CN111541702A - Network threat security detection method and device - Google Patents

Publication number
CN111541702A
Authority
CN
China
Legal status
Granted
Application number
CN202010342153.XA
Other languages
Chinese (zh)
Other versions
CN111541702B (en)
Inventor
董龙飞
杨大路
翟湛鹏
王伟光
Current Assignee
Beijing Tianji Youmeng Information Technology Co ltd
Original Assignee
Beijing Tianji Youmeng Information Technology Co ltd

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416  Event detection, e.g. attack signature detection


Abstract

The embodiment of the application discloses a network threat security detection method and device. The method comprises the following steps: preprocessing automatically acquired data and introducing a plurality of items of influence factor information related to the acquired data; establishing an initial evaluation system based on the plurality of influence factors, wherein the weight value of each influence factor is solved through an analytic hierarchy process, a correlation coefficient matrix based on the weight values of the influence factors is established, and an initial credit value of the acquired data is further obtained; and detecting and/or filtering the collected data with the initial reputation value, determining the safety state of the collected data, and performing safety control on the data source corresponding to the collected data according to the safety state. According to the technical scheme, the self-adaptive dynamic adjustment capability of the network threat security detection is realized, and the efficiency and the accuracy of the security detection are improved.

Description

Network threat security detection method and device
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting security of a network threat, an electronic device, and a storage medium.
Background
In the complex environment of the current internet, events that threaten network security no longer take a single form or come from a single source. For example, because of the diversity of network resources, attacks can be hidden in mails, pictures, videos, website code, plug-ins or files of various kinds; because of the diversity of networked devices, attacks may come from (or be directed at) PCs, mobile phones, tablet computers, USB devices or various intelligent terminals. All of this makes current network security prevention considerably harder. More typically, in an APT (Advanced Persistent Threat) attack the attackers even operate as an organization and launch repeated, varied and long-lasting attacks against a target, putting great pressure on the network security of the attacked target.
To cope with these more complex network attacks, threat information must be detected quickly and in a timely manner, and it is very important to find attack events accurately and respond to them effectively. Faced with this new form of threat, network threat security detection has moved from the past passive-defense approach centered on vulnerabilities to an active-defense approach centered on threats. By actively collecting, analyzing and sharing information that may threaten network security, the current detection mode trades space for time; compared with traditional security defense, the efficiency of threat detection and emergency response can be greatly improved, an attack can be discovered and stopped as early as possible before it spreads in the network, and the loss caused by the threat event is reduced.
Building on current big data analysis and cognitive intelligence technology, the network threat security detection systems of the prior art perform extensive and comprehensive data mining and identification by collecting as much internet infrastructure data and as many of the latest attack tools and attack methods as possible, so as to help users find potential security hazards in advance, intercept threats in time and resist attacks effectively. Typically, big-data-based threat intelligence analysis is evidence-based knowledge analysis: machine-aware intelligence technology automatically identifies multiple kinds of situations, including but not limited to scenes, mechanisms, indicators, meanings and actionable suggestions, and can automatically discover and identify existing or emerging threats, providing decision information to the party responding to them. In the prior art, big data analysis is performed on the basis of threat indicators (IoC). An IoC is index data that identifies or points to a specific threat in a specific network environment or information system; its core is an indicator expression composed of network observables, and the key characteristic of such data is usually expressed as credibility (reputation).
However, while implementing the technical scheme of the embodiments of the present application, the inventors found that the network threat security detection schemes of the prior art still face several challenges. Firstly, attention to security threat information in the prior art is still at the stage of pursuing data diversity and completeness, so both the analyzed data and the generated result data become overloaded, placing great pressure on system operation and response. Secondly, existing internet information often carries multi-level, multi-class association relationships; the existing technology cannot accurately evaluate the influence of this associated information, so hidden threats are hard to find when analysis is insufficient, while excessive analysis produces a large number of false-positive indicators, seriously reducing the usefulness of the detection results.
Disclosure of Invention
In view of the above technical problems in the prior art, embodiments of the present application provide a method and an apparatus for detecting security of a network threat, an electronic device, and a computer-readable storage medium, so as to solve the problems of low efficiency and poor accuracy of detecting network security data in the prior art.
A first aspect of an embodiment of the present application provides a method for detecting security of a cyber threat, including:
preprocessing acquired data which are automatically acquired, and introducing a plurality of items of influence factor information related to the acquired data;
establishing an initial evaluation system based on the plurality of influence factors, wherein the weight value of each influence factor is solved through an analytic hierarchy process, a correlation coefficient matrix based on the weight values of the influence factors is established, and an initial credit value of the acquired data is further obtained;
and detecting and/or filtering the collected data with the initial reputation value, determining the safety state of the collected data, and performing safety control on the data source corresponding to the collected data according to the safety state.
In some embodiments, said obtaining an initial reputation value for said acquisition data comprises: calculating the initial reputation value according to the correlation coefficient matrix and the basic scores of the multiple influencing factors as

