CN117692345B - IT operation method and system based on artificial intelligence - Google Patents
- Publication number
- CN117692345B (application CN202410137297.XA)
- Authority
- CN
- China
- Prior art keywords
- network
- node
- monitoring
- result
- abnormality
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    - H04L41/06—Management of faults, events, alarms or notifications
    - H04L41/14—Network analysis or design
      - H04L41/142—Network analysis or design using statistical or mathematical methods
  - H04L43/00—Arrangements for monitoring or testing data switching networks
    - H04L43/04—Processing captured monitoring data, e.g. for logfile generation
    - H04L43/50—Testing arrangements
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
        - H04L63/1416—Event detection, e.g. attack signature detection
        - H04L63/1425—Traffic logging, e.g. anomaly detection
      - H04L63/1433—Vulnerability analysis
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
      - H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
        - H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    - H04L9/40—Network security protocols
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F18/00—Pattern recognition
    - G06F18/20—Analysing
      - G06F18/23—Clustering techniques
Abstract
The application discloses an IT operation method and system based on artificial intelligence, belonging to the field of computer network management, wherein the method comprises the following steps: establishing information interaction with an enterprise and establishing monitoring nodes; executing node clustering of the monitoring nodes to generate node clustering constraint; establishing a monitoring data set and constructing an abnormality identification unit; performing function abnormality identification of the monitoring data set to generate a first function abnormality identification result; performing node abnormality recognition, generating a second function abnormality recognition result, and configuring a strengthening node; and carrying out continuous data sensitive monitoring, generating a depth recognition result, generating node early warning and reconstructing a security certificate to finish operation early warning management. The application solves the technical problem that the prior art cannot realize the precise abnormality identification and operation management of massive heterogeneous network nodes, and achieves the technical effects of realizing the precise detection of network abnormalities and operation early warning management by establishing multi-granularity network function characteristics.
Description
Technical Field
The invention relates to the field of computer network management, in particular to an IT operation method and system based on artificial intelligence.
Background
With the rapid development of information technology, heterogeneous networks of all kinds keep growing in scale and the number of network nodes rises quickly, which brings unprecedented challenges to network operation management; in particular, rapidly and accurately identifying and locating anomalies in the large volumes of data generated by massive numbers of network nodes is an urgent problem. At present, common IT operation management performs statistical analysis directly on the huge volume of node data, but because of the data volume and information redundancy, missed reports and missed detections occur easily, and fine-grained anomaly monitoring and operation early warning management cannot be realized.
Disclosure of Invention
The application provides an IT operation method and system based on artificial intelligence, which aim to solve the technical problems that in the prior art, data of massive heterogeneous network nodes cannot be effectively analyzed and identified, so that the condition of missing report and missing detection easily occurs in operation management, and fine-granularity abnormal monitoring and operation early warning management cannot be realized.
In view of the above problems, the present application provides an artificial intelligence based IT operation method and system.
In a first aspect of the disclosure, an IT operation method based on artificial intelligence is provided, which includes: establishing information interaction with an enterprise, reading network architecture basic information of the enterprise, and establishing monitoring nodes through the network architecture basic information; network function segmentation is carried out through network architecture basic information, multi-granularity functional network characteristics are established, node clustering of monitoring nodes is executed based on the multi-granularity functional network characteristics, and node clustering constraint is generated; crawling monitoring data of the monitoring nodes, establishing a monitoring data set, and constructing an anomaly identification unit based on big data through multi-granularity functional network characteristics; performing function abnormality recognition of the monitoring data set through an abnormality recognition unit to generate a first function abnormality recognition result; carrying out node abnormality recognition through the monitoring nodes, carrying out function abnormality analysis through node clustering constraint, generating a second function abnormality recognition result, and configuring the reinforced nodes according to the first function abnormality recognition result and the second function abnormality recognition result; continuous data sensitive monitoring is carried out on the reinforced nodes, and data sensitive monitoring results are sent to a depth anomaly identification network to generate a depth identification result, wherein the depth anomaly identification network completes initialization through the function anomaly identification result; and generating node early warning based on the depth recognition result, and reconstructing a security certificate through node clustering constraint to complete operation early warning management.
In another aspect of the present disclosure, an artificial intelligence based IT operation system is provided, the system comprising: the monitoring node establishing module is used for establishing information interaction with an enterprise, reading network architecture basic information of the enterprise and establishing monitoring nodes through the network architecture basic information; the node clustering constraint module is used for carrying out network function segmentation through network architecture basic information, establishing multi-granularity functional network characteristics, executing node clustering of monitoring nodes based on the multi-granularity functional network characteristics and generating node clustering constraint; the identification unit construction module is used for crawling the monitoring data of the monitoring nodes, establishing a monitoring data set and constructing an abnormal identification unit based on big data through the multi-granularity functional network characteristics; the function abnormality identification module is used for carrying out function abnormality identification of the monitoring data set through the abnormality identification unit and generating a first function abnormality identification result; the reinforced node configuration module is used for carrying out node abnormality identification through the monitoring nodes, carrying out function abnormality analysis through node clustering constraint, generating a second function abnormality identification result, and configuring reinforced nodes according to the first function abnormality identification result and the second function abnormality identification result; the depth recognition result module is used for carrying out continuous data sensitive monitoring on the reinforced nodes, sending the data sensitive monitoring result to the depth abnormality recognition network and generating a depth recognition result, wherein the depth abnormality recognition network completes initialization through the function abnormality recognition result; and the operation early warning management module is used for generating node early warning based on the depth recognition result and reconstructing the security certificate through node clustering constraint so as to complete operation early warning management.
One or more technical schemes provided by the application have at least the following technical effects or advantages:
Because information interaction with the enterprise network is established and the basic information of the network architecture is read, complete monitoring nodes are established and unified monitoring and acquisition of data are realized; network function segmentation is carried out through the network architecture information, and multi-granularity network function characteristics are established to guide node analysis and processing in a targeted manner, while the monitoring nodes are clustered based on these function characteristics to generate node clustering constraint, which provides the basis for function abnormality identification; the data of the monitoring nodes are crawled to establish a monitoring data set, and an abnormality identification unit based on big data is established through the multi-granularity functional network characteristics so as to realize efficient and accurate abnormality detection; function abnormality recognition of the monitoring data set is performed through the abnormality recognition unit to generate a first function abnormality recognition result; node abnormality identification is carried out through the monitoring nodes and function abnormality analysis through node clustering constraint to generate a second function abnormality identification result; a strengthening node is configured according to the first and second function abnormality identification results; a deep anomaly identification network is applied to the reinforced nodes to realize continuous sensitive monitoring and form a refined anomaly identification capability, and the security certificate is actively reconstructed through node clustering constraint, establishing an automatic security protection mechanism that completes accurate identification of and active response to abnormal conditions. This solves the problem of the prior art, in which data of massive heterogeneous network nodes cannot be effectively analyzed and identified, so that missed reports and missed detections easily occur in operation management and fine-granularity anomaly monitoring and operation early warning management cannot be realized; the accuracy and coverage rate of anomaly detection in IT operation are improved, the probability of missed reports and missed detections is reduced, and the technical effect of fine-granularity operation early warning management is achieved.
The foregoing description is only an overview of the present application, and is intended to be implemented in accordance with the teachings of the present application in order that the same may be more clearly understood and to make the same and other objects, features and advantages of the present application more readily apparent.
Drawings
FIG. 1 is a schematic flow chart of an IT operation method based on artificial intelligence according to an embodiment of the present application;
fig. 2 is a schematic flow chart of operation early warning update in an IT operation method based on artificial intelligence according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an IT operation system based on artificial intelligence according to an embodiment of the present application.
Reference numerals: monitoring node establishment module 11, node cluster constraint module 12, identification unit construction module 13, functional abnormality identification module 14, enhanced node configuration module 15, depth identification result module 16, operation early warning management module 17.
Detailed Description
The technical scheme provided by the application has the following overall thought:
The embodiment of the application provides an IT operation method and system based on artificial intelligence. Firstly, reading network architecture basic information of an enterprise, and comprehensively establishing monitoring nodes to realize unified acquisition of data. And then, clustering the monitoring nodes based on the multi-granularity functional network characteristics to generate node clustering constraint so as to guide the subsequent flow. And then, performing high-efficiency screening by means of the constructed characteristics and the big data technology to obtain a first function abnormality identification result. And then, generating a second functional abnormality recognition result through node clustering constraint by combining node self analysis. And then configuring a reinforced node according to the first function abnormality identification result and the second function abnormality identification result, acquiring a data sensitive monitoring result at the reinforced node, realizing continuous fine monitoring through a deep abnormality identification network, actively reconstructing a safety certificate by matching with node clustering constraint, forming an automatic active isolation and coping mechanism for abnormal conditions, completing operation early warning management, and effectively establishing a safety protection system.
Having described the basic principles of the present application, various non-limiting embodiments of the present application will now be described in detail with reference to the accompanying drawings.
Example 1
As shown in fig. 1, an embodiment of the present application provides an IT operation method based on artificial intelligence, which includes:
Establishing information interaction with an enterprise, reading network architecture basic information of the enterprise, and establishing monitoring nodes through the network architecture basic information;
In the embodiment of the application, firstly, the network architecture basic information of an enterprise is read from the enterprise terminal through a network communication interface or a data transmission interface integrated by a system. The network architecture basic information of the enterprise should include network topology structure, location information of each node, node function information, network configuration parameters, etc. to comprehensively reflect the basic deployment and architecture of the enterprise network. Then, on the basis of obtaining the basic information of the network architecture, the network topology structure is further analyzed, the position information and the functional attribute of the key network node are determined, the node which has great influence on the stable operation of the network and contains the core function is designated as a monitoring node, and the node is used as a data acquisition source for subsequent monitoring and analysis and is responsible for providing the network operation state and flow data.
Performing network function segmentation through the network architecture basic information, establishing multi-granularity functional network characteristics, and executing node clustering of the monitoring nodes based on the multi-granularity functional network characteristics to generate node clustering constraint;
In the embodiment of the application, firstly, on the basis of acquiring network infrastructure information and determining monitoring nodes, network function characteristics at different granularities are abstracted according to network functions, so as to obtain multi-granularity functional network characteristics. Specifically, network function segmentation starts from the minimum functional unit and is summarized step by step to form higher-level functional units. For example, a server or a router is a minimum functional unit, and the local area network formed by servers and routers is a higher-level functional unit, so that network levels such as the core layer, the aggregation (convergence) layer and the access layer can be divided upward in turn.
After the multi-granularity functional network characteristics are established, the characteristic description vectors of the corresponding functional units are established, wherein vector elements of the characteristic description vectors can contain functional identifiers, performance parameters, configuration parameters and other characteristic data capable of describing the network functions. And then, based on the multi-granularity network function characteristics, establishing a node function mapping relation, namely determining the corresponding relation between the nodes and the network functions. For example, which nodes belong to the network core layer functions, which nodes provide specific service access functions, etc. And then, on the basis of the functional mapping, classifying and aggregating the monitoring nodes by adopting a clustering algorithm according to the functional attributes and the dependency relations of the nodes to form node clustering constraint, wherein the node clustering constraint comprises the subordinate and association relations among the monitoring nodes, and the support is established for subsequent abnormal recognition.
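As an added example (not code from the patent), the clustering step above worked in Python on a constructed inventory: the node names, the three granularities (device function, LAN, network layer), the attribute names and the dependency edges are all assumptions made for illustration.

```python
"""Multi-granularity functional features and node clustering constraint.

Added example, not the patent's own code. The inventory below is constructed:
each monitoring node carries its minimum functional unit (device function), the
LAN it belongs to, its network layer, and the nodes it depends on. This stands
in for the "network architecture basic information" read from the enterprise.
"""
from collections import defaultdict

NODES = {
    "core-sw-1":  {"function": "switch", "lan": "dc-lan",     "layer": "core",        "depends_on": []},
    "core-rtr-1": {"function": "router", "lan": "dc-lan",     "layer": "core",        "depends_on": []},
    "agg-sw-1":   {"function": "switch", "lan": "floor1-lan", "layer": "aggregation", "depends_on": ["core-sw-1"]},
    "agg-sw-2":   {"function": "switch", "lan": "floor2-lan", "layer": "aggregation", "depends_on": ["core-sw-1"]},
    "web-srv-1":  {"function": "server", "lan": "floor1-lan", "layer": "access",      "depends_on": ["agg-sw-1"]},
    "web-srv-2":  {"function": "server", "lan": "floor2-lan", "layer": "access",      "depends_on": ["agg-sw-2"]},
    "db-srv-1":   {"function": "server", "lan": "dc-lan",     "layer": "access",      "depends_on": ["core-rtr-1"]},
}

# Granularities from the minimum functional unit upward: device -> LAN -> layer.
GRANULARITIES = ("function", "lan", "layer")


def feature_vector(name, nodes=NODES):
    """Feature description vector of one monitoring node: its functional unit at
    each granularity plus a numeric fan-in (how many nodes depend on it)."""
    attrs = nodes[name]
    fan_in = sum(name in other["depends_on"] for other in nodes.values())
    return tuple(attrs[g] for g in GRANULARITIES) + (fan_in,)


def node_function_mapping(nodes=NODES):
    """Node -> function mapping at every granularity: which nodes make up each
    functional unit (e.g. which nodes provide core-layer functions)."""
    mapping = {g: defaultdict(set) for g in GRANULARITIES}
    for name, attrs in nodes.items():
        for g in GRANULARITIES:
            mapping[g][attrs[g]].add(name)
    return {g: dict(units) for g, units in mapping.items()}


def clustering_constraint(nodes=NODES):
    """Node clustering constraint: subordinate relations (membership of each
    functional unit at each granularity) and association relations (the
    transitive set of nodes downstream of a node, i.e. affected if it fails)."""
    subordinate = node_function_mapping(nodes)
    dependents = defaultdict(set)          # reverse edges of depends_on
    for name, attrs in nodes.items():
        for dep in attrs["depends_on"]:
            dependents[dep].add(name)
    association = {}
    for name in nodes:
        downstream, stack = set(), [name]
        while stack:                        # depth-first closure over dependents
            for nxt in dependents.get(stack.pop(), ()):
                if nxt not in downstream:
                    downstream.add(nxt)
                    stack.append(nxt)
        association[name] = downstream
    return {"subordinate": subordinate, "association": association}


def related_nodes(name, constraint, granularity="lan", nodes=NODES):
    """Nodes the constraint ties to `name`: the other members of its functional
    unit at the chosen granularity, plus everything downstream of it. This is
    the set a later step inspects when `name` is found to be abnormal."""
    unit = nodes[name][granularity]
    same_unit = constraint["subordinate"][granularity][unit] - {name}
    return same_unit | constraint["association"][name]


if __name__ == "__main__":
    c = clustering_constraint()
    for n in NODES:
        print(n, feature_vector(n), "->", sorted(related_nodes(n, c)))
```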
Crawling monitoring data of the monitoring nodes, establishing a monitoring data set, and constructing an anomaly identification unit based on big data through the multi-granularity functional network characteristics;
In the embodiment of the application, firstly, performance and flow data on each monitoring node are crawled in real time to generate a large-scale monitoring data set. The monitoring data set comprises monitoring data that reflect the running states of the nodes and the network, such as the network flow, delay, packet loss rate, memory occupation and CPU load of each monitoring node, and can also comprise monitoring node logs and event data.
And meanwhile, collecting large-scale time series data such as network flow, performance indexes and the like from each monitoring node, and reflecting the normal and abnormal running states of the network. Features corresponding to the multi-granularity functional network features are then extracted from the large-scale time-series data using feature engineering. And then, carrying out anomaly labeling on the large-scale time sequence data according to the extracted characteristics, and analyzing the relevance of anomalies among different network functions to form an anomaly relevance knowledge graph. And then, training an integrated hierarchical network anomaly detection model, namely an anomaly identification unit, based on the large-scale time sequence data and the anomaly association knowledge graph.
Performing abnormal function recognition of the monitoring data set through the abnormal recognition unit to generate a first abnormal function recognition result;
In the embodiment of the application, firstly, the acquired monitoring data set is subjected to preprocessing such as cleaning and lightweight compression so as to improve the data quality. The monitoring data is then mapped onto the corresponding network functions at different levels according to the multi-granularity functional network features. Then, the processed monitoring data set is segmented and input into the different functional subunits of the anomaly identification unit, and anomaly judgment is executed on a distributed computing framework such as Spark, so that the anomaly identification efficiency is improved. Then, the abnormal judgment results output by each functional subunit are aggregated, such as abnormal flow on a core layer switch or abnormal access layer network delay. Then, on the basis of the aggregated abnormal judgment results, the relevance of the different functional anomalies is further analyzed and the abnormal diffusion path is marked. Finally, an abnormality recognition report is formed that records, for each functional abnormality in the network, its time point, duration, related nodes and abnormal association relations; this report is the first functional abnormality recognition result.
Carrying out node abnormality recognition through the monitoring nodes, carrying out function abnormality analysis through node clustering constraint, generating a second function abnormality recognition result, and configuring the reinforced nodes according to the first function abnormality recognition result and the second function abnormality recognition result;
In the embodiment of the application, firstly, on each monitoring node, a threshold value is set for indexes such as resource utilization rate, response delay and the like, so as to monitor the monitoring node in real time and judge whether the monitoring node is abnormal or not. When an abnormality occurs in a certain monitoring node, determining a network function module corresponding to the monitoring node with the abnormality, judging other monitoring nodes belonging to the same class as or related to the monitoring node with the abnormality according to node clustering constraint, and judging whether the monitoring nodes have potential abnormality hazards or not, so that other monitoring nodes and network function modules with possible faults or performance reduction are deduced, and the abnormality identification range is enlarged. And then, recording the association analysis result of the network function and the abnormality monitoring node to form a second function abnormality identification result, so that the function abnormality identification is more comprehensive and associative.
The first and second functional abnormality identification results are then compared, and their points of difference and the accuracy of each are analyzed. Combining the comparison, the reduction in stability or the probability of failure caused in each network function module by abnormal monitoring nodes is evaluated, and the vulnerability of the module and its influence surface, including the range of services that depend on the function, is judged. Based on the evaluation result, a correlation diagram between functional abnormalities and monitoring nodes is drawn to determine which monitoring nodes are likely to cause more serious risk, and the monitoring nodes in critical positions with a large influence area are selected as the reinforced nodes, so that efficient and targeted network data monitoring is achieved.
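The three steps above (per-node threshold judgment, expansion to related nodes under the node clustering constraint, and selection of reinforced nodes by influence area) can be illustrated with the following Python example. It is an added example and not code from the patent; the node names, metric readings, thresholds, cluster membership and dependent-service counts are all constructed, and the rule that a confirmed anomaly counts twice as much as a suspected one is an assumption made here.

```python
"""Added example (not from the patent): per-node threshold checks, cluster
propagation under a node-clustering constraint, and selection of reinforced
nodes by influence area. All node names, clusters and readings are constructed."""

# Constructed sample: latest metric readings per monitoring node.
READINGS = {
    "core-sw-1":   {"cpu": 0.93, "delay_ms": 4.0},
    "core-sw-2":   {"cpu": 0.41, "delay_ms": 3.5},
    "access-sw-1": {"cpu": 0.35, "delay_ms": 120.0},
    "access-sw-2": {"cpu": 0.30, "delay_ms": 8.0},
    "db-srv-1":    {"cpu": 0.55, "delay_ms": 20.0},
}
# Constructed per-index thresholds (resource utilisation, response delay).
THRESHOLDS = {"cpu": 0.90, "delay_ms": 100.0}

# Constructed node-clustering constraint: nodes that share a network function.
CLUSTERS = {
    "core": ["core-sw-1", "core-sw-2"],
    "access": ["access-sw-1", "access-sw-2"],
    "service": ["db-srv-1"],
}
# Constructed influence area: number of services depending on each function.
DEPENDENT_SERVICES = {"core": 12, "access": 4, "service": 6}


def node_anomalies(readings, thresholds):
    """Return {node: [index, ...]} for every index above its threshold."""
    out = {}
    for node, metrics in readings.items():
        bad = [m for m, v in metrics.items() if v > thresholds.get(m, float("inf"))]
        if bad:
            out[node] = bad
    return out


def cluster_of(node, clusters):
    """Network function (cluster) a node belongs to, or None."""
    for name, members in clusters.items():
        if node in members:
            return name
    return None


def propagate(anomalies, clusters):
    """Second-result style expansion: peers of an anomalous node in the same
    cluster are flagged as carrying a potential abnormality hazard."""
    suspected = {}
    for node in anomalies:
        c = cluster_of(node, clusters)
        for peer in clusters.get(c, []):
            if peer != node and peer not in anomalies:
                suspected[peer] = c
    return suspected


def select_reinforced(anomalies, suspected, clusters, dependents, top_n=2):
    """Rank anomalous and suspected nodes by influence area (services depending
    on their function); a confirmed anomaly is weighted twice a suspected one
    (assumed weighting). The top_n nodes become the reinforced nodes."""
    scores = {}
    for node in anomalies:
        scores[node] = 2 * dependents[cluster_of(node, clusters)]
    for node, c in suspected.items():
        scores[node] = dependents[c]
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [n for n, _ in ranked[:top_n]]


if __name__ == "__main__":
    found = node_anomalies(READINGS, THRESHOLDS)
    peers = propagate(found, CLUSTERS)
    print("anomalous:", found)
    print("suspected:", peers)
    print("reinforced:", select_reinforced(found, peers, CLUSTERS, DEPENDENT_SERVICES))
```

With the constructed readings, the core switch (CPU above threshold) and one access switch (delay above threshold) are anomalous, their cluster peers are marked as suspects, and the two core-layer nodes are selected because the core function carries the largest dependent-service area.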
Continuous data sensitive monitoring is carried out on the reinforced nodes, and data sensitive monitoring results are sent to a depth anomaly identification network to generate a depth identification result, wherein the depth anomaly identification network completes initialization through the function anomaly identification result;
In an embodiment of the present application, once the reinforced nodes are designated, continuous data-sensitive monitoring is performed on them. Data-sensitive monitoring refers to deep and continuous supervision of traffic content, access control, data operation behaviour and the like on the reinforced nodes in order to find risks and hidden dangers, and yields the data-sensitive monitoring result. Meanwhile, a dedicated depth anomaly identification network is constructed to receive and analyze the data-sensitive monitoring result of the reinforced nodes; its input is the monitoring data of the reinforced nodes and its output is an evaluation of the network security risk. When the depth anomaly identification network is constructed, the previously obtained functional anomaly identification result is used as prior knowledge for initializing and pre-training the model parameters, so that the network can focus on anomalies at the monitored sites more quickly. The data-sensitive monitoring result is then sent to the depth anomaly identification network to generate the depth identification result, which includes an anomaly score for each reinforced node, potential risk early warnings and the like.
And generating node early warning based on the depth recognition result, and reconstructing a security certificate through the node clustering constraint to complete operation early warning management.
In the embodiment of the application, after the depth identification result is obtained, it is combined with a preset risk threshold to determine whether high-risk vulnerabilities or attack precursors exist on the reinforced nodes. If the depth identification result triggers the risk threshold, early warning information is generated for the reinforced node to indicate the potential security problem and remind operation and maintenance personnel to complete inspection and protection. Meanwhile, the node clustering constraint is activated, that is, the other monitoring nodes in the network function area associated with the reinforced node being warned are checked for hidden dangers; if a regional problem is found, the network strategy is readjusted and the security certificate is reconstructed through certificate re-issuance, node re-verification and similar means. Through node early warning and security certificate reconstruction, the network function can be isolated or reinforced in a timely and secure manner, the spread of the problem is prevented, secure operation and maintenance is realized, and a rapid and effective network security management early warning mechanism is formed.
Further, the embodiment of the application further comprises:
reading task data of an enterprise, and constructing a real-time execution environment of a network through the task data;
Acquiring the environment trust degree of a real-time execution environment, and generating a first abnormal influence based on the environment trust degree;
Performing task association analysis of data interaction through the real-time execution environment, and generating a second abnormal influence according to an association analysis result;
performing incremental network optimization of the deep anomaly identification network through the first anomaly impact and the second anomaly impact;
and updating the depth recognition result according to the depth abnormality recognition network after incremental optimization.
In a feasible implementation, a reading interface for task data is first built and connected to the enterprise's business management system; task data such as business processes and task schedules being executed by the enterprise are obtained regularly through this interface and reflect the business forms the network must support. The task data read include the task ID, task time period, dependent service system, network service type, target address and the like. Then, using the task data read together with network modeling or simulation means, an execution environment reflecting the current network service load is constructed, giving the real-time execution environment of the network throughout the process of network anomaly identification and decision-making.
Then, the reliability of the real-time execution environment, namely the environment trust degree, is evaluated as the first abnormal influence by checking the data flow and the stability of performance indexes in the real-time execution environment, or by checking the running security of network services through logs and alarm information. For example, when network delay fluctuation exceeds a threshold, the environment trust degree is reduced accordingly; when a virus propagation event is detected, the environment trust degree is reduced sharply. Next, according to the positions of the real-time business tasks in the real-time execution environment and the direction of data flow between them, an execution environment diagram is constructed: data paths are added between tasks and the data content and format are marked, so that the diagram becomes a streaming network reflecting the data interaction between tasks. Then the number and speed of data flow interactions between tasks are counted, a task dependency correlation matrix is calculated and the task correlation strength is determined; the cascading failure caused when a single task fails is simulated, the key business task whose failure most easily causes the largest cascading impact is identified, and the impact that the failure of this key task may cause on the service, such as the affected section and its duration, is recorded to obtain the second abnormal influence result.
Then, the environment trust degree in the first abnormal influence is converted into a regularization term of the loss function during training, or into a prior probability on the model output, so that network identification corresponds to the actual environment risk. At the same time, the cascading abnormality result of the key business task in the second abnormal influence is added as incremental knowledge to an intermediate feature layer of the depth network, enhancing the network's understanding and conversion of environment and task semantics. Driven by the knowledge of the first and second abnormal influences, the original training parameters of the depth anomaly identification network are then optimized incrementally, which helps to improve anomaly identification quality in a changeable service environment and yields the incrementally optimized depth anomaly identification network. Finally, the acquired data-sensitive monitoring result is inferred with the incrementally optimized depth anomaly identification network to obtain the updated depth identification result.
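The first and second abnormal influences described above can be computed concretely as in the following Python example. It is an added example, not code from the patent: the delay samples, security event labels, penalty sizes, task names, flow counts and the cascade threshold (a task fails when at least 30% of its inbound flow comes from failed tasks) are all constructed assumptions. It goes slightly beyond the text by running the single-task failure simulation for every task so that the key task is found by comparison.

```python
"""Added example (not from the patent): environment trust degree from delay
fluctuation and security events (first abnormal influence), a task dependency
correlation matrix built from data-flow interaction counts, and a cascade
failure simulation that identifies the key business task (second abnormal
influence). All values are constructed."""


def environment_trust(delay_samples_ms, fluctuation_threshold_ms, security_events):
    """Start at full trust (1.0); reduce it for delay fluctuation above the
    threshold and sharply for a detected malware propagation event.
    The penalty sizes (0.2 and 0.6) are constructed assumptions."""
    trust = 1.0
    fluctuation = max(delay_samples_ms) - min(delay_samples_ms)
    if fluctuation > fluctuation_threshold_ms:
        trust -= 0.2
    if "malware_propagation" in security_events:
        trust -= 0.6
    return round(max(trust, 0.0), 2)


# Constructed data-flow interaction counts between tasks: FLOWS[src][dst].
FLOWS = {
    "auth":      {"order": 40, "report": 5},
    "order":     {"billing": 30, "inventory": 25},
    "billing":   {"report": 10},
    "inventory": {"report": 8},
    "report":    {},
}


def dependency_matrix(flows):
    """Task dependency correlation: strength[dst][src] is the share of dst's
    inbound interactions that come from src (0..1)."""
    inbound = {t: 0 for t in flows}
    for dsts in flows.values():
        for dst, n in dsts.items():
            inbound[dst] += n
    strength = {t: {} for t in flows}
    for src, dsts in flows.items():
        for dst, n in dsts.items():
            strength[dst][src] = n / inbound[dst]
    return strength


def cascade(flows, failed, min_strength=0.3):
    """Simulate the failure of one task: a downstream task fails when the
    combined dependency strength on already-failed tasks reaches min_strength.
    Returns the set of tasks that fail in addition to the initial one."""
    strength = dependency_matrix(flows)
    failed_set = {failed}
    changed = True
    while changed:  # iterate until no further task fails
        changed = False
        for dst, srcs in strength.items():
            if dst in failed_set:
                continue
            if sum(s for src, s in srcs.items() if src in failed_set) >= min_strength:
                failed_set.add(dst)
                changed = True
    failed_set.discard(failed)
    return failed_set


def key_task(flows):
    """Task whose single failure causes the largest cascade, plus the full
    impact table {task: number of tasks dragged down}."""
    impacts = {t: len(cascade(flows, t)) for t in flows}
    return max(sorted(impacts), key=impacts.get), impacts


if __name__ == "__main__":
    print("trust:", environment_trust([10, 60, 11], 20, []))
    print("key task:", key_task(FLOWS))
```

In the constructed flow graph, the failure of `auth` drags down every other task, so it is recorded as the key business task whose cascading impact forms the second abnormal influence.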
Further, the embodiment of the application further comprises:
performing granularity segmentation of the minimum functional units according to the network architecture basic information, and performing functional unit identification layer by taking the minimum functional units as basic unit layers to establish multi-granularity functional network characteristics;
executing real-time task detection, and carrying out feature matching analysis of multi-granularity functional network features according to the real-time task detection result to obtain a feature matching result;
and completing real-time granularity calling constraint of the abnormality identification unit according to the feature matching result so as to perform real-time calling of the abnormality identification unit and complete function abnormality identification.
In one possible implementation, after the basic information of the network architecture is obtained, the network architecture is subjected to bottom-up stepwise functional segmentation and identification, and the minimum functional units that make up the network, such as port forwarding on a switch or message routing on a router, are identified as the basic unit layer, so as to make use of the basic information of the network architecture. On the basis of the minimum functional units, the granularity is then enlarged to establish functional units formed by the integrated combination of minimum functional units, corresponding to, for example, a local area network or a virtual local area network. The granularity is then enlarged again to form higher-level functional units. In this way the basic unit layer serves as the starting point for layer-by-layer expansion, completing the identification of the network's multi-granularity functions. In the process, for each granularity of functional unit, a feature vector representation of network operation is established by methods such as collecting interval data and analyzing behaviour patterns, and the functional network feature vectors of the different granularities are collected to form the multi-granularity functional network features.
After the multi-granularity functional network features are constructed, the network still has to carry the tasks of different service systems and applications, whose requirements on the network change dynamically. Therefore, the various tasks actively executing on the current network are detected and analyzed in real time by examining their source address, target address, service type, data content and the like, forming the real-time task detection result. The real-time task detection result is then matched layer by layer against the multi-granularity functional network features to judge which network functions, and at which granularity, the current task needs to activate or depends on for its completion, yielding the feature matching result.
A correspondence table between network functions and the abnormality recognition sub-modules in the abnormality recognition unit is established in advance. According to the feature matching result, a list of the abnormality recognition sub-modules that must be called for the different network functions is then generated, forming the module activation rule. When functional abnormality recognition starts, the required abnormality recognition sub-modules in the abnormality recognition unit are activated dynamically according to the generated module activation rule, and the monitoring data set read in real time is distributed to the activated sub-modules according to the function each record belongs to. The abnormality recognition results from the called sub-modules are then collected and integrated to complete functional abnormality recognition.
Further, as shown in fig. 2, the embodiment of the present application further includes:
Determining an early warning level based on the node early warning, and establishing a sensitive supervision period based on the early warning level and the corresponding node attribute;
performing continuous sensitive monitoring of the corresponding node according to the sensitive supervision period to generate a continuous sensitive monitoring result;
And executing early warning accumulation according to the continuous sensitive monitoring result, and carrying out operation early warning updating according to the early warning accumulation result.
In one possible implementation, when a node early warning is generated for a reinforced node, this indicates that the node has a potential security hazard or is operating abnormally. For each early warning event, the hazard level is then judged on the basis of the early warning content, the node type and the like, giving the early warning level of the node early warning. A sensitive supervision period for the reinforced node is defined according to the early warning level and the node attributes of the reinforced node, determining the interval frequency and the duration of monitoring for that node, with more frequent and longer-term data monitoring tasks set for nodes with a high early warning level or of greater criticality.
Each reinforced node is then monitored continuously and sensitively according to the adaptive sensitive supervision period generated for it; the monitoring covers the node's access log and system log, and the ports, network connections and the like of the services and processes running on the node, generating the continuous sensitive monitoring result. The number of risk points found on each reinforced node in the continuous sensitive monitoring result is then counted, and on that basis it is judged whether potential security hazards or attacks are accumulating and growing, that is, whether the early warning is descending or ascending, giving the early warning accumulation result. Based on the early warning accumulation result, network security operation and maintenance is updated: the high-risk nodes in the network that need focused defense or isolation are defined and a black-and-white list of the reinforced nodes is output, thereby updating the operation early warning and strengthening supervision of the reinforced nodes whose early warning is rising rapidly.
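The following Python example works through the early warning level, the supervision period derived from it, and the early warning accumulation that produces the black-and-white list. It is an added example and not code from the patent; the hazard weights for warning content and node type, the interval and duration values, the "rising/falling" rule over the last two monitoring windows, the blacklist threshold and the sample risk counts are all constructed assumptions.

```python
"""Added example (not from the patent): early-warning level from warning
content and node type, sensitive supervision period from level and node
attribute, and early-warning accumulation from per-window risk-point counts.
Weights, periods, thresholds and sample windows are constructed assumptions."""

# Constructed hazard weights for early-warning content and node criticality.
CONTENT_WEIGHT = {"privilege_escalation": 3, "unauthorized_access": 2, "config_drift": 1}
NODE_WEIGHT = {"core": 2, "access": 1, "edge": 0}


def warning_level(content, node_type):
    """Map a node early warning to a level from 1 (low) to 3 (high)."""
    score = CONTENT_WEIGHT.get(content, 1) + NODE_WEIGHT.get(node_type, 0)
    if score >= 4:
        return 3
    return 2 if score >= 2 else 1


def supervision_period(level, node_type):
    """Interval (seconds) and duration (hours) of continuous sensitive
    monitoring; a higher level means more frequent and longer monitoring,
    and a core node is monitored twice as long (assumed rule)."""
    interval = {1: 300, 2: 60, 3: 10}[level]
    duration = {1: 6, 2: 24, 3: 72}[level]
    if node_type == "core":
        duration *= 2
    return interval, duration


def accumulate(risk_counts):
    """Early-warning accumulation: given risk-point counts per monitoring
    window (oldest first), report whether the warning is 'rising',
    'falling' or 'stable' over the two most recent windows."""
    if len(risk_counts) < 2:
        return "stable"
    last, prev = risk_counts[-1], risk_counts[-2]
    if last > prev:
        return "rising"
    if last < prev:
        return "falling"
    return "stable"


def update_lists(node_windows, blacklist_threshold=5):
    """Build the black list (nodes needing focused defence or isolation: a
    rising trend that has reached the threshold) and the white list (no risk
    points in the latest window and not rising) of reinforced nodes."""
    black, white = [], []
    for node, counts in sorted(node_windows.items()):
        trend = accumulate(counts)
        if trend == "rising" and counts[-1] >= blacklist_threshold:
            black.append(node)
        elif trend != "rising" and counts[-1] == 0:
            white.append(node)
    return black, white


if __name__ == "__main__":
    # Constructed risk-point counts per window for three reinforced nodes.
    windows = {"core-sw-1": [1, 3, 7], "edge-1": [2, 1, 0], "access-1": [2, 2, 2]}
    print(warning_level("privilege_escalation", "core"), supervision_period(3, "core"))
    print(update_lists(windows))
```

Nodes that are neither rising to the threshold nor clean stay on neither list and simply continue under their current supervision period.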
Further, the embodiment of the application further comprises:
establishing a time sequence attenuation factor, establishing an abnormal feature set of the node through the node early warning, and executing feature value update in the abnormal feature set through the time sequence attenuation factor;
when a new abnormality occurs to any time node, performing abnormal linkage analysis on the new abnormality and the abnormal feature set;
Reconstructing the characteristic value of the corresponding abnormal characteristic according to the abnormal linkage analysis result;
And executing network updating of the deep anomaly identification network according to the anomaly characteristic set after the characteristic value is reconstructed.
In one possible implementation, when any reinforced node generates a node early warning, the keyword fields in the early warning data are extracted to construct a feature vector representing that abnormal event, forming an abnormal feature set covering multiple types of abnormal events. Since recently occurring abnormal events matter more for judging the current security condition, an exponentially decaying time-weight mechanism is constructed: an exponential decay function is defined whose input is the time node at which the abnormal event occurred and whose output is the event's time weight, with more recent events receiving a larger weight and long-past events a smaller one, thus establishing the time sequence attenuation factor. Based on this factor, every feature vector in the abnormal feature set is re-weighted and its feature parameter values are updated in proportion to the time weight, so that identification of and response to new abnormal events in the network become more sensitive and adaptive.
Then, when a new abnormal feature vector is detected during network operation at any time node, a new security event is indicated. A linkage judgment is performed immediately on the new abnormality, that is, whether it is associated with an existing abnormal event in the abnormal feature set, for example whether the two events belong to the same attack activity, giving the abnormal linkage analysis result. When the result shows that a linkage relation exists between the new abnormality and an abnormality already in the abnormal feature set, the new abnormality is treated as part of an abnormality diffusion process. In that case the abnormal feature vector of the abnormality type linked with the new abnormality is reconstructed: its feature parameter values are increased and enlarged to highlight the occurrence and influence of that abnormal feature, for example by increasing the parameter indicating threat severity or the weight of the anomaly-related network flow feature value. After the feature values are reconstructed, a feature set more sensitive to the specific new linked abnormal event, namely the abnormal feature set after feature value reconstruction, is formed on the basis of the original abnormal feature set. The parameters of the depth anomaly identification network model are then updated with this reconstructed feature set, and the parameter weights of the corresponding classification or feature extraction layers are fine-tuned purposefully, so that the network's identification of abnormal events is optimized and the security protection effect is improved.
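The decay factor, the re-weighting of the abnormal feature set, the linkage judgment and the feature value reconstruction described in the two paragraphs above are shown in the following Python example. It is an added example, not code from the patent: the feature vector layout (threat severity, anomaly-related flow volume, failed-login count), the half-life parameterisation of the exponential decay, the use of cosine similarity with a 0.9 threshold as the linkage criterion, and the 1.5x boost applied on reconstruction are all assumptions made here.

```python
"""Added example (not from the patent): time-sequence attenuation factor,
re-weighting of the abnormal feature set, linkage analysis of a new anomaly by
cosine similarity, and feature-value reconstruction of the linked entry.
Vector layout, timestamps, half-life, threshold and boost are constructed."""
import math


def decay_weight(event_time, now, half_life):
    """Exponential decay: weight 1.0 for an event at 'now', 0.5 one half-life
    ago, approaching 0 for long-past events."""
    return math.exp(-math.log(2) * (now - event_time) / half_life)


def reweight(feature_set, now, half_life):
    """Apply the attenuation factor to every stored feature vector in place.
    Each entry keeps its raw vector ('raw') and the time-weighted one ('vec')."""
    for entry in feature_set:
        w = decay_weight(entry["t"], now, half_life)
        entry["weight"] = w
        entry["vec"] = [x * w for x in entry["raw"]]
    return feature_set


def cosine(a, b):
    """Cosine similarity of two equal-length vectors (0.0 if either is zero)."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def linkage(new_raw, feature_set, threshold=0.9):
    """Abnormal linkage analysis: find the stored anomaly most similar to the
    new one; it is linked only if similarity reaches the threshold.
    Returns (entry or None, best similarity)."""
    best, best_sim = None, 0.0
    for entry in feature_set:
        s = cosine(new_raw, entry["raw"])
        if s > best_sim:
            best, best_sim = entry, s
    return (best, best_sim) if best_sim >= threshold else (None, best_sim)


def reconstruct(entry, boost=1.5):
    """Abnormality diffusion confirmed: enlarge the linked feature's parameter
    values so the feature set becomes more sensitive to this linked event."""
    entry["raw"] = [x * boost for x in entry["raw"]]
    entry["vec"] = [x * entry["weight"] for x in entry["raw"]]
    return entry


# Constructed abnormal feature set: [severity, related_flow, failed_logins].
FEATURE_SET = [
    {"type": "port_scan", "t": 0, "raw": [1.0, 2.0, 0.0]},
    {"type": "credential_bruteforce", "t": 90, "raw": [2.0, 0.0, 4.0]},
]

if __name__ == "__main__":
    reweight(FEATURE_SET, now=100, half_life=100)
    linked, sim = linkage([1.0, 2.2, 0.1], FEATURE_SET)  # constructed new event
    print("linked to:", linked["type"] if linked else None, round(sim, 3))
    if linked:
        print("reconstructed:", reconstruct(linked))
```

The re-weighted vectors are what a downstream model would consume; the raw vectors are kept so that the linkage comparison is not distorted by age, and reconstruction raises both.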
Further, the embodiment of the application further comprises:
Establishing an abnormal scheme set, and executing scheme test at a preset period node by using the abnormal scheme set;
reading a network identification result of the deep anomaly identification network, and executing verification evaluation of a test through the network identification result;
Generating sensitivity feedback through verification of the evaluation result;
and performing sensitivity optimization of the monitoring and identifying process based on the sensitivity feedback.
In a feasible implementation, to verify the effectiveness of network anomaly identification, an anomaly scheme set covering the various known network threats is first constructed from a security knowledge graph and historical case analysis; each anomaly scheme defines the characteristics of one type of anomaly, such as its triggering conditions, influence surface and degree of harm, and the set covers typical threats such as a DoS attack against a router or injection tampering via database vulnerabilities. The anomaly schemes in the set are then triggered in a test environment, the attack cases are introduced, and the scheme test is executed. After the anomaly schemes are triggered and tested, the deep anomaly identification network detects and identifies the various test anomalies produced; the network identification results are read and compared one by one with the anomaly schemes triggered in the test, and the identification accuracy, miss rate, false alarm rate and the like are determined to obtain the verification evaluation result.
On the basis of the verification evaluation result, it is analyzed further which factors cause identification blind spots in the deep anomaly identification network, that is, for which types or characteristics of abnormal event the network is insufficiently sensitive, which forms feedback that the network's monitoring and identification sensitivity is deficient; examples are false positives caused by insufficient feature extraction, or an insufficient ability to perceive attacks of certain protocol types. The deep anomaly identification network is then optimized according to this sensitivity feedback so that its anomaly detection sensitivity improves, achieving an overall improvement and optimization of monitoring and identification sensitivity. For example, if the model's discrimination capability is weak because the amount of training data is insufficient, the acquisition frequency of abnormal data is increased and the data set enlarged; if the dimension of feature extraction is insufficient, the feature dimension is increased and more abnormal behaviour features are extracted.
Further, the embodiment of the application further comprises:
judging whether the verification evaluation result meets a preset evaluation threshold value or not;
if the preset evaluation threshold cannot be met, generating a recognition early warning corresponding to the abnormality;
and updating the abnormality detection strategy through the identification early warning.
In one possible implementation, for each index in the verification evaluation result, such as anomaly detection accuracy, detection delay and failure rate, an expected threshold is preset as the preset evaluation threshold. After the verification evaluation result is obtained, it is compared index by index with the predefined expected thresholds. If the measured performance of some index in the verification evaluation result is lower than the expected value in the preset evaluation threshold, the depth anomaly identification network has an obvious weakness in identifying the specific anomaly scheme that was triggered. A recognition early warning is then generated for that type of anomaly; it points out clearly which type of anomaly leads to blind spots or shortcomings in the network's discrimination behaviour and feeds back the corresponding evidence, such as false-report samples and logs locating the error. Based on the identification blind spot pointed out by the recognition early warning, the technical strategy for improving anomaly detection is then updated accordingly. For example, for the anomaly pointed out in the recognition early warning, the data acquisition range is enlarged to obtain more samples of that type and enrich the model training data; or a corresponding classifier is added to the depth anomaly identification network model to improve the extraction of, and focus on, the discriminating features of that abnormal behaviour; or the decision mechanism of overall network anomaly judgment is adjusted so that the judgment rules fit the reflected abnormal situation.
By updating the anomaly detection strategy, the deep anomaly identification network becomes more sensitive and adaptive to the anomalies pointed out in the recognition early warning, the blind spots of anomaly monitoring are eliminated, and the robustness of IT operation is improved.
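The verification evaluation of the scheme test and the threshold comparison that produces a recognition early warning (the two preceding embodiments) are worked through in the following Python example. It is an added example and not code from the patent; the test case identifiers, the two scenario labels, the detector outputs and the expected thresholds are constructed, and nothing here triggers any attack: the example only scores recorded detector output against recorded ground truth and reports the scenarios that fall below threshold together with the evidence cases.

```python
"""Added example (not from the patent): verification evaluation of a scheme
test (per-scenario miss rate, false alarm rate, accuracy) and generation of a
recognition early warning for every index below its preset threshold.
Case ids, scenario labels, detector output and thresholds are constructed."""

# Constructed ground truth: which anomaly scheme was triggered per test case
# (None = benign case with no scheme triggered).
TRIGGERED = {
    1: "dos_router", 2: "dos_router", 3: "db_injection", 4: "db_injection",
    5: "db_injection", 6: None, 7: None, 8: None,
}
# Constructed detector output for the same cases (None = no alert raised).
DETECTED = {
    1: "dos_router", 2: "dos_router", 3: "db_injection", 4: None,
    5: None, 6: None, 7: "dos_router", 8: None,
}

# Constructed preset evaluation thresholds for each index.
THRESHOLDS = {"miss_rate": 0.2, "false_alarm_rate": 0.1, "accuracy": 0.9}


def evaluate(triggered, detected):
    """Compare detector output with the triggered schemes one by one and
    return per-scenario miss rates (with the missed case ids as evidence),
    the false alarm rate on benign cases, and overall accuracy."""
    scenarios = {s for s in triggered.values() if s}
    per = {}
    for s in scenarios:
        cases = [c for c, t in triggered.items() if t == s]
        hits = sum(1 for c in cases if detected.get(c) == s)
        per[s] = {
            "cases": len(cases),
            "miss_rate": round(1 - hits / len(cases), 3),
            "missed_cases": [c for c in cases if detected.get(c) != s],
        }
    benign = [c for c, t in triggered.items() if t is None]
    false_alarms = [c for c in benign if detected.get(c) is not None]
    correct = sum(1 for c in triggered if detected.get(c) == triggered[c])
    return {
        "per_scenario": per,
        "false_alarm_rate": round(len(false_alarms) / len(benign), 3) if benign else 0.0,
        "false_alarm_cases": false_alarms,
        "accuracy": round(correct / len(triggered), 3),
    }


def recognition_warnings(result, thresholds=THRESHOLDS):
    """Compare each index with its preset expected threshold and emit one
    recognition early warning per shortfall, naming the blind-spot scenario,
    the index, its measured value and the evidence cases."""
    warnings = []
    for s, m in sorted(result["per_scenario"].items()):
        if m["miss_rate"] > thresholds["miss_rate"]:
            warnings.append({"scenario": s, "index": "miss_rate",
                             "value": m["miss_rate"], "evidence": m["missed_cases"]})
    if result["false_alarm_rate"] > thresholds["false_alarm_rate"]:
        warnings.append({"scenario": "benign", "index": "false_alarm_rate",
                         "value": result["false_alarm_rate"],
                         "evidence": result["false_alarm_cases"]})
    if result["accuracy"] < thresholds["accuracy"]:
        warnings.append({"scenario": "overall", "index": "accuracy",
                         "value": result["accuracy"], "evidence": []})
    return warnings


if __name__ == "__main__":
    res = evaluate(TRIGGERED, DETECTED)
    for w in recognition_warnings(res):
        print(w)
```

With the constructed data the injection scheme is missed in two of three cases and one benign case raises a false alert, so the warnings point at the injection blind spot (evidence: cases 4 and 5) and at the false-alarm case 7, which is exactly the input the strategy update step needs.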
In summary, the IT operation method based on artificial intelligence provided by the embodiment of the application has the following technical effects:
Information interaction with an enterprise is established, the network architecture basic information of the enterprise is read, and monitoring nodes are established through the network architecture basic information, so that full-range data monitoring and acquisition are realized. Network function segmentation is performed through the network architecture basic information, multi-granularity functional network features are established, node clustering of the monitoring nodes is executed based on those features, and a node clustering constraint is generated, providing guidance for subsequent anomaly identification. The monitoring data of the monitoring nodes are crawled, a monitoring data set is established, and an anomaly identification unit based on big data is constructed through the multi-granularity functional network features, providing support for obtaining the first functional abnormality identification result. Functional abnormality identification of the monitoring data set is carried out through the anomaly identification unit, generating the first functional abnormality identification result and outputting the anomaly judgment result. Node abnormality identification is carried out through the monitoring nodes and functional abnormality analysis through the node clustering constraint, generating the second functional abnormality identification result and outputting a finer functional abnormality judgment that combines the nodes' own analysis. The reinforced nodes are configured according to the first and second functional abnormality identification results, giving the nodes that need continuous data-sensitive monitoring. Continuous data-sensitive monitoring is performed at the reinforced nodes, the data-sensitive monitoring result is sent to the depth anomaly identification network, and the depth identification result is generated, locating anomalies accurately.
And generating node early warning based on the depth recognition result, and reconstructing a security certificate through the node clustering constraint to complete operation early warning management and realize fine-grained operation early warning management.
Example two
Based on the same inventive concept as one of the artificial intelligence based IT operation methods in the foregoing embodiments, as shown in fig. 3, an embodiment of the present application provides an artificial intelligence based IT operation system, which includes:
The monitoring node establishing module 11 is used for establishing information interaction with an enterprise, reading network architecture basic information of the enterprise, and establishing monitoring nodes through the network architecture basic information;
The node clustering constraint module 12 is configured to perform network function segmentation through the network architecture basic information, establish a multi-granularity functional network feature, and execute node clustering of the monitoring nodes based on the multi-granularity functional network feature to generate node clustering constraint;
the identification unit construction module 13 is used for crawling the monitoring data of the monitoring nodes, establishing a monitoring data set, and constructing an abnormal identification unit based on big data through the multi-granularity functional network characteristics;
A functional abnormality recognition module 14, configured to perform functional abnormality recognition of the monitoring data set by using the abnormality recognition unit, and generate a first functional abnormality recognition result;
The reinforced node configuration module 15 is configured to perform node anomaly identification through the monitoring node, perform functional anomaly analysis through node clustering constraint, generate a second functional anomaly identification result, and configure the reinforced node according to the first functional anomaly identification result and the second functional anomaly identification result;
The depth recognition result module 16 is configured to perform continuous data sensitive monitoring on the reinforced node, and send the data sensitive monitoring result to a depth anomaly recognition network to generate a depth recognition result, where the depth anomaly recognition network completes initialization through the function anomaly recognition result;
And the operation early warning management module 17 is used for generating node early warning based on the depth recognition result and reconstructing a security certificate through the node clustering constraint so as to complete operation early warning management.
Further, the embodiment of the application also comprises a depth recognition result updating module, which comprises the following execution steps:
reading task data of an enterprise, and constructing a real-time execution environment of a network through the task data;
Acquiring the environment trust degree of a real-time execution environment, and generating a first abnormal influence based on the environment trust degree;
Performing task association analysis of data interaction through the real-time execution environment, and generating a second abnormal influence according to an association analysis result;
performing incremental network optimization of the deep anomaly identification network through the first anomaly impact and the second anomaly impact;
and updating the depth recognition result according to the depth abnormality recognition network after incremental optimization.
Further, the functional abnormality recognition module 14 includes the following execution steps:
performing granularity segmentation of the minimum functional units according to the network architecture basic information, and performing functional unit identification layer by taking the minimum functional units as basic unit layers to establish multi-granularity functional network characteristics;
executing real-time task detection, and carrying out feature matching analysis of multi-granularity functional network features according to the real-time task detection result to obtain a feature matching result;
and completing real-time granularity calling constraint of the abnormality identification unit according to the feature matching result so as to perform real-time calling of the abnormality identification unit and complete function abnormality identification.
Further, the embodiment of the application comprises an operation early warning updating module, which comprises the following execution steps:
Determining an early warning level based on the node early warning, and establishing a sensitive supervision period based on the early warning level and the corresponding node attribute;
performing continuous sensitive monitoring of the corresponding node according to the sensitive supervision period to generate a continuous sensitive monitoring result;
And executing early warning accumulation according to the continuous sensitive monitoring result, and carrying out operation early warning updating according to the early warning accumulation result.
Further, the embodiment of the application further comprises a network update recognition module, which performs the following steps:
establishing a time-series attenuation factor, establishing an abnormal feature set of the node from the node early warning, and updating the feature values in the abnormal feature set by the time-series attenuation factor;
when a new anomaly occurs at any time node, performing abnormal linkage analysis between the new anomaly and the abnormal feature set;
reconstructing the feature value of the corresponding abnormal feature according to the abnormal linkage analysis result;
and updating the deep anomaly recognition network from the abnormal feature set after the feature value reconstruction.
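The early-warning accumulation steps above and the time-decayed abnormal feature set of the network update module (both restated in claims 3 and 4), as an added illustrative example written for this page rather than the patent's own implementation. It assumes a score-to-level mapping, a per-level supervision period that is halved for critical node attributes, an exponential attenuation factor and an escalation threshold; the event stream is constructed.

```python
"""Added illustrative example (not the patent's implementation): early-warning
accumulation over a sensitive supervision period, with a per-node abnormal
feature set whose values decay by a time-series attenuation factor.
All numeric cut-offs, periods and the decay rate are assumed values."""
import math
from dataclasses import dataclass, field

BASE_PERIOD_S = {1: 300, 2: 60, 3: 10}    # assumed supervision period per warning level
CRITICAL_ATTRS = {"gateway", "identity"}  # assumed node attributes that halve the period
DECAY_PER_SECOND = 0.01                   # assumed time-series attenuation factor
ESCALATION_THRESHOLD = 2.0                # assumed accumulated value that raises the level


def warning_level(score: float) -> int:
    """Map a deep-recognition anomaly score in [0, 1] to a warning level 0..3."""
    if score >= 0.9:
        return 3
    if score >= 0.7:
        return 2
    if score >= 0.5:
        return 1
    return 0


def supervision_period(level: int, node_attr: str) -> int:
    """Sensitive supervision period: shorter for higher levels and for critical node attributes."""
    period = BASE_PERIOD_S[level]
    return period // 2 if node_attr in CRITICAL_ATTRS else period


@dataclass
class NodeAnomalyState:
    """Abnormal feature set of one node; each feature keeps (value, last_update_ts)."""
    node: str
    features: dict = field(default_factory=dict)

    def decayed(self, feature: str, now: float) -> float:
        """Feature value attenuated by exp(-decay * elapsed) since its last update."""
        value, ts = self.features.get(feature, (0.0, now))
        return value * math.exp(-DECAY_PER_SECOND * (now - ts))

    def observe(self, now: float, new_features: dict) -> dict:
        """Abnormal linkage analysis: a new anomaly sharing a feature with the set
        reinforces it (decayed old value + new evidence); an unseen feature starts
        from zero and is added. Returns the reconstructed feature values."""
        reconstructed = {}
        for feature, weight in new_features.items():
            value = self.decayed(feature, now) + weight
            self.features[feature] = (value, now)
            reconstructed[feature] = value
        return reconstructed

    def accumulated_warning(self, now: float) -> float:
        """Early-warning accumulation: sum of all decayed feature values at time now."""
        return sum(self.decayed(f, now) for f in self.features)


def run_supervision(node: str, attr: str, events: list) -> list:
    """Replay (timestamp_s, score, features) events for one node. For each event return
    the raw level from the score, the level after accumulation-based escalation, the
    supervision period to apply next, and the accumulated warning value."""
    state = NodeAnomalyState(node)
    results = []
    for ts, score, feats in events:
        raw_level = warning_level(score)
        state.observe(ts, feats)
        acc = state.accumulated_warning(ts)
        level = min(3, raw_level + 1) if acc >= ESCALATION_THRESHOLD else raw_level
        period = supervision_period(level, attr) if level else None
        results.append({"ts": ts, "raw_level": raw_level, "level": level,
                        "period_s": period, "accumulated": acc})
    return results


# Constructed sample: repeated auth failures on an identity node, then a weaker
# signal that alone would only be level 1 but escalates on accumulated evidence.
SAMPLE_EVENTS = [
    (0, 0.75, {"auth_failures": 1.0}),
    (30, 0.75, {"auth_failures": 1.0}),
    (60, 0.55, {"auth_failures": 1.0, "new_process": 0.5}),
]

if __name__ == "__main__":
    for r in run_supervision("idp-01", "identity", SAMPLE_EVENTS):
        print(r)
```

The third event illustrates the point of accumulation: its own score only reaches level 1, but the decayed residue of the two earlier auth-failure observations pushes the accumulated value past the escalation threshold, so the node stays at level 2 and keeps the 30 s supervision period instead of relaxing to 300 s.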
Further, the embodiment of the application further comprises a sensitivity optimization module, which performs the following steps:
establishing an abnormal scheme set, and executing scheme tests with the abnormal scheme set at preset period nodes;
reading the network recognition result of the deep anomaly recognition network, and executing verification evaluation of the test on the basis of the network recognition result;
generating sensitivity feedback from the verification evaluation result;
and performing sensitivity optimization of the monitoring and recognition process based on the sensitivity feedback.
Further, the embodiment of the application further comprises an anomaly detection strategy updating module, which performs the following steps:
judging whether the verification evaluation result meets a preset evaluation threshold;
if the preset evaluation threshold is not met, generating a recognition early warning for the corresponding anomaly;
and updating the anomaly detection strategy through the recognition early warning.
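The sensitivity optimization and detection strategy update steps above (restated in claims 5 and 6), as an added illustrative example written for this page and not the patent's own code. It assumes the deep anomaly recognition network reduces to a score compared against a threshold, that the scheme set carries a known label per entry, and a recall target, false-positive limit and step size; scheme names and scores are constructed.

```python
"""Added illustrative example (not the patent's implementation): periodic test of an
abnormal scheme set against a detector threshold, verification evaluation of the
result, sensitivity feedback that lowers the threshold until the target recall is
met, and a detection-strategy update when the evaluation misses the preset limits.
Scheme scores, targets, step sizes and action labels are assumed values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scheme:
    """One entry of the abnormal scheme set: a test case with the score the deep
    anomaly recognition network is assumed to produce for it and its true label."""
    name: str
    network_score: float
    is_anomaly: bool


# Constructed scheme set: injected anomalies plus benign controls.
SCHEME_SET = [
    Scheme("brute_force", 0.95, True), Scheme("lateral_move", 0.82, True),
    Scheme("slow_exfil", 0.66, True), Scheme("odd_hours_login", 0.58, True),
    Scheme("backup_job", 0.12, False), Scheme("patch_window", 0.35, False),
    Scheme("load_test", 0.41, False), Scheme("vpn_burst", 0.52, False),
]
# Constructed variant with one anomaly scoring below most benign traffic.
STEALTHY_SCHEME_SET = SCHEME_SET[:3] + [Scheme("dns_tunnel", 0.30, True)] + SCHEME_SET[4:]


def verification_evaluation(schemes, threshold: float) -> dict:
    """Compare the network's flagged set (score >= threshold) against the scheme labels."""
    tp = sum(s.is_anomaly and s.network_score >= threshold for s in schemes)
    fn = sum(s.is_anomaly and s.network_score < threshold for s in schemes)
    fp = sum((not s.is_anomaly) and s.network_score >= threshold for s in schemes)
    tn = sum((not s.is_anomaly) and s.network_score < threshold for s in schemes)
    recall = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return {"tp": tp, "fn": fn, "fp": fp, "tn": tn, "recall": recall, "fpr": fpr}


def sensitivity_optimization(schemes, threshold: float, target_recall: float = 0.9,
                             step: float = 0.05, max_rounds: int = 20):
    """Sensitivity feedback loop: while the scheme-set recall is below target, lower
    the threshold by one step. Returns (threshold, evaluation, history)."""
    history = []
    for _ in range(max_rounds):
        ev = verification_evaluation(schemes, threshold)
        history.append((threshold, ev["recall"], ev["fpr"]))
        if ev["recall"] >= target_recall or threshold <= step:
            return threshold, ev, history
        threshold = round(threshold - step, 2)
    return threshold, verification_evaluation(schemes, threshold), history


def detection_strategy_update(evaluation: dict, min_recall: float = 0.9,
                              max_fpr: float = 0.1) -> dict:
    """If the verification evaluation misses the preset limits, raise a recognition
    early warning and name the strategy change (assumed action labels)."""
    if evaluation["recall"] >= min_recall and evaluation["fpr"] <= max_fpr:
        return {"warning": False, "action": "keep_strategy"}
    if evaluation["recall"] < min_recall:
        return {"warning": True, "action": "add_missed_schemes_to_training_set"}
    return {"warning": True, "action": "threshold_alone_insufficient_add_features"}


def periodic_scheme_test(schemes, threshold: float = 0.7) -> dict:
    """One scheduled run: optimize sensitivity on the scheme set, then decide the update."""
    final_threshold, ev, history = sensitivity_optimization(schemes, threshold)
    return {"threshold": final_threshold, "evaluation": ev,
            "rounds": len(history), "update": detection_strategy_update(ev)}


if __name__ == "__main__":
    print(periodic_scheme_test(SCHEME_SET))
    print(periodic_scheme_test(STEALTHY_SCHEME_SET))
```

The two runs show both outcomes of the threshold check: on the first scheme set the feedback loop reaches full recall at 0.55 with no false positives and the strategy is kept, while on the stealthy set the only threshold that recovers the low-scoring anomaly also flags three of the four benign controls, so the evaluation fails the preset limits and the module emits a recognition early warning instead of silently accepting the lower threshold.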
Any step of the methods described above may be stored as computer instructions or a program in any computer memory and invoked by any computer processor to implement an embodiment of the present application; no further limitation is intended.
The terms "first" and "second" do not only denote an order; they may also denote distinct concepts, and may refer to elements selected individually or jointly from a plurality. It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from its scope. The present application is therefore intended to include such modifications and variations insofar as they fall within the scope of the application or its equivalents.
Claims (7)
1. An artificial intelligence based IT operation method, characterized in that the method comprises:
establishing information interaction with an enterprise, reading basic network architecture information of the enterprise, and establishing monitoring nodes from the basic network architecture information;
performing network function segmentation on the basic network architecture information, establishing multi-granularity functional network features, and executing node clustering of the monitoring nodes based on the multi-granularity functional network features to generate a node clustering constraint;
crawling monitoring data of the monitoring nodes, establishing a monitoring data set, and constructing a big-data-based anomaly recognition unit from the multi-granularity functional network features;
performing function anomaly recognition on the monitoring data set with the anomaly recognition unit to generate a first function anomaly recognition result;
performing node anomaly recognition through the monitoring nodes, performing function anomaly analysis under the node clustering constraint to generate a second function anomaly recognition result, and configuring reinforced nodes according to the first and second function anomaly recognition results;
performing continuous data-sensitive monitoring of the reinforced nodes and sending the data-sensitive monitoring result to a deep anomaly recognition network to generate a deep recognition result, wherein the deep anomaly recognition network is initialized from the function anomaly recognition results;
generating a node early warning based on the deep recognition result, and reconstructing a security certificate through the node clustering constraint to complete operation early-warning management;
wherein the method further comprises:
reading task data of the enterprise, and constructing a real-time execution environment of the network from the task data;
acquiring an environment trust degree of the real-time execution environment, and generating a first anomaly impact based on the environment trust degree;
performing task association analysis of data interaction in the real-time execution environment, and generating a second anomaly impact from the association analysis result;
performing network incremental optimization of the deep anomaly recognition network using the first anomaly impact and the second anomaly impact;
and updating the deep recognition result using the deep anomaly recognition network after the incremental optimization.
2. The method of claim 1, wherein the method further comprises:
performing granularity segmentation of the basic network architecture information into minimum functional units, and identifying functional units layer by layer with the minimum functional units as the basic unit layer, so as to establish the multi-granularity functional network features;
executing real-time task detection, and performing feature matching analysis of the multi-granularity functional network features against the real-time task detection result to obtain a feature matching result;
and deriving a real-time granularity calling constraint for the anomaly recognition unit from the feature matching result, so that the anomaly recognition unit is called in real time to complete function anomaly recognition.
3. The method of claim 1, wherein the method further comprises:
determining an early-warning level from the node early warning, and establishing a sensitive supervision period from the early-warning level and the attributes of the corresponding node;
performing continuous sensitive monitoring of the corresponding node at the sensitive supervision period to generate a continuous sensitive monitoring result;
and executing early-warning accumulation over the continuous sensitive monitoring result, and updating the operation early warning according to the accumulated result.
4. The method of claim 3, wherein the method further comprises:
establishing a time-series attenuation factor, establishing an abnormal feature set of the node from the node early warning, and updating the feature values in the abnormal feature set by the time-series attenuation factor;
when a new anomaly occurs at any time node, performing abnormal linkage analysis between the new anomaly and the abnormal feature set;
reconstructing the feature value of the corresponding abnormal feature according to the abnormal linkage analysis result;
and updating the deep anomaly recognition network from the abnormal feature set after the feature value reconstruction.
5. The method of claim 1, wherein the method further comprises:
establishing an abnormal scheme set, and executing scheme tests with the abnormal scheme set at preset period nodes;
reading the network recognition result of the deep anomaly recognition network, and executing verification evaluation of the test on the basis of the network recognition result;
generating sensitivity feedback from the verification evaluation result;
and performing sensitivity optimization of the monitoring and recognition process based on the sensitivity feedback.
6. The method of claim 5, wherein the method further comprises:
judging whether the verification evaluation result meets a preset evaluation threshold;
if the preset evaluation threshold is not met, generating a recognition early warning for the corresponding anomaly;
and updating the anomaly detection strategy through the recognition early warning.
7. An artificial intelligence based IT operation system for implementing the artificial intelligence based IT operation method according to any one of claims 1-6, the system comprising:
a monitoring node establishing module, configured to establish information interaction with an enterprise, read basic network architecture information of the enterprise, and establish monitoring nodes from the basic network architecture information;
a node clustering constraint module, configured to perform network function segmentation on the basic network architecture information, establish multi-granularity functional network features, and execute node clustering of the monitoring nodes based on the multi-granularity functional network features to generate a node clustering constraint;
a recognition unit construction module, configured to crawl monitoring data of the monitoring nodes, establish a monitoring data set, and construct a big-data-based anomaly recognition unit from the multi-granularity functional network features;
a function anomaly recognition module, configured to perform function anomaly recognition on the monitoring data set with the anomaly recognition unit and generate a first function anomaly recognition result;
a reinforced node configuration module, configured to perform node anomaly recognition through the monitoring nodes, perform function anomaly analysis under the node clustering constraint to generate a second function anomaly recognition result, and configure reinforced nodes according to the first and second function anomaly recognition results;
a deep recognition result module, configured to perform continuous data-sensitive monitoring of the reinforced nodes, send the data-sensitive monitoring result to a deep anomaly recognition network and generate a deep recognition result, wherein the deep anomaly recognition network is initialized from the function anomaly recognition results;
and an operation early-warning management module, configured to generate a node early warning based on the deep recognition result and reconstruct a security certificate through the node clustering constraint so as to complete operation early-warning management.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410137297.XA CN117692345B (en) | 2024-02-01 | 2024-02-01 | IT operation method and system based on artificial intelligence |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117692345A CN117692345A (en) | 2024-03-12 |
CN117692345B true CN117692345B (en) | 2024-06-11 |
Family
ID=90137451
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410137297.XA Active CN117692345B (en) | 2024-02-01 | 2024-02-01 | IT operation method and system based on artificial intelligence |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117692345B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117914005B (en) * | 2024-03-20 | 2024-06-11 | 江苏中恩网络科技有限公司 | Distribution network lean panoramic monitoring system and method |
CN118094531B (en) * | 2024-04-25 | 2024-07-12 | 济南源根科技有限公司 | Safe operation and maintenance real-time early warning integrated system |
CN118175186B (en) * | 2024-05-11 | 2024-07-23 | 成都昊锐佳科技有限责任公司 | Edge gateway control method, system and device for AI perception sentinel terminal |
CN118282782B (en) * | 2024-06-04 | 2024-08-09 | 山东至盛信息科技有限公司 | Big data inspection early warning method and system for network security |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3477906A1 (en) * | 2017-10-26 | 2019-05-01 | Accenture Global Solutions Limited | Systems and methods for identifying and mitigating outlier network activity |
CN114070855A (en) * | 2020-07-28 | 2022-02-18 | 中国电信股份有限公司 | Resource allocation method, resource allocation device, resource allocation system, and storage medium |
WO2023071761A1 (en) * | 2021-10-29 | 2023-05-04 | 深圳前海微众银行股份有限公司 | Anomaly positioning method and device |
CN116128312A (en) * | 2023-04-17 | 2023-05-16 | 南昌工程学院 | Dam safety early warning method and system based on monitoring data analysis |
CN116346406A (en) * | 2023-01-18 | 2023-06-27 | 重庆赛力斯新能源汽车设计院有限公司 | Detection device and detection method |
CN117277592A (en) * | 2023-11-21 | 2023-12-22 | 西安晟昕科技股份有限公司 | Protection switching method for monitoring high-voltage circuit signals |
CN117475593A (en) * | 2023-12-26 | 2024-01-30 | 江苏濠汉信息技术有限公司 | Advanced intelligent early warning method and device for abnormal load of electricity utilization terminal |
Non-Patent Citations (1)
Title |
---|
Geochemical characteristics of stream sediments in the Daibu area of Huize County, Yunnan, and their prospecting significance; 张东阳; 周毅; 王迎春; 刘学龙; 彦廷龙; 陈琰勋; 浦正义; Gold (黄金); 2017-01-15 (01); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN117692345A (en) | 2024-03-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN117692345B (en) | IT operation method and system based on artificial intelligence | |
CN113965404B (en) | Network security situation self-adaptive active defense system and method | |
US11336669B2 (en) | Artificial intelligence cyber security analyst | |
EP2487860B1 (en) | Method and system for improving security threats detection in communication networks | |
CN108494810A (en) | Network security situation prediction method, apparatus and system towards attack | |
KR102091076B1 (en) | Intelligent security control system and method using mixed map alert analysis and non-supervised learning based abnormal behavior detection method | |
CN115378711B (en) | Intrusion detection method and system for industrial control network | |
CN113162930A (en) | Network security situation sensing method based on electric power CPS | |
CN115733762A (en) | Monitoring system with big data analysis capability | |
CN117614741B (en) | Network security vulnerability position detection method and system | |
Dalmazo et al. | Expedite feature extraction for enhanced cloud anomaly detection | |
Wang et al. | Automatic multi-step attack pattern discovering | |
CN117978515B (en) | Industrial computer network access control method and system | |
CN114362994A (en) | Multilayer different-granularity intelligent aggregation railway system operation behavior safety risk identification method | |
Nam et al. | Virtual machine failure prediction using log analysis | |
CN118153117A (en) | Information security risk assessment system based on block chain | |
Cortés et al. | A hybrid alarm management strategy in signature-based intrusion detection systems | |
CN116962206B (en) | Operation and maintenance management method, device and equipment of security monitoring equipment and storage medium | |
TWI789003B (en) | Service anomaly detection and alerting method, apparatus using the same, storage media for storing the same, and computer software program for generating service anomaly alert | |
CN118713927B (en) | Information security asset network space mapping system | |
CN118138434B (en) | Hierarchical management method and hierarchical management system for distributed network management platform | |
CN118764323B (en) | Network security situation awareness platform based on flow monitoring | |
CN118363816A (en) | Application program alarm analysis system | |
GB2627553A (en) | System for processing network security alerts | |
Bu et al. | Network Security Risk Evaluation and Inducement Analysis Based on Bayesian Method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||