CN103365871A - Automatic generation method of rules - Google Patents
Automatic generation method of rules
- Publication number
- CN103365871A (application CN201210088324.6A; granted as CN103365871B)
- Authority
- CN
- China
- Prior art keywords
- rule
- service data
- rules
- ignore
- instruction
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Abstract
The invention provides a method for automatically generating rules. Rules are formed automatically by tracking the operations a user performs while analysing operational data, and the user decides from the analysis result whether to add each new rule. The method can also recommend new rules and adjust rule priorities according to how the rules are applied, so that the user builds and maintains rules on the basis of actual operational data, which improves the practicality and accuracy of the rules. Users can therefore easily build a rule base suited to their own information-system environment and continuously adaptable to changes in that system, without having to learn programming or interfaces unrelated to the management target. Rule building becomes easier and more efficient.
Description
Technical field
The present invention relates to the automatic generation and maintenance of rules in information systems, and in particular to a rule generation method.
Background art
At present, most information-system security management, monitoring management and similar products require a variety of rules to be configured in order to detect, alert on or act upon actual operating conditions. They generally use one or more of the following approaches.
1. Rule-base method:
A predefined rule base is shipped with the product, and the user chooses which rules to enable or disable. The rule base is developed and supplied by the product vendor.
With this approach the software vendor builds the rule base in its own research and development centre; the user cannot modify the rules, only select among them. Because real deployment environments are complex and change rapidly, this approach has become difficult to apply.
2. Programming method:
The product exposes an application programming interface or a rule programming language, and the user implements rules by programming.
This approach typically builds a rule engine and supplies a programming method so that users can write rules themselves, which the rule engine then interprets and executes. Although it offers great flexibility and adaptability, the user must learn a proprietary programming language and the interface of the rule engine. This places high demands on the user, so the approach is usable only in the minority of organizations that meet those demands.
3. Graphical selection-and-configuration method:
The product supplies a rule engine together with a graphical interface for configuring rules, in which the user selects fields, conditional expressions and so on to form a rule. This avoids the complexity of programming while still offering some flexibility, but it requires the user to understand in detail the meaning of the data fields, the meaning of the selectable conditions and the logic connecting them, so in-depth training is needed. Furthermore, when configuring a rule the user has little basis for choosing which fields and conditions to use, which leads to arbitrary and blind configuration and limits the practical effect.
Summary of the invention
To overcome the above problems and shortcomings of the prior art, the present invention provides a rule generation method. The method forms rules automatically by tracking the operations a user performs while analysing actual operational data, and the user decides from the analysis result whether to add the new rule. The invention can also recommend new rules and adjust rule priority according to how the rules are applied, so that the user builds and maintains rules on the basis of actual operational data, improving the practicality and accuracy of the rules.
The rule generation method provided by the invention comprises the following steps:
S1: tracking the operations performed while analysing operational data;
S2: generating a raw record of those operations;
S3: parsing the raw record to form a candidate rule;
S4: judging whether the candidate rule already exists in a standard rule base; if not, proceeding to S5; if so, returning to S1 to track the analysis of new operational data;
S5: judging whether the candidate rule exists in an ignore rule base; if not, proceeding to S6; if so, returning to S1 to track the analysis of new operational data;
S6: displaying the candidate rule in a candidate rule list and waiting for either a rule-creation instruction or a rule-ignore instruction;
S7: on receiving a rule-creation instruction, adding the corresponding candidate rule to the standard rule base; on receiving a rule-ignore instruction, adding the corresponding candidate rule to the ignore rule base.
Preferably, S1 specifically comprises: obtaining the operational data corresponding to the management targets, displaying that data in an operational-data list where it waits to be triggered for analysis, and, when an item in the operational-data list is triggered, tracking the operations performed on it.
Preferably, the management targets comprise one or more of the following types:
file, database, web page, stream, packet, data stream.
Preferably, the management targets form a management target set.
Preferably, S3 specifically comprises: parsing the logical relation and value range of the operational data contained in the raw record, and generating the candidate rule.
Preferably, the following step is performed after step S7:
S8: checking received operational data against the rules in the standard rule base and/or the ignore rule base, and triggering a rule when the operational data satisfies that rule's trigger condition.
Preferably, the rules in the standard rule base are sorted according to a strategy before they are used to check the operational data.
Preferably, the strategy is a priority strategy in which rules of higher priority are ordered first.
Preferably, the priority of a rule is adjusted according to the number of times that rule has been triggered: the more often it is triggered, the higher its priority.
The beneficial effects achieved by the invention are as follows:
With the invention, the user can easily build a rule base suited to his or her own specific information-system environment and continuously adaptable to changes in that system, without having to understand or study programming or interfaces unrelated to the management targets.
The invention can be widely used in information-system monitoring and alerting, security management, behaviour auditing, compliance management and similar areas, and offers the following benefits:
1. The user need not spend large amounts of time and effort learning a new programming language, data interface, definitions and the like.
2. The rule is built at the same time as the user analyses the problem, making rule creation easier and more efficient.
3. The user sees the effect of applying the rule directly, making it easier to decide whether to add it.
4. The method adapts quickly to changes in the user's information system, including changes in management targets, operating environment and data sources, greatly improving its practicality.
5. The priority with which rules are applied can be optimized dynamically, speeding up response.
Description of drawings
Fig. 1 is a flow chart of the steps of the rule generation method of the invention.
Detailed description
The rule generation method provided by the invention is implemented with the following steps:
S1: tracking the operations performed while analysing operational data. Specifically, the operational data corresponding to the management targets is obtained and displayed in an operational-data list, where it waits to be triggered for analysis; when an item in the list is triggered, the operations performed on it are tracked. The management targets comprise one or more of the various forms of operational data such as files, databases, web pages, streams, packets and data streams, and together they form a management target set;
S2: generating a raw record of the operations;
S3: parsing the raw record to form a candidate rule. Specifically, the logical relation and value range of the operational data contained in the raw record are parsed and the candidate rule is generated;
S4: judging whether the candidate rule already exists in the standard rule base; if not, proceeding to S5; if so, returning to S1 to track the analysis of new operational data;
S5: judging whether the candidate rule exists in the ignore rule base; if not, proceeding to S6; if so, returning to S1 to track the analysis of new operational data;
S6: displaying the candidate rule in the candidate rule list and waiting for a rule-creation instruction or a rule-ignore instruction;
S7: on receiving a rule-creation instruction, adding the corresponding candidate rule to the standard rule base; on receiving a rule-ignore instruction, adding the corresponding candidate rule to the ignore rule base;
S8: checking received operational data against the rules in the standard rule base and/or the ignore rule base, and triggering a rule when the operational data satisfies that rule's trigger condition.
The rules in the standard rule base are sorted according to a strategy before they are used to check the operational data. The strategy is a priority strategy in which rules of higher priority are ordered first, and the priority of a rule is adjusted according to the number of times it has been triggered: the more often a rule is triggered, the higher its priority.
The following concrete example illustrates a specific embodiment of the invention.
Consider a firewall operating-status monitoring system whose purpose is to monitor the CPU usage of a firewall and raise an alert when the CPU usage of the firewall device becomes abnormal. The CPU usage of the firewall device is the management target, and it belongs to the firewall management target set. The firewall transmits its CPU-usage data in real time over its SNMP interface to a data resource interface, which receives the data and immediately displays it in the operational-data list. The list shows the CPU-usage values distributed over time together with an action menu containing items such as "only show greater than", "only show less than", "only show interval", "only show equal to", "only show greater than or equal to", "only show less than or equal to" and "exclude this value". When one displayed CPU-usage value reaches 60% and the user selects "only show greater than or equal to" on that entry, an alert signal is sent to the result set and the command set. At this point the analysis tracking engine records the analysis operation, the trigger operation and the command operation, producing the raw record of the operation. The analysis tracking engine then parses the raw record and extracts the logical relation and value range it contains, namely "alert when firewall CPU usage is greater than or equal to 60%", and immediately forms this rule; because the user has not yet confirmed it, it is a candidate rule.
The candidate rule is compared with the rules in a preset standard rule base to see whether it already exists there. If it already exists in the standard rule base, the method returns to the operation-tracking step and continues to track analysis operations, while the rule application engine applies the rule, that is, raises the alert. If it does not exist in the standard rule base, the method judges whether it exists in a preset ignore rule base: if it does not, the candidate rule is displayed in the candidate rule list and the method waits for a rule-creation instruction or a rule-ignore instruction; if it does, the method returns to the operation-tracking step and continues tracking.
When a candidate rule selected in the candidate rule list receives a rule-creation instruction, it is added to the standard rule base; when it receives a rule-ignore instruction, it is added to the ignore rule base. In this example a rule-creation instruction is issued for the rule "alert when firewall CPU usage is greater than or equal to 60%", so that rule is added to the standard rule base.
From this point the standard rule base contains the rule "alert when firewall CPU usage is greater than or equal to 60%", with an initial priority of zero. Whenever the data resource interface receives new firewall CPU-usage data, the rule application engine applies this rule to the received data, that is, checks the CPU-usage data against the rule; when a CPU-usage value is greater than or equal to 60% the alert is triggered, and the priority of the rule is raised at the same time.
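The full pipeline described above, steps S1 to S8 with the firewall CPU-usage scenario run through it, as an added Python illustration. This is not code from the patent or its assignee: the class and function names, the English wording of the action-menu items, the target name `firewall.cpu_usage` and the CPU-usage readings are assumptions made here. It goes slightly beyond the firewall case by also parsing the "only show interval" and "exclude this value" menu items into rules.

```python
"""Steps S1 to S8 of the described method as one runnable pipeline.
Added illustration only: names, menu wording and readings are assumptions
made here, not code or data from the patent or its assignee."""
import operator
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple, Union

# Single-threshold logical relations; "interval" is handled in Rule.matches.
COMPARISONS: Dict[str, Callable[[float, float], bool]] = {
    ">": operator.gt, "<": operator.lt, ">=": operator.ge,
    "<=": operator.le, "==": operator.eq, "!=": operator.ne,
}

# The seven action-menu items of the firewall example, mapped to a relation
# (English wording assumed here).
MENU_TO_RELATION: Dict[str, str] = {
    "only show greater than": ">",
    "only show less than": "<",
    "only show equal to": "==",
    "only show greater than or equal to": ">=",
    "only show less than or equal to": "<=",
    "exclude this value": "!=",
    "only show interval": "interval",
}

Bound = Union[float, Tuple[float, float]]


@dataclass(frozen=True)
class Rule:
    """Output of S3: management target, logical relation and value range."""
    target: str       # e.g. "firewall.cpu_usage" (hypothetical target name)
    relation: str     # a key of COMPARISONS, or "interval"
    bound: Bound      # threshold, or (low, high) for "interval"
    action: str = "alert"

    def matches(self, value: float) -> bool:
        if self.relation == "interval":
            low, high = self.bound
            return low <= value <= high
        return COMPARISONS[self.relation](value, self.bound)


def record_operation(target: str, menu_item: str, bound: Bound) -> dict:
    """S1/S2: the tracking engine turns the user's menu action into a raw record."""
    return {"target": target, "menu_item": menu_item, "bound": bound}


def parse_record(record: dict) -> Rule:
    """S3: extract the logical relation and value range from the raw record."""
    relation = MENU_TO_RELATION[record["menu_item"]]
    raw_bound = record["bound"]
    if relation == "interval":
        bound: Bound = (float(raw_bound[0]), float(raw_bound[1]))
    else:
        bound = float(raw_bound)
    return Rule(record["target"], relation, bound)


@dataclass
class RuleEngine:
    standard: Dict[Rule, int] = field(default_factory=dict)  # rule -> priority
    ignored: Set[Rule] = field(default_factory=set)           # ignore rule base
    candidates: List[Rule] = field(default_factory=list)     # the S6 list

    def propose(self, rule: Rule) -> Optional[Rule]:
        """S4 to S6: skip rules already standard or ignored, else list as candidate."""
        if rule in self.standard or rule in self.ignored:
            return None  # back to S1: nothing new for the user to confirm
        if rule not in self.candidates:
            self.candidates.append(rule)
        return rule

    def confirm(self, rule: Rule) -> None:
        """S7, rule-creation instruction: candidate enters the standard rule base."""
        self.candidates.remove(rule)
        self.standard[rule] = 0  # initial priority zero, as in the example

    def ignore(self, rule: Rule) -> None:
        """S7, rule-ignore instruction: candidate enters the ignore rule base."""
        self.candidates.remove(rule)
        self.ignored.add(rule)

    def ordered_rules(self) -> List[Rule]:
        """Priority strategy: higher priority first; ties keep insertion order."""
        return sorted(self.standard, key=self.standard.__getitem__, reverse=True)

    def detect(self, target: str, value: float) -> List[Rule]:
        """S8: check one datum in priority order; every trigger raises priority."""
        triggered: List[Rule] = []
        for rule in self.ordered_rules():
            if rule.target == target and rule.matches(value):
                triggered.append(rule)
                self.standard[rule] += 1
        return triggered


def run_firewall_example() -> Tuple[List[Rule], Dict[Rule, int]]:
    """The firewall CPU-usage scenario end to end: returns (alerts, priorities)."""
    engine = RuleEngine()
    # Constructed CPU-usage readings (percent) standing in for the SNMP feed.
    cpu_samples = [35.0, 62.0, 58.0, 71.0, 90.0]
    # S1/S2: the user selects "only show >=" on the 60% entry of the data list.
    raw = record_operation("firewall.cpu_usage",
                           "only show greater than or equal to", 60)
    candidate = parse_record(raw)                    # S3
    if engine.propose(candidate) is None:            # S4 to S6
        return [], dict(engine.standard)
    engine.confirm(candidate)                        # S7: rule-creation instruction
    alerts: List[Rule] = []
    for value in cpu_samples:                        # S8
        alerts.extend(engine.detect("firewall.cpu_usage", value))
    return alerts, dict(engine.standard)
```

Two properties of the described method become visible when this runs. The ignore rule base only stops a candidate from being proposed again; it does not stop detection by rules already in the standard base. And because priority rises with every trigger, the rules that fire most often are evaluated first: in the method this is an ordering of evaluation, not a scoring of the alerts, so a rule climbs the list whether or not its alerts were useful.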
The above is only a preferred embodiment of the invention. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principle of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the invention.
Claims (9)
1. the method for a rule generation is characterized in that may further comprise the steps:
S1 follows the tracks of the operating process that service data is analyzed;
S2 generates the raw readings of described operating process;
S3 resolves described raw readings, forms rule to be selected;
S4 judges that whether described rule to be selected is present in the standard rule base, if the determination result is NO, then carries out S5; If judged result is yes, then carries out S1 and follow the tracks of the operating process that new service data is analyzed;
S5 judges that whether described rule to be selected is present in the ignore rule storehouse, if the determination result is NO, then carries out S6; If judged result is yes, then carries out S1 and follow the tracks of the operating process that new service data is analyzed;
S6 is showed in described rule to be selected in the list of rules to be selected, waits for that new regulation generates instruction or regular ignore instruction;
S7 when receiving described new regulation generation instruction, generates rule to be selected corresponding to instruction with described new regulation and adds in the described standard rule base; When receiving regular ignore instruction, the rule to be selected that described regular ignore instruction is corresponding is added in the ignore rule storehouse.
2. the method for rule generation according to claim 1, it is characterized in that, S1 is specially, obtain the corresponding service data of management objectives, described service data is showed in the service data tabulation and etc. triggering to be analyzed, when the service data in the described service data tabulation is triggered, follow the tracks of the operating process of described triggering.
3. the method for rule generation according to claim 2 is characterized in that, described management objectives comprise with in the Types Below one or more:
File, database, webpage, stream, packet, data stream.
4. the method for rule generation according to claim 3 is characterized in that, the above management objectives form the management objectives collection.
5. the method for rule generation according to claim 1 is characterized in that, S3 is specially, and parses logical relation and the span of the service data that comprises in the described raw readings, generates rule to be selected.
6. the method for rule generation according to claim 1 is characterized in that, also comprises step behind the step S7:
S8 detects the service data that receives with the rule in described standard rule base and/or the ignore rule storehouse, triggers described rule when described service data meets the trigger condition of described rule.
7. the method for rule generation according to claim 6 is characterized in that, the rule in the described standard rule base detects described service data by certain strategy ordering is rear.
8. the method for rule generation according to claim 7 is characterized in that, described strategy is priority policy, and the high person's ordering of priority is front.
9. the method for rule generation according to claim 8 is characterized in that, the number of times that is triggered according to same described rule is adjusted the priority of described rule, and the number of times that is triggered is more, and priority is higher.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210088324.6A CN103365871B (en) | 2012-03-29 | 2012-03-29 | A kind of method of rule generation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103365871A true CN103365871A (en) | 2013-10-23 |
CN103365871B CN103365871B (en) | 2017-07-14 |
Family
ID=49367241
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210088324.6A Active CN103365871B (en) | 2012-03-29 | 2012-03-29 | A kind of method of rule generation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103365871B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109684306A (en) * | 2018-12-24 | 2019-04-26 | 成都四方伟业软件股份有限公司 | A kind of automated date base management method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6915297B2 (en) * | 2002-05-21 | 2005-07-05 | Bridgewell, Inc. | Automatic knowledge management system |
US7382970B2 (en) * | 2001-03-01 | 2008-06-03 | Sony Corporation | Process control manager for audio/video file system |
CN101739248A (en) * | 2008-11-13 | 2010-06-16 | 国际商业机器公司 | Method and system for executing rule set |
CN102281260A (en) * | 2010-06-10 | 2011-12-14 | 阿里巴巴集团控股有限公司 | Generating method and server of monitoring rule |
- 2012-03-29: application CN201210088324.6A filed (CN); granted as CN103365871B, status active.
Also Published As
Publication number | Publication date |
---|---|
CN103365871B (en) | 2017-07-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 2024-01-03. Patentee after: Beijing Bigger Big Data Operations Co.,Ltd., Room 1203, 12th Floor, Building A2, No.10 Kegu 1st Street, Daxing District, Beijing, 100176. Patentee before: BEIJING HENGAN YONGTONG TECHNOLOGY Co.,Ltd., Room 610, Building A, No. 4 Xizhao Temple Middle Street, Chongwen District, Beijing, 100061 |