initial reputation value $= \beta_0 x_0 + \sum_{i=1}^{n} \beta_i x_i$

wherein n is the number of influencing factors, $x_i$ is the base score of the i-th influencing factor, $\beta_i$ is the weight value of the i-th influencing factor (an element of the correlation coefficient matrix), and $x_0$ and $\beta_0$ are the perturbation term and its weight value.
In some embodiments, the solving, by an analytic hierarchy process, the weight value of each of the influencing factors, and the constructing the correlation coefficient matrix based on the weight values of the influencing factors includes:
constructing a judgment matrix according to the importance level between every two influencing factors;
solving the eigenvector of the judgment matrix as the weight vector;
calculating the maximum eigenvalue of the judgment matrix, and performing a consistency check on the judgment matrix according to the maximum eigenvalue;
and finally, solving to obtain a weight vector with satisfactory consistency as the correlation coefficient matrix.
In some embodiments, the influencing factors include at least one of vendor, data category, data source, and time span, the method further comprising: and counting the data category and/or data source in the acquired data, setting default basic scores for newly found data, and dynamically updating the basic scores according to the statistical condition.
In some embodiments, said dynamically updating said base score according to statistics comprises:
periodically counting the proportion of data which fails to pass the detection in the data of each source and/or type in the detection of effectiveness and survivability;
and for data whose proportion of detection failures falls outside the preset interval, iteratively updating the corresponding basic score according to the ratio of the offset beyond the preset interval to the span of the preset interval.
In some embodiments, the detecting and/or filtering comprises at least one of viability detection, effectiveness detection and white list filtering, the method further comprising: attenuating the initial reputation value according to which detection and/or filtering steps were not passed.
A second aspect of an embodiment of the present application provides a cyber threat security detection apparatus, including:
the data input module is used for preprocessing the automatically acquired data and introducing a plurality of items of influence factor information related to the acquired data;
the initial evaluation system building module is used for building an initial evaluation system based on the multiple influence factors, solving the weight value of each influence factor through an analytic hierarchy process, building a correlation coefficient matrix based on the weight values of the influence factors, and further obtaining an initial credit value of the acquired data;
and the safety detection control module is used for detecting and/or filtering the acquired data with the initial credit value, determining the safety state of the acquired data, and performing safety control on the data source corresponding to the acquired data according to the safety state.
In some embodiments, the initial evaluation architecture building module comprises: an initial credit value calculation module for calculating the initial credit value according to the correlation coefficient matrix and the basic scores of the multiple influencing factors as

