieving security risk early warning through automated response and dynamic access control. While this approach effectively reduces data leaks and the exploitation of security vulnerabilities, it lacks methods for standardizing and quantifying various types of log data, as well as for unified spatial verification. This results in key behavioral data such as source IPs and operation names being scattered, independent, and weakly correlated, failing to form an effective and interconnected risk early warning system. Consequently, it can easily lead to difficulties in identifying hidden risk behaviors such as abnormal access and high-risk logins from different locations, thus reducing the overall protection capability of the system. For example, patent application CN117955712A discloses a communication information based on big data. This paper proposes a method and system for early warning and control of information security risks. This solution utilizes streaming data processing technology and complex event processing systems to achieve real-time monitoring of communication networks, in-depth analysis of communication data, quantification and rating of potential security threats, and thus effectively reduces the exploitation of security vulnerabilities and data leakage incidents through automated response mechanisms and dynamic access control policies. Other methods for security risk early warning typically focus on improvements in data encryption. However, they lack methods for standardizing and quantifying various types of log data and for unified spatial verification, resulting in scattered and weakly correlated key behavioral data such as source IPs and operation names. This makes it difficult to form an effective and interconnected risk early warning system, leading to problems such as difficulty in identifying hidden risks like abnormal access and high-risk logins from different locations. Therefore, it is necessary to improve existing security risk early warning methods. Summary of the Invention

[0004] This invention aims to at least partially solve one of the technical problems in the prior art. By proposing a security risk warning method based on three-dimensional visualization, it addresses the lack of standardized quantitative constraints and unified spatial verification methods for various types of log data in existing security risk warning methods. This results in key behavioral data such as source IP and operation name being scattered, independent, and weakly correlated, making it impossible to form an effective and interconnected risk warning system. Consequently, it is easy to make it difficult to identify hidden risk behaviors such as abnormal access and high-risk logins from different locations.

[0005] To achieve the above objectives, this application provides a security risk early warning method based on three-dimensional visualization, comprising the following steps:

[0006] All logs existing in various devices are obtained and recorded as logs to be unified; each log to be unified is analyzed sequentially using a format analysis method, and the three-dimensional correlation parameters of each log to be unified are obtained based on the analysis results. The three-dimensional correlation parameters include the source name parameter area, the source time parameter area, and the name time parameter area.

[0007] A three-dimensional risk coordinate system is constructed, and based on the three-dimensional correlation parameters of each log to be unified, the security risk area of ​​each log to be unified is obtained in the three-dimensional risk coordinate system; the risk partitioning method is used to divide the areas adjacent to the security risk areas.

[0008] Based on the latest logs from various devices, security alert methods are executed sequentially for each log using the corresponding security risk zone.

[0009] Furthermore, obtaining all logs from various devices includes:

[0010] Acquire all devices requiring security risk warnings and mark them as warning-eligible devices; for any warning-eligible device, acquire all its log records and mark them as the unification logs to be unified; divide the unification logs into daily segments, and record the segmented unification logs sequentially as Daily Analysis Log DR1 to Daily Analysis Log DR2. t Where t is the total number of days that the unified logs of the early warning devices are to be recorded;

[0011] Obtain the unified logs of all devices that can provide early warning, and obtain all daily analysis logs corresponding to each unified log.

[0012] Furthermore, format analysis methods include:

[0013] For any single-day analysis log (DR) of any log to be unified x : Get Daily Analysis Log (DR) xRecord all source IPs, and denote the internal network IPs within each source IP as internal network address ND1 to internal network address ND2. n Record the external IP addresses in all source IPs as external IP addresses WD1 to WD1 respectively. w ;

[0014] Retrieve the names of all accessed devices or servers in the logs to be unified, and sort them alphabetically by the first letter of the name, labeling all names as Access Name FM1 to Access Name FM. f .

[0015] Furthermore, format analysis methods also include:

[0016] For any given internal network address, DR in the daily analysis log. x The access name corresponding to the device or server accessed in the network is recorded as the single-day access device of the access name, and the time when the single-day access device is accessed by the internal network address is recorded as the single-day access time corresponding to the internal network address.

[0017] Obtain the daily access time corresponding to all internal network addresses in the daily analysis log, and based on the analysis method of internal network addresses, obtain the daily access time corresponding to all external network addresses.

