An office network traffic anomaly processing method, device, equipment and medium

By performing anomaly detection and information fusion on the traffic data of the office network server, generating alarm events and processing them automatically, the problem of low efficiency in manual maintenance in the office network is solved, and efficient traffic anomaly handling is achieved.

CN122348852APending Publication Date: 2026-07-07BEIJING SIMING QICHUANG TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING SIMING QICHUANG TECH CO LTD
Filing Date
2026-04-15
Publication Date
2026-07-07

AI Technical Summary

Technical Problem

In existing technologies, office networks contain a wide variety and large quantity of data communication information, making it inefficient to maintain the reliability of office networks manually.

Method used

By performing anomaly detection on the server traffic data of the target office network, identifying traffic backup data, using the Suricata engine for real-time anomaly detection, merging anomaly information using information fusion rules, generating alarm events, and generating event handling information through large model analysis, anomaly handling is automated.

Benefits of technology

It enables automated detection and maintenance of office network traffic anomalies without the need for manual traffic analysis and backup data, thus improving processing efficiency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122348852A_ABST
    Figure CN122348852A_ABST
Patent Text Reader

Abstract

The application discloses an office network traffic anomaly processing method, device and equipment and a medium. The method comprises the following steps: determining traffic backup data corresponding to a target office network according to server traffic data corresponding to at least one network server in the target office network; performing anomaly detection on the traffic backup data to determine at least one anomaly information; fusing each anomaly information according to an information fusion rule to obtain at least one alarm event; identifying event processing information according to the alarm event and the traffic backup data for each alarm event; and performing anomaly processing on a corresponding network server in the target office network according to the event processing information. The embodiment of the application can improve the accuracy of office network traffic anomaly processing.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of data processing technology, and in particular to a method, apparatus, equipment and medium for handling abnormal traffic on an office network. Background Technology

[0002] With the rapid development of technology, office networks are becoming increasingly widespread. Office networks include various types of servers, which can communicate with each other. To ensure the reliability of office network operation, it is necessary to perform anomaly detection and maintenance on the data communication information of each server within the network.

[0003] Currently, by pre-storing anomaly detection rules locally on the server, anomaly detection is performed on the server's data communication information based on the anomaly detection rules stored locally on the server, anomaly detection results are obtained, the anomaly detection results are analyzed manually, and anomaly maintenance is performed on the server.

[0004] However, the types and quantities of data communication information in the office network are numerous, and the efficiency of manually maintaining the reliability of the office network is low. Summary of the Invention

[0005] This invention provides a method, apparatus, equipment, and medium for handling abnormal office network traffic, in order to improve the accuracy of handling abnormal office network traffic.

[0006] In a first aspect, embodiments of the present invention provide a method for handling abnormal office network traffic, the method comprising:

[0007] Based on the server traffic data corresponding to at least one network server in the target office network, determine the traffic backup data corresponding to the target office network;

[0008] Anomaly detection is performed on the traffic backup data to identify at least one abnormal information;

[0009] The aforementioned abnormal information is fused according to information fusion rules to obtain at least one alarm event;

[0010] For each alarm event, event processing information is obtained based on the alarm event and traffic backup data;

[0011] Based on the event handling information, perform anomaly handling on the corresponding network server in the target office network.

[0012] Secondly, embodiments of the present invention also provide an office network traffic anomaly handling device, the device comprising:

[0013] The data determination module is used to determine the traffic backup data corresponding to the target office network based on the server traffic data corresponding to at least one network server in the target office network;

[0014] The data detection module is used to perform anomaly detection on the traffic backup data and identify at least one abnormal information.

[0015] The data fusion module is used to fuse the various abnormal information according to information fusion rules to obtain at least one alarm event;

[0016] The data identification module is used to identify event processing information based on the alarm event and traffic backup data for each alarm event.

[0017] An exception handling module is used to perform exception handling on the corresponding network server in the target office network based on the event handling information.

[0018] Thirdly, embodiments of the present invention also provide an office network traffic anomaly processing device, the office network traffic anomaly processing device comprising:

[0019] At least one processor; and

[0020] A memory that is communicatively connected to at least one processor; wherein,

[0021] The memory stores a computer program that can be executed by at least one processor, such that the at least one processor is able to execute the office network traffic anomaly handling method according to any embodiment of the present invention.

[0022] According to another aspect of the present invention, a computer-readable storage medium is provided, which stores computer instructions for causing a processor to execute the office network traffic anomaly handling method of any embodiment of the present invention.

[0023] The technical solution of this invention determines traffic backup data corresponding to the target office network based on server traffic data corresponding to at least one network server in the target office network; performs anomaly detection on the traffic backup data to identify at least one anomaly; fuses the anomaly information according to information fusion rules to obtain at least one alarm event; for each alarm event, identifies event processing information based on the alarm event and the traffic backup data; and performs anomaly processing on the corresponding network server in the target office network based on the event processing information. This can automatically detect and maintain anomalies in the traffic backup data of the office network without requiring manual analysis of the traffic backup data, thus improving the efficiency of handling office network traffic anomalies.

[0024] It should be understood that the description in this section is not intended to identify key or essential features of the embodiments of the present invention, nor is it intended to limit the scope of the invention. Other features of the invention will become readily apparent from the following description. Attached Figure Description

[0025] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0026] Figure 1 This is a flowchart of an office network traffic anomaly handling method provided by an embodiment of the present invention;

[0027] Figure 2 This is a flowchart of an office network traffic anomaly handling method provided by an embodiment of the present invention;

[0028] Figure 3 This is a structural diagram of an office network traffic anomaly handling device provided according to an embodiment of the present invention;

[0029] Figure 4 This is a schematic diagram of the structure of an office network traffic anomaly processing device provided in an embodiment of the present invention. Detailed Implementation

[0030] To enable those skilled in the art to better understand the present invention, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of the present invention.

