CN108388631A - Threat intelligence sharing method, agent apparatus and system - Google Patents

Threat intelligence sharing method, agent apparatus and system

Info

Publication number: CN108388631A
Authority: CN (China)
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN201810150285.5A
Other languages: Chinese (zh)
Other versions: CN108388631B (en)
Prior art keywords: information, unknown data, intranet, agent apparatus, query result
Inventors:
Inventor
白敏�
汪列军
韩志立
Current assignee: Qianxin Technology Group Co Ltd (as listed by Google Patents)
Original assignee: Beijing Qianxin Technology Co Ltd
Application filed by Beijing Qianxin Technology Co Ltd; priority to CN201810150285.5A; published as CN108388631A; granted as CN108388631B; legal status: active

Classifications

    • G06F16/9535 Search customisation based on user profiles and personalisation (G06F16/00 Information retrieval; database structures therefor; file system structures therefor; G06F16/90 Details of database functions independent of the retrieved data types; G06F16/95 Retrieval from the web; G06F16/953 Querying, e.g. by the use of web search engines)
    • H04L67/55 Push-based network services (H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/50 Network services)
    • H04L67/56 Provisioning of proxy services (H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/50 Network services)

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Embodiments of the present invention provide a threat intelligence sharing method, agent apparatus and system. The method includes: polling an unknown-data table in the intranet at a predetermined period and obtaining the unknown data in that table; sending a query request to an intelligence cloud server according to the unknown data, and receiving a query result containing threat intelligence returned by the intelligence cloud server; and pushing the query result to the threat intelligence platform of the intranet so that the platform stores it, thereby sharing the threat intelligence. The agent apparatus is configured to execute this method. Because the agent apparatus periodically polls the unknown-data table in the intranet, sends query requests to the intelligence cloud server according to the unknown data in the table, and returns the query results to the intranet's threat intelligence platform, threat intelligence can be shared even where the intranet's network environment is restricted by a gateway, improving the security of the intranet environment.

Description

Threat intelligence sharing method, agent apparatus and system
Technical field
Embodiments of the present invention relate to the technical field of network security, and in particular to a threat intelligence sharing method, agent apparatus and system.
Background technology
In today's era of rapid technological development, ensuring the security of networks has become a precondition for the development of Internet technology. Many security researchers and security companies publish articles, security notices and similar material through Internet media so that peers and research staff can analyse the technical details.
Security early-warning notices, vulnerability notices, threat notices and the like issued by CERTs, security service vendors, anti-virus vendors, government bodies and security organisations are all typical security threat intelligence. In the course of implementing the present invention, the inventors found that in many network security scenarios the intranet's network environment is restricted: usually only a single protocol or a specific port is open, that is, a one-way gateway is placed between the intranet and the external network. The one-way gateway only allows data to be pushed from the external network into the intranet; queries cannot be initiated from the intranet towards the external network. Under these conditions threat intelligence from the external network cannot reach the intranet, and because the intranet cannot obtain richer threat intelligence, its security is very low.
Therefore, how to push threat intelligence from the external network into the intranet when the intranet's network environment is restricted, and thereby improve the security of the intranet environment, is a problem that urgently needs to be solved.
Invention content
In view of the problems in the prior art, embodiments of the present invention provide a threat intelligence sharing method, agent apparatus and system.
In a first aspect, an embodiment of the present invention provides a threat intelligence sharing method, including:
polling an unknown-data table in the intranet at a predetermined period and, when the intranet initiates an intelligence query request, updating and obtaining the unknown data in the unknown-data table;
sending a query request to an intelligence cloud server according to the unknown data, and receiving a query result returned by the intelligence cloud server, the query result including the threat intelligence corresponding to the unknown data;
pushing the query result to the threat intelligence platform of the intranet, so that the threat intelligence platform stores the query result, thereby sharing the threat intelligence.
In a second aspect, an embodiment of the present invention provides an agent apparatus for threat intelligence sharing, including:
a polling module, configured to poll an unknown-data table in the intranet at a predetermined period and, when the intranet initiates an intelligence query request, to update and obtain the unknown data in the unknown-data table;
a first sending module, configured to send a query request to an intelligence cloud server according to the unknown data and to receive the query result returned by the intelligence cloud server, the query result including the threat intelligence corresponding to the unknown data;
a pushing module, configured to push the query result to the threat intelligence platform of the intranet, so that the threat intelligence platform stores the query result, thereby sharing the threat intelligence.
In a third aspect, an embodiment of the present invention provides a system, including: a threat intelligence platform, an intelligence cloud server and the agent apparatus of the second aspect.
In a fourth aspect, an embodiment of the present invention provides an electronic device, including a processor, a memory and a bus, wherein:
the processor and the memory communicate with each other through the bus;
the memory stores program instructions executable by the processor, and the processor calls the program instructions to perform the method steps of the first aspect.
In a fifth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, wherein:
the non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause a computer to perform the method steps of the first aspect.
In the threat intelligence sharing method, agent apparatus and system provided by embodiments of the present invention, the agent apparatus periodically polls the unknown-data table in the intranet, sends query requests to the intelligence cloud server according to the unknown data in the table, and returns the query results to the intranet's threat intelligence platform. Threat intelligence is thereby shared even where the intranet's network environment is restricted by a gateway, improving the security of the intranet environment.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow diagram of a threat intelligence sharing method provided by an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a threat intelligence sharing agent apparatus provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a threat intelligence sharing system provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of the present invention.
Specific implementation mode
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic flow diagram of a threat intelligence sharing method provided by an embodiment of the present invention. As shown in Fig. 1, the method includes:
Step 101: poll an unknown-data table in the intranet at a predetermined period and, when the intranet initiates an intelligence query request, update and obtain the unknown data in the unknown-data table.
Specifically, a big-data analysis platform in the intranet, working together with the threat intelligence platform, analyses the data submitted by intranet users and produces black, white and grey data. The data submitted by users may be IP addresses, MD5 hashes and the like. If the big-data analysis platform and the threat intelligence platform determine that a piece of data is black, the data is threat data; if it is white, the data is safe; if it is grey, the data has not been detected and is unknown data. All unknown data obtained in this way is stored in the unknown-data table. The agent apparatus polls the unknown-data table in the intranet at the predetermined period; when the intranet initiates an intelligence query request, the unknown data in the unknown-data table is updated, and the agent apparatus obtains the unknown data from the table by polling. It should be noted that the agent apparatus can poll the unknown-data table by means of SQL statements, and that the predetermined period may be 1 second or may be adjusted according to actual demand; embodiments of the present invention do not limit this. The unknown-data table may contain one or several items of unknown data.
Step 102: send a query request to the intelligence cloud server according to the unknown data, and receive the query result returned by the intelligence cloud server, the query result including the threat intelligence corresponding to the unknown data.
Specifically, after obtaining the unknown data, the agent apparatus sends the intelligence cloud server a query request asking about the unknown data. On receiving the query request, the intelligence cloud server returns the query result corresponding to the unknown data to the agent apparatus, and the agent apparatus receives it. It will be understood that the query result includes the threat intelligence corresponding to the unknown data, which may be IOC information and security notices, and may also include other information; embodiments of the present invention do not limit this.
Step 103: push the query result to the threat intelligence platform of the intranet, so that the threat intelligence platform stores the query result, thereby sharing the threat intelligence.
Specifically, after receiving the query result corresponding to the unknown data from the intelligence cloud server, the agent apparatus pushes the query result to the threat intelligence platform of the intranet; because the agent apparatus runs an agent service, it can communicate with the intranet. After the threat intelligence platform receives the query result for the unknown data, it stores it. In this way threat intelligence from the external network is pushed into the intranet through the agent apparatus, and the threat intelligence is shared. It should be noted that the threat intelligence platform decrypts, decompresses and reads the result according to the type of IOC information, and inserts the result into the threat intelligence platform's KV engine for parsing, completing the use of the threat intelligence.
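Steps 101 to 103 as one runnable loop, added here as an illustration and not code from the patent or from the assignee. Two in-memory sqlite3 databases stand in for the intranet big-data platform's unknown-data table and for the threat intelligence platform's KV engine, and a constructed dictionary stands in for the intelligence cloud server's answers; the table and column names, the verdict labels and the sample indicators are all assumptions. One check is added that the description does not state: because the agent opens an outbound query path through a gateway that otherwise only admits inbound pushes, it relays only values shaped like the indicator types the description names (IP addresses and MD5 hashes) and leaves anything else in the table.

```python
"""Stand-in agent loop for steps 101-103 (added example, not the patent's code)."""
import ipaddress
import re
import sqlite3
import time

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed stand-in for the intelligence cloud server's knowledge.
CLOUD_INTEL = {
    "203.0.113.7": {"verdict": "black", "ioc_type": "ip", "note": "constructed C2 address"},
    "0123456789abcdef0123456789abcdef": {"verdict": "black", "ioc_type": "md5", "note": "constructed sample hash"},
    "198.51.100.20": {"verdict": "white", "ioc_type": "ip", "note": "constructed benign host"},
}


def classify_indicator(value):
    """Return 'ip', 'md5' or None.

    Added check, not in the patent: only values shaped like the indicator
    types the description names are relayed, so arbitrary table contents
    cannot ride the outbound query channel through the gateway.
    """
    if MD5_RE.match(value):
        return "md5"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return None


def make_intranet_db():
    """Unknown-data table kept by the intranet big-data platform (grey data only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE unknown_data (id INTEGER PRIMARY KEY, value TEXT UNIQUE, queried INTEGER NOT NULL DEFAULT 0)")
    return db


def make_platform_db():
    """KV store of the threat intelligence platform that receives pushed results."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE intel_kv (key TEXT PRIMARY KEY, verdict TEXT, ioc_type TEXT, note TEXT, received_at REAL)")
    return db


def poll_unknown_data(intranet):
    """Step 101: SQL poll for rows that have not been queried yet."""
    return intranet.execute("SELECT id, value FROM unknown_data WHERE queried = 0 ORDER BY id").fetchall()


def query_cloud(value):
    """Step 102: stand-in for the request to, and reply from, the cloud server.
    None means the cloud does not know the indicator either (it stays grey)."""
    return CLOUD_INTEL.get(value)


def push_to_platform(platform, value, result):
    """Step 103: hand the query result to the platform, which stores it."""
    platform.execute(
        "INSERT OR REPLACE INTO intel_kv VALUES (?, ?, ?, ?, ?)",
        (value, result["verdict"], result["ioc_type"], result["note"], time.time()),
    )
    platform.commit()


def run_poll_cycle(intranet, platform):
    """One predetermined period of the agent; returns a summary of what happened."""
    summary = {"queried": 0, "pushed": 0, "skipped": [], "still_unknown": []}
    for row_id, value in poll_unknown_data(intranet):
        if classify_indicator(value) is None:
            summary["skipped"].append(value)
            continue
        result = query_cloud(value)
        summary["queried"] += 1
        # Mark the row so the next period does not resend the same query.
        intranet.execute("UPDATE unknown_data SET queried = 1 WHERE id = ?", (row_id,))
        if result is None:
            summary["still_unknown"].append(value)
            continue
        push_to_platform(platform, value, result)
        summary["pushed"] += 1
    intranet.commit()
    return summary


def demo():
    """Run two cycles over constructed grey data; returns (summary, verdicts, second_summary)."""
    intranet = make_intranet_db()
    platform = make_platform_db()
    for v in ["203.0.113.7", "0123456789abcdef0123456789abcdef", "198.51.100.20", "deadbeef", "10.0.0.5"]:
        intranet.execute("INSERT INTO unknown_data (value) VALUES (?)", (v,))
    intranet.commit()
    summary = run_poll_cycle(intranet, platform)
    verdicts = dict(platform.execute("SELECT key, verdict FROM intel_kv").fetchall())
    second = run_poll_cycle(intranet, platform)  # nothing left to query
    return summary, verdicts, second


if __name__ == "__main__":
    print(demo())
```

In the demo, "deadbeef" is neither an IP address nor an MD5 hash and is never sent outward, and "10.0.0.5" is queried but remains grey because the stand-in cloud does not know it; a real deployment would decide separately how often such still-unknown rows are re-queried, since a 1-second period with no marking would resend the same query every second.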
In the embodiment of the present invention, the agent apparatus periodically polls the unknown-data table in the intranet, sends query requests to the intelligence cloud server according to the unknown data in the table, and returns the query results to the intranet's threat intelligence platform. Threat intelligence is thereby shared even where the intranet's network environment is restricted by a gateway, improving the security of the intranet environment.
On the basis of the above embodiments, the method further includes:
receiving intelligence files periodically sent by the intelligence cloud server, and storing the intelligence files in the form of binary streams.
Specifically, the agent apparatus can receive intelligence files that the intelligence cloud server sends periodically. After receiving an intelligence file, it performs no decompression, decryption or similar operation on the file but stores it directly; the file can be inserted into a database by means of SQL statements. It should be noted that the database is used to store the intelligence: the intelligence file is stored as a binary stream, which can be placed in a content field, and when the data access method is ADO, AppendChunk and GetChunk can be used to access the field. It should also be noted that the intelligence files include IOC information, security notices and the like; after they are received they can be sent periodically to the threat intelligence platform of the intranet to update the intelligence files stored on the platform.
In the embodiment of the present invention, the agent apparatus receives the intelligence files periodically sent by the intelligence cloud server and stores them as binary streams, so that the intelligence files held by the agent apparatus are kept up to date.
On the basis of the above embodiments, the method further includes:
receiving an intelligence query request periodically sent by the threat intelligence platform, and sending the intelligence files in the database to the threat intelligence platform according to the intelligence query request, so that the threat intelligence platform parses and stores the intelligence files.
Specifically, the threat intelligence platform can send intelligence query requests to the agent apparatus at a preset period. After receiving such a request, the agent apparatus obtains the corresponding intelligence files from its database according to the request and sends them to the threat intelligence platform. It will be understood that the intelligence query request may ask for all intelligence files stored in the agent apparatus, or only for the intelligence files received between the previous query and the current time. After receiving the intelligence files, the threat intelligence platform parses them and stores them in its database; during parsing, the files can be decrypted, decompressed and read according to the type of IOC information. It should be noted that the intelligence cloud server can generate the latest intelligence at fixed times and push it hourly or daily, which addresses the timeliness of intelligence updates.
In the embodiment of the present invention, the agent apparatus receives the intelligence query requests periodically sent by the threat intelligence platform and sends the corresponding intelligence files to the platform according to each request, so that intelligence files from the external network reach the intranet and the intelligence files on the threat intelligence platform are updated in time, improving the security of the intranet.
On the basis of the above embodiments, the method further includes:
if a received intelligence file is determined to be preset oriented intelligence, sending the intelligence file to the threat intelligence platform.
Specifically, each industry has threat intelligence of particular concern to it, so oriented intelligence is preset according to the needs of the industry. After the agent apparatus receives an intelligence file periodically pushed by the intelligence cloud server, if it finds that the file contains preset oriented intelligence, it immediately sends the intelligence file belonging to that oriented intelligence to the threat intelligence platform, so that the platform can act on the threat intelligence in time.
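The three behaviours described above (storing pushed intelligence files as opaque binary streams, answering the platform's periodic query with only the files received since its last query, and forwarding files that match preset oriented intelligence at once) in one added example; this is illustration code, not the patent's or the assignee's. sqlite3 BLOB columns stand in for the ADO AppendChunk/GetChunk field access the description mentions. The ORIENTED_TAGS watch list, the file names, tags, timestamps and the zlib-compressed JSON bodies are constructed, and the platform-side parse models only zlib plus JSON rather than the per-IOC-type decryption and decompression the description leaves unspecified.

```python
"""Agent-side intelligence file store with incremental query and oriented forwarding
(added example, not the patent's code)."""
import json
import sqlite3
import zlib

# Constructed per-industry watch list: files tagged with these are "oriented intelligence".
ORIENTED_TAGS = {"finance", "ics"}


def make_agent_db():
    """Agent database; 'body' holds the file exactly as received (binary stream)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE intel_file (id INTEGER PRIMARY KEY, name TEXT, tag TEXT, received_at INTEGER, body BLOB)")
    return db


def store_intel_file(db, name, tag, received_at, raw_bytes):
    """First receiving module: store the file without decrypting or decompressing it.

    Returns True when the file is oriented intelligence and must be forwarded to the
    threat intelligence platform immediately instead of waiting for its next query.
    """
    db.execute(
        "INSERT INTO intel_file (name, tag, received_at, body) VALUES (?, ?, ?, ?)",
        (name, tag, received_at, raw_bytes),
    )
    db.commit()
    return tag in ORIENTED_TAGS


def files_since(db, last_query_at):
    """Second receiving module: files received after the platform's previous query."""
    rows = db.execute(
        "SELECT name, tag, received_at, body FROM intel_file WHERE received_at > ? ORDER BY received_at",
        (last_query_at,),
    ).fetchall()
    return [(name, tag, ts, bytes(body)) for name, tag, ts, body in rows]


def platform_parse(raw_bytes):
    """Threat-intelligence-platform side: decompress and parse one file.

    Assumption: files are zlib-compressed JSON. The description only says
    'decrypt/decompress according to IOC type', so other encodings are not modelled.
    """
    return json.loads(zlib.decompress(raw_bytes).decode("utf-8"))


def demo():
    """Push three constructed files, then answer a platform query made at t=150."""
    db = make_agent_db()
    pushes = [
        ("ioc-2018-02-01.json.z", "general", 100, {"iocs": [{"type": "ip", "value": "203.0.113.7"}]}),
        ("finance-alert.json.z", "finance", 200, {"notice": "constructed advisory"}),
        ("ioc-2018-02-02.json.z", "general", 300, {"iocs": [{"type": "md5", "value": "0123456789abcdef0123456789abcdef"}]}),
    ]
    forwarded_now = []
    for name, tag, ts, payload in pushes:
        raw = zlib.compress(json.dumps(payload).encode("utf-8"))
        if store_intel_file(db, name, tag, ts, raw):
            forwarded_now.append(name)
    delivered = files_since(db, 150)
    parsed = [(name, platform_parse(body)) for name, _tag, _ts, body in delivered]
    return forwarded_now, [name for name, *_ in delivered], parsed


if __name__ == "__main__":
    print(demo())
```

Only the finance-tagged file is forwarded at the moment it arrives; the platform's later "since t=150" query returns that file again together with the second general IOC file, and the first file (t=100) is excluded because the platform already had it from an earlier query.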
As in the foregoing embodiments, the agent apparatus periodically polls the unknown-data table in the intranet, sends query requests to the intelligence cloud server according to the unknown data in the table, and returns the query results to the intranet's threat intelligence platform, so that threat intelligence is shared even where the intranet's network environment is restricted by a gateway, improving the security of the intranet environment.
Fig. 2 is a schematic structural diagram of a threat intelligence sharing agent apparatus provided by an embodiment of the present invention. As shown in Fig. 2, the apparatus includes a polling module 201, a first sending module 202 and a pushing module 203, wherein:
the polling module 201 is configured to poll an unknown-data table in the intranet at a predetermined period and, when the intranet initiates an intelligence query request, to update and obtain the unknown data in the unknown-data table; the first sending module 202 is configured to send a query request to the intelligence cloud server according to the unknown data and to receive the query result returned by the intelligence cloud server, the query result including the threat intelligence corresponding to the unknown data; and the pushing module 203 is configured to push the query result to the threat intelligence platform of the intranet, so that the threat intelligence platform stores the query result, thereby sharing the threat intelligence.
Specifically, the polling module 201 polls the unknown-data table in the intranet at the predetermined period. It should be noted that the agent apparatus can poll the unknown-data table by means of SQL statements; when the intranet initiates an intelligence query request, the unknown data in the unknown-data table is updated, and the module obtains the unknown data by polling. The predetermined period may be 1 second or may be adjusted according to actual demand; embodiments of the present invention do not limit this. The unknown-data table may contain one or several items of unknown data. After the unknown data is obtained, the first sending module 202 sends the intelligence cloud server a query request about the unknown data; on receiving the request, the intelligence cloud server returns the query result corresponding to the unknown data to the first sending module 202, which receives it. It will be understood that the query result includes IOC information and security notices, and may also include other information; embodiments of the present invention do not limit this. After the query result corresponding to the unknown data is received from the intelligence cloud server, the pushing module 203 pushes it to the threat intelligence platform of the intranet; because the agent apparatus runs an agent service, it can communicate with the intranet. After the threat intelligence platform receives the query result for the unknown data, it stores it. In this way threat intelligence from the external network is pushed into the intranet through the agent apparatus, and the threat intelligence is shared.
The agent apparatus embodiment provided by the present invention can be used to execute the processing flow of each of the method embodiments above; its functions are not described again here and reference may be made to the detailed description of the method embodiments.
As in the foregoing embodiments, the agent apparatus periodically polls the unknown-data table in the intranet, sends query requests to the intelligence cloud server according to the unknown data in the table, and returns the query results to the intranet's threat intelligence platform, so that threat intelligence is shared even where the intranet's network environment is restricted by a gateway, improving the security of the intranet environment.
On the basis of the above embodiments, the agent apparatus further includes:
a first receiving module, configured to receive intelligence files periodically sent by the intelligence cloud server and to store the intelligence files in the form of binary streams.
Specifically, the first receiving module can receive intelligence files that the intelligence cloud server sends periodically. After receiving an intelligence file, it performs no decompression, decryption or similar operation on the file but stores it directly; the file can be inserted into a database by means of SQL statements. It should be noted that the database is used to store the intelligence, and the intelligence file is stored as a binary stream.
In the embodiment of the present invention, the agent apparatus receives the intelligence files periodically sent by the intelligence cloud server and stores them as binary streams, so that the intelligence files held by the agent apparatus are kept up to date.
On the basis of the above embodiments, the agent apparatus further includes:
a second receiving module, configured to receive intelligence query requests periodically sent by the threat intelligence platform and to send the intelligence files in the database to the threat intelligence platform according to each intelligence query request, so that the threat intelligence platform parses and stores the intelligence files.
Specifically, the threat intelligence platform can send intelligence query requests to the agent apparatus at a preset period. After receiving such a request, the second receiving module obtains the corresponding intelligence files from the database according to the request and sends them to the threat intelligence platform. It will be understood that the intelligence query request may ask for all intelligence files stored in the agent apparatus, or only for the intelligence files received between the previous query and the current time. After receiving the intelligence files, the threat intelligence platform parses and stores them; during parsing, the files can be decrypted, decompressed and read according to the type of IOC information. It should be noted that the intelligence cloud server can generate the latest intelligence at fixed times and push it hourly or daily, which addresses the timeliness of intelligence updates.
In the embodiment of the present invention, the agent apparatus receives the intelligence query requests periodically sent by the threat intelligence platform and sends the corresponding intelligence files to the platform according to each request, so that intelligence files from the external network reach the intranet and the intelligence files on the threat intelligence platform are updated in time, improving the security of the intranet.
On the basis of the above embodiments, the agent apparatus further includes:
a second sending module, configured to send a received intelligence file to the threat intelligence platform if the file is determined to be preset oriented intelligence.
Specifically, each industry has threat intelligence of particular concern to it, so oriented intelligence is preset according to the needs of the industry. After the second sending module receives an intelligence file periodically pushed by the intelligence cloud server, if it finds that the file contains preset oriented intelligence, it immediately sends the intelligence file belonging to that oriented intelligence to the threat intelligence platform, so that the platform can act on the threat intelligence in time.
As in the foregoing embodiments, the agent apparatus periodically polls the unknown-data table in the intranet, sends query requests to the intelligence cloud server according to the unknown data in the table, and returns the query results to the intranet's threat intelligence platform, so that threat intelligence is shared even where the intranet's network environment is restricted by a gateway, improving the security of the intranet environment.
Fig. 3 is a schematic structural diagram of a threat intelligence sharing system provided by an embodiment of the present invention. As shown in Fig. 3, the system includes a big-data platform 301, a threat intelligence platform 302, an agent apparatus 303 and an intelligence cloud server 304. The big-data platform 301 and the threat intelligence platform 302 belong to the information intranet, the intelligence cloud server 304 belongs to the Internet, and the agent apparatus 303 sits between the information intranet and the information external network and handles the communication between them. The agent apparatus runs an agent service that actively connects to the intranet service port, polls the intranet's unknown-data table to obtain unknown data, and sends query requests to the intelligence cloud server 304; the intelligence cloud server 304 returns the query results to the agent apparatus 303, and the agent apparatus 303 in turn sends the query results to the threat intelligence platform 302. The intelligence cloud server 304 can also periodically push intelligence files to the agent apparatus 303. It will be understood that the agent apparatus 303 is configured to execute the processing flow of each of the embodiments above; its functions are not described again here and reference may be made to the detailed description of the method embodiments.
As in the foregoing embodiments, the agent apparatus periodically polls the unknown-data table in the intranet, sends query requests to the intelligence cloud server according to the unknown data in the table, and returns the query results to the intranet's threat intelligence platform, so that threat intelligence is shared even where the intranet's network environment is restricted by a gateway, improving the security of the intranet environment.
Fig. 4 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of the present invention. As shown in Fig. 4, the electronic device includes a processor 401, a memory 402 and a bus 403, wherein:
the processor 401 and the memory 402 communicate with each other through the bus 403;
the processor 401 is configured to call the program instructions in the memory 402 to perform the method provided by each of the method embodiments above, for example including: polling an unknown-data table in the intranet at a predetermined period and, when the intranet initiates an intelligence query request, updating and obtaining the unknown data in the unknown-data table; sending a query request to the intelligence cloud server according to the unknown data and receiving the query result returned by the intelligence cloud server, the query result including the threat intelligence corresponding to the unknown data; and pushing the query result to the threat intelligence platform of the intranet, so that the threat intelligence platform stores the query result, thereby sharing the threat intelligence.
This embodiment discloses a computer program product. The computer program product includes a computer program stored on a non-transitory computer-readable storage medium, and the computer program includes program instructions which, when executed by a computer, enable the computer to perform the method provided by each of the method embodiments above, for example including: polling an unknown-data table in the intranet at a predetermined period and, when the intranet initiates an intelligence query request, updating and obtaining the unknown data in the unknown-data table; sending a query request to the intelligence cloud server according to the unknown data and receiving the query result returned by the intelligence cloud server, the query result including the threat intelligence corresponding to the unknown data; and pushing the query result to the threat intelligence platform of the intranet, so that the threat intelligence platform stores the query result, thereby sharing the threat intelligence.
The present embodiment provides a kind of non-transient computer readable storage medium, the non-transient computer readable storage medium Computer instruction is stored, the computer instruction makes the computer execute the method that above-mentioned each method embodiment is provided, example Such as include:The unknown data table in Intranet is polled according to predetermined period, when Intranet initiates information inquiry request, update And obtain the unknown data in the unknown data table;Inquiry request is sent to information Cloud Server according to the unknown data, And the query result that the information Cloud Server returns is received, the query result includes the corresponding threat feelings of the unknown data Report;The query result is pushed to the threat information platform of Intranet, so that the threat information platform is by the query result It is stored, the shared of information is threatened to realize.
One of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium capable of storing program code, such as ROM, RAM, a magnetic disk, or an optical disc.
The embodiments such as the agent apparatus described above are merely illustrative. The units described as separate components may or may not be physically separate, and a component shown as a unit may or may not be a physical unit; that is, it may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment may be implemented by software plus a necessary general-purpose hardware platform, and naturally also by hardware. Based on this understanding, the above technical solution in essence, or the part of it that contributes over the prior art, may be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk, or an optical disc, and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention rather than to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the above embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (11)

1. A method for sharing threat intelligence, characterized in that it comprises:
polling an unknown data table in an intranet according to a predetermined period and, when the intranet initiates an intelligence query request, updating and obtaining the unknown data in the unknown data table;
sending a query request to an intelligence cloud server according to the unknown data, and receiving the query result returned by the intelligence cloud server, the query result including the threat intelligence corresponding to the unknown data;
pushing the query result to a threat intelligence platform of the intranet, so that the threat intelligence platform stores the query result, thereby realizing the sharing of threat intelligence.
2. The method according to claim 1, characterized in that the method further comprises:
receiving an intelligence file periodically sent by the intelligence cloud server, and storing the intelligence file in the form of a binary stream.
3. The method according to claim 2, characterized in that the method further comprises:
receiving the intelligence query request periodically sent by the threat intelligence platform, and sending the intelligence file in the database to the threat intelligence platform according to the intelligence query request, so that the threat intelligence platform parses and stores the intelligence file.
4. The method according to claim 2, characterized in that the method further comprises:
if it is determined that the received intelligence file is preset targeted intelligence, sending the intelligence file to the threat intelligence platform.
5. An agent apparatus for sharing threat intelligence, characterized in that it comprises:
a polling module, configured to poll an unknown data table in an intranet according to a predetermined period and, when the intranet initiates an intelligence query request, to update and obtain the unknown data in the unknown data table;
a first sending module, configured to send a query request to an intelligence cloud server according to the unknown data and to receive the query result returned by the intelligence cloud server, the query result including the threat intelligence corresponding to the unknown data;
a pushing module, configured to push the query result to a threat intelligence platform of the intranet, so that the threat intelligence platform stores the query result, thereby realizing the sharing of threat intelligence.
6. The agent apparatus according to claim 5, characterized in that the agent apparatus further comprises:
a first receiving module, configured to receive an intelligence file periodically sent by the intelligence cloud server and to store the intelligence file in the form of a binary stream.
7. The agent apparatus according to claim 6, characterized in that the agent apparatus further comprises:
a second receiving module, configured to receive the intelligence query request periodically sent by the threat intelligence platform and to send the intelligence file in the database to the threat intelligence platform according to the intelligence query request, so that the threat intelligence platform parses and stores the intelligence file.
8. The agent apparatus according to claim 6, characterized in that the agent apparatus further comprises:
a second sending module, configured to send the intelligence file to the threat intelligence platform if it is determined that the received intelligence file is preset targeted intelligence.
9. A system, characterized in that it comprises: a threat intelligence platform, an intelligence cloud server, and the agent apparatus according to any one of claims 5 to 8.
10. An electronic device, characterized in that it comprises: a processor, a memory, and a bus, wherein
the processor and the memory communicate with each other over the bus;
the memory stores program instructions executable by the processor, and the processor calls the program instructions so as to execute the method according to any one of claims 1 to 4.
11. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause the computer to execute the method according to any one of claims 1 to 4.
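The exchange that claims 1 to 4 describe (periodic polling of the intranet's unknown data table, a batched query to the intelligence cloud, a push of the answers to the intranet's threat intelligence platform, opaque storage of periodic intelligence files, and an immediate forward for targeted intelligence) is shown below as an added Python simulation. It is example code written for this page, not code from the patent or from its assignee. The class names, the "targeted-" file-name prefix used to recognise preset targeted intelligence, the sample indicators and the in-memory stand-ins for the cloud server and the platform are all constructed assumptions; the SHA-256 check on received files is an added integrity safeguard that the claims do not mention.

```python
# Added example, not code from the patent or its assignee: an in-memory simulation of the
# agent described in claims 1-4. All class names and sample values are constructed; the
# SHA-256 check in receive_intel_file is an added integrity safeguard the claims do not mention.
import hashlib
import json

# Constructed stand-in for the intelligence cloud's knowledge base.
CLOUD_INTEL = {
    "203.0.113.7": {"type": "ip", "verdict": "malicious", "tags": ["c2"]},
    "evil.example": {"type": "domain", "verdict": "malicious", "tags": ["phishing"]},
}

class UnknownDataTable:
    """Intranet table of observations that have no threat verdict yet."""
    def __init__(self):
        self.rows = {}  # indicator -> verdict, "unknown" until resolved
    def add(self, indicator):
        self.rows.setdefault(indicator, "unknown")
    def pending(self):
        return [k for k, v in self.rows.items() if v == "unknown"]
    def resolve(self, indicator, verdict):
        self.rows[indicator] = verdict

class IntelCloudServer:
    """Stand-in for the intelligence cloud server; answers batched lookups."""
    def __init__(self, intel):
        self.intel = intel
    def query(self, indicators):
        # Indicators the cloud has never seen come back without a verdict, so they
        # stay "unknown" in the intranet table and are asked about again next time.
        return {i: self.intel.get(i, {"verdict": "unknown"}) for i in indicators}

class ThreatIntelPlatform:
    """Intranet threat intelligence platform: consumes everything the agent pushes."""
    def __init__(self):
        self.results = {}      # indicator -> intelligence pushed by the agent (claim 1)
        self.intel_files = {}  # file name -> parsed contents (claims 3 and 4)
    def store_results(self, results):
        self.results.update(results)
    def parse_and_store(self, name, blob):
        # Parsing happens on the platform, not in the agent (claim 3).
        self.intel_files[name] = json.loads(blob.decode("utf-8"))

class Agent:
    """The agent apparatus between the intranet and the intelligence cloud."""
    def __init__(self, table, cloud, platform, period=60, targeted_prefix="targeted-"):
        self.table, self.cloud, self.platform = table, cloud, platform
        self.period = period                    # polling period in seconds
        self.targeted_prefix = targeted_prefix  # assumed marker for "preset targeted intelligence"
        self.file_store = {}                    # name -> raw bytes, an opaque binary stream (claim 2)
        self.last_poll = None
    def poll(self, now, query_requested):
        """Claim 1: once per period, if a query request is pending, resolve the unknown
        data through the cloud and push the result to the platform; returns what was pushed."""
        if self.last_poll is not None and now - self.last_poll < self.period:
            return {}
        self.last_poll = now
        pending = self.table.pending() if query_requested else []
        if not pending:
            return {}
        results = self.cloud.query(pending)
        for indicator, intel in results.items():
            self.table.resolve(indicator, intel["verdict"])
        self.platform.store_results(results)
        return results
    def receive_intel_file(self, name, blob, expected_sha256):
        """Claims 2 and 4: keep the periodic intelligence file as a binary stream and forward
        it at once if it is targeted intelligence. A file whose digest does not match what the
        cloud announced is rejected rather than stored (added safeguard)."""
        if hashlib.sha256(blob).hexdigest() != expected_sha256:
            return False
        self.file_store[name] = bytes(blob)
        if name.startswith(self.targeted_prefix):
            self.platform.parse_and_store(name, blob)
        return True
    def serve_file_request(self, name):
        """Claim 3: on the platform's periodic request, hand over the stored file to be parsed."""
        blob = self.file_store.get(name)
        if blob is not None:
            self.platform.parse_and_store(name, blob)
        return blob

def run_scenario():
    """Drive one round of the exchange on constructed input and return a summary."""
    table, cloud, platform = UnknownDataTable(), IntelCloudServer(CLOUD_INTEL), ThreatIntelPlatform()
    agent = Agent(table, cloud, platform, period=60)
    for indicator in ("203.0.113.7", "evil.example", "198.51.100.9"):
        table.add(indicator)
    pushed = agent.poll(now=0, query_requested=True)    # first poll, request pending
    skipped = agent.poll(now=30, query_requested=True)  # inside the period: nothing happens
    general = json.dumps({"feed": "daily", "iocs": ["203.0.113.7"]}).encode()
    targeted = json.dumps({"feed": "targeted", "iocs": ["evil.example"]}).encode()
    agent.receive_intel_file("daily-001.json", general, hashlib.sha256(general).hexdigest())
    agent.receive_intel_file("targeted-001.json", targeted, hashlib.sha256(targeted).hexdigest())
    tampered = agent.receive_intel_file("daily-002.json", b"{}", hashlib.sha256(general).hexdigest())
    agent.serve_file_request("daily-001.json")          # the platform's periodic file request
    return {"pushed": pushed, "skipped": skipped, "tampered_accepted": tampered,
            "table": dict(table.rows), "platform_files": sorted(platform.intel_files)}

if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Two details are worth noting for anyone building on this design. An indicator the cloud cannot classify is left as "unknown" in the table, so the next poll asks about it again instead of silently dropping it. And the agent never parses the intelligence files it relays; that keeps the component facing the external cloud small and leaves parsing to the platform inside the intranet, which is the division of labour the claims describe.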
CN201810150285.5A 2018-02-13 2018-02-13 Method, agent device and system for sharing threat information Active CN108388631B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810150285.5A CN108388631B (en) 2018-02-13 2018-02-13 Method, agent device and system for sharing threat information

Publications (2)

Publication Number Publication Date
CN108388631A true CN108388631A (en) 2018-08-10
CN108388631B CN108388631B (en) 2021-05-25

Family

ID=63069690

Country Status (1)

Country Link
CN (1) CN108388631B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110213055A (en) * 2019-05-07 2019-09-06 北京奇安信科技有限公司 Intelligence update method, apparatus, computer equipment and computer readable storage medium
CN111092886A (en) * 2019-12-17 2020-05-01 深信服科技股份有限公司 Terminal defense method, system, equipment and computer readable storage medium
CN113709176A (en) * 2021-09-06 2021-11-26 北京华清信安科技有限公司 Threat detection and response method and system based on secure cloud platform
CN114531253A (en) * 2020-10-30 2022-05-24 深信服科技股份有限公司 Threat information generation method, equipment, system and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101145150A (en) * 2006-09-15 2008-03-19 中国银联股份有限公司 Batch file processing method and system
CN102346828A (en) * 2011-09-20 2012-02-08 海南意源高科技有限公司 Malicious program judging method based on cloud security
CN102609645A (en) * 2012-01-19 2012-07-25 北京工业大学 Website data tampering preventing method based on network isolation structure
CN204376941U (en) * 2014-12-11 2015-06-03 中国石油天然气股份有限公司 Outer net middleware, Intranet middleware and middleware system
US20150172321A1 (en) * 2013-12-13 2015-06-18 Palerra, Inc. Systems and Methods for Cloud Security Monitoring and Threat Intelligence
US20160072836A1 (en) * 2014-09-05 2016-03-10 Resilient Systems, Inc. System for Tracking Data Security Threats and Method for Same
CN106055981A (en) * 2016-06-03 2016-10-26 北京奇虎科技有限公司 Method and device for generating threat intelligence
CN106878262A (en) * 2016-12-19 2017-06-20 新华三技术有限公司 Message detecting method and device, the method and device for setting up high in the clouds threat information bank

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李静等 (Li Jing et al.): "互联网未知威胁监测及应用技术研究" (Research on monitoring of unknown Internet threats and its application technology), 《网络安全技术与应用》 (Network Security Technology and Application) *

Also Published As

Publication number Publication date
CN108388631B (en) 2021-05-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Patentee after: Qianxin Technology Group Co.,Ltd.

Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee before: Beijing Qi'anxin Technology Co.,Ltd.