[0018] Furthermore, format analysis methods also include:

[0019] Establish a Cartesian coordinate system, denoted as the source name coordinate system. The X-axis of the source name coordinate system is a constant axis, and the f coordinate points on the Y-axis from the origin upwards are sequentially labeled as access name FM1 to access name FM. f ;

[0020] The string of characters obtained by arranging the first three segments of the internal network address and the external network address in order is recorded as the identifier characters of the internal network address and the external network address.

[0021] For any internal network address, use the identifier character of the internal network address as the horizontal axis and the number of devices accessing the internal network address on a single day as the vertical axis to mark points in the source name coordinate system. Record all the marks obtained from all devices accessing the internal network address on a single day as the source name points of the internal network address. Obtain the source name points of all internal network addresses and record the curve obtained by fitting all the source name points of all internal network addresses in the same source name coordinate system as the internal network source name curve.

[0022] Based on the analysis of internal network addresses, the source name points corresponding to all external network addresses are obtained, and the curve obtained by fitting all source name points of all external network addresses in the same source name coordinate system is denoted as the external network source name curve; the region between the internal network source name curve and the external network source name curve in the source name coordinate system is denoted as the source name feature region.

[0023] Furthermore, format analysis methods also include:

[0024] Establish a Cartesian coordinate system and denote it as the source time coordinate system. The X-axis of the source time coordinate system is a constant axis, and the unit of the Y-axis is h. For any internal network address, use the identifier character of the internal network address as the x-axis and the daily access time of the internal network address as the y-axis. Mark the points in the source time coordinate system and record all the marks obtained based on the daily access time of the internal network address as the source time points of the internal network address.

[0025] Obtain the source time points of all internal network addresses, and denot the curve obtained by fitting all source time points of all internal network addresses in the same source time coordinate system as the internal network source time curve;

[0026] The method of obtaining the external network source name curve and source name feature region in the source name coordinate system based on the internal network source name curve, and obtaining the external network source time curve and source time feature region corresponding to the internal network source time curve in the source time coordinate system based on the internal network source time curve.

[0027] Furthermore, format analysis methods also include:

[0028] Establish a Cartesian coordinate system, denoted as the time-space coordinate system, where the unit of the X-axis is h, and the f coordinate points on the Y-axis from the origin upwards are sequentially labeled as access name FM1 to access name FM. f ;

[0029] For any intranet address or any single-day access time of any extranet address, mark the single-day access time as the horizontal axis and the single-day access device as the vertical axis in the name-time coordinate system, and record the marks corresponding to all intranet addresses as intranet name-time points, and record the marks corresponding to all extranet addresses as extranet name-time points.

[0030] The region between the curves obtained by fitting all internal network names at time points and the curves obtained by fitting all external network names at time points is denoted as the name-time feature region.

[0031] Obtain the source name feature region, source time feature region, and name-time feature region of all daily analysis logs to be unified; fit the source name feature region, source time feature region, and name-time feature region of all daily analysis logs in the source name coordinate system, source time coordinate system, and name-time coordinate system respectively, and record the obtained regions as the source name parameter region, source time parameter region, and name-time parameter region of the log to be unified.

[0032] Furthermore, a three-dimensional risk coordinate system is constructed, and based on the three-dimensional correlation parameters of each log to be unified, the security risk region of each log to be unified is obtained within the three-dimensional risk coordinate system, including:

[0033] Establish a three-dimensional rectangular coordinate system, denoted as the three-dimensional risk coordinate system. The X-axis of the three-dimensional risk coordinate system is a constant axis, the Y-axis is in units of h, and the f coordinate points on the Z-axis from the origin upwards are sequentially labeled as access name FM1 to access name FM. f ;

[0034] In the XY plane, XZ plane, and YZ plane of the three-dimensional risk coordinate system, place the source time parameter area, source name parameter area, and name time parameter area of ​​the log to be unified, respectively.

[0035] For any point P(X1, Y1, Z1) in the three-dimensional risk coordinate system, if (X1, Y1) ∈ source time parameter region, (X1, Z1) ∈ source name parameter region and (Y1, Z1) ∈ name time parameter region, point P is recorded as a safety protection point.

[0036] The region obtained by fitting all security protection points in the three-dimensional risk coordinate system is recorded as the security risk region to be unified in the log.

[0037] Furthermore, risk allocation methods include:

[0038] For any log to be unified, in the three-dimensional risk coordinate system corresponding to the log to be unified, a column is constructed by normal stretching of the source time parameter region, the source name parameter region, and the name time parameter region, and is denoted as the source time column, the source name column, and the name time column, respectively.