[0031] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of the invention described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0032] The acquisition, storage, and application of traffic backup data and other related technologies in the technical solutions of this invention comply with relevant laws and regulations and do not violate public order and good morals.

[0033] Example 1

[0034] Figure 1 This is a flowchart illustrating a method for handling abnormal office network traffic according to Embodiment 1 of the present invention. This embodiment of the invention is applicable to situations involving abnormal office network traffic. The method can be executed by an office network traffic anomaly handling device, which can be implemented in hardware and / or software.

[0035] See Figure 1 The methods for handling abnormal office network traffic shown include:

[0036] S101. Based on the server traffic data corresponding to at least one network server in the target office network, determine the traffic backup data corresponding to the target office network.

[0037] The target office network can be the internal office network of the company to be tested. The network server can be a server within the target office network. Server traffic data can be all internet traffic data passing through the server (for example, communication data generated by employees accessing web pages, logging into systems, or transferring files). Traffic backup data can be data obtained by completely copying the original traffic, also known as traffic mirroring, which does not affect the server's normal network communication.

[0038] Specifically, traffic mirroring is enabled and configured on the core switch of the target office network. This completely copies all network traffic generated by office terminals and internal servers that passes through the core switch, and then sends the copied traffic to a dedicated traffic detection device. During the traffic copying and forwarding process, the original traffic continues to be forwarded to its destination address along the normal path. Employees' normal internet access, business access, and data transmission will not be interfered with, interrupted, or delayed. This traffic data, completely copied from the original traffic and used only for security anomaly detection and analysis, and not involved in actual business forwarding, is the traffic backup data. For example, the target office network is the XX location workplace network, and the network server is the XX location core switch (192.168.5.1). All internet traffic from employees' computers and servers at the XX location workplace must pass through the core switch 192.168.5.1. Port mirroring is configured on the core switch. The switch copies all the traffic passing through it. The copied traffic is sent to the detection server deployed with Suricata (a network traffic detection engine). This copied traffic, which does not affect normal business operations, is called the traffic backup data for the XX location office network. The traffic backup data can include: traffic from employee computers accessing websites via 192.168.5.20, traffic from employee logins to various systems, traffic from employee accessing internal systems, traffic generated by employees accidentally visiting malicious websites, and traffic from communication between servers.

[0039] S102. Perform anomaly detection on traffic backup data and identify at least one abnormal information.

[0040] Among them, abnormal information can be descriptive information of attacks or suspicious behaviors detected in traffic backup data (including: source IP, destination IP, attack type, payload content and alarm level, etc.).

[0041] Specifically, the traffic backup data obtained through traffic mirroring is completely input into the Suricata engine deployed on a dedicated detection server. The Suricata engine then performs real-time anomaly detection processing on the traffic backup data. For example, the Suricata engine performs protocol parsing, identifying and disassembling network protocols such as TCP, HTTP, or DNS, extracting key information such as source address, destination address, transmission port, interaction content, and payload data. The Suricata engine then compares the extracted traffic content, feature fields, and payload information against an attack feature rule base, field by field. When the feature information in the traffic backup data completely matches the malicious features in the attack feature rule base or meets preset matching conditions, the Suricata engine immediately determines that the traffic segment is abnormal. After determining it to be abnormal, the Suricata engine automatically generates a structured anomaly record. This record fully includes detailed information such as attack type, source IP address, destination IP address, plaintext payload content, alarm level, occurrence time, and workplace region. This structured anomaly record is the anomaly information. Furthermore, the Suricata engine can write this anomaly information to the detection server's hard drive, saving it as a log file. The Filebeat component (log collection module) on the server can read the log files on the hard drive in real time. Filebeat reliably uploads alarm information to Kafka (message queue) via network security. Kafka asynchronously buffers alarm information, ensuring no loss or congestion under high concurrency, achieving decoupling of collection and analysis. ClickHouse (big data analytics database) subscribes to and consumes anomaly information from Kafka. ClickHouse uses a columnar storage structure to write anomaly information to the server disk at high speed. Anomaly information can be stored long-term, stably, and efficiently, supporting rapid querying and statistics of massive amounts of data. Stored content may include: source IP, destination IP, alarm type, plaintext payload, time, and workplace region, etc.

[0042] S103. Merge the various abnormal information according to the information fusion rules to obtain at least one alarm event.

[0043] The information fusion rules can be pre-set abnormal information merging conditions. For example, abnormal information merging conditions can be based on "same source IP, same workplace, same time period, and same attack type". The alarm event can be a complete security event formed by merging various abnormal information that meet the information fusion rules, representing a real attack behavior or attack chain, rather than scattered alarms.

[0044] Specifically, KeepQ (the visualization module) can read multiple independent and scattered anomaly messages generated during the anomaly detection phase from ClickHouse and perform unified integration processing on these anomaly messages according to pre-configured information fusion rules. First, the anomaly messages are filtered and cleaned, removing invalid alarms with missing fields, duplicate content, format errors, and those that do not meet detection criteria, retaining only valid and usable anomaly data. Valid anomaly messages are then grouped and categorized according to preset dimensions, including: the same source IP address, the same destination IP address, the same workplace region, the same time window range, and the same alarm type, grouping anomaly messages that meet the same grouping criteria into the same set. Key features are extracted from multiple anomaly messages within the same set, the sequence of actions is analyzed, and contextual information is supplemented, ultimately generating a structured alarm event containing a complete picture of the attack and the timing of the actions.

[0045] S104. For each alarm event, identify the event handling information based on the alarm event and traffic backup data.

[0046] Among them, the event handling information can be the descriptive information of the alarm event, which is used to describe the alarm type, alarm cause, alarm handling method, alarm level and alarm region of the alarm event in a structured conclusion.

