CN103365871A - Automatic generation method of rules - Google Patents

Automatic generation method of rules

Info

Publication number
CN103365871A
Authority
CN
China
Prior art keywords
rule
service data
rules
ignore
instruction
Prior art date
Legal status
Granted
Application number
CN2012100883246A
Other languages
Chinese (zh)
Other versions
CN103365871B (en)
Inventor
包培文
Current Assignee
Beijing Bigger Big Data Operations Co ltd
Original Assignee
BEIJING HENGAN YONGTONG TECHNOLOGY Co Ltd
Priority date
Filing date
Publication date
Application filed by BEIJING HENGAN YONGTONG TECHNOLOGY Co Ltd
Priority to CN201210088324.6A
Publication of CN103365871A
Application granted
Publication of CN103365871B
Legal status: Active
Anticipated expiration

Abstract

The invention provides an automatic generation method of rules. According to the method, rules are automatically built tracking the process of operational data analysis by a user, thus the user is allowed to add new rules or not according to the analysis results. Further according to method, new rule recommendations can be given and rule priorities can be regulated according to application conditions of rules, so that the user can build and maintain the rules on the basis of the actual operational data, and the rules are improved in practicality and accuracy. The method has the advantages that users can easily build specific information system environments suiting themselves and a rule base continuously adaptable to various system changes, with no need for learning about and studying the programming and interfaces irrelevant to a management target. Through the method, rule building is easier and more efficient.

Description

A method of rule generation
Technical field
The present invention relates to the automatic generation and maintenance of rules in information systems, and in particular to a method of rule generation.
Background technology
At present, most information-system security management and monitoring products need various rules to be configured so that detected or processed operating conditions can raise alarms. They generally use one or more of the following methods.
1. Rule base method:
A predefined rule base is shipped with the product, and the user selects which rules to enable or disable. The rule base is developed and supplied by the product vendor.
With this technique the software vendor builds the rule base in its own R&D centre; the user cannot modify the rules and can only select among them. Because real application environments are complex and change quickly, this method has become difficult to apply.
2. Programming method:
The user is given an API (dynamic link library) or a rule programming language, and implements rules by programming.
This technique generally builds a rule engine and provides a programming method so that users can write rules themselves, which the rule engine then interprets and executes. Although it offers very high flexibility and adaptability, the user must learn a proprietary programming language and the interface of the rule engine. This places high demands on the user, so the method can only be used by the minority of organizations that meet those demands.
3. Graphical selection and configuration method:
This technique provides a rule engine and a graphical rule-configuration interface in which the user selects fields, condition expressions and so on to form rules. It avoids the complexity of programming and still gives a certain degree of flexibility, but it requires the user to understand in detail the meaning of the data fields, the meaning of the condition choices and the related logic, so the user needs in-depth training. In addition, the user has no basis for deciding which fields and conditions to configure, which makes configuration arbitrary and blind, and the practical effect is limited.
Summary of the invention
To solve the above problems and shortcomings of the prior art, the invention provides a method of rule generation. The invention automatically forms rules by tracking the operating process in which the user analyses actual operating data, and the user can decide, according to the analysis result, whether to add a new rule. The invention can also recommend new rules and adjust rule priority according to how rules are applied, so that the user can build and maintain rules on the basis of actual operating data, improving the practicality and accuracy of the rules.
The method of rule generation provided by the invention comprises the following steps:
S1: track the operating process in which service data is analysed;
S2: generate a raw record of the operating process;
S3: parse the raw record to form a candidate rule;
S4: judge whether the candidate rule already exists in the standard rule base; if not, go to S5; if yes, return to S1 and track the operating process of analysing new service data;
S5: judge whether the candidate rule exists in the ignore rule base; if not, go to S6; if yes, return to S1 and track the operating process of analysing new service data;
S6: display the candidate rule in the candidate rule list and wait for a new-rule generation instruction or a rule-ignore instruction;
S7: when a new-rule generation instruction is received, add the candidate rule corresponding to that instruction to the standard rule base; when a rule-ignore instruction is received, add the candidate rule corresponding to that instruction to the ignore rule base.
Preferably, S1 is specifically: obtain the service data corresponding to the management targets, display the service data in the service data list and wait for it to be triggered for analysis; when service data in the service data list is triggered, track the triggered operating process.
Preferably, the management targets include one or more of the following types:
file, database, web page, stream, packet, data stream.
Preferably, the above management targets form a management target set.
Preferably, S3 is specifically: parse the logical relations and value ranges of the service data contained in the raw record, and generate the candidate rule.
Preferably, step S7 is followed by the further step:
S8: detect received service data with the rules in the standard rule base and/or the ignore rule base, and trigger a rule when the service data meets the trigger condition of that rule.
Preferably, the rules in the standard rule base are sorted by a certain strategy before they detect the service data.
Preferably, the strategy is a priority strategy, with higher-priority rules sorted first.
Preferably, the priority of a rule is adjusted according to the number of times that same rule has been triggered: the more times it is triggered, the higher its priority.
The beneficial effects achieved by the invention are:
After using the invention, the user does not need to understand and study programming and interfaces unrelated to the management targets, and can easily build a rule base suited to their own specific information system environment that continuously adapts to various changes of the system.
The invention can be widely used in information system monitoring and alarming, security management, behaviour auditing, compliance management and other areas, and has the following benefits:
1. The user need not spend a great deal of time and effort learning a new programming language, data interface, definitions and so on.
2. The rule is built while the user analyses the problem, making rule building easier and more efficient.
3. The user can see the effect of applying the rule intuitively, making it easier to decide whether to add the rule.
4. The method adapts quickly to changes in the user's information system, including changes of management targets, running environment and data sources, greatly improving the practicality of the algorithm.
5. The priority of rule application can be optimized dynamically, speeding up response.
Description of drawings
Fig. 1 is the flow chart of the steps of the rule generation method of the invention.
Embodiment
Implementing the method of rule generation provided by the invention comprises the following steps:
S1: track the operating process in which service data is analysed. Specifically, obtain the service data corresponding to the management targets, display the service data in the service data list and wait for it to be triggered for analysis; when service data in the service data list is triggered, track the triggered operating process. The management targets include one or more of the various forms of service data such as files, databases, web pages, streams, packets and data streams; the above management targets form the management target set.
S2: generate a raw record of the operating process.
S3: parse the raw record to form a candidate rule. Specifically, parse the logical relations and value ranges of the service data contained in the raw record, and generate the candidate rule.
S4: judge whether the candidate rule already exists in the standard rule base; if not, go to S5; if yes, return to S1 and track the operating process of analysing new service data.
S5: judge whether the candidate rule exists in the ignore rule base; if not, go to S6; if yes, return to S1 and track the operating process of analysing new service data.
S6: display the candidate rule in the candidate rule list and wait for a new-rule generation instruction or a rule-ignore instruction.
S7: when a new-rule generation instruction is received, add the candidate rule corresponding to that instruction to the standard rule base; when a rule-ignore instruction is received, add the candidate rule corresponding to that instruction to the ignore rule base.
S8: detect received service data with the rules in the standard rule base and/or the ignore rule base, and trigger a rule when the service data meets the trigger condition of that rule.
The rules in the standard rule base are sorted by a certain strategy before they detect the service data. The strategy is a priority strategy, with higher-priority rules sorted first. The priority of a rule is adjusted according to the number of times that same rule has been triggered: the more times it is triggered, the higher its priority.
The following concrete example illustrates a specific embodiment of the invention:
Take a firewall working-status monitoring system as an example. The purpose is to monitor the CPU usage of the firewall and raise an alarm when the CPU usage of the firewall device becomes abnormal. The CPU usage of the firewall device is the management target, and this management target is included in the firewall management target set. The firewall device transmits its CPU usage data in real time through the SNMP interface to the data resource interface; the data resource interface receives the CPU usage data and displays it in real time in the service data list. The data list provides a numeric list of CPU usage distributed by time and an action menu that includes "only show greater than", "only show less than", "only show interval", "only show equal to", "only show greater than or equal to", "only show less than or equal to", "exclude this value", and so on. When the CPU usage shown by a certain data item reaches 60%, the user selects "only show greater than or equal to" on that item and triggers it, and an alert signal is sent in the result set and the command set. At this moment the analysis tracking engine records the compare-analysis operation, the trigger operation and the command operation, generating the raw record of this operating process. At the same time the analysis tracking engine parses this raw record; the logical relation and numeric range it contains are "alarm when firewall CPU usage is greater than or equal to 60%", and this rule is generated immediately. Because this rule has not yet been confirmed by the user, it is a candidate rule. The candidate rule is compared with the rules in the preset standard rule base to see whether it already exists there. If the candidate rule does not exist in the standard rule base, it is then judged whether it exists in the preset ignore rule base; if the candidate rule does exist in the standard rule base, the method returns to the operating-process tracking step and continues tracking the analysis operating process, while the rule application engine applies this rule, i.e. raises alarms. When judging whether the candidate rule exists in the preset ignore rule base: if it does not exist in the ignore rule base, the candidate rule is displayed in the candidate rule list, waiting for a new-rule generation instruction or a rule-ignore instruction; if it does exist in the ignore rule base, the method returns to the operating-process tracking step and continues tracking the analysis operating process.
When a candidate rule selected in the candidate rule list receives a new-rule generation instruction, the candidate rule corresponding to that instruction is added to the standard rule base; when a candidate rule selected in the candidate rule list receives a rule-ignore instruction, the candidate rule corresponding to that instruction is added to the ignore rule base. In this example the rule "alarm when firewall CPU usage is greater than or equal to 60%" received a new-rule generation instruction, so the rule "alarm when firewall CPU usage is greater than or equal to 60%" was added to the standard rule base.
At this point the standard rule base contains the rule "alarm when firewall CPU usage is greater than or equal to 60%", and the initial priority of this rule is zero. When the data resource interface receives new firewall CPU usage data, the rule application engine applies this rule to the CPU usage data received by the data resource interface, i.e. uses the rule "alarm when firewall CPU usage is greater than or equal to 60%" to detect the CPU usage data; when a CPU usage value in the CPU usage data is greater than or equal to 60%, an alarm is triggered and the priority of this rule is raised at the same time.
The above is only a preferred embodiment of the invention. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principle of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the invention.
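The following is an added worked example, written for this page and not code from the patent or its assignee, that models steps S1 to S8 above on the firewall CPU-usage scenario: a raw record of the user's analysis action is parsed into a candidate rule, the candidate is checked against the standard rule base and the ignore rule base, a user instruction either accepts or ignores it, and accepted rules are then applied to new readings in priority order, with a rule's priority raised each time it fires. The class and function names (`Rule`, `RawRecord`, `RuleEngine`, `parse_record`), the mapping of the menu labels to comparison operators, and the sample CPU-usage feed are all assumptions made for this example; the patent specifies none of them.

```python
"""Added example modelling the rule generation workflow of CN103365871A.

All names, the menu-to-operator mapping and the sample feed are hypothetical
choices for this illustration, not part of the patent.
"""
from dataclasses import dataclass
import operator

# Action-menu labels named in the patent's firewall example, mapped to a
# comparison symbol (this mapping is an assumption of the example).
# "only show interval" and "exclude this value" are left out for brevity.
MENU_TO_OP = {
    "only show greater than": ">",
    "only show less than": "<",
    "only show equal to": "==",
    "only show greater than or equal to": ">=",
    "only show less than or equal to": "<=",
}
OP_FUNCS = {">": operator.gt, "<": operator.lt, "==": operator.eq,
            ">=": operator.ge, "<=": operator.le}


@dataclass(frozen=True)
class Rule:
    """Trigger when <target> <op> <threshold>. Frozen so that equality and
    hashing give the membership tests of S4 and S5 directly."""
    target: str
    op: str
    threshold: float

    def matches(self, value):
        return OP_FUNCS[self.op](value, self.threshold)


@dataclass
class RawRecord:
    """S2: raw record of one tracked analysis operation (hypothetical layout)."""
    target: str       # management target the user was looking at
    action: str       # menu label the user chose
    value: float      # data item the action was applied to
    triggered: bool   # whether the user also triggered an alert on it


def parse_record(rec):
    """S3: parse the logical relation and value range into a candidate rule."""
    if not rec.triggered or rec.action not in MENU_TO_OP:
        return None
    return Rule(rec.target, MENU_TO_OP[rec.action], rec.value)


class RuleEngine:
    def __init__(self):
        self.standard = {}    # standard rule base: Rule -> priority
        self.ignored = set()  # ignore rule base
        self.candidates = []  # candidate rule list shown to the user (S6)

    def track(self, rec):
        """S1-S6: returns where the parsed candidate ended up."""
        rule = parse_record(rec)
        if rule is None:
            return "no-rule"
        if rule in self.standard:      # S4: already a standard rule, back to S1
            return "existing"
        if rule in self.ignored:       # S5: previously ignored, back to S1
            return "ignored"
        if rule not in self.candidates:
            self.candidates.append(rule)
        return "candidate"

    def instruct(self, rule, accept):
        """S7: new-rule generation instruction (accept=True) or rule-ignore instruction."""
        self.candidates.remove(rule)
        if accept:
            self.standard[rule] = 0    # initial priority is zero
        else:
            self.ignored.add(rule)

    def detect(self, target, value):
        """S8: apply standard rules sorted by priority, highest first; every
        rule that fires has its priority raised by one."""
        fired = []
        for rule in sorted(self.standard, key=self.standard.get, reverse=True):
            if rule.target == target and rule.matches(value):
                self.standard[rule] += 1
                fired.append(rule)
        return fired


# Constructed sample feed standing in for SNMP-delivered CPU usage readings.
SAMPLE_FEED = [("firewall.cpu_usage", v) for v in (35, 62, 48, 71, 90)]


def run_example():
    """Replays the patent's scenario: the user picks '>=' on a 60% reading and
    triggers an alert, accepts the candidate rule, then new readings arrive."""
    engine = RuleEngine()
    rec = RawRecord("firewall.cpu_usage", "only show greater than or equal to", 60, True)
    assert engine.track(rec) == "candidate"
    engine.instruct(engine.candidates[0], accept=True)
    alarms = [v for t, v in SAMPLE_FEED if engine.detect(t, v)]
    return engine, alarms


if __name__ == "__main__":
    eng, alarms = run_example()
    rule = Rule("firewall.cpu_usage", ">=", 60)
    print("alarms on:", alarms, "| rule priority now:", eng.standard[rule])
```

Keeping `Rule` frozen and hashable is what makes the S4/S5 membership checks cheap and exact: a candidate that the user has already accepted or already ignored is recognised by value, so the same analysis action never re-prompts the user. Priorities are kept beside the rule rather than inside it so that raising a priority in S8 does not change the rule's identity in either base.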

Claims (9)

1. A method of rule generation, characterized in that it comprises the following steps:
S1: track the operating process in which service data is analysed;
S2: generate a raw record of the operating process;
S3: parse the raw record to form a candidate rule;
S4: judge whether the candidate rule already exists in the standard rule base; if not, go to S5; if yes, return to S1 and track the operating process of analysing new service data;
S5: judge whether the candidate rule exists in the ignore rule base; if not, go to S6; if yes, return to S1 and track the operating process of analysing new service data;
S6: display the candidate rule in the candidate rule list and wait for a new-rule generation instruction or a rule-ignore instruction;
S7: when a new-rule generation instruction is received, add the candidate rule corresponding to that instruction to the standard rule base; when a rule-ignore instruction is received, add the candidate rule corresponding to that instruction to the ignore rule base.
2. The method of rule generation according to claim 1, characterized in that S1 is specifically: obtain the service data corresponding to the management targets, display the service data in the service data list and wait for it to be triggered for analysis; when service data in the service data list is triggered, track the triggered operating process.
3. The method of rule generation according to claim 2, characterized in that the management targets include one or more of the following types:
file, database, web page, stream, packet, data stream.
4. The method of rule generation according to claim 3, characterized in that the above management targets form a management target set.
5. The method of rule generation according to claim 1, characterized in that S3 is specifically: parse the logical relations and value ranges of the service data contained in the raw record, and generate the candidate rule.
6. The method of rule generation according to claim 1, characterized in that step S7 is followed by the step:
S8: detect received service data with the rules in the standard rule base and/or the ignore rule base, and trigger a rule when the service data meets the trigger condition of that rule.
7. The method of rule generation according to claim 6, characterized in that the rules in the standard rule base are sorted by a certain strategy before they detect the service data.
8. The method of rule generation according to claim 7, characterized in that the strategy is a priority strategy, with higher-priority rules sorted first.
9. The method of rule generation according to claim 8, characterized in that the priority of a rule is adjusted according to the number of times that same rule has been triggered: the more times it is triggered, the higher its priority.
CN201210088324.6A 2012-03-29 2012-03-29 A kind of method of rule generation Active CN103365871B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210088324.6A CN103365871B (en) 2012-03-29 2012-03-29 A kind of method of rule generation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210088324.6A CN103365871B (en) 2012-03-29 2012-03-29 A kind of method of rule generation

Publications (2)

Publication Number Publication Date
CN103365871A true CN103365871A (en) 2013-10-23
CN103365871B CN103365871B (en) 2017-07-14

Family

ID=49367241

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210088324.6A Active CN103365871B (en) 2012-03-29 2012-03-29 A kind of method of rule generation

Country Status (1)

Country Link
CN (1) CN103365871B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109684306A (en) * 2018-12-24 2019-04-26 成都四方伟业软件股份有限公司 A kind of automated date base management method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6915297B2 (en) * 2002-05-21 2005-07-05 Bridgewell, Inc. Automatic knowledge management system
US7382970B2 (en) * 2001-03-01 2008-06-03 Sony Corporation Process control manager for audio/video file system
CN101739248A (en) * 2008-11-13 2010-06-16 国际商业机器公司 Method and system for executing rule set
CN102281260A (en) * 2010-06-10 2011-12-14 阿里巴巴集团控股有限公司 Generating method and server of monitoring rule

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7382970B2 (en) * 2001-03-01 2008-06-03 Sony Corporation Process control manager for audio/video file system
US6915297B2 (en) * 2002-05-21 2005-07-05 Bridgewell, Inc. Automatic knowledge management system
CN101739248A (en) * 2008-11-13 2010-06-16 国际商业机器公司 Method and system for executing rule set
CN102281260A (en) * 2010-06-10 2011-12-14 阿里巴巴集团控股有限公司 Generating method and server of monitoring rule

Also Published As

Publication number Publication date
CN103365871B (en) 2017-07-14

Similar Documents

Publication Publication Date Title
CN110445807A (en) Network security situation sensing system and method
CN105191257B (en) Method and apparatus for detecting multistage event
US10101244B2 (en) Self-learning simulation environments
RU2011115363A (en) SYSTEM AND METHOD FOR PREVENTING SECURITY INCIDENTS BASED ON USER HAZARD RATINGS
CN105511944A (en) Anomaly detection method of internal virtual machine of cloud system
CN104978201A (en) Method and device for controlling automatic pop-up window display
EP3797503B1 (en) Cyber defence system
KR20170035892A (en) Recognition of behavioural changes of online services
CN110493043B (en) Distributed situation awareness calling method and device
CN112463553B (en) System and method for analyzing intelligent alarms based on common alarm association
CN108712448A (en) A kind of injection attack detection model based on the analysis of dynamic stain
CN113242267A (en) Situation perception method based on brain-like calculation
US20160259869A1 (en) Self-learning simulation environments
CN101562539A (en) Self-adapting network intrusion detection system
Beling et al. Model-based engineering for functional risk assessment and design of cyber resilient systems
Chu et al. Big data and its V’s with IoT to develop sustainability
CN103365871A (en) Automatic generation method of rules
CN103503042B (en) Customizable policy engine
Xiong et al. Construction of approximate reasoning model for dynamic CPS network and system parameter identification
CN110493218B (en) Situation awareness virtualization method and device
CN108494791A (en) A kind of DDOS attack detection method and device based on Netflow daily record datas
WO2017176676A1 (en) Graph-based fusing of heterogeneous alerts
US20190377590A1 (en) System and method for physical machine monitoring and analysis
Merat et al. Artificial intelligence application for improving cyber-security acquirement
Morales et al. Using iron to build frictionless on-line communities

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20240103

Address after: Room 1203, 12th Floor, Building A2, No.10 Kegu 1st Street, Daxing District, Beijing, 100176

Patentee after: Beijing Bigger Big Data Operations Co.,Ltd.

Address before: Room 610, Building A, No. 4 Xizhao Temple Middle Street, Chongwen District, Beijing, 100061

Patentee before: BEIJING HENGAN YONGTONG TECHNOLOGY Co.,Ltd.