[0039] The region in the source time column that lies between the source time parameter region and the security risk region is designated as the name abnormal region. The region in the source name column that lies between the source name parameter region and the security risk region is designated as the time abnormal region. The region in the name time column that lies between the name time parameter region and the security risk region is designated as the source IP abnormal region.

[0040] Furthermore, safety early warning methods include:

[0041] For any warning device, logs that require security risk detection in the warning device are obtained in real time and recorded as real-time detection logs; for any record in the real-time detection logs, the daily access time, the device accessed on the day, and the internal or external network address are obtained based on the format analysis method.

[0042] Based on the recorded daily access time, daily access device, and internal or external network address, points are marked in the three-dimensional risk coordinate system of the real-time detection log and recorded as log risk points.

[0043] When a log risk point is within a security risk area, no risk warning is issued.

[0044] When the log risk point is in the abnormal name area, abnormal time area, or abnormal source IP area, send an access name abnormality warning, access time abnormality warning, or access IP abnormality warning.

[0045] When a log risk point is outside the security risk zone, name abnormal zone, time abnormal zone, and source IP abnormal zone, a new log risk warning will be sent.

[0046] The beneficial effects of this invention are as follows: This application first obtains all logs existing in various devices and records them as logs to be unified; it then uses a format analysis method to analyze each log to be unified in turn, and obtains the three-dimensional correlation parameters of each log based on the analysis results. The advantage of this is that by analyzing the data in the logs to be unified and obtaining the three-dimensional correlation parameters based on the analysis results, it is possible to analyze the key behavioral data in the logs that can be standardized and quantified, and obtain the correlation data of the key behavioral data when it is normally recorded. This allows for the construction of a security risk area for unified analysis of key behavioral data through the three-dimensional correlation parameters during subsequent analysis, thereby enabling unified risk warning of the data in the logs based on the security risk area.

[0047] This application also constructs a three-dimensional risk coordinate system and, based on the three-dimensional correlation parameters of each log to be unified, obtains the security risk area of ​​each log within the three-dimensional risk coordinate system; uses a risk partitioning method to divide the areas adjacent to the security risk area; finally, based on the latest logs from various devices, uses the security risk area corresponding to each log to sequentially execute a security warning method for each log. The advantage of this is that, by obtaining the security risk area and dividing the areas adjacent to the security risk area, when executing security warnings on logs, a risk warning system that effectively links key behavioral data can be constructed through the security risk area and its adjacent areas, so as to effectively identify hidden risk behaviors and improve the overall protection capability of the system. Attached Figure Description

[0048] Figure 1 This is a flowchart illustrating the steps of the method of the present invention;

[0049] Figure 2 This is a schematic diagram of the source name coordinate system of the present invention;

[0050] Figure 3 This is a schematic diagram of the three-dimensional risk coordinate system of the present invention;

[0051] Figure 4 This is a schematic diagram of the electronic device of the present invention. Detailed Implementation

[0052] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0053] Example 1, please refer to Figure 1 As shown, this application provides a security risk early warning method based on three-dimensional visualization, including the following steps:

[0054] Step S1: Obtain all logs existing in various devices and record them as logs to be unified; use the format analysis method to analyze each log to be unified in turn, and obtain the three-dimensional correlation parameters of each log to be unified based on the analysis results. The three-dimensional correlation parameters include the source name parameter area, the source time parameter area, and the name time parameter area.

[0055] Step S1 includes: Step S101, acquiring all devices that require security risk warning and recording them as warning-eligible devices; for any warning-eligible device, acquiring all log records of the warning-eligible device and recording them as the unified log of the warning-eligible device; dividing all records in the unified log of the device into daily logs, and recording the divided unified logs as daily analysis logs DR1 to DR2 in sequence. t Where t is the total number of days that the unified logs of the early warning devices are to be recorded;

[0056] In the specific implementation process, the length of the division period can be modified according to the actual data analysis capabilities and the total log recording time of the log to be unified. For example, when the number of log days recorded in the log to be unified is long, the division period can be set to a week or a month to divide all records in the log to be unified in order to improve the data analysis efficiency of the log to be unified.

[0057] Step S102: Obtain the unified logs of all devices that can be alerted, and obtain all daily analysis logs corresponding to each unified log.