[0047] Specifically, aggregated alarm events are retrieved from the ClickHouse database, and plaintext payload information containing attack behavior characteristics is extracted from traffic backup data. The LiteLLM (Large Model Interface) component is used to call the large model, loading and using a pre-defined fixed prompt word template customized for office network traffic detection scenarios. Key fields such as the traffic payload content of the alarm event, attack occurrence time, source IP address, destination IP address, and workplace region are automatically filled into the template, forming complete and standardized model input content. After receiving the input content, the large model performs multi-dimensional in-depth analysis of the data: including semantic understanding of alarm information and traffic payload, temporal ranking analysis of multiple abnormal behaviors, parsing of plaintext attack characteristics, and matching and comparing the behavior sequence with a standard attack chain template to determine whether a complete attack chain is formed. After the analysis is completed, the large model automatically outputs four types of core analysis results according to a preset format: first, the root cause of the anomaly, clarifying the attack type and triggering mechanism; second, specific handling suggestions, providing handling methods for the source IP and destination IP, such as blocking IPs, isolating terminals, or detecting and removing malware; third, the risk level, judged according to a four-level standard of Critical / High / Medium / Low; and fourth, the affected workplace area, marking the physical location of the incident. These four types of core results are then structured, their fields concatenated, and their formats standardized, ultimately integrating them to generate event handling information.

[0048] S105. Perform anomaly handling on the corresponding network server in the target office network based on the event handling information.

[0049] Specifically, based on the incident handling information, the system automatically parses the core handling instructions (such as blocking IPs or isolating terminals), target objects (source IP, destination IP, and affected workplaces), and risk levels (to determine handling priorities). Based on the affected workplace areas marked in the incident handling information, it locates the corresponding network control nodes of the office network (such as workplace core switches, firewalls, or operation and maintenance management platforms). Following the specific requirements in the handling recommendations, it issues automated handling instructions to the aforementioned network control nodes. If the risk is high / critical, it simultaneously triggers manual handling reminders (for example, pushing alarm details via group messages) to facilitate in-depth investigation in conjunction with automated operations. The control nodes execute the handling instructions to complete the anomaly handling of the corresponding network objects. After handling is completed, the handling results are sent back to the KeephQ platform to update the alarm event status.

[0050] The technical solution of this invention determines the traffic backup data corresponding to the target office network based on the server traffic data corresponding to at least one network server in the target office network; performs anomaly detection on the traffic backup data to identify at least one anomaly; merges the anomalies according to information fusion rules to obtain at least one alarm event; for each alarm event, identifies event processing information based on the alarm event and the traffic backup data; and performs anomaly processing on the corresponding network server in the target office network based on the event processing information. This can automatically detect and maintain anomalies in the traffic backup data of the office network without requiring manual analysis of the traffic backup data, thus improving the efficiency of handling anomalies in office network traffic.

[0051] Example 2

[0052] Figure 2 This is a flowchart illustrating a method for handling abnormal office network traffic according to Embodiment 2 of the present invention. Based on the above embodiments, this embodiment optimizes and improves the operation for handling abnormal office network traffic.

[0053] Furthermore, the step of "performing anomaly detection on traffic backup data and identifying at least one abnormal piece of information" is refined to "performing anomaly detection on traffic backup data and identifying at least one anomaly type and the type information of each anomaly type; for each anomaly type, performing similarity matching between the type information of the anomaly type and the type information of the corresponding baseline type to obtain the similarity matching result; and identifying at least one abnormal piece of information based on the similarity matching result corresponding to each anomaly type," in order to improve the operation of handling anomalies in office network traffic.

[0054] It should be noted that for parts not described in detail in the embodiments of the present invention, please refer to the descriptions in other embodiments.

[0055] See Figure 2 The methods for handling abnormal office network traffic shown include:

[0056] S201. Based on the server traffic data corresponding to at least one network server in the target office network, determine the traffic backup data corresponding to the target office network.

[0057] S202. Perform anomaly detection on traffic backup data to determine at least one anomaly type and the type information of each anomaly type.

[0058] The anomaly type can be the type of abnormal behavior, representing different network security threats or violations, such as port scanning, Domain Name System (DNS) tunneling, malicious payload transmission, and data outreach. The type information can be a detailed description of the characteristics corresponding to each type of anomaly, and is the core basis for identifying the anomaly, including the anomaly's characteristic string, triggering conditions, associated protocols, severity level, and attack characteristics.

[0059] Specifically, the system retrieves backup traffic data and performs protocol parsing and feature extraction on each segment of network traffic, extracting core data such as source IP, destination IP, transport protocol, packet payload, and communication behavior sequence. A multi-dimensional anomaly feature rule base (containing preset features for various anomalies such as port scanning, DNS tunneling, malicious payloads, and data outflow) is loaded, and the extracted traffic features are matched against the preset features in the rule base. When the features of a traffic segment completely match the features of a certain anomaly type in the rule base or reach a preset matching threshold, the traffic is determined to belong to that anomaly type, and the anomaly type identifier is recorded. For all successfully matched anomaly types, the type information is further extracted and recorded: including the core feature string of the anomaly, the traffic protocol that triggered the anomaly, the attack severity corresponding to the anomaly, the frequency of the anomaly in the backup traffic data, and the associated source / destination address information. Finally, all identified anomaly types are output, along with complete type information for each anomaly.

[0060] S203. For each anomaly type, perform similarity matching between the type information of the anomaly type and the type information of the corresponding baseline type to obtain the similarity matching result.

