Training method of alarm recognition model, alarm recognition method and device

Document No.: 97734 Publication date: 2021-10-12

Reading note: this technology, "Training method of alarm recognition model, alarm recognition method and device", was designed by 郭旭, 田峰, 罗原, 杜光耀, 谷彦章 and 曲大林 on 2020-04-03. Main content: The invention discloses a training method of an alarm recognition model, an alarm recognition method and an alarm recognition device. The method specifically comprises: obtaining a plurality of alarm data samples; preprocessing each alarm data sample respectively to obtain a training sample corresponding to each alarm data sample, wherein each training sample comprises a plurality of sample alarm information and an alarm category of each sample alarm information; constructing, according to the plurality of sample alarm information, a label feature matrix of the sample alarm information and an adjacency matrix corresponding to the association relationships among the plurality of sample alarm information; and taking the label feature matrix and the adjacency matrix of the sample alarm information as the input of the alarm recognition model and the alarm category as the output of the alarm recognition model, performing iterative training on the alarm recognition model to be trained to obtain the target alarm recognition model. According to the embodiment of the invention, the accuracy of identifying alarm information can be improved, so that the difficulty and the workload of operation and maintenance personnel are reduced.

1. A training method of an alarm recognition model is characterized by comprising the following steps:

obtaining a plurality of alarm data samples;

respectively preprocessing each alarm data sample to obtain a training sample corresponding to each alarm data sample, wherein each training sample comprises a plurality of sample alarm messages and an alarm category of each sample alarm message, the sample alarm messages comprise first alarm characteristic messages and second alarm characteristic messages, the first alarm characteristic messages are alarm basic characteristic messages, and the second alarm characteristic messages are information matching characteristic messages obtained after information matching;

constructing a label characteristic matrix of the sample alarm information and an adjacency matrix corresponding to the incidence relation between at least two sample alarm information according to the plurality of sample alarm information;

and performing iterative training on the alarm recognition model to be trained by taking the label characteristic matrix and the adjacency matrix of the sample alarm information as the input of the alarm recognition model and taking the alarm category as the output of the alarm recognition model to obtain a target alarm recognition model.

2. A method of alarm recognition, comprising:

acquiring a plurality of alarm data;

preprocessing each alarm data respectively to obtain alarm information corresponding to each alarm data, wherein the alarm information comprises first alarm characteristic information and second alarm characteristic information, the first alarm characteristic information is alarm basic characteristic information, and the second alarm characteristic information is information matching characteristic information obtained after information matching;

constructing a label characteristic matrix corresponding to each alarm information and an adjacency matrix corresponding to the incidence relation information between at least two alarm information according to the plurality of alarm information;

inputting the label characteristic matrix and the adjacency matrix into a target alarm identification model to obtain an alarm category corresponding to alarm data; the target alarm recognition model is a model obtained by training by using the alarm recognition model training method of claim 1.

3. The method according to claim 2, wherein the preprocessing each of the alarm data to obtain the alarm information corresponding to each of the alarm data comprises:

respectively extracting the characteristics of each alarm data to obtain first alarm characteristic information corresponding to each alarm data;

and respectively matching each alarm data with information of a preset threat information library to obtain second alarm characteristic information corresponding to each alarm data.

4. The method according to claim 3, wherein the performing feature extraction on each alarm data to obtain first alarm feature information corresponding to each alarm data respectively comprises:

respectively extracting the features of the basic information of each alarm data to obtain first feature information of the first alarm feature information;

and respectively calculating the time characteristic information of each alarm data by using a time series analysis algorithm to obtain second characteristic information of the first alarm characteristic information.

5. The method of claim 3, wherein the second alarm characteristic information comprises one or more of any of:

Internet Protocol (IP) reputation information, IP-associated sample information, and IP-associated domain name information.

6. The method according to claim 4, wherein the time characteristic information includes first time characteristic information and second time characteristic information, the first time characteristic information is single-day time characteristic information, and the second time characteristic information is time characteristic information in a preset time period;

the calculating the time characteristic information of each alarm data by using a time series analysis algorithm to obtain the second characteristic information of the first alarm characteristic information comprises the following steps:

calculating the first time characteristic information of each alarm data by using a time series analysis algorithm to obtain second characteristic information corresponding to the first time characteristic information;

calculating the second time characteristic information of each alarm data by using a time series analysis algorithm to obtain second characteristic information corresponding to the second time characteristic information;

and combining second characteristic information corresponding to the first time characteristic information and second characteristic information corresponding to the second time characteristic information to obtain second characteristic information of the first alarm characteristic information.

7. The method according to claim 6, wherein the calculating the first time characteristic information of each alarm data by using a time series analysis algorithm to obtain second characteristic information corresponding to the first time characteristic information comprises:

and respectively calculating the first time characteristic information of each alarm data by using a least square method to obtain second characteristic information corresponding to the first time characteristic information.

8. The method according to claim 6, wherein the calculating the second time characteristic information of each alarm data by using a time series analysis algorithm to obtain the second characteristic information corresponding to the second time characteristic information comprises:

selecting first single-day characteristic information corresponding to the minimum value of the single-day alarm times in the alarm data within a preset time period;

carrying out mean value calculation on the first single-day characteristic information to obtain a time mean value;

matching second single-day characteristic information in the preset time period with the time mean value to obtain a time point meeting a preset matching condition, wherein the second single-day characteristic information is single-day characteristic information corresponding to each single day except the single day corresponding to the first single-day characteristic information;

and calculating the time points meeting the preset conditions by using a least square method to obtain second characteristic information corresponding to the second time characteristic information.

9. The method according to claim 2, wherein the constructing, according to the plurality of alarm information, a label feature matrix corresponding to each alarm information and an adjacency matrix corresponding to corresponding incidence relation information between at least two alarm information comprises:

according to first alarm characteristic information and second alarm characteristic information of a plurality of alarm information, constructing a label characteristic matrix corresponding to each alarm information;

constructing corresponding incidence relation information between at least two pieces of alarm information according to the IP control relation information of the plurality of pieces of alarm information;

and determining the corresponding adjacency matrix according to the incidence relation information.

10. The method of any of claims 1 to 9, wherein the alarm recognition model comprises a graph convolutional neural network model.

11. An apparatus for training an alarm recognition model, the apparatus comprising:

the acquisition module is used for acquiring a plurality of alarm data samples;

the preprocessing module is used for preprocessing a plurality of sample alarm data to obtain a training sample, wherein the training sample comprises a plurality of sample alarm information and the alarm category of each sample alarm information, the sample alarm information comprises first alarm characteristic information and second alarm characteristic information, the first alarm characteristic information is alarm basic characteristic information, and the second alarm characteristic information is information matching characteristic information obtained after information matching is carried out;

the construction module is used for constructing a label characteristic matrix of the sample alarm information and an adjacency matrix corresponding to the incidence relation between at least two sample alarm information according to the plurality of sample alarm information;

and the training module is used for taking the label characteristic matrix and the adjacency matrix of the sample alarm information as the input of an alarm identification model, taking the alarm category as the output of the alarm identification model, and performing iterative training on the alarm identification model to be trained to obtain a target alarm identification model.

12. An apparatus for alarm recognition, the apparatus comprising:

the acquisition module is used for acquiring a plurality of alarm data;

the preprocessing module is used for respectively preprocessing each alarm data to obtain alarm information corresponding to each alarm data, wherein the alarm information comprises first alarm characteristic information and second alarm characteristic information, the first alarm characteristic information is alarm basic characteristic information, and the second alarm characteristic information is information matching characteristic information obtained after information matching;

the construction module is used for constructing a label characteristic matrix corresponding to each alarm information and an adjacency matrix corresponding to the incidence relation information between at least two alarm information according to the plurality of alarm information;

the identification module is used for inputting the label characteristic matrix and the adjacency matrix into a target alarm identification model to obtain an alarm category corresponding to the alarm data; the target alarm recognition model is a model obtained by training by using the alarm recognition model training method of claim 1.

13. Training device for an alarm recognition model, characterized in that it comprises: a processor and a memory storing computer program instructions;

the processor, when executing the computer program instructions, implements a method of training an alert recognition model as recited in claim 1.

14. An apparatus for alarm recognition, the apparatus comprising: a processor and a memory storing computer program instructions;

the processor, when executing the computer program instructions, implements a method of alert identification as claimed in any of claims 2 to 10.

15. A computer storage medium, characterized in that the computer storage medium has stored thereon computer program instructions which, when executed by a processor, implement the method of training an alarm recognition model according to claim 1 and/or the method of alarm recognition according to any one of claims 2 to 10.

Technical Field

The invention belongs to the technical field of computers, and particularly relates to a training method of an alarm recognition model, an alarm recognition method, an alarm recognition device, equipment and a computer storage medium.

Background

Many network security monitoring systems in everyday use, such as botnet, Trojan and worm monitoring and handling systems, intrusion detection systems, and intrusion prevention systems, raise an alarm when a monitored asset device is abnormal. However, the amount of alarm data sent by these systems is huge, and some alarms are false alarms, so the alarm information sent by the systems needs to be further analyzed and identified to obtain more effective and accurate alarm information.

At present, when an alarm identification model is used to identify alarm information, the alarm information considered in the analysis is generally not comprehensive enough, so that the accuracy of the existing alarm identification model for identifying the alarm information is not high, abnormal asset equipment cannot be accurately located, and the difficulty and workload of operation and maintenance personnel for troubleshooting of the problem equipment are increased.

Therefore, how to improve the identification accuracy of the alarm identification model and accurately position the asset equipment with the abnormal condition is an urgent problem to be solved.

Disclosure of Invention

The embodiment of the invention provides a training method of an alarm identification model, an alarm identification method, an alarm identification device, equipment and a computer storage medium, which can improve the accuracy of alarm information identification, further accurately position abnormal asset equipment and reduce the difficulty and workload of troubleshooting work of operation and maintenance personnel on problem equipment.

In a first aspect, an embodiment of the present invention provides a method for training an alarm recognition model, where the method includes:

obtaining a plurality of alarm data samples;

respectively preprocessing each alarm data sample to obtain a training sample corresponding to each alarm data sample, wherein each training sample comprises a plurality of sample alarm messages and an alarm category of each sample alarm message, the sample alarm messages comprise first alarm characteristic messages and second alarm characteristic messages, the first alarm characteristic messages are alarm basic characteristic messages, and the second alarm characteristic messages are information matching characteristic messages obtained after information matching;

constructing a label characteristic matrix of the sample alarm information and an adjacency matrix corresponding to the incidence relation between at least two sample alarm information according to the plurality of sample alarm information;

and performing iterative training on the alarm recognition model to be trained by taking the label characteristic matrix and the adjacency matrix of the sample alarm information as the input of the alarm recognition model and taking the alarm category as the output of the alarm recognition model to obtain a target alarm recognition model.

In a second aspect, an embodiment of the present invention provides an alarm identification method, where the method includes:

acquiring a plurality of alarm data;

preprocessing each alarm data respectively to obtain alarm information corresponding to each alarm data, wherein the alarm information comprises first alarm characteristic information and second alarm characteristic information, the first alarm characteristic information is alarm basic characteristic information, and the second alarm characteristic information is information matching characteristic information obtained after information matching;

constructing a label characteristic matrix corresponding to each alarm information and an adjacency matrix corresponding to the incidence relation information between at least two alarm information according to the plurality of alarm information;

inputting the label characteristic matrix and the adjacency matrix into a target alarm identification model to obtain an alarm category corresponding to alarm data; the target alarm recognition model is a model obtained by training by using the alarm recognition model training method of claim 1.

Optionally, the respectively preprocessing each alarm data to obtain alarm information corresponding to each alarm data includes:

respectively extracting the characteristics of each alarm data to obtain first alarm characteristic information corresponding to each alarm data;

and respectively matching each alarm data with information of a preset threat information library to obtain second alarm characteristic information corresponding to each alarm data.

Optionally, respectively performing feature extraction on each alarm data to obtain first alarm feature information corresponding to each alarm data, including:

respectively extracting the features of the basic information of each alarm data to obtain first feature information of the first alarm feature information;

and respectively calculating the time characteristic information of each alarm data by using a time series analysis algorithm to obtain second characteristic information of the first alarm characteristic information.

Optionally, the second alarm characteristic information includes one or more of any of the following:

Internet Protocol (IP) reputation information, IP-associated sample information, and IP-associated domain name information.

Optionally, the time characteristic information includes first time characteristic information and second time characteristic information, where the first time characteristic information is single-day time characteristic information, and the second time characteristic information is time characteristic information within a preset time period;

the calculating the time characteristic information of each alarm data by using a time series analysis algorithm to obtain the second characteristic information of the first alarm characteristic information comprises the following steps:

calculating the first time characteristic information of each alarm data by using a time series analysis algorithm to obtain second characteristic information corresponding to the first time characteristic information;

calculating the second time characteristic information of each alarm data by using a time series analysis algorithm to obtain second characteristic information corresponding to the second time characteristic information;

and combining second characteristic information corresponding to the first time characteristic information and second characteristic information corresponding to the second time characteristic information to obtain second characteristic information of the first alarm characteristic information.

Optionally, the calculating the first time characteristic information of each alarm data by using a time series analysis algorithm to obtain second characteristic information corresponding to the first time characteristic information includes:

and respectively calculating the first time characteristic information of each alarm data by using a least square method to obtain second characteristic information corresponding to the first time characteristic information.

Optionally, the calculating the second time characteristic information of each alarm data by using a time series analysis algorithm to obtain second characteristic information corresponding to the second time characteristic information includes:

selecting first single-day characteristic information corresponding to the minimum value of the single-day alarm times in the alarm data within a preset time period;

carrying out mean value calculation on the first single-day characteristic information to obtain a time mean value;

matching second single-day characteristic information in the preset time period with the time mean value to obtain a time point meeting a preset matching condition, wherein the second single-day characteristic information is single-day characteristic information corresponding to each single day except the single day corresponding to the first single-day characteristic information;

and calculating the time points meeting the preset conditions by using a least square method to obtain second characteristic information corresponding to the second time characteristic information.

Optionally, the constructing, according to the plurality of alarm information, a label feature matrix corresponding to each alarm information and an adjacency matrix corresponding to association relationship information between at least two pieces of alarm information includes:

according to first alarm characteristic information and second alarm characteristic information of a plurality of alarm information, constructing a label characteristic matrix corresponding to each alarm information;

constructing corresponding incidence relation information between at least two pieces of alarm information according to the IP control relation information of the plurality of pieces of alarm information;

and determining the corresponding adjacency matrix according to the incidence relation information.

Optionally, the alert identification model comprises a graph convolutional neural network model.
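The construction steps above (label feature matrix from the first and second alarm characteristic information, adjacency matrix from IP control relationships, both fed to a graph convolutional network) can be sketched as follows. This is an added example, not code from the patent; the field names `controller`/`controlled`, the linking rule, the threat-intelligence entries, the untrained weights and the Kipf-Welling propagation rule are all assumptions made for illustration.

```python
import math

# Constructed threat-intelligence library (documentation-range IPs):
# IP -> (reputation 0..1, associated malware samples, associated domains).
THREAT_INTEL = {"203.0.113.10": (0.9, 12, 4), "198.51.100.7": (0.2, 0, 1)}

# Constructed alarms. "controller"/"controlled" are hypothetical field names
# standing in for the IP control relationship the text refers to.
ALARMS = [
    {"time": "02:15:00", "count": 40, "controller": "203.0.113.10", "controlled": "10.0.0.5"},
    {"time": "02:45:00", "count": 35, "controller": "203.0.113.10", "controlled": "10.0.0.8"},
    {"time": "14:00:00", "count": 3, "controller": "10.0.0.5", "controlled": "10.0.0.9"},
    {"time": "09:30:00", "count": 1, "controller": "198.51.100.7", "controlled": "10.0.0.20"},
]

# Constructed, untrained weights (5 features -> 3 hidden -> 2 classes).
W1 = [[0.5, -0.2, 0.1], [0.3, 0.4, -0.1], [0.8, 0.1, 0.2],
      [0.2, 0.3, 0.1], [0.1, -0.3, 0.4]]
W2 = [[0.6, -0.4], [-0.2, 0.5], [0.3, 0.1]]


def hour_of_day(hms):
    """Convert a discrete HH:MM:SS alarm time to a continuous value in [0, 24)."""
    h, m, s = (int(p) for p in hms.split(":"))
    if not (0 <= h < 24 and 0 <= m < 60 and 0 <= s < 60):
        raise ValueError("invalid time: %r" % hms)
    return h + m / 60 + s / 3600


def feature_matrix(alarms, intel):
    """One row per alarm: basic features followed by intelligence-match features."""
    rows = []
    for a in alarms:
        # IPs missing from the library contribute neutral (zero) match features.
        rep, samples, domains = intel.get(a["controller"], (0.0, 0, 0))
        rows.append([hour_of_day(a["time"]) / 24.0, math.log1p(a["count"]),
                     rep, math.log1p(samples), math.log1p(domains)])
    return rows


def adjacency_matrix(alarms):
    """Assumed rule: link two alarms that share a controller IP, or where the
    host controlled in one alarm acts as the controller in the other."""
    n = len(alarms)
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            a, b = alarms[i], alarms[j]
            if (a["controller"] == b["controller"]
                    or a["controlled"] == b["controller"]
                    or b["controlled"] == a["controller"]):
                adj[i][j] = adj[j][i] = 1
    return adj


def normalize(adj):
    """Symmetric normalization with self-loops: D^-1/2 (A + I) D^-1/2."""
    n = len(adj)
    a_hat = [[adj[i][j] + (1 if i == j else 0) for j in range(n)] for i in range(n)]
    d = [1.0 / math.sqrt(sum(row)) for row in a_hat]
    return [[d[i] * a_hat[i][j] * d[j] for j in range(n)] for i in range(n)]


def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]


def gcn_layer(a_norm, h, w, relu=True):
    """One graph convolution: each alarm aggregates its neighbours' features."""
    z = matmul(matmul(a_norm, h), w)
    return [[max(0.0, v) for v in row] for row in z] if relu else z


def softmax(row):
    m = max(row)
    exps = [math.exp(v - m) for v in row]
    total = sum(exps)
    return [e / total for e in exps]


def classify(alarms, intel, w1, w2):
    """Two-layer GCN forward pass; returns per-alarm class probabilities."""
    x = feature_matrix(alarms, intel)
    a_norm = normalize(adjacency_matrix(alarms))
    hidden = gcn_layer(a_norm, x, w1)
    return [softmax(r) for r in gcn_layer(a_norm, hidden, w2, relu=False)]


if __name__ == "__main__":
    for alarm, probs in zip(ALARMS, classify(ALARMS, THREAT_INTEL, W1, W2)):
        print(alarm["controller"], "->", alarm["controlled"], [round(p, 3) for p in probs])
```

An alarm with no control relationship to any other (the last constructed record) is scored from its own features only, while linked alarms have their representations mixed with those of their neighbours.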

In a third aspect, an embodiment of the present invention provides a training device for an alarm recognition model, where the training device includes:

the acquisition module is used for acquiring a plurality of alarm data samples;

the preprocessing module is used for preprocessing a plurality of sample alarm data to obtain a training sample, wherein the training sample comprises a plurality of sample alarm information and the alarm category of each sample alarm information, the sample alarm information comprises first alarm characteristic information and second alarm characteristic information, the first alarm characteristic information is alarm basic characteristic information, and the second alarm characteristic information is information matching characteristic information obtained after information matching is carried out;

the construction module is used for constructing a label characteristic matrix of the sample alarm information and an adjacency matrix corresponding to the incidence relation between at least two sample alarm information according to the plurality of sample alarm information;

and the training module is used for taking the label characteristic matrix and the adjacency matrix of the sample alarm information as the input of an alarm identification model, taking the alarm category as the output of the alarm identification model, and performing iterative training on the alarm identification model to be trained to obtain a target alarm identification model.

In a fourth aspect, an embodiment of the present invention provides an apparatus for alarm identification, where the apparatus includes:

the acquisition module is used for acquiring a plurality of alarm data;

the preprocessing module is used for respectively preprocessing each alarm data to obtain alarm information corresponding to each alarm data, wherein the alarm information comprises first alarm characteristic information and second alarm characteristic information, the first alarm characteristic information is alarm basic characteristic information, and the second alarm characteristic information is information matching characteristic information obtained after information matching;

the construction module is used for constructing a label characteristic matrix corresponding to each alarm information and an adjacency matrix corresponding to the incidence relation information between at least two alarm information according to the plurality of alarm information;

the identification module is used for inputting the label characteristic matrix and the adjacency matrix into a target alarm identification model to obtain an alarm category corresponding to the alarm data; the target alarm recognition model is a model obtained by training by using the training method of the alarm recognition model of the first aspect.

In a fifth aspect, an embodiment of the present invention provides a training device for an alarm recognition model, where the training device includes: a processor and a memory storing computer program instructions;

the processor, when executing the computer program instructions, implements a method of training an alert recognition model as described in the first aspect.

In a sixth aspect, an embodiment of the present invention provides an apparatus for alarm identification, where the apparatus includes: a processor and a memory storing computer program instructions;

the processor, when executing the computer program instructions, implements the method of alert identification as described in the second aspect and optional embodiments of the second aspect.

In a seventh aspect, an embodiment of the present invention provides a computer storage medium, on which computer program instructions are stored, and when executed by a processor, the computer program instructions implement the method for training an alarm recognition model according to the first aspect, and/or the method for alarm recognition according to the second aspect and optional embodiments of the second aspect.

The method for training the alarm recognition model, the method for alarm recognition, the device, the equipment and the computer storage medium of the embodiment of the invention train on the sample alarm information and the association relationships among the sample alarm information to obtain the target alarm recognition model. In addition, the sample alarm information not only relates to alarm statistical characteristic information, but also considers information matching characteristic information, and fuses the characteristics of the alarm information and the information matching characteristic information. The training sample of the alarm identification model comprises a plurality of alarm information with different dimensions and the incidence relation between each alarm information, so that the model can comprehensively analyze the alarms in a network environment and identify the alarm information that really involves an infection problem.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments of the present invention will be briefly described below, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.

FIG. 1 is a flow chart illustrating a method for training an alarm recognition model according to an embodiment of the present invention;

FIG. 2 is a flow diagram illustrating a method for alarm identification according to an embodiment of the present invention;

FIG. 3 is a schematic diagram of an alarm information recognition analysis for a botnet, Trojan and worm system according to an embodiment of the present invention;

FIG. 4 is a scene graph of an alarm log recognition model according to an embodiment of the present invention;

FIG. 5 is a schematic diagram of a GCN neural network architecture provided by one embodiment of the present invention;

FIG. 6 is a schematic structural diagram of a training apparatus for an alarm recognition model according to an embodiment of the present invention;

FIG. 7 is a schematic structural diagram of an apparatus for alarm recognition according to an embodiment of the present invention;

FIG. 8 is a diagram illustrating a hardware structure of a training device of an alarm recognition model according to an embodiment of the present invention;

FIG. 9 is a schematic diagram of a hardware structure of an alarm identification device according to an embodiment of the present invention.

Detailed Description

Features and exemplary embodiments of various aspects of the present invention will be described in detail below, and in order to make objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not to be construed as limiting the invention. It will be apparent to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present invention by illustrating examples of the present invention.

It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

At present, network security monitoring systems such as botnet, Trojan and worm monitoring and handling systems, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Web Application level Intrusion Prevention systems (WAF) are mainly used for monitoring network devices or network transmissions and giving an alarm when suspicious transmission behaviors are found.

Generally, although the network security monitoring system can raise an alarm for an infected host, the false alarm rate is high, and the alarm information sent by the system needs to be further analyzed and identified to obtain more effective and accurate alarm information. However, the existing alarm identification model has low accuracy in identifying alarm information, and cannot accurately locate asset equipment with abnormal conditions.

In order to solve the problem of the prior art, the method for training an alarm recognition model, the method, the device, the equipment and the computer storage medium for alarm recognition provided in the embodiments of the present invention may train the alarm recognition model by combining the sample alarm information and the association relationships among the sample alarm information. The training sample of the alarm identification model comprises a plurality of alarm information with different dimensions and the incidence relation between each alarm information, wherein the alarm information comprises alarm basic statistical characteristic information and information matching characteristic information, and the alarm information basic characteristic and the information matching characteristic information are fused. Therefore, the model can comprehensively analyze the alarms in the network environment and accurately identify the alarm information with infection problems, so that the accuracy of alarm information identification can be improved and the abnormal asset equipment can be accurately located. Based on more accurate alarm information, the range of abnormal equipment needing troubleshooting can be reduced, and the difficulty and the workload of operation and maintenance personnel in troubleshooting the problem equipment are reduced.

The following describes a training method of an alarm recognition model, an alarm recognition method, an alarm recognition device, equipment and a computer storage medium according to embodiments of the present invention with reference to the accompanying drawings. It should be noted that these examples are not intended to limit the scope of the present disclosure.

First, a method for training an alarm recognition model according to an embodiment of the present invention is described below.

In the embodiment of the present invention, as shown in fig. 1, fig. 1 is a schematic flow chart of a training method of an alarm recognition model according to an embodiment of the present invention. The training method of the alarm recognition model is specifically implemented as the following steps:

S101: A plurality of alarm data samples are obtained.

In particular, the alarm data samples may include alarm log data obtained from a corresponding network security monitoring system.

Here, the acquired alarm log data may be subjected to data cleaning first. Redundant fields in the alarm log data can be deleted, so that the analysis and identification efficiency of the alarm log is improved. Specifically, the redundant field may include a field unrelated to the identification of the alarm information, or a repeated field, or the like.

Specifically, for the alarm time in the alarm log data, the discrete time format may also be converted into a continuous numerical value from 0 to 24, so as to perform a feature extraction operation based on the alarm time, thereby improving the efficiency of analysis and identification of the alarm log. The specific conversion method may include, but is not limited to, an existing discrete data conversion rule that can be implemented, and is not described herein again.

S102: Each alarm data sample is preprocessed separately to obtain a training sample corresponding to each alarm data sample.

Specifically, the training sample may include a plurality of sample alarm information and an alarm category for each sample alarm information. The sample alarm information may include first alarm characteristic information and second alarm characteristic information.

Here, the first alarm characteristic information may be alarm basic characteristic information, and specifically, each alarm data may be subjected to characteristic extraction, so as to obtain first alarm characteristic information corresponding to each alarm data. The alarm basic characteristic information may include one or more of characteristic information such as alarm times, the number of corresponding controlled IPs, the number of corresponding control IPs, the alarm times of controlled IPs, IP single-day regression errors, IP historical lateral regression errors, and IP alarm interval variances. It is to be understood that the first alarm characteristic information may be basic statistical characteristic information of the alarm.

Specifically, the second alarm characteristic information is intelligence matching characteristic information obtained after threat intelligence matching. Each alarm data may be matched against the intelligence in a preset threat intelligence library to obtain the second alarm characteristic information corresponding to that alarm data.

In particular, threat intelligence is evidence-based knowledge of existing or potential threats faced by an IT or information asset, including situations, mechanisms, indicators, inferences, and actionable suggestions, which can provide a basis for decisions on threat response. Divided by the type of data, threat intelligence may include hash values, IP addresses, domain names, network or host characteristics, etc. The preset threat intelligence library may be a specialized database constructed based on threat intelligence. The user can build a threat intelligence library from the user's own working data, or can directly use any of the existing open-source threat intelligence libraries.

Specifically, the second alarm characteristic information may include one or more of IP reputation information, IP association sample information, and IP association domain name information, etc.

Specifically, the alarm category of the sample alarm information may be the network security problem category corresponding to the sample alarm information, such as host compromise. A compromised host may be represented by the label 1, and a host that is not compromised may be represented by the label 0.

S103: According to the plurality of sample alarm information, a label feature matrix of the sample alarm information and an adjacency matrix corresponding to the association relationships among the plurality of sample alarm information are constructed.

Specifically, for the plurality of sample alarm information in a training sample set, on one hand, feature learning is performed on the sample alarm information itself, and a label feature matrix corresponding to the alarm information can be constructed; on the other hand, feature learning is performed on the association relationships among the sample alarm information, and a corresponding adjacency matrix can be constructed.

S104: The label feature matrix and the adjacency matrix of the sample alarm information are taken as the input of the alarm recognition model, the alarm category is taken as the output of the alarm recognition model, and the alarm recognition model to be trained is trained iteratively to obtain the target alarm recognition model.

Here, based on the label feature matrix and the adjacency matrix of the sample alarm information and the alarm category of each sample alarm information, an alarm identification model may be constructed so that it can output the alarm category of any alarm information given the label feature matrix and the corresponding adjacency matrix of that input alarm information.

Specifically, the target alarm recognition model is a model that can perform deep learning on the feature information of nodes and on the structural relationship information between nodes, and may include, but is not limited to, a Graph Convolutional Network (GCN) model.

In summary, in the embodiment of the present invention, the method for training the alarm recognition model can train the target alarm recognition model by using the sample alarm information and the association relationships between the sample alarm information as training samples. The alarm information used as a training sample has not only alarm basic characteristic information but also intelligence matching characteristic information. The alarm characteristic information of multiple dimensions and the structural relationships between alarms are therefore both considered when the model is trained, and the characteristic information of alarms that reflect a host infection problem is learned more accurately, so that the model can comprehensively and accurately identify and analyze the alarms in the network environment and identify those that reflect a host infection problem. On this basis, the accuracy of alarm information identification can be improved, abnormal asset equipment can be accurately located, and the difficulty and workload of operation and maintenance personnel in troubleshooting problem equipment are reduced.

The following describes the method for alarm identification provided by the embodiment of the present invention in detail.

Fig. 2 is a flowchart illustrating a method for alarm identification according to an embodiment of the present invention. As shown in fig. 2, in the embodiment of the present invention, the method for identifying an alarm may include the following steps:

S201: A plurality of alarm data are acquired.

Specifically, the alarm data is alarm data to be identified. The alarm data may include alarm log data obtained from a network security monitoring system.

Specifically, the acquired multiple alarm data can be subjected to data cleaning, redundant fields in the alarm log data are deleted, and discrete alarm time in the alarm data is subjected to continuous processing, so that the efficiency of analyzing and identifying the alarm log is improved.

S202: Each alarm data is preprocessed separately to obtain the alarm information corresponding to each alarm data.

Here, the alarm information includes first alarm characteristic information and second alarm characteristic information. The first alarm characteristic information is alarm basic characteristic information, and the second alarm characteristic information is intelligence matching characteristic information obtained after threat intelligence matching. Preprocessing the alarm data may include feature extraction from the alarm data and threat intelligence matching of the alarm data.

Specifically, the first alarm characteristic information corresponding to each alarm data may be obtained by respectively performing characteristic extraction on each alarm data. The first alarm characteristic information may be basic statistical characteristic information of the alarm.

Here, the first alarm characteristic information may include first characteristic information and second characteristic information.

Specifically, the first feature information may be obtained by respectively performing feature extraction on the basic information of each alarm data. Here, the basic information of the alarm data may include alarm data-related field information for statistical analysis.

Specifically, the first characteristic information may include one or more of characteristic information such as the number of alarms, the number of corresponding controlled IPs, the number of alarms of a controlled IP, and an IP alarm interval variance.

Specifically, the time characteristic information of each alarm data is calculated by using a time series analysis algorithm to obtain second characteristic information.

Here, the time characteristic information may be obtained by performing a continuous process on the alarm time in the alarm data.

Specifically, the time characteristic information may include first time characteristic information and second time characteristic information. The first time characteristic information may be single-day time characteristic information, and the second time characteristic information may be time characteristic information within a preset time period, that is, time characteristic information of historical data.

Specifically, by using a time series analysis algorithm, the first time characteristic information of each alarm data is calculated, and the second characteristic information corresponding to the first time characteristic information can be obtained. Optionally, a regression calculation using the least squares method is performed on the first time characteristic information to obtain the corresponding second characteristic information, that is, the IP single-day regression error $E_d$ of the alarm data.

Specifically, the second time characteristic information of each alarm data is calculated by using a time series analysis algorithm, so that second characteristic information corresponding to the second time characteristic information can be obtained.

Specifically, the second time characteristic information may be time characteristic information within a preset time period. First, the first single-day characteristic information, corresponding to the day with the minimum number of single-day alarms in the alarm data within the preset time period, may be selected. The first single-day characteristic information may be a time value after continuous processing, and may be a plurality of time values. The number of single-day alarms in the alarm data may be the number of single-day alarms corresponding to any host.

Second, the mean of the first single-day characteristic information is calculated to obtain a time mean value.

Third, the second single-day characteristic information within the preset time period is matched against the time mean value to obtain the time points that meet the preset matching condition.

Here, the second single-day characteristic information is the single-day characteristic information of every day other than the day corresponding to the first single-day characteristic information. It can be understood as the single-day characteristic information of the dates in the preset time period other than the date with the fewest alarms. The second single-day characteristic information is matched against the time mean value, and the time points meeting the preset matching condition are determined. The preset matching condition may be that the time point in the second single-day characteristic information is equal or close to the time mean value. The time points meeting the preset matching condition are selected.

Then, a least squares calculation may be performed on the time points that meet the preset matching condition to obtain the second characteristic information corresponding to the second time characteristic information, namely the IP historical transverse regression error $E_t$ of the alarm data.

Through the operation, the second characteristic information corresponding to the first time characteristic information and the second characteristic information corresponding to the second time characteristic information can be obtained respectively. And combining the second characteristic information corresponding to the first time characteristic information and the second characteristic information corresponding to the second time characteristic information to obtain the second characteristic information of the first alarm characteristic information, namely the total second characteristic information.

Specifically, the second alarm characteristic information is intelligence matching characteristic information obtained after threat intelligence matching. Each alarm data may be matched against the intelligence in a preset threat intelligence library to obtain the second alarm characteristic information corresponding to that alarm data. The intelligence in the preset threat intelligence library is existing intelligence about threats to network security. Matching the alarm data against the threat intelligence in the library adds analysis dimensions to the alarm data and helps identify whether an alarm really reflects a network security problem.

Specifically, the preset threat intelligence library may be a specialized database constructed based on threat intelligence. Threat intelligence may include hash values, IP addresses, domain names, network or host characteristics, etc. It can be understood that the user can build a threat intelligence library from the threat data accumulated in actual work, or can directly use any of the existing open-source threat intelligence libraries, which are not described herein again.

Therefore, by executing the operation, the characteristic information of multiple dimensions of the alarm data can be obtained, wherein the characteristic information comprises the basic characteristic information of the alarm data and the characteristic information matched with the threat intelligence. The identification analysis is carried out based on the richer dimension of the alarm data, so that the correct alarm probability can be increased, most of the false alarms can be screened out, and the false alarm rate of the alarms can be reduced.

S203: According to the plurality of alarm information, a label feature matrix corresponding to each alarm information and an adjacency matrix corresponding to the association relationship information between at least two alarm information are constructed.

Here, the association relationship information between at least two alarm information is constructed according to the IP control relationship information of the plurality of alarm information. Specifically, an association relationship may exist between different alarm information, such as the IP control relationship: the IP of some alarm information is a control IP, and the IP of other alarm information is a controlled IP. An IP structural relationship graph of the alarm information can therefore be constructed from the IP control relationship information to determine the association relationship information between at least two alarm information, and feature learning is performed on this association relationship information to determine the corresponding adjacency matrix.

In addition, a label feature matrix corresponding to each alarm information is constructed according to the first alarm characteristic information and the second alarm characteristic information of the plurality of alarm information. Specifically, feature learning may be performed on the plurality of alarm information to obtain the label feature matrix corresponding to each alarm information.

S204: The label feature matrix and the adjacency matrix are input into the target alarm identification model to obtain the alarm category corresponding to the alarm data.

Specifically, the target alarm recognition model is a model obtained by training using the training method of the alarm recognition model described in the above embodiment. The multiple alarm information and the corresponding incidence relation information between at least two alarm information are input into the alarm identification model, and an alarm identification result, namely an alarm category corresponding to the alarm data can be obtained.

It will be appreciated that the alarm recognition model may be a graph convolutional neural network model.

In particular, a graph convolutional neural network is an algorithm that can perform deep learning on graph data. In practical applications, many kinds of data do not have a regular spatial structure, such as the graphs abstracted from recommendation systems, electronic transaction systems, computational geometry, brain signals, molecular structures, and the like. The connections of each node in these graph structures differ: some nodes have three connections and some have two, so the graph structures are irregular data structures. A method capable of deep learning on graph data, namely the graph convolutional neural network, was therefore developed. It is understood that a graph is a data format that can be used to represent a social network, a communication network, a protein molecular network, etc. In general, nodes in the graph represent individuals in the network and edges in the graph represent the connection relationships between those individuals. Graph data can therefore be considered to have two characteristics: each node has its own feature information, and each node in the graph also has structural information. The GCN model can perform node classification or edge prediction based on the node feature information and node structure information in the input graph data. In the embodiment of the invention, the GCN model combines the association relationships among the alarm information (the node structure information) with the alarm characteristic information of each alarm information (the node feature information), so that the alarm category of each alarm information can be determined.

In summary, in the embodiments of the present invention, the method for identifying an alarm can accurately identify an alarm that really has network security problems such as host infection and the like based on alarm feature information of multiple dimensions of the alarm information and a structural relationship between the alarm information, can implement a relatively comprehensive and accurate identification analysis on the alarm in a network environment, and can improve the accuracy of identifying the alarm information.

Moreover, with this alarm identification method, most false alarms can be screened out and the correct alarms can be accurately identified, so that network asset equipment such as a compromised host can be accurately located, the number of asset devices that need to be checked for anomalies can be reduced, and the difficulty and workload of operation and maintenance personnel in checking problem equipment are reduced.

In order to better understand the method of the present invention, the method for identifying the alarm information will be described in detail with reference to the application example.

Optionally, in some embodiments of the present invention, taking a botnet, trojan and worm monitoring and handling system as an example, in this practical application scenario the alarms that reflect a network security problem such as host infection may be analyzed more accurately in the following manner, so as to implement alarm identification.

Specifically, a botnet, trojan and worm monitoring and handling system (hereinafter referred to as the botnet/trojan/worm system) is a security device for monitoring abnormal host behavior. It collects all data in the host network by traffic mirroring, performs security detection and analysis on the data, finds malicious files transmitted in the host network and existing abnormal events, and raises alarms promptly. However, the botnet/trojan/worm system suffers from a large alarm volume, a high false alarm rate and few dimensions of alarm content. This greatly increases the workload of operation and maintenance personnel, makes asset inspection difficult to carry out, and means the threat from infected assets cannot be removed in time.

In the implementation of the present invention, as shown in fig. 3, fig. 3 is a schematic diagram of alarm information identification and analysis for a botnet/trojan/worm system according to an embodiment of the present invention. With this alarm information identification and analysis method, the alarms of compromised hosts can be identified in a large amount of alarm log data.

First, data processing is performed on the alarm log generated by the botnet/trojan/worm system. The data processing may include deleting redundant fields in the alarm log, converting the alarm time to continuous values, and the like.

Specifically, the alarm time per day is continuously processed, and the discrete time format is converted into a continuous numerical value from 0 to 24, and the format conversion can be performed through the following formula:

where $T_{hour}$ is the current hour, $T_{min}$ is the current minute, $T_s$ is the current second, and $T_c$ is the converted time value.

Next, the processed data may be subjected to operations of feature extraction and intelligence matching fusion.

In particular, in one aspect, feature mining is performed based on alarm data. Firstly, extracting the basic characteristics of the alarm data through characteristic mining.

On the other hand, the time information of the alarm log data is analyzed by a time series linear regression method. Specifically, the method can comprise the steps of longitudinally analyzing single-day data of the alarm data and transversely analyzing historical data.

Specifically, the longitudinal analysis of the single-day data can be realized directly by least squares regression, which outputs a regression error $E_d$.

Specifically, because the same asset, such as a host resource, may have multiple alarms every day, performing a horizontal time series analysis based on historical data requires first performing a certain processing on alarm data, and the specific implementation steps are as follows:

S11, counting the number of alarms of asset i on each day;

S12, selecting the date $d_{min}$ with the fewest alarms for asset i within the time period T, and taking the mean value $t_{avg}$ of its alarm times after continuous processing;

S13, for each of the remaining dates of asset i within the time period T, selecting the alarm time $t_i$ closest to the mean value $t_{avg}$;

S14, performing least squares regression analysis on the selected time points $t_i$ and outputting the error $E_T$.

Here, for example, according to the above S11 to S14, when the selected time period is 7 days, 7 time points $t_i$ may be selected for least squares regression analysis, which outputs $E_T$.
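Steps S11 to S14 can be followed end to end in the sketch below, which is an added example and not code from the patent. It assumes the conversion $T_c$ = hours + minutes/60 + seconds/3600 (the patent's formula is not reproduced on this page), regresses the selected time against the day index, reports the root-mean-square residual as the error, and counts $t_{avg}$ as the point for $d_{min}$ so that a 7-day period yields 7 points; the function names and sample alerts are constructed.

```python
from collections import defaultdict
from datetime import datetime
from math import sqrt


def to_continuous(ts):
    """Map a timestamp to a value in [0, 24).

    Assumed conversion (the patent's own formula is missing from the page):
    hours + minutes/60 + seconds/3600.
    """
    return ts.hour + ts.minute / 60 + ts.second / 3600


def lsq_error(xs, ys):
    """Fit y = a*x + b by ordinary least squares; return the RMS residual."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    a = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx if sxx else 0.0
    b = my - a * mx
    return sqrt(sum((y - (a * x + b)) ** 2 for x, y in zip(xs, ys)) / n)


def horizontal_error(alerts, asset):
    """Steps S11-S14 for one asset; alerts is an iterable of (ip, datetime)."""
    # S11: group the asset's alerts by calendar day (the list length is the count).
    by_day = defaultdict(list)
    for ip, ts in alerts:
        if ip == asset:
            by_day[ts.date()].append(to_continuous(ts))
    if len(by_day) < 3:
        return None  # a line through fewer than 3 points has no meaningful error
    days = sorted(by_day)
    # S12: day with the fewest alerts (earliest day on a tie) and its mean time.
    d_min = min(days, key=lambda d: (len(by_day[d]), d))
    t_avg = sum(by_day[d_min]) / len(by_day[d_min])
    # S13: on every other day, keep the alert time closest to t_avg.
    xs, ys = [], []
    for d in days:
        t_i = t_avg if d == d_min else min(by_day[d], key=lambda t: abs(t - t_avg))
        xs.append((d - days[0]).days)  # day index, so gaps between days are kept
        ys.append(t_i)
    # S14: least squares regression over the selected points.
    return lsq_error(xs, ys)


def _constructed_sample():
    """Constructed 7-day log: one host alerts at 03:00 daily, one at random hours."""
    alerts = []
    noisy_hours = [1, 20, 5, 14, 9, 23, 2]
    for day in range(1, 8):
        alerts.append(("10.0.0.5", datetime(2021, 3, day, 3, 0, 0)))
        if day != 4:  # day 4 has the fewest alerts for 10.0.0.5
            alerts.append(("10.0.0.5", datetime(2021, 3, day, 15, 30, 0)))
        alerts.append(("10.0.0.9", datetime(2021, 3, day, noisy_hours[day - 1], 0, 0)))
    return alerts


SAMPLE_ALERTS = _constructed_sample()

if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.9"):
        print(ip, round(horizontal_error(SAMPLE_ALERTS, ip), 3))
```

Because the encoding runs from 0 to 24, alerts clustered around midnight land at both ends of the scale and produce a large error even when the schedule is regular.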

Specifically, the result of feature mining extraction based on alarm data is shown in table 1 below:

TABLE 1

Specifically, the intelligence matching fusion is to combine the basic information in the alarm log with threat intelligence information in a threat intelligence library to perform intelligence analysis to obtain intelligence matching characteristic information. Here, the intelligence matching analysis can be performed according to the control IP and the controlled IP in the alarm log data, and the intelligence matching characteristic information shown in table 2 is obtained:

TABLE 2

Intelligence matching fusion not only enriches the scene graph of the subsequent GCN model, but also adds new alarm dimensions on top of the original alarm log, which facilitates investigation by the staff.

And then, a scene graph can be constructed by utilizing the alarm information obtained by the analysis. As shown in fig. 4, fig. 4 is a schematic diagram of an alarm log recognition model scene graph according to an embodiment of the present invention.

Specifically, the characteristic information of each alarm IP node in the alarm information may be obtained by the above-mentioned identification and analysis operation.

Specifically, feature extraction is performed on the alarm data to obtain basic feature statistical information and time series analysis information. The basic feature statistics may include: the number of single-day alarms, the number of control IPs, the number of controlled IPs, the number of alarms in a time period T, and the like. The time series analysis may include: the single-day regression error $E_d$, the regression error $E_t$ within the time period T, and the like.

Specifically, IP associated sample information, IP reputation information and IP associated domain name information are obtained through the intelligence matching fusion operation. The IP associated sample information may include: the MD5 value, the total number of associated samples, and the associated sample threat type. The IP reputation information may include: threat type, family, threat level, attack area, etc. The IP associated domain name information may include: domain name, number of associated domain names, threat type of the associated domain name, etc.

Specifically, as shown in fig. 4, the alarm log recognition model scene graph also has a structural relationship between alarm IP nodes. The structural relationship among the IP1, the IP2, the IP3, the IP4 and the IP5 is determined according to the control relationship of the alarm IP.

According to the scene graph of fig. 4, the input of the GCN neural network model can be divided into two types of data sets, namely an alarm characteristic data set and an inter-alarm structural relationship data set, which are specifically shown in the following table 3:

TABLE 3

Next, alarm recognition model training may be performed based on the graph convolutional neural network. Specifically, the input data sets are the processed alarm characteristic information and the structural relationships between alarms. After feature learning, a label matrix corresponding to the alarm characteristic information and an adjacency matrix corresponding to the structural relationships between alarms are obtained by calculation.

Specifically, the label matrix: each node, for example an alarm IP, has its own characteristic information $X_i$, which can be represented by the matrix $X_{(N \times D)}$, where N represents the number of nodes and D represents the number of items of characteristic information of each node.

Specifically, the adjacency matrix: the data set of the graph structure information and the structure relationship graph among the nodes can be represented by a matrix A.

Specifically, the node propagation rule trained by the GCN model is as follows:

Let the central node be i. The terms of the rule are: the feature representation of node i at layer l; $c_{ij}$, the normalization factor (the reciprocal of the node degree); $N_i$, the neighbors of node i (including itself); $R_i$, the type of node i; and the transformation weight parameters for nodes of type $R_i$. The formula can be regarded as an operator of the GCN neural network. When the GCN model training achieves the expected effect, the corresponding parameters are obtained to determine the GCN alarm recognition model. The expected effect can specifically be the recall rate of model prediction, namely the recall rate reaches 90%. The GCN neural network structure can be as shown in fig. 5, and fig. 5 is a schematic diagram of the GCN neural network structure provided by an embodiment of the present invention.
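The two model inputs and one propagation step can be made concrete with the sketch below, an added example that is not the patent's implementation. It assumes control relationships are treated as undirected edges, the degree used for normalization counts the node itself, the weight matrix is chosen by the type of the central node, and the activation is ReLU; the IP topology, feature values and weights are constructed.

```python
def build_adjacency(control_pairs):
    """Build the node list and adjacency matrix A from (control IP, controlled IP) pairs."""
    nodes = sorted({ip for pair in control_pairs for ip in pair})
    index = {ip: k for k, ip in enumerate(nodes)}
    A = [[0] * len(nodes) for _ in nodes]
    for src, dst in control_pairs:
        i, j = index[src], index[dst]
        A[i][j] = A[j][i] = 1  # assumption: the control relation is stored undirected
    return nodes, A


def node_types(control_pairs, nodes):
    """Type R_i of each node: 'control' if it controls any IP, else 'controlled'."""
    controllers = {src for src, _ in control_pairs}
    return ["control" if ip in controllers else "controlled" for ip in nodes]


def gcn_layer(A, X, types, weights):
    """One propagation step over all nodes.

    For node i: average the feature rows of N_i (neighbors plus i itself) using
    the reciprocal of the degree, multiply by the weight matrix for type R_i,
    then apply ReLU (assumed activation).
    """
    n, d_in = len(A), len(X[0])
    out = []
    for i in range(n):
        neigh = [j for j in range(n) if A[i][j] or j == i]
        c = 1.0 / len(neigh)
        agg = [c * sum(X[j][d] for j in neigh) for d in range(d_in)]
        W = weights[types[i]]
        z = [sum(agg[d] * W[d][k] for d in range(d_in)) for k in range(len(W[0]))]
        out.append([max(0.0, v) for v in z])
    return out


# Constructed control relationships between five alarm IPs.
CONTROL_PAIRS = [("IP1", "IP2"), ("IP1", "IP3"), ("IP4", "IP3"), ("IP4", "IP5")]
NODES, A = build_adjacency(CONTROL_PAIRS)
TYPES = node_types(CONTROL_PAIRS, NODES)

# Constructed label feature matrix X (N=5, D=3):
# [single-day alarm count, single-day regression error, reputation hit (0/1)]
X = [
    [4.0, 0.5, 1.0],  # IP1
    [2.0, 0.1, 0.0],  # IP2
    [6.0, 0.3, 0.0],  # IP3
    [8.0, 0.2, 1.0],  # IP4
    [0.0, 0.4, 0.0],  # IP5
]

# Constructed per-type weight matrices (D=3 inputs, 2 outputs); training would learn these.
WEIGHTS = {
    "control": [[0.5, 0.0], [0.0, 1.0], [1.0, -1.0]],
    "controlled": [[0.25, 0.0], [0.0, 2.0], [0.0, -1.0]],
}

H = gcn_layer(A, X, TYPES, WEIGHTS)

if __name__ == "__main__":
    for ip, t, h in zip(NODES, TYPES, H):
        print(ip, t, [round(v, 4) for v in h])
```

After one step, the row for IP2 already mixes in the features of IP1, which is how the control structure influences the classification of each alarm IP.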

Finally, the trained GCN alarm identification model is applied to the alarms to be detected to obtain an alarm identification result, so that the compromised hosts in the alarm log can be determined.

It can be understood that the alarm recognition method and the alarm model training method are suitable not only for analyzing the alarm logs of the botnet/trojan/worm system, but can also be applied to alarm log analysis for other types of network security monitoring systems, such as IDS, IPS, WAF and the like.

In summary, the alarm identification method of the embodiment of the present invention is based on the multi-dimensional alarm characteristic information of the alarm information and the structural relationships between the alarm information, where the multi-dimensional alarm characteristic information comes from alarm log analysis combined with threat intelligence. It can accurately identify the alarms that reflect network security problems such as host infection, can realize comprehensive and accurate identification and analysis of the alarms in the network environment, and improves the accuracy of alarm information identification.

In addition, in the embodiment of the invention, when the alarm is identified and analyzed, the alarm information dimension is enriched by combining the alarm log analysis and threat information so as to improve the identification accuracy of the alarm log.

Moreover, with this alarm identification method, most false alarms can be screened out and the correct alarms can be accurately identified, so that network asset equipment such as a compromised host can be accurately located, the number of asset devices that need to be checked for anomalies can be reduced, and the difficulty and workload of operation and maintenance personnel in checking problem equipment are reduced.

Based on the method for training the alarm recognition model provided by the embodiment, correspondingly, the application also provides a specific implementation mode of the device for training the alarm recognition model. Please see the examples below.

In an embodiment of the present invention, as shown in fig. 6, fig. 6 is a schematic structural diagram of a training device of an alarm recognition model according to another embodiment of the present invention, where the training device of the alarm recognition model specifically includes:

an obtaining module 601, configured to obtain multiple alarm data samples;

a preprocessing module 602, configured to preprocess the sample alarm data to obtain a training sample, where the training sample includes a plurality of sample alarm information and an alarm category of each sample alarm information, where the sample alarm information includes first alarm characteristic information and second alarm characteristic information, the first alarm characteristic information is alarm basic characteristic information, and the second alarm characteristic information is information matching characteristic information obtained after information matching;

a constructing module 603, configured to construct, according to the multiple sample alarm information, a label feature matrix of the sample alarm information and an adjacency matrix corresponding to the association relationships among the multiple sample alarm information;

the training module 604 is configured to use the label feature matrix and the adjacency matrix of the sample alarm information as inputs of an alarm recognition model, use an alarm category as an output of the alarm recognition model, and perform iterative training on the alarm recognition model to be trained to obtain a target alarm recognition model.

In summary, in the embodiment of the present invention, the training apparatus for an alarm recognition model may be used to implement the method for training the alarm recognition model, and may train a target alarm recognition model by using the sample alarm information and the association relationships among the sample alarm information as training samples. The alarm information used as the training sample has not only alarm basic characteristic information but also information matching characteristic information. Therefore, the multi-dimensional alarm characteristic information of the alarms and the structural relationship between the alarms are both considered when the model is trained, and the characteristic information of alarms with a host infection problem is learned more accurately, so that the model can comprehensively and accurately identify and analyze the alarms in the network environment and identify the alarms with a host infection problem. The accuracy of alarm information identification is thereby improved, abnormal asset equipment can be accurately located, and the difficulty and workload of operation and maintenance personnel in troubleshooting problem equipment are reduced.

Based on the method for alarm identification provided by the above embodiment, correspondingly, the application also provides a specific implementation manner of the device for alarm identification. Please see the examples below.

In an embodiment of the present invention, as shown in fig. 7, fig. 7 is a schematic structural diagram of an alarm recognition device according to another embodiment of the present invention, where the alarm recognition device specifically includes:

an obtaining module 701, configured to obtain multiple pieces of alarm data;

a preprocessing module 702, configured to respectively preprocess each alarm data to obtain alarm information corresponding to each alarm data, where the alarm information includes first alarm characteristic information and second alarm characteristic information, the first alarm characteristic information is alarm basic characteristic information, and the second alarm characteristic information is information matching characteristic information obtained after information matching;

a constructing module 703, configured to construct, according to the multiple sample alarm information, a label feature matrix of the sample alarm information and an adjacency matrix corresponding to an association relationship between at least two sample alarm information;

the identification module 704 is configured to input the tag feature matrix and the adjacency matrix into a target alarm identification model, so as to obtain an alarm category corresponding to alarm data; the target alarm recognition model is obtained by training by using the training method of the alarm recognition model in the embodiment.

Optionally, in some embodiments, the preprocessing module 702 includes:

and the extraction unit is used for respectively extracting the characteristics of each alarm data to obtain first alarm characteristic information corresponding to each alarm data.

And the matching unit is used for respectively matching each alarm data with the information of a preset threat information library to obtain second alarm characteristic information corresponding to each alarm data.

Optionally, the second alarm characteristic information includes one or more of any of the following: internet protocol IP reputation information, IP associated sample information, and IP associated domain name information.

Optionally, in some embodiments, the extraction unit comprises:

the extraction subunit is configured to perform feature extraction on the basic information of each alarm data, respectively, to obtain first feature information of the first alarm feature information;

and the calculating subunit is used for calculating the time characteristic information of each alarm data by using a time series analysis algorithm to obtain second characteristic information of the first alarm characteristic information.

Optionally, in some embodiments, the calculating subunit is further configured to: calculate the first time characteristic information of each alarm data by using a time series analysis algorithm, to obtain second characteristic information corresponding to the first time characteristic information; calculate the second time characteristic information of each alarm data by using a time series analysis algorithm, to obtain second characteristic information corresponding to the second time characteristic information; and combine the second characteristic information corresponding to the first time characteristic information with the second characteristic information corresponding to the second time characteristic information to obtain the second characteristic information. The time characteristic information comprises first time characteristic information and second time characteristic information, wherein the first time characteristic information is single-day time characteristic information, and the second time characteristic information is time characteristic information in a preset time period.

Optionally, in some embodiments, the calculating subunit is further configured to calculate the first time characteristic information of each alarm data by using a least square method, so as to obtain second characteristic information corresponding to the first time characteristic information.

Optionally, in some embodiments, the calculating subunit is further configured to select first single-day feature information corresponding to a minimum value of the single-day alarm times in the alarm data within a preset time period; carrying out mean value calculation on the first single-day characteristic information to obtain a time mean value; matching second single-day characteristic information in the preset time period with the time mean value to obtain a time point meeting a preset matching condition, wherein the second single-day characteristic information is single-day characteristic information corresponding to each single day except the single day corresponding to the first single-day characteristic information; and calculating the time points meeting the preset conditions by using a least square method to obtain second characteristic information corresponding to the second time characteristic information.

Optionally, in some embodiments, the constructing module 703 is further configured to: construct, according to the first alarm characteristic information and second alarm characteristic information of a plurality of alarm information, a label feature matrix corresponding to each alarm information; construct corresponding association relationship information between at least two pieces of alarm information according to the IP control relationship information of the plurality of pieces of alarm information; and perform feature learning according to the association relationship information to determine the corresponding adjacency matrix.

Optionally, in some embodiments, the alarm recognition model in the alarm recognition device may be a graph convolutional neural network model.
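As an added illustration (not part of the patent text), the following Python sketch builds the two model inputs described for the constructing module, a label feature matrix and an adjacency matrix, and applies the normalized propagation step that a graph convolutional layer performs on them. The field names, the threat information library contents, the use of a least-squares slope as the time feature and the rule "two alarms are related when they share an IP" are assumptions standing in for details the text does not specify; all sample data is constructed.

```python
import math

# Constructed threat information library (assumption): IP -> reputation score,
# number of associated malware samples, number of associated domain names.
THREAT_INTEL = {
    "203.0.113.7": {"reputation": 0.9, "samples": 12, "domains": 3},
    "198.51.100.4": {"reputation": 0.2, "samples": 0, "domains": 1},
}

# Constructed alarms: severity is the basic feature; hourly is a single-day
# series of alarm counts used for the time feature.
ALARMS = [
    {"id": "a1", "src": "10.0.0.5", "dst": "203.0.113.7", "severity": 3, "hourly": [1, 2, 3, 4]},
    {"id": "a2", "src": "10.0.0.9", "dst": "203.0.113.7", "severity": 2, "hourly": [2, 2, 2, 2]},
    {"id": "a3", "src": "10.0.0.7", "dst": "198.51.100.4", "severity": 1, "hourly": [4, 3, 2, 1]},
    {"id": "a4", "src": "10.0.0.8", "dst": "192.0.2.50", "severity": 1, "hourly": [0, 1, 0, 1]},
]

def ls_slope(series):
    """Least-squares slope of counts against the time index 0..n-1."""
    n = len(series)
    mean_t = (n - 1) / 2
    mean_y = sum(series) / n
    num = sum((t - mean_t) * (y - mean_y) for t, y in enumerate(series))
    den = sum((t - mean_t) ** 2 for t in range(n))
    return num / den if den else 0.0

def feature_row(alarm, intel=THREAT_INTEL):
    """First (basic + time) features followed by second (library-match) features."""
    hit = intel.get(alarm["dst"], {"reputation": 0.0, "samples": 0, "domains": 0})
    return [float(alarm["severity"]), ls_slope(alarm["hourly"]),
            hit["reputation"], float(hit["samples"]), float(hit["domains"])]

def adjacency(alarms):
    """Link two alarms that share any IP (assumed stand-in for the IP control relation)."""
    n = len(alarms)
    a = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            if {alarms[i]["src"], alarms[i]["dst"]} & {alarms[j]["src"], alarms[j]["dst"]}:
                a[i][j] = a[j][i] = 1.0
    return a

def normalize(a):
    """Symmetric normalization D^-1/2 (A + I) D^-1/2 used by graph convolution layers."""
    n = len(a)
    a_hat = [[a[i][j] + (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    d = [1.0 / math.sqrt(sum(row)) for row in a_hat]
    return [[d[i] * a_hat[i][j] * d[j] for j in range(n)] for i in range(n)]

def propagate(a_norm, x):
    """One propagation step A_norm @ X: each alarm's features mix with its neighbours'."""
    return [[sum(a_norm[i][k] * x[k][c] for k in range(len(x))) for c in range(len(x[0]))]
            for i in range(len(x))]

X = [feature_row(al) for al in ALARMS]   # label feature matrix (4 alarms x 5 features)
A = adjacency(ALARMS)                    # adjacency matrix (4 x 4)
H = propagate(normalize(A), X)           # features after one unweighted propagation
```

After propagation, alarm `a2` (flat single-day series) carries a time slope of 0.5 inherited from `a1`, which contacts the same high-reputation-score IP; this is the structural signal the adjacency matrix contributes. A trained model would additionally multiply by learned weights and apply a nonlinearity and classifier, which are omitted here.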

In summary, in the embodiment of the present invention, the apparatus for alarm identification may be used to implement the method for alarm identification in the above embodiments. Based on the multi-dimensional alarm characteristic information of the alarm information and the structural relationship between the alarm information, it can accurately identify alarms that reflect real network security problems such as host infection, so as to implement a relatively comprehensive and accurate identification and analysis of the alarms in a network environment and improve the accuracy of alarm information identification. Moreover, the alarm identification method screens out most of the false alarms and accurately identifies the genuine alarms, so that network asset equipment such as compromised or infected hosts can be accurately located, the number of asset devices that need to be checked for abnormalities is reduced, and the difficulty and workload of operation and maintenance personnel in troubleshooting problem equipment are reduced.

Based on the method for training the alarm recognition model and the method for recognizing the alarm provided by the embodiment, the application further provides specific hardware structure descriptions of the training equipment of the alarm recognition model and the alarm recognition equipment. Please see the examples below.

Fig. 8 is a schematic diagram illustrating a hardware structure of a training device of an alarm recognition model according to an embodiment of the present invention.

The training apparatus of the alert recognition model may include a processor 801 and a memory 802 having stored thereon computer program instructions.

Specifically, the processor 801 may include a Central Processing Unit (CPU), or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more Integrated circuits implementing embodiments of the present invention.

Memory 802 may include mass storage for data or instructions. By way of example, and not limitation, memory 802 may include a Hard Disk Drive (HDD), a floppy Disk Drive, flash memory, an optical Disk, a magneto-optical Disk, a tape, or a Universal Serial Bus (USB) Drive or a combination of two or more of these. Memory 802 may include removable or non-removable (or fixed) media, where appropriate. The memory 802 may be internal or external to the integrated gateway disaster recovery device, where appropriate. In a particular embodiment, the memory 802 is a non-volatile solid-state memory. In a particular embodiment, the memory 802 includes Read Only Memory (ROM). Where appropriate, the ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), electrically rewritable ROM (EAROM), or flash memory or a combination of two or more of these.

The processor 801 reads and executes the computer program instructions stored in the memory 802 to implement the method for training the alarm recognition model in any of the above embodiments.

In one example, the training device of the alert recognition model may also include a communication interface 803 and a bus 810. As shown in fig. 8, the processor 801, the memory 802, and the communication interface 803 are connected via a bus 810 to complete communication therebetween.

The communication interface 803 is mainly used for implementing communication between modules, apparatuses, units and/or devices in the embodiments of the present invention.

Bus 810 includes hardware, software, or both to couple the components of the training device of the alert recognition model to each other. By way of example, and not limitation, a bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a Hypertransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an infiniband interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a video electronics standards association local (VLB) bus, or other suitable bus or a combination of two or more of these. Bus 810 may include one or more buses, where appropriate. Although specific buses have been described and shown in the embodiments of the invention, any suitable buses or interconnects are contemplated by the invention.

The training device of the alarm recognition model may execute the method of alarm recognition in the embodiment of the present invention, thereby implementing the method of training the alarm recognition model described in conjunction with fig. 1.

Fig. 9 is a schematic diagram illustrating a hardware structure of an alarm recognition device according to an embodiment of the present invention.

The apparatus for alarm identification may comprise a processor 901 and a memory 902 storing computer program instructions.

Specifically, the processor 901 may include a Central Processing Unit (CPU), or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more Integrated circuits implementing the embodiments of the present invention.

Memory 902 may include mass storage for data or instructions. By way of example, and not limitation, memory 902 may include a Hard Disk Drive (HDD), floppy Disk Drive, flash memory, optical Disk, magneto-optical Disk, tape, or Universal Serial Bus (USB) Drive or a combination of two or more of these. Memory 902 may include removable or non-removable (or fixed) media, where appropriate. The memory 902 may be internal or external to the integrated gateway disaster recovery device, where appropriate. In a particular embodiment, the memory 902 is a non-volatile solid-state memory. In a particular embodiment, the memory 902 includes Read Only Memory (ROM). Where appropriate, the ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), electrically rewritable ROM (EAROM), or flash memory or a combination of two or more of these.

The processor 901 realizes the method of alarm recognition in any of the above embodiments by reading and executing computer program instructions stored in the memory 902.

In one example, the alarm recognition device may also include a communication interface 903 and a bus 910. As shown in fig. 9, the processor 901, the memory 902, and the communication interface 903 are connected via a bus 910 to complete communication with each other.

The communication interface 903 is mainly used for implementing communication between modules, apparatuses, units and/or devices in the embodiments of the present invention.

Bus 910 includes hardware, software, or both to couple the components of the alarm recognition device to each other. By way of example, and not limitation, a bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a Hypertransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a video electronics standards association local (VLB) bus, or other suitable bus or a combination of two or more of these. Bus 910 may include one or more buses, where appropriate. Although specific buses have been described and shown in the embodiments of the invention, any suitable buses or interconnects are contemplated by the invention.

The alarm recognition device may perform the alarm recognition method in the embodiment of the present invention, thereby implementing the alarm recognition method described in conjunction with fig. 2.

In addition, in combination with the method for training the alarm recognition model in the above embodiment, the embodiment of the present invention may be implemented by providing a computer storage medium. The computer storage medium has computer program instructions stored thereon; the computer program instructions, when executed by a processor, implement the method of training an alarm recognition model in any of the above embodiments.

In addition, in combination with the method for alarm identification in the above embodiments, embodiments of the present invention may be implemented by providing a computer storage medium. The computer storage medium has computer program instructions stored thereon; the computer program instructions, when executed by a processor, implement the method of alarm identification in any of the above embodiments.

It is to be understood that the invention is not limited to the specific arrangements and instrumentality described above and shown in the drawings. A detailed description of known methods is omitted herein for the sake of brevity. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present invention are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications and additions or change the order between the steps after comprehending the spirit of the present invention.

The functional blocks shown in the above-described structural block diagrams may be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.

It should also be noted that the exemplary embodiments mentioned in this patent describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed simultaneously.

The above are only specific embodiments of the present invention. It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, the module and the unit described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again. It should be understood that the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the present invention, and these modifications or substitutions should be covered within the scope of the present invention.