[0058] Step S103, the format analysis method includes: Step S1031, for any single-day analysis log (DR) of any log to be unified. x : Get Daily Analysis Log (DR) x Record all source IPs, and denote the internal network IPs within each source IP as internal network address ND1 to internal network address ND2. n Record the external IP addresses in all source IPs as external IP addresses WD1 to WD1 respectively. w ;

[0059] In the data analysis of this embodiment, for example, during a single data analysis, a source IP in a daily analysis log is 192.168.1.35. Analysis reveals that 192.168.1.35 is an internal network IP, therefore it can be recorded as an internal network address. Furthermore, the device names accessed by 192.168.1.35 in the daily analysis log are "Financial Risk Control Audit Terminal" and "Backend Management System," with access times of 2023-07-15 08:23:16 and 2023-07-15 15:36:09 respectively. Subsequent analysis shows that both the "Financial Risk Control Audit Terminal" and the "Backend Management System" can be recorded as devices accessed by 192.168.1.35 on that day, and the access times of 2023-07-15 08:23:16 and 2023-07-15 can be recorded as access times. 15:36:09 are recorded as the daily access times for the financial risk control audit terminal and the back-end management system, respectively.

[0060] Step S1032: Obtain the names of all accessed devices or servers in the log to be unified, and sort them alphabetically by the first letter of the name, recording them as access name FM1 to access name FM. f .

[0061] The format analysis method also includes: step S1033, for any internal network address, DR the internal network address in the daily analysis log. x The access name corresponding to the device or server accessed in the network is recorded as the single-day access device of the access name, and the time when the single-day access device is accessed by the internal network address is recorded as the single-day access time corresponding to the internal network address.

[0062] Step S1034: Obtain the daily access time corresponding to all internal network addresses in the daily analysis log, and obtain the daily access time corresponding to all external network addresses based on the analysis method of internal network addresses.

[0063] The format analysis method also includes: step S1035, establishing a Cartesian coordinate system and denoting it as the source name coordinate system, wherein the X-axis of the source name coordinate system is a constant axis, and the f coordinate points from the origin upwards in the Y-axis are sequentially labeled as access name FM1 to access name FM. f ;

[0064] Step S1036: Arrange the numbers corresponding to the first three segments of the internal network address and the external network address in order to obtain a string of characters, which is recorded as the identifier characters of the internal network address and the external network address.

[0065] In the data analysis of this embodiment, for example, the source IP obtained in the above analysis is 192.168.1.35. By arranging the numbers corresponding to the first three segments of 192.168.1.35 from first to last, the resulting character is 1921681. Therefore, 1921681 can be recorded as the identifier character of the internal network address 192.168.1.35. By obtaining the identifier character, the source IP can be located, making it easier to filter out abnormal source IPs using the identifier character.

[0066] Step S1037: For any intranet address, mark points in the source name coordinate system with the identifier character of the intranet address as the horizontal axis and the number of devices accessing the intranet address on a single day as the vertical axis, and record all the marks obtained from all devices accessing the intranet address on a single day as the source name points of the intranet address; obtain the source name points of all intranet addresses, and record the curve obtained by fitting all the source name points of all intranet addresses in the same source name coordinate system as the intranet source name curve;

[0067] In the data analysis of this embodiment, for example, during a single data analysis, the source coordinate system obtained is as follows: Figure 2 As shown, by analyzing the daily access devices corresponding to the source IP 192.168.1.35 in the above-analyzed daily logs, the source name point corresponding to the source IP 192.168.1.35 is... Figure 2 Points YM1 and YM2 are included; similarly, by obtaining the source name points corresponding to all internal and external network addresses in the daily analysis log, the fitted internal network source name curve and external network source name curve are shown below. Figure 2 As shown by curves NY and WY, analysis reveals that the source name characteristic region is the region where region NW is located.

[0068] Step S1038: Based on the analysis method of the internal network address, obtain the source name points corresponding to all external network addresses, and record the curve obtained by fitting all source name points of all external network addresses in the same source name coordinate system as the external network source name curve; record the area between the internal network source name curve and the external network source name curve in the source name coordinate system as the source name feature area.

[0069] In the specific implementation process, by obtaining the source name feature region, the source IP and the devices accessed by the source IP in the daily analysis log can be uniformly associated. This ensures that the obtained source name feature region can visualize the source IP and the accessed devices in the daily analysis log. This facilitates the subsequent acquisition of the source time feature region and the name time feature region, and the construction of security risk regions. Through the security risk regions, the source IP, devices, and access time in the log can be visualized and analyzed, thus building a risk warning system that effectively links key behavioral data, so as to effectively identify hidden risk behaviors.