[0061] Specifically, the system retrieves all anomaly types and their corresponding type information. Simultaneously, it retrieves the baseline types and type information corresponding to each actual anomaly type from the system's baseline anomaly type library (e.g., if the actual anomaly is a DNS tunnel, the system retrieves the type information of the preset DNS tunnel baseline type from the baseline type library). For each set of "anomaly type type information and corresponding baseline type type information," feature decomposition is performed according to preset multi-dimensional matching rules to determine matching dimensions (such as core feature strings, associated network protocols, payload characteristics, behavioral patterns, hazard levels, and associated address types). Each decomposed feature dimension is compared and quantified one by one. Same feature dimensions are recorded as matching scores, and scores for different feature dimensions are deducted based on the degree of difference. Finally, the scores of each dimension are summed to obtain the overall similarity score for the group of anomalies. Based on a preset similarity threshold, the quantified score is converted into a qualitative matching result (e.g., a score greater than or equal to 80% is a high match, a score greater than or equal to 60% and less than or equal to 79% is a medium match, and a score less than 60% is a low match). A complete result containing the quantified score and qualitative conclusion is generated for each anomaly type. This result is the similarity matching result, and the result is associated with and stored with the corresponding anomaly type.

[0062] S204. Based on the similarity matching results corresponding to each anomaly type, determine at least one anomaly information.

[0063] Specifically, the system retrieves anomaly types and their corresponding similarity matching results, and associates the anomaly type information to form a complete dataset of "anomaly type - similarity matching result - type information". It loads a preset effective anomaly judgment threshold (this threshold is set based on office network traffic characteristics and security detection requirements, such as a qualitative conclusion of high / medium matching or a quantitative score greater than or equal to 60 points), and compares the similarity matching results of each anomaly type with this threshold. Effective anomalies are then filtered according to the judgment threshold: invalid anomalies that do not meet the similarity standard are removed (such as low matching or scores less than or equal to 60 points, which are mostly false alarms or edge traffic without actual harm), while retaining effective anomaly types that meet the similarity standard. For each effective anomaly type, its anomaly type identifier, similarity matching result (score + qualitative conclusion), and type information (core features, associated protocols, source / destination IPs, and harm characteristics, etc.) are structurally integrated and encapsulated according to a preset anomaly information format. Finally, a standardized anomaly information is generated for each effective anomaly type, and all anomaly information is associated and stored in ClickHouse.

[0064] S205. Merge the various abnormal information according to the information fusion rules to obtain at least one alarm event.

[0065] S206. For each alarm event, identify the event handling information based on the alarm event and traffic backup data.

[0066] S207. Perform anomaly handling on the corresponding network server in the target office network based on the event handling information.

[0067] This invention embodiment detects anomalies in traffic backup data to determine at least one anomaly type and type information for each anomaly type; for each anomaly type, the type information of the anomaly type is matched with the type information of the corresponding baseline type to obtain a similarity matching result; based on the similarity matching result corresponding to each anomaly type, at least one anomaly information is determined, and the detected anomaly information can be matched with the corresponding baseline information to prevent false alarms.

[0068] Optionally, the abnormal information is fused according to information fusion rules to obtain at least one alarm event, including: filtering the abnormal information according to filtering rules to obtain at least one piece of information to be fused; obtaining at least one basic attribute and at least one additional attribute; classifying the information to be fused according to the attribute values ​​of each basic attribute and each additional attribute in each piece of information to be fused to obtain at least one alarm set; comparing the total number of information corresponding to each alarm set with a preset total threshold to obtain a threshold comparison result; and determining at least one alarm event according to the threshold comparison result corresponding to each alarm set.

[0069] The filtering rules can be pre-defined information screening rules based on the office network security testing requirements (for example, removing isolated, non-continuous, and non-core area anomalies). Basic attributes can be highly identifiable key attributes used for core classification (source IP address, affected workplace area, anomaly type, and time window), serving as the core dimensions of the classification. Additional attributes can be auxiliary attributes used for refined classification (destination IP type, associated network protocol, severity level, and time period of the behavior), improving classification accuracy and avoiding the mis-aggregation of information with consistent core attributes but different risks.

[0070] Specifically, KeepHQ retrieves all anomaly information, loads office network-specific filtering rules (such as removing anomalies with "single isolated messages without continuous behavior," "non-core business areas," and "low-risk and no load characteristics"), performs filtering operations to remove invalid information, and retains information with correlation and fusion value to complete the initial deduplication. From all information to be fused, basic and additional attributes are automatically extracted according to preset rules (basic attributes are fixed as: source IP address, affected workplace area, anomaly type, and time window; additional attributes: destination IP type, associated network protocol, hazard level, and time period of occurrence), and the specific attribute values ​​corresponding to each piece of information to be fused are sorted out. All information to be fused is grouped and categorized. The basic attributes (source IP / workplace / anomaly type / time window) must be completely identical, and at least one of the additional attributes (destination IP type / protocol) must match. Information to be fused that meets the rules is grouped into the same group, and each group is an alarm set, and the total number of information in each set is marked. The system retrieves a preset threshold for the total number of alarms on the office network (set based on the characteristics of office network attack behavior; for example, ≥2 alarms within a short time window are considered valid). For each alarm set, the total number of alarms is compared with the preset threshold to generate a threshold comparison result: "Threshold reached or not reached." Using "threshold reached" as the valid criterion, all alarm sets that meet the criteria are selected. Each qualifying set is then structured and integrated, extracting key information such as core attributes, anomaly characteristics, payload information, and behavioral timing to generate alarm events. Alarm sets that do not reach the threshold are directly discarded, classified as isolated anomalies, and not included in subsequent analysis. All the finally determined alarm events are then associated and stored in the ClickHouse database.

[0071] By filtering each abnormal information according to filtering rules, at least one piece of information to be merged is obtained; at least one basic attribute and at least one additional attribute are obtained; based on the attribute values ​​of each basic attribute and each additional attribute in each piece of information to be merged, each piece of information to be merged is classified to obtain at least one alarm set; for each alarm set, the total number of information corresponding to the alarm set is compared with a preset total threshold to obtain a threshold comparison result; based on the threshold comparison result corresponding to each alarm set, at least one alarm event is determined, thereby reducing the number of invalid alarms, reducing the amount of data to be processed, and improving traffic detection efficiency.

