| CPC H04L 63/1425 (2013.01) [G06F 16/2237 (2019.01); G06F 16/285 (2019.01)] | 17 Claims |

|
1. An alarm processing method, performed by an electronic device, the method comprising:
acquiring a plurality of sample attack records of a service, and determining importance indexes corresponding to a plurality of words in the sample attack records on a one-to-one basis, the service being an online service provided by one or more servers to users, the plurality of sample attack records comprising at least source Internet Protocol (IP) addresses and request data of attackers;
updating an attack word library according to the plurality of words in the sample attack records and the importance indexes corresponding to the plurality of words in the sample attack records on a one-to-one basis;
receiving an alarm query request for the service, and acquiring a plurality of alarm records of the service;
performing keyword extraction processing on the plurality of alarm records according to an attack word library of the service to obtain attack keywords, comprising:
screening out multiple words of which the importance indexes satisfy a first index condition in the attack word library; and
processing a plurality of words in the plurality of alarm records by matching each of the plurality of words with the multiple words from the screening, and using words successfully matched as the attack keywords in the plurality of alarm records;
determining a similarity between every two of the plurality of alarm records according to the attack keywords in the plurality of alarm records;
clustering the plurality of alarm records according to the similarity to obtain a plurality of alarm record clusters;
receiving a response processing request for a target alarm record cluster of the plurality of alarm record clusters, the response processing request comprising a blocking or intercepting request; and
responding to the response processing request by performing batch blocking or intercepting processing on source IP addresses in the plurality of alarm records in the target alarm record cluster.
|
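The pipeline recited in claim 1, as an added example that is not code from the patent or its applicant. The claim leaves the metrics open, so this sketch assumes: the importance index is the share of sample attack records containing a word, the first index condition is `low <= index < high`, similarity is Jaccard overlap of keyword sets, and clustering merges any pair at or above a threshold. All records are constructed sample data and every function name is hypothetical.

```python
import re

# Constructed sample attack records and alarm records: (source IP, request data).
SAMPLE_ATTACKS = [
    ("203.0.113.5", "GET /item?id=1 union select password from users"),
    ("203.0.113.9", "GET /item?id=2 union select card from orders"),
    ("198.51.100.7", "GET /view?file=../../etc/passwd"),
    ("198.51.100.8", "GET /download?file=../../etc/shadow"),
]
ALARMS = [
    ("203.0.113.5", "POST /search q=1 union select name from users"),
    ("203.0.113.77", "GET /item?id=9 union select 1"),
    ("198.51.100.7", "GET /static?file=../../etc/passwd"),
    ("192.0.2.44", "GET /img?file=../../etc/hosts"),
]

def tokenize(text):
    return set(re.findall(r"[a-z_]+", text.lower()))

def update_library(library, samples):
    # Assumed importance index: fraction of sample records containing the word.
    docs = [tokenize(req) for _, req in samples]
    for word in set().union(*docs):
        library[word] = sum(word in d for d in docs) / len(docs)
    return library

def attack_keywords(library, alarms, low=0.5, high=1.0):
    # Screening step; words present in every sample (index 1.0) carry no signal.
    screened = {w for w, idx in library.items() if low <= idx < high}
    return [tokenize(req) & screened for _, req in alarms]

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster(keywords, threshold=0.3):
    # Pairwise similarity, then merge the labels of any pair above the threshold.
    label = list(range(len(keywords)))
    for i in range(len(keywords)):
        for j in range(i + 1, len(keywords)):
            if jaccard(keywords[i], keywords[j]) >= threshold:
                old, new = label[j], label[i]
                label = [new if x == old else x for x in label]
    groups = {}
    for i, x in enumerate(label):
        groups.setdefault(x, []).append(i)
    return sorted(groups.values())

def block_list(alarms, members):
    # Source IPs of one target cluster, deduplicated for a single batch action.
    return sorted({alarms[i][0] for i in members})
```

Each list returned by `block_list` is what a batch blocking or intercepting step would act on; an analyst should review the cluster's keyword sets before applying it, since a low threshold can pull unrelated sources into one cluster.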