[0070] The format analysis method also includes: step S1039, establishing a Cartesian coordinate system and denoting it as the source time coordinate system, wherein the X-axis of the source time coordinate system is a constant axis and the unit of the Y-axis is h; for any intranet address, using the identifier character of the intranet address as the horizontal axis and the daily access time of the intranet address as the vertical axis, marking points in the source time coordinate system, and recording all the marking points obtained based on the daily access time of the intranet address as the source time point of the intranet address;

[0071] Step S1040: Obtain the source time points of all internal network addresses, and record the curve obtained by fitting all source time points of all internal network addresses in the same source time coordinate system as the internal network source time curve;

[0072] Step S1041: Based on the internal network source name curve, obtain the external network source name curve and source name feature region in the source name coordinate system; based on the internal network source time curve, obtain the external network source time curve and source time feature region corresponding to the internal network source time curve in the source time coordinate system.

[0073] The format analysis method also includes: step S1042, establishing a Cartesian coordinate system, denoted as the time coordinate system, wherein the unit of X in the time coordinate system is h, and the f coordinate points from the origin upwards in the Y-axis are sequentially labeled as access name FM1 to access name FM. f ;

[0074] Step S1043: For any intranet address or any single-day access time of any extranet address, mark the single-day access time as the horizontal axis and the single-day access device as the vertical axis in the name-time coordinate system, and record the marks corresponding to all intranet addresses as intranet name-time points, and record the marks corresponding to all extranet addresses as extranet name-time points.

[0075] Step S1044: The region between the curves obtained by fitting all internal network names at the time points and the curves obtained by fitting all external network names at the time points is denoted as the name time feature region.

[0076] In the data analysis of this embodiment, the acquisition of the source time feature region and the name time feature region is based on the same principle as the acquisition of the source name feature region. By fitting the source name feature region, source time feature region, and name time feature region of the daily analysis log, the obtained source name parameter region, source time parameter region, and name time parameter region can effectively reflect the relationship between the source IP and the access device of the source IP, the relationship between the access time of the source IP and the access device of the source IP in the log to be unified, and the relationship between the access device of the source IP and the access time of the source IP. This will enable the constructed security risk region to perform visual analysis of the source IP, device, and access time in subsequent analysis.

[0077] Step S1045: Obtain the source name feature region, source time feature region, and name-time feature region of all daily analysis logs to be unified; fit the source name feature region, source time feature region, and name-time feature region of all daily analysis logs in the source name coordinate system, source time coordinate system, and name-time coordinate system respectively, and record the obtained regions as the source name parameter region, source time parameter region, and name-time parameter region of the log to be unified respectively.

[0078] Step S2: Construct a three-dimensional risk coordinate system, and based on the three-dimensional association parameters of each log to be unified, obtain the security risk area of ​​each log to be unified within the three-dimensional risk coordinate system; use the risk partitioning method to partition the areas adjacent to the security risk areas.

[0079] Step S2 includes: Step S201, establishing a three-dimensional rectangular coordinate system, denoted as the three-dimensional risk coordinate system, wherein the X-axis of the three-dimensional risk coordinate system is a constant axis, the Y-axis is in units of h, and the f coordinate points from the origin upwards in the Z-axis are sequentially labeled as access name FM1 to access name FM. f ;

[0080] Step S202: Place the source time parameter area, source name parameter area, and name time parameter area of ​​the log to be unified in the XY plane, XZ plane, and YZ plane of the three-dimensional risk coordinate system, respectively.

[0081] Step S203: For any point P(X1, Y1, Z1) in the three-dimensional risk coordinate system, when (X1, Y1) ∈ source time parameter region, (X1, Z1) ∈ source name parameter region and (Y1, Z1) ∈ name time parameter region, point P is recorded as a safety protection point.

[0082] In the data analysis of this embodiment, for example, in a single data analysis, the constructed three-dimensional risk coordinate system is as follows: Figure 3 As shown, the obtained security risk areas are as follows: Figure 3 As shown in region AF; through the above analysis, it can be seen that there is an internal network address with source IP 192.168.1.35, and the access time of the device accessing the device on the same day is 08:23:16 on 2023-07-15. Therefore, there should be a point P (1921681, 08:23:16, financial risk control audit terminal) in region AF.

[0083] Step S204: The area obtained by fitting all security protection points in the three-dimensional risk coordinate system is recorded as the security risk area to be unified in the log.

[0084] Step S205, the risk classification method includes: Step S2051, for any log to be unified, in the three-dimensional risk coordinate system corresponding to the log to be unified, construct columns by normal stretching of the source time parameter region, the source name parameter region and the name time parameter region, respectively, and denoted as source time column, source name column and name time column respectively.