[0072] Optionally, event processing information can be identified based on alarm events and traffic backup data, including: finding the model input template corresponding to the alarm event based on the alarm event; fusing the alarm event, traffic backup data and model input template to obtain fused information; and inputting the fused information into the anomaly detection model to obtain event processing information.

[0073] The model input template can be a structured large-scale model analysis prompt word template customized for different types of alarm events (such as exclusive templates for DNS tunnels, port scans, and APT attacks). The template presets the analysis dimensions, output requirements, word limits, and required content (such as root causes and handling suggestions), which is the core basis for accurate large-scale model analysis. The anomaly detection model can be a large language model for in-depth analysis of traffic anomalies (adapted and optimized for office network traffic detection scenarios), with the ability to understand semantics, parse payloads, infer attack chains, and generate handling suggestions.

[0074] Specifically, alarm events are retrieved from ClickHouse, and the alarm event type and affected workplace scenarios are extracted as search keywords. The system automatically searches and matches the corresponding custom model input template from the office network customized model input template library, ensuring a high degree of compatibility between the template and the alarm event type and office network scenario. Based on the core identifiers of the alarm event (such as event ID, source IP, and time window), the system retrieves the corresponding traffic backup data from ClickHouse. This traffic backup data is then lightweighted and extracted, retaining core effective content (such as plaintext, key communication timings, protocol characteristics, and payload details) while removing redundant data with no analytical value. The retrieved structured information of the alarm event and the core effective content of the traffic backup data are automatically filled and encapsulated according to the preset fields, format requirements, and analysis instructions of the matched model input template. The alarm event details are filled into the "Basic Event Information" field of the template, and the payload plaintext and core traffic characteristics are filled into the "Raw Traffic Data" field, ensuring that the fused content fully conforms to the template requirements and generating standardized fused information. Through the LiteLLM unified interface gateway, fused information is standardized and pushed to the anomaly detection model in the large model service center. LiteLLM automatically masks the interface differences of the underlying models, enabling seamless model integration. After receiving the fused information, the anomaly detection model performs in-depth analysis, including semantic understanding, payload feature parsing, attack behavior inference, and root cause localization, according to the preset analysis dimensions and output requirements of the template. Following the template requirements, the anomaly detection model outputs standardized analysis results, including the root cause (focusing on payload analysis), specific handling suggestions (for source / destination IPs), risk level (Critical / High / Medium / Low), and affected workplace regions. This result constitutes the incident handling information. The generated incident handling information is synchronized to the KeepHQ platform for visualization and simultaneously stored in the ClickHouse database, and then pushed by KeepHQ to the message receiving database of the corresponding workplace.

[0075] By finding the model input template corresponding to the alarm event based on the alarm event, the alarm event, traffic backup data and model input template are merged to obtain fused information. The fused information is then input into the anomaly detection model to obtain event processing information, which can deeply analyze anomaly information and reduce false alarm rate.

[0076] Optionally, the fused information is input into the anomaly detection model to obtain event processing information, including: sorting each anomaly information in the fused information according to time to obtain an information time series; extracting features from the information time series to obtain a payload feature chain; matching the payload feature chain with at least one attack chain to determine the target chain; and generating event processing information based on the target chain.

[0077] Among them, the information time series can be an ordered sequence of abnormal behaviors arranged in chronological order, presenting the time sequence of abnormal behaviors of a certain terminal / IP, which is the basis for identifying attack chains (attack chains have clear behavioral time sequence characteristics).

[0078] Specifically, all discrete individual anomaly messages are extracted from the fused information. For each anomaly message, core fields such as the precise timestamp, associated source / destination IP, and description of the abnormal behavior are extracted. All discrete anomaly messages are then sorted and organized in chronological order (from morning to night) to generate an information time series, clearly presenting the temporal trajectory of the abnormal behavior. Node-by-node core feature extraction is performed on the information time series. Redundant network information such as source MAC addresses and port numbers is removed from each time-series anomaly message. The focus is on extracting three core categories: plaintext / feature strings, malicious code fragments, and attack behavior types (such as port scanning, exploiting vulnerabilities, and establishing DNS tunnels). These extracted features are then concatenated and integrated according to the original time series to form a payload feature chain, achieving a temporal abstraction of the actual attack behavior. Retrieve the dedicated standard attack chain library for the office network (containing node features, temporal relationships, and core payload features of various typical attack chains). Perform multi-node temporal similarity matching between the extracted payload feature chain and each standard attack chain in the library. Compare the feature fit node by node to verify the consistency between the node occurrence time and the standard attack chain, and calculate the overall matching degree. Select standard attack chains with an overall matching degree greater than or equal to a preset threshold and with a complete match of core attack nodes (such as vulnerability exploitation and data outflow). Identify these as target chains and mark the matching nodes and differences between the payload feature chain and the target chain. The large-scale model uses a defined target chain as its core basis, combining specific plaintext details, associated IPs / terminals, affected workplace areas, and attack time periods within the payload feature chain. It then conducts in-depth analysis according to preset output requirements: 1) Locating the current stage of the attack chain (e.g., probing, exploitation, or data outreach) and predicting potential subsequent attacks; 2) Analyzing the attack objectives and harms corresponding to core payload characteristics; 3) Developing targeted response measures for each node / stage of the attack chain; 4) Determining the risk level and identifying affected areas according to standards. Finally, the above content is structured and integrated to generate a chain-like, refined event handling information. This generated event handling information is synchronized to the KeepHQ platform for visualization (including an attack chain node sequence diagram), simultaneously stored in the ClickHouse database, and pushed by KeepHQ to the message receiving database of the corresponding workplace's operations and maintenance personnel.

[0079] By sorting the abnormal information in the fused information according to time, an information time series is obtained; features are extracted from the information time series to obtain a payload feature chain; the payload feature chain is matched with at least one attack chain to determine the target chain; and event processing information is generated based on the target chain. This allows for targeted determination of attack chains based on attack time sequence characteristics, identification of the correlation between various abnormal information, and improvement of traffic detection accuracy.

[0080] Optionally, based on the target chain, event handling information is generated, including: identifying the event type corresponding to the target chain based on the target chain; finding the handling suggestion template corresponding to the event type based on the event type; filling the handling suggestion template with the exception information corresponding to the event type to obtain the handling method information; and generating event handling information based on the event type, the handling method information, and the exception information corresponding to the event type.

[0081] Specifically, based on the identified target chain, the overall nature of the attack behavior is determined, and the event type corresponding to the target chain is identified. Based on the identified event type, a standardized handling suggestion template matching the event type is retrieved from a pre-set handling suggestion template library. Next, the system automatically populates the corresponding fields of the handling suggestion template with all anomaly information corresponding to the event type, including real data such as source IP, destination IP, payload content, occurrence time, workplace region, and attack behavior characteristics, generating complete and executable handling method information. Finally, the event type, handling method information, and all corresponding anomaly information are structurally integrated and summarized to generate complete event handling information including attack description, root cause, handling steps, risk level, and affected area.

[0082] The event type corresponding to the target chain is identified based on the target chain; based on the event type, the corresponding processing suggestion template is found; the processing suggestion template is filled with the abnormal information corresponding to the event type to obtain the processing method information; based on the event type, processing method information and the abnormal information corresponding to the event type, event processing information is generated. By determining the event processing information through multi-dimensional data, the accuracy of event processing information determination is improved.

[0083] Optionally, after performing anomaly handling on the corresponding network servers in the target office network based on the event handling information, the method further includes: obtaining a regional map corresponding to the target office network; determining the first layer information based on the occurrence location and regional map corresponding to each alarm event; determining the second layer information based on the number of events and regional map corresponding to each alarm event; determining the third layer information based on the event handling information and regional map corresponding to each alarm event; and determining the office network visualization information based on the first layer information, the second layer information, and the third layer information.

[0084] Specifically, a nationwide workplace distribution map corresponding to the target office network is obtained. This map pre-marks the location and network range of each workplace. Based on the location information corresponding to each alarm event, a geographic mapping is performed using the regional map to determine the first layer of information used to display the alarm location. Based on the statistical results of the number of alarm events in each region, a second layer of information is determined using the regional map to display the event distribution density. Based on the event handling information corresponding to each alarm event, including risk level, handling status, and handling results, a third layer of information is determined using the regional map to display security risks and handling status. The first, second, and third layers of information are overlaid and merged to generate complete office network security situation visualization information for global display on the KeepHQ platform. For example, a regional map is obtained, including workplace location 1, workplace location 2, workplace location 3, and workplace location 4. In the first layer (location layer), if an alarm occurs at workplace location 1, a triangle is marked at workplace location 1 on the map. The second layer (quantity layer) shows 12 alarms in workplace location 1, marked with the number 12. Workplace location 2 has 5 alarms, marked with the number 5. The third layer (risk / handling layer) shows high-risk unhandled alarms in workplace location 1, marked with a red "unhandled warning." Workplace location 2 has medium-risk handled alarms, marked with an orange "handled." Workplace location 3 has low-risk alarms, marked with a blue "safe." These three layers can be overlaid or displayed separately to determine the office network security situation map.

[0085] The system obtains the area map corresponding to the target office network; determines the first layer information based on the occurrence location and area map of each alarm event; determines the second layer information based on the number of events and area map of each alarm event; determines the third layer information based on the event handling information and area map of each alarm event; and determines the office network visualization information based on the first, second, and third layer information.

[0086] Example 3

[0087] Figure 3 This is a schematic diagram of an office network traffic anomaly handling device provided in Embodiment 3 of the present invention. This embodiment of the present invention is applicable to situations involving office network traffic anomaly handling. The device can execute an office network traffic anomaly handling methods and can be implemented in hardware and / or software.

[0088] See Figure 3 The office network traffic anomaly handling device shown includes: a data determination module 301, a data detection module 302, a data fusion module 303, a data identification module 304, and an anomaly handling module 305, wherein...

[0089] The data determination module 301 is used to determine the traffic backup data corresponding to the target office network based on the server traffic data corresponding to at least one network server in the target office network.

[0090] Data detection module 302 is used to perform anomaly detection on traffic backup data and identify at least one abnormal information;

[0091] The data fusion module 303 is used to fuse various abnormal information according to information fusion rules to obtain at least one alarm event;

[0092] The data recognition module 304 is used to identify event processing information based on the alarm event and traffic backup data for each alarm event.

[0093] The exception handling module 305 is used to perform exception handling on the corresponding network server in the target office network based on the event handling information.

[0094] The technical solution of this invention determines the traffic backup data corresponding to the target office network based on the server traffic data corresponding to at least one network server in the target office network; performs anomaly detection on the traffic backup data to identify at least one anomaly; merges the anomalies according to information fusion rules to obtain at least one alarm event; for each alarm event, identifies event processing information based on the alarm event and the traffic backup data; and performs anomaly processing on the corresponding network server in the target office network based on the event processing information. This can automatically detect and maintain anomalies in the traffic backup data of the office network without requiring manual analysis of the traffic backup data, thus improving the efficiency of handling anomalies in office network traffic.

[0095] Optional, the data detection module 302 is specifically used for:

[0096] Perform anomaly detection on traffic backup data to identify at least one anomaly type and the type information of each anomaly type;

[0097] For each anomaly type, the type information of the anomaly type is matched with the type information of the corresponding baseline type to obtain the similarity matching result;

[0098] Based on the similarity matching results corresponding to each anomaly type, at least one anomaly information is determined.