[0085] Step S2052: Record the area between the source time parameter area and the security risk area in the source time column as the name abnormal area, record the area between the source name parameter area and the security risk area in the source name column as the time abnormal area, and record the area between the name time parameter area and the security risk area in the name time column as the source IP abnormal area.

[0086] In the specific implementation process, if during subsequent analysis and security checks of the logs, after obtaining the log risk point in the three-dimensional risk coordinate system, the log risk point is located in the name anomaly area, it means that the source IP and the access time of the source IP in the access record corresponding to the log risk point are within the normal range. However, the name of the device or server accessed by the source IP at the access time is not in the database record, so there is an access anomaly for the device name, and an access name anomaly warning should be sent. On the other hand, if the log risk point is located in the security risk area, it means that the source IP, the access time of the source IP, and the name of the device or server accessed by the source IP at the access time are all in the database record, which is normal access and no risk warning is required.

[0087] Step S3: Based on the latest logs from various devices, use the security risk area corresponding to each log to execute the security warning method for each log in sequence;

[0088] The security early warning method includes: step S301, for any early warning device, real-time acquisition of logs in the early warning device that require security risk detection, and recording them as real-time detection logs; for any record in the real-time detection logs, the single-day access time, single-day access device, and internal or external network address in the record are obtained based on the format analysis method;

[0089] Step S302: Based on the recorded daily access time, daily access device, and intranet or extranet address, mark the points in the three-dimensional risk coordinate system of the real-time detection log and record them as log risk points.

[0090] Step S303: When the log risk point is within the security risk area, no risk warning is executed;

[0091] Step S304: When the log risk point is in the abnormal name area, abnormal time area, or abnormal source IP area, send an abnormal access name warning, abnormal access time warning, or abnormal access IP warning.

[0092] Step S305: When the log risk point is outside the security risk area, name abnormal area, time abnormal area and source IP abnormal area, send a new log risk warning.

[0093] Example 2, please refer to Figure 4 As shown, Figure 4 A schematic diagram of an electronic device is provided, which may include a processor, a communication interface, a memory, and a communication bus. The processor, communication interface, and memory communicate with each other via the communication bus. The memory stores computer-readable instructions, and the processor can call these instructions. When the processor executes a computer-readable instruction, it performs steps similar to those in a 3D visualization-based security risk warning method to achieve the following functions: First, all logs from various devices are acquired and recorded as logs to be unified; each log to be unified is analyzed sequentially using a format analysis method, and the 3D correlation parameters of each log are obtained based on the analysis results; then, a 3D risk coordinate system is constructed, and the security risk area of ​​each log to be unified is obtained within the 3D risk coordinate system based on the 3D correlation parameters; the adjacent areas of the security risk areas are divided using a risk partitioning method; finally, based on the latest acquired logs from various devices, the security warning method is executed sequentially for each log using its corresponding security risk area.

[0094] Furthermore, when the logical instructions in the aforementioned memory can be implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0095] Example 3: This application also provides a computer program product, which includes a computer program stored on a computer-readable storage medium. The computer program includes program instructions. When the program instructions are executed by a computer, the computer can execute the security risk warning method based on three-dimensional visualization provided by the above methods. The method includes: first, acquiring all logs existing in various types of devices and recording them as logs to be unified; analyzing each log to be unified sequentially using a format analysis method and acquiring the three-dimensional correlation parameters of each log to be unified based on the analysis results; then constructing a three-dimensional risk coordinate system and acquiring the security risk area of ​​each log to be unified within the three-dimensional risk coordinate system based on the three-dimensional correlation parameters of each log to be unified; dividing the adjacent areas of the security risk areas using a risk division method; and finally, based on the latest acquired logs in various types of devices, using the security risk area corresponding to each log, sequentially executing the security warning method for each log.

[0096] Example 4: This application also provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it performs the steps of the above-mentioned security risk warning method based on three-dimensional visualization to achieve the following functions: First, all logs existing in various devices are acquired and recorded as logs to be unified; each log to be unified is analyzed sequentially using a format analysis method, and the three-dimensional correlation parameters of each log to be unified are obtained based on the analysis results; then, a three-dimensional risk coordinate system is constructed, and the security risk area of ​​each log to be unified is obtained in the three-dimensional risk coordinate system based on the three-dimensional correlation parameters of each log to be unified; the adjacent areas of the security risk area are divided using a risk division method; finally, based on the latest acquired logs in various devices, the security warning method is executed sequentially for each log using the security risk area corresponding to each log.