[0099] Optional, the data fusion module 303 is specifically used for:

[0100] Each abnormal information is filtered according to the filtering rules to obtain at least one piece of information to be fused;

[0101] Get at least one basic attribute and at least one additional attribute;

[0102] Based on the attribute values ​​of each basic attribute and each additional attribute in each piece of information to be merged, the information to be merged is classified to obtain at least one alarm set.

[0103] For each alarm set, the total number of messages corresponding to the alarm set is compared with a preset total threshold to obtain the threshold comparison result;

[0104] Based on the threshold comparison results corresponding to each alarm set, at least one alarm event is determined.

[0105] Optionally, the data recognition module 304 includes:

[0106] The template lookup unit is used to find the model input template corresponding to the alarm event based on the alarm event.

[0107] The template fusion unit is used to fuse alarm events, traffic backup data and model input templates to obtain fused information;

[0108] The data input unit is used to input the fused information into the anomaly detection model to obtain event processing information.

[0109] Optional, the data input unit includes:

[0110] The information sorting subunit is used to sort the abnormal information in the fused information according to time to obtain the information time series.

[0111] The feature extraction subunit is used to extract features from the information time series to obtain the load feature chain;

[0112] The attack chain matching subunit is used to match the payload feature chain with at least one attack chain to determine the target chain.

[0113] The information generation subunit is used to generate event processing information based on the target chain.

[0114] Optional, information generation subunit, specifically used for:

[0115] The event type corresponding to the target chain is obtained based on the target chain identification;

[0116] Based on the event type, find the corresponding handling suggestion template;

[0117] The processing suggestion template is populated based on the exception information corresponding to the event type to obtain the processing method information;

[0118] Event handling information is generated based on the event type, handling method information, and the corresponding exception information for each event type.

[0119] Optionally, the office network traffic anomaly handling device is also specifically used for:

[0120] After handling the anomalies of the corresponding network servers in the target office network based on the event handling information, obtain the area map corresponding to the target office network;

[0121] Based on the location and area map corresponding to each alarm event, determine the information of the first layer;

[0122] The second layer information is determined based on the number of events corresponding to each alarm event and the area map;

[0123] The third layer information is determined based on the event handling information and area map corresponding to each alarm event;

[0124] Based on the information from the first layer, the second layer, and the third layer, determine the visual information of the office network.

[0125] The office network traffic anomaly handling device provided in the embodiments of the present invention can execute the office network traffic anomaly handling method provided in any embodiment of the present invention, and has the corresponding functional modules and beneficial effects of executing the office network traffic anomaly handling method.

[0126] Example 4

[0127] Figure 4 A schematic diagram of the structure of an office network traffic anomaly processing device 400 that can be used to implement an embodiment of the present invention is shown.

[0128] like Figure 4 As shown, the office network traffic anomaly handling device 400 includes at least one processor 401 and a memory, such as a read-only memory (ROM) 402 and a random access memory (RAM) 403, communicatively connected to the at least one processor 401. The memory stores computer programs executable by the at least one processor. The processor 401 can perform various appropriate actions and processes based on the computer program stored in the ROM 402 or loaded from storage unit 408 into the RAM 403. The RAM 403 can also store various programs and data required for the operation of the office network traffic anomaly handling device 400. The processor 401, ROM 402, and RAM 403 are interconnected via a bus 404. An input / output (I / O) interface 405 is also connected to the bus 404.

[0129] Multiple components in the office network traffic anomaly processing device 400 are connected to I / O interface 405, including: input unit 406, such as keyboard, mouse, etc.; output unit 407, such as various types of monitors, speakers, etc.; storage unit 408, such as disk, optical disk, etc.; and communication unit 409, such as network card, modem, wireless transceiver, etc. The communication unit 409 allows the office network traffic anomaly processing device 400 to exchange information / data with other devices through computer networks such as the Internet and / or various telecommunications networks.

[0130] Processor 401 can be a variety of general-purpose and / or special-purpose processing components with processing and computing capabilities. Some examples of processor 401 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various special-purpose artificial intelligence (AI) computing chips, various processors running machine learning model algorithms, a digital signal processor (DSP), and any suitable processor, controller, microcontroller, etc. Processor 401 performs the various methods and processes described above, such as methods for handling abnormal office network traffic.

[0131] In some embodiments, the office network traffic anomaly handling method may be implemented as a computer program tangibly contained in a computer-readable storage medium, such as storage unit 408. In some embodiments, part or all of the computer program may be loaded and / or installed on the office network traffic anomaly handling device 400 via ROM 402 and / or communication unit 409. When the computer program is loaded into RAM 403 and executed by processor 401, one or more steps of the office network traffic anomaly handling method described above may be performed. Alternatively, in other embodiments, processor 401 may be configured to perform the office network traffic anomaly handling method by any other suitable means (e.g., by means of firmware).

[0132] Various implementations of the systems and techniques described above herein can be implemented in digital electronic circuit systems, integrated circuit systems, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems-on-a-chip (SoCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and / or combinations thereof. These various implementations may include: implementations in one or more computer programs that can be executed and / or interpreted on a programmable system including at least one programmable processor, which may be a dedicated or general-purpose programmable processor, capable of receiving data and instructions from a storage system, at least one input device, and at least one output device, and transmitting data and instructions to the storage system, the at least one input device, and the at least one output device.

[0133] Computer programs used to implement the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing device, such that when executed by the processor, the computer programs cause the functions / operations specified in the flowcharts and / or block diagrams to be performed. The computer programs may be executed entirely on a machine, partially on a machine, or as a standalone software package, partially on a machine and partially on a remote machine, or entirely on a remote machine or server.

[0134] In the context of this invention, a computer-readable storage medium can be a tangible medium that may contain or store a computer program for use by or in conjunction with an instruction execution system, apparatus, or device. A computer-readable storage medium may include, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination thereof. Alternatively, a computer-readable storage medium may be a machine-readable signal medium. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibers, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.