[0097] Based on the above description of the embodiments, the embodiments of the present invention can be provided as methods, systems, or computer program products. Based on this understanding, the above technical solutions, in essence or in terms of their contribution to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or certain parts of the embodiments.

[0098] In the embodiments provided in this application, it should be understood that the disclosed system or method can be implemented in other ways. The embodiments described above are merely illustrative. For example, the division of modules or units is only a logical functional division, and there may be other division methods in actual implementation. Furthermore, multiple modules or units may be combined or integrated into another system, or some features may be ignored or not executed. Additionally, the coupling or direct coupling or communication connection shown or discussed may be through some communication interfaces. The indirect coupling or communication connection between systems, modules, and units may be electrical, mechanical, or other forms.

[0099] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this application.

Claims

1. A security risk early warning method based on three-dimensional visualization, characterized in that, Includes the following steps: All logs existing in various devices are obtained and recorded as logs to be unified; each log to be unified is analyzed sequentially using a format analysis method, and the three-dimensional correlation parameters of each log to be unified are obtained based on the analysis results. The three-dimensional correlation parameters include the source name parameter area, the source time parameter area, and the name time parameter area. A three-dimensional risk coordinate system is constructed, and based on the three-dimensional correlation parameters of each log to be unified, the security risk area of ​​each log to be unified is obtained in the three-dimensional risk coordinate system; the risk partitioning method is used to divide the areas adjacent to the security risk areas. Based on the latest logs from various devices, security alert methods are executed sequentially for each log using the corresponding security risk zone.

2. The security risk early warning method based on three-dimensional visualization according to claim 1, characterized in that, Retrieving all logs from various devices includes: Acquire all devices requiring security risk warnings and mark them as warning-eligible devices; for any warning-eligible device, acquire all its log records and mark them as the unification logs to be unified; divide the unification logs into daily segments, and record the segmented unification logs sequentially as Daily Analysis Log DR1 to Daily Analysis Log DR2. t Where t is the total number of days that the unified logs of the early warning devices are to be recorded; Obtain the unified logs of all devices that can provide early warning, and obtain all daily analysis logs corresponding to each unified log.

3. The security risk early warning method based on three-dimensional visualization according to claim 2, characterized in that, Format analysis methods include: For any single-day analysis log (DR) of any log to be unified x : Get Daily Analysis Log (DR) x Record all source IPs, and denote the internal network IPs within each source IP as internal network address ND1 to internal network address ND2. n Record the external IP addresses in all source IPs as external IP addresses WD1 to WD1 respectively. w ; Retrieve the names of all accessed devices or servers in the logs to be unified, and sort them alphabetically by the first letter of the name, labeling all names as Access Name FM1 to Access Name FM. f .

4. The security risk early warning method based on three-dimensional visualization according to claim 3, characterized in that, Format analysis methods also include: For any given internal network address, DR in the daily analysis log. x The access name corresponding to the device or server accessed in the network is recorded as the single-day access device of the access name, and the time when the single-day access device is accessed by the internal network address is recorded as the single-day access time corresponding to the internal network address. Obtain the daily access time corresponding to all internal network addresses in the daily analysis log, and based on the analysis method of internal network addresses, obtain the daily access time corresponding to all external network addresses.

5. The security risk early warning method based on three-dimensional visualization according to claim 4, characterized in that, Format analysis methods also include: Establish a Cartesian coordinate system, denoted as the source name coordinate system. The X-axis of the source name coordinate system is a constant axis, and the f coordinate points on the Y-axis from the origin upwards are sequentially labeled as access name FM1 to access name FM. f ; The string of characters obtained by arranging the first three segments of the internal network address and the external network address in order is recorded as the identifier characters of the internal network address and the external network address. For any internal network address, use the identifier character of the internal network address as the horizontal axis and the number of devices accessing the internal network address on a single day as the vertical axis to mark points in the source name coordinate system. Record all the marks obtained from all devices accessing the internal network address on a single day as the source name points of the internal network address. Obtain the source name points of all internal network addresses and record the curve obtained by fitting all the source name points of all internal network addresses in the same source name coordinate system as the internal network source name curve. Based on the analysis of internal network addresses, the source name points corresponding to all external network addresses are obtained, and the curve obtained by fitting all source name points of all external network addresses in the same source name coordinate system is denoted as the external network source name curve; the region between the internal network source name curve and the external network source name curve in the source name coordinate system is denoted as the source name feature region.

6. The security risk early warning method based on three-dimensional visualization according to claim 5, characterized in that, Format analysis methods also include: Establish a Cartesian coordinate system and denote it as the source time coordinate system. The X-axis of the source time coordinate system is a constant axis, and the unit of the Y-axis is h. For any internal network address, use the identifier character of the internal network address as the x-axis and the daily access time of the internal network address as the y-axis. Mark the points in the source time coordinate system and record all the marks obtained based on the daily access time of the internal network address as the source time points of the internal network address. Obtain the source time points of all internal network addresses, and denot the curve obtained by fitting all source time points of all internal network addresses in the same source time coordinate system as the internal network source time curve; The method of obtaining the external network source name curve and source name feature region in the source name coordinate system based on the internal network source name curve, and obtaining the external network source time curve and source time feature region corresponding to the internal network source time curve in the source time coordinate system based on the internal network source time curve.

7. The security risk early warning method based on three-dimensional visualization according to claim 6, characterized in that, Format analysis methods also include: Establish a Cartesian coordinate system, denoted as the time-space coordinate system, where the unit of the X-axis is h, and the f coordinate points on the Y-axis from the origin upwards are sequentially labeled as access name FM1 to access name FM. f ; For any intranet address or any single-day access time of any extranet address, mark the single-day access time as the horizontal axis and the single-day access device as the vertical axis in the name-time coordinate system, and record the marks corresponding to all intranet addresses as intranet name-time points, and record the marks corresponding to all extranet addresses as extranet name-time points. The region between the curves obtained by fitting all internal network names at time points and the curves obtained by fitting all external network names at time points is denoted as the name-time feature region. Obtain the source name feature region, source time feature region, and name-time feature region of all daily analysis logs to be unified; fit the source name feature region, source time feature region, and name-time feature region of all daily analysis logs in the source name coordinate system, source time coordinate system, and name-time coordinate system respectively, and record the obtained regions as the source name parameter region, source time parameter region, and name-time parameter region of the log to be unified.

8. The security risk early warning method based on three-dimensional visualization according to claim 7, characterized in that, A three-dimensional risk coordinate system is constructed, and based on the three-dimensional correlation parameters of each log to be unified, the security risk area of ​​each log to be unified is obtained within the three-dimensional risk coordinate system, including: Establish a three-dimensional rectangular coordinate system, denoted as the three-dimensional risk coordinate system. The X-axis of the three-dimensional risk coordinate system is a constant axis, the Y-axis is in units of h, and the f coordinate points on the Z-axis from the origin upwards are sequentially labeled as access name FM1 to access name FM. f ; In the XY plane, XZ plane, and YZ plane of the three-dimensional risk coordinate system, place the source time parameter area, source name parameter area, and name time parameter area of ​​the log to be unified, respectively. For any point P(X1, Y1, Z1) in the three-dimensional risk coordinate system, if (X1, Y1) ∈ source time parameter region, (X1, Z1) ∈ source name parameter region and (Y1, Z1) ∈ name time parameter region, point P is recorded as a safety protection point. The region obtained by fitting all security protection points in the three-dimensional risk coordinate system is recorded as the security risk region to be unified in the log.

9. The security risk early warning method based on three-dimensional visualization according to claim 8, characterized in that, Risk allocation methods include: For any log to be unified, in the three-dimensional risk coordinate system corresponding to the log to be unified, a column is constructed by normal stretching of the source time parameter region, the source name parameter region, and the name time parameter region, and is denoted as the source time column, the source name column, and the name time column, respectively. The region in the source time column that lies between the source time parameter region and the security risk region is designated as the name abnormal region. The region in the source name column that lies between the source name parameter region and the security risk region is designated as the time abnormal region. The region in the name time column that lies between the name time parameter region and the security risk region is designated as the source IP abnormal region.

10. The security risk early warning method based on three-dimensional visualization according to claim 9, characterized in that, Safety warning methods include: For any warning device, logs that require security risk detection in the warning device are obtained in real time and recorded as real-time detection logs; for any record in the real-time detection logs, the daily access time, the device accessed on the day, and the internal or external network address are obtained based on the format analysis method. Based on the recorded daily access time, daily access device, and internal or external network address, points are marked in the three-dimensional risk coordinate system of the real-time detection log and recorded as log risk points. When a log risk point is within a security risk area, no risk warning is issued. When the log risk point is in the abnormal name area, abnormal time area, or abnormal source IP area, send an access name abnormality warning, access time abnormality warning, or access IP abnormality warning. When a log risk point is outside the security risk zone, name abnormal zone, time abnormal zone, and source IP abnormal zone, a new log risk warning will be sent.