[0135] To provide user interaction, the systems and techniques described herein can be implemented on an office network traffic anomaly processing device, which includes: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user; and a keyboard and pointing device (e.g., a mouse or trackball) through which the user provides input to the office network traffic anomaly processing device. Other types of devices can also be used to provide user interaction; for example, the feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form (including sound input, voice input, or tactile input).

[0136] The systems and technologies described herein can be implemented in computing systems that include backend components (e.g., as data servers), or middleware components (e.g., application servers), or frontend components (e.g., user computers with graphical user interfaces or web browsers through which users can interact with implementations of the systems and technologies described herein), or any combination of such backend, middleware, or frontend components. The components of the system can be interconnected via digital data communication of any form or medium (e.g., communication networks). Examples of communication networks include local area networks (LANs), wide area networks (WANs), blockchain networks, and the Internet.

[0137] A computing system can include clients and servers. Clients and servers are generally geographically separated and typically interact via communication networks. The client-server relationship is created by computer programs running on the respective computers and having a client-server relationship with each other. The server can be a cloud server, also known as a cloud computing server or cloud host, which is a hosting product within the cloud computing service system. It addresses the shortcomings of traditional physical hosts and VPS (Virtual Private Server) services, such as high management difficulty and weak business scalability.

[0138] It should be understood that the various forms of processes shown above can be used, with steps reordered, added, or deleted. For example, the steps described in this invention can be executed in parallel, sequentially, or in different orders, as long as the desired result of the technical solution of this invention can be achieved, and no limitation is imposed herein.

[0139] The specific embodiments described above do not constitute a limitation on the scope of protection of this invention. Those skilled in the art should understand that various modifications, combinations, sub-combinations, and substitutions can be made according to design requirements and other factors. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of this invention should be included within the scope of protection of this invention.

Claims

1. A method for handling abnormal traffic on an office network, characterized in that, The method includes: Based on the server traffic data corresponding to at least one network server in the target office network, determine the traffic backup data corresponding to the target office network; Anomaly detection is performed on the traffic backup data to identify at least one abnormal information; The aforementioned abnormal information is fused according to information fusion rules to obtain at least one alarm event; For each alarm event, event processing information is obtained based on the alarm event and traffic backup data; Based on the event handling information, perform anomaly handling on the corresponding network server in the target office network.

2. The method according to claim 1, characterized in that, The step of performing anomaly detection on the traffic backup data and identifying at least one anomaly includes: Anomaly detection is performed on the traffic backup data to determine at least one anomaly type and the type information of each anomaly type; For each of the aforementioned anomaly types, the type information of the anomaly type is matched with the type information of the base type corresponding to the anomaly type to obtain a similarity matching result; Based on the similarity matching results corresponding to each of the aforementioned anomaly types, at least one anomaly information is determined.

3. The method according to claim 1, characterized in that, The step of fusing the various abnormal information according to information fusion rules to obtain at least one alarm event includes: Each of the aforementioned abnormal information is filtered according to the filtering rules to obtain at least one piece of information to be fused; Get at least one basic attribute and at least one additional attribute; Based on the attribute values ​​of each basic attribute and each additional attribute in each of the information to be merged, the information to be merged is classified to obtain at least one alarm set; For each alarm set, the total number of information corresponding to the alarm set is compared with a preset total threshold to obtain a threshold comparison result; Based on the threshold comparison results corresponding to each alarm set, at least one alarm event is determined.

4. The method according to claim 1, characterized in that, The process of identifying event handling information based on the alarm events and traffic backup data includes: The model input template corresponding to the alarm event is obtained by searching for the alarm event; The alarm events, the traffic backup data, and the model input template are fused to obtain fused information; The fused information is input into the anomaly detection model to obtain event processing information.

5. The method according to claim 4, characterized in that, The step of inputting the fused information into the anomaly detection model to obtain event processing information includes: The abnormal information in the fused information is sorted by time to obtain an information time series; Feature extraction is performed on the information time series to obtain the load feature chain; The payload feature chain is matched with at least one attack chain to determine the target chain; Based on the target chain, event handling information is generated.

6. The method according to claim 5, characterized in that, The step of generating event processing information based on the target chain includes: The event type corresponding to the target chain is obtained based on the target chain identification; Based on the event type, the corresponding processing suggestion template is retrieved. The processing suggestion template is populated with the exception information corresponding to the event type to obtain the processing method information; Event processing information is generated based on the event type, the processing method information, and the exception information corresponding to the event type.

7. The method according to claim 1, characterized in that, After performing anomaly handling on the corresponding network server in the target office network based on the event handling information, the method further includes: Obtain the regional map corresponding to the target office network; The first layer information is determined based on the location of each alarm event and the area map. The second layer information is determined based on the number of events corresponding to each alarm event and the area map. The third layer information is determined based on the event handling information corresponding to each alarm event and the area map. Based on the information in the first layer, the second layer, and the third layer, the visualization information of the office network is determined.

8. A device for handling abnormal traffic on an office network, characterized in that, The device includes: The data determination module is used to determine the traffic backup data corresponding to the target office network based on the server traffic data corresponding to at least one network server in the target office network; The data detection module is used to perform anomaly detection on the traffic backup data and identify at least one abnormal information. The data fusion module is used to fuse the various abnormal information according to information fusion rules to obtain at least one alarm event; The data identification module is used to identify event processing information based on the alarm event and traffic backup data for each alarm event. An exception handling module is used to perform exception handling on the corresponding network server in the target office network based on the event handling information.

9. An office network traffic anomaly handling device, characterized in that, The office network traffic anomaly handling equipment includes: At least one processor; and A memory communicatively connected to the at least one processor; wherein, The memory stores a computer program that can be executed by the at least one processor, the computer program being executed by the at least one processor to enable the at least one processor to perform the office network traffic anomaly handling method according to any one of claims 1-7.

10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer instructions that are used to cause a processor to execute the office network traffic anomaly handling method according to any one of claims 1-7.