initial reputation value $= \beta_0 x_0 + \sum_{i=1}^{n} \beta_i x_i$

wherein n is the number of influencing factors, $x_i$ is the base score of the i-th influencing factor, $\beta_i$ is the weight value of the i-th influencing factor (an element of the correlation coefficient matrix), and $x_0$ and $\beta_0$ are the perturbation term and its weight value.
In some embodiments, the initial evaluation architecture building module further comprises:
the judgment matrix constructing module is used for constructing a judgment matrix according to the importance level between every two influencing factors;
the vector calculation module is used for calculating the eigenvector of the judgment matrix as the weight vector;
the consistency detection module is used for calculating the maximum eigenvalue of the judgment matrix and performing a consistency check on the judgment matrix according to the maximum eigenvalue;
and finally, solving to obtain a weight vector with satisfactory consistency as the correlation coefficient matrix.
In some embodiments, the influencing factors include at least one of vendor, data category, data source, and time span, the apparatus further comprising: and the basic score processing module is used for counting the data types and/or data sources in the acquired data, setting default basic scores for newly found data, and dynamically updating the basic scores according to the counting condition.
A third aspect of an embodiment of the present application provides an electronic device, including:
a memory and one or more processors;
wherein the memory is communicatively coupled to the one or more processors, and the memory stores instructions executable by the one or more processors, and when the instructions are executed by the one or more processors, the electronic device is configured to implement the method according to the foregoing embodiments.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium having stored thereon computer-executable instructions, which, when executed by a computing apparatus, may be used to implement the method according to the foregoing embodiments.
A fifth aspect of embodiments of the present application provides a computer program product comprising a computer program stored on a computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, are operable to implement a method as in the preceding embodiments.
According to the embodiment of the application, the network collected data is subjected to security analysis through a dynamic self-adaptive multi-factor credit evaluation system, so that the self-adaptive dynamic adjustment capability of the network threat security detection is realized, and the problem of system misjudgment is effectively solved under the condition that the system reliability, the data security and the processing efficiency are ensured.
Drawings
The features and advantages of the present application will be more clearly understood by reference to the accompanying drawings, which are illustrative and not to be construed as limiting the present application in any way, and in which:
FIG. 1 is a schematic flow chart illustrating a security detection method for cyber threats according to an embodiment of the present application;
FIG. 2 is a schematic diagram illustrating an exemplary data analysis output according to an embodiment of the present application;
FIG. 3 is a schematic diagram illustrating an exemplary data security check according to an embodiment of the present application;
FIG. 4 is a block diagram of a security detection device for cyber threats according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In the following detailed description, numerous specific details of the present application are set forth by way of examples in order to provide a thorough understanding of the relevant disclosure. It will be apparent, however, to one skilled in the art that the present application may be practiced without these specific details. It should be understood that the use of the terms "system," "apparatus," "unit" and/or "module" herein is a method for distinguishing between different components, elements, portions or assemblies at different levels of sequential arrangement. However, these terms may be replaced by other expressions if they can achieve the same purpose.
It will be understood that when a device, unit or module is referred to as being "on", "connected to" or "coupled to" another device, unit or module, it can be directly on, connected or coupled to, or in communication with, the other device, unit or module, or intervening devices, units or modules may be present, unless the context clearly dictates otherwise. For example, as used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of the present application. As used in the specification and claims of this application, the terms "a", "an", and/or "the" are not intended to be inclusive in the singular, but rather are intended to be inclusive in the plural, unless the context clearly dictates otherwise. In general, the terms "comprises" and "comprising" are intended to cover only the explicitly identified features, integers, steps, operations, elements, and/or components, but not to constitute an exclusive list of such features, integers, steps, operations, elements, and/or components.
These and other features and characteristics of the present application, as well as the methods of operation and functions of the related elements of structure and the combination of parts and economies of manufacture, will be better understood upon consideration of the following description and the accompanying drawings, which form a part of this specification. It is to be expressly understood, however, that the drawings are for the purpose of illustration and description only and are not intended as a definition of the limits of the application. It will be understood that the figures are not drawn to scale.
Various block diagrams are used in this application to illustrate various variations of embodiments according to the application. It should be understood that the foregoing and following structures are not intended to limit the present application. The protection scope of this application is subject to the claims.
In the prior art, big data analysis for network threat security detection is carried out on the basis of threat indicators (IoCs). IoCs trade space for time and so address early discovery and identification in active defense, but they rely on data from as many data sources as possible and on that data being as comprehensive as possible. On the one hand this places a heavy operating load on the system (if multi-level correlation among multi-source data is considered, the amount of indirectly generated data grows exponentially); on the other hand it produces a large number of misjudgments, seriously disturbing the normal operation of other network systems.
In view of this, the embodiment of the present application provides a network threat security detection method, which performs dynamic adaptive multi-factor evaluation on acquired data by actively introducing key influence factors, so as to ensure rationality and reliability of basic analysis throughput, reduce false alarm rate by means of multiple detection and filtering in a subsequent processing process, and effectively improve system operation efficiency and detection accuracy. Specifically, as shown in fig. 1, in an embodiment of the present application, the cyber-threat security detection method includes the steps of:
s101, preprocessing collected data which are automatically collected, and introducing a plurality of items of influence factor information related to the collected data.
In the prior art, because of the diversity and complexity of the collected data, the data security is often not evaluated by unified indexes, and the data can only be labeled one by one in a manual or semi-manual mode, so that the processing mode has huge workload on one hand, and is difficult to adjust in time according to the data change condition on the other hand, and therefore, the efficiency and the accuracy have serious defects. In an embodiment of the application, data information existing in a network is widely collected through an automatic collection mechanism, and the data is automatically preprocessed while being collected, so that on one hand, key elements of the data are automatically perfected, and on the other hand, the data are recorded in a standard format, so that the subsequent automatic analysis of the collected data is facilitated.
Preferably, in an embodiment of the present application, analysis of historical data shows that the key influencing factors related to data security mainly include vendor (affecting data security through differences in detection capability), data category, data source, time span and the like; therefore, while data is collected automatically, the values of these key influencing factors are recorded automatically through newly added fields. Typically, fields such as value, value_type, category, source, time (data valid time) and tag (may be empty) are added to the collected data; an exemplary collected data record is shown in table 1 below:

Table 1: Typical example of a collected data record (table image not reproduced in this extraction)
Further, the preprocessing also includes incremental acquisition and data deduplication. The incremental acquisition refers to screening newly acquired data according to historical data, and only completely new data or changed data which are not acquired are automatically recorded. The data deduplication refers to comparing multiple items of data acquired at the same time, regarding the data with the same content and key influence factors as duplicated data, recording only one of the duplicated data, and discarding the other duplicated data. The two optimal preprocessing steps can effectively control the scale of the acquired data, reduce the data space occupied by the same data and reduce the pressure of subsequent data processing.
S102, an initial evaluation system based on the multiple influence factors is established, wherein the weight value of each influence factor is solved through an analytic hierarchy process, a correlation coefficient matrix based on the weight values of the influence factors is established, and the initial credit value of the acquired data is further obtained.
Considering that each factor influences security differently, and in order to perform uniform quantitative analysis under the combined influence of multiple factors, an embodiment of the present application constructs a dynamic adaptive multi-factor reputation evaluation system to perform the multi-factor evaluation. Related mathematical models are introduced into the evaluation system to guarantee the rationality of the IoC scoring system at the basic scoring stage. In some embodiments, said obtaining an initial reputation value for said acquisition data comprises: calculating the initial reputation value according to the correlation coefficient matrix and the basic scores of the multiple influencing factors as

initial reputation value $= \beta_0 x_0 + \sum_{i=1}^{n} \beta_i x_i$

wherein n is the number of influencing factors, $x_i$ is the base score of the i-th influencing factor, $\beta_i$ is the weight value of the i-th influencing factor (an element of the correlation coefficient matrix), and $x_0$ and $\beta_0$ are the perturbation term and its weight value.
In the embodiment of the present application the influence of the key factors is considered preferentially, but factors that were not considered, such as errors in the data transmission or acquisition process, may also affect the evaluation system. For an evaluation system, an undiscovered influencing factor does not mean it has no effect on the final result, so it is preferable to add a perturbation term representing the other, unknown influencing factors. In the preferred embodiment of the present application, taking into account a certain degree of multicollinearity between the factors, a perturbation term $x_0$ is added to the evaluation system and given an initial value and a weight value according to experience and experiments, so as to balance the data distribution and enhance the robustness of the system. Through a reasonable quantification model, the workload of manual scoring is reduced and system efficiency improved on the one hand; on the other hand, the randomness and instability of subjective judgment are avoided, enhancing the objectivity and reliability of the system.
S103, detecting and/or filtering the collected data with the initial reputation value, determining the safety state of the collected data, and performing safety control on the data source corresponding to the collected data according to the safety state.
In an embodiment of the application, besides quantitative analysis of key attributes, a verification mechanism is further introduced, such as detection in aspects of survival, effectiveness and the like, and objective attenuation of security rating is performed according to a detection result; in addition, the false alarm rate is reduced by using filtering means such as a white list and the like, so that the detection of the safety state can be dynamically and adaptively adjusted and updated, and the timeliness and the accuracy of data are ensured.
The technical solution of the present application will be further described below by more specific preferred embodiments. In a preferred embodiment, the correlation coefficient matrix is composed of weight values for each factor. Since the proportion of each influence factor in the whole evaluation system (i.e., the possibility of causing insecurity) is different, the influence of each influence factor can be effectively quantified and analyzed by representing the influence factors by different weight values, and fig. 2 is a typical output schematic of data analysis (reputation evaluation). In a preferred embodiment of the present application, the weighted value is solved by an Analytic Hierarchy Process (AHP), and the specific Process is as follows:
a) Construct a judgment matrix according to the importance level between every pair of influencing factors. Suppose a judgment matrix A is constructed whose element A[i][j] in row i and column j represents the degree of importance of factor i relative to factor j. The judgment matrix A is determined according to the classical nine importance levels and their assignments proposed by Saaty:

Of equal importance: 1
Of slight importance: 3
Of greater importance: 5
Of strong importance: 7
Of extreme importance: 9

with the intermediate values 2, 4, 6, 8 used for a degree of importance between two adjacent levels. An exemplary judgment matrix constructed in this way (i.e. a positive reciprocal matrix) is given in a figure not reproduced in this extraction.
b) Solve for the eigenvector of the judgment matrix as the weight vector. First, multiply the elements of each row of the judgment matrix to obtain an intermediate matrix M with n rows and one column; take the n-th root of each element of M; then normalise (i.e. divide each element by the sum of all elements) to obtain the eigenvector.
c) Calculate the maximum eigenvalue of the judgment matrix and perform a consistency check on the judgment matrix according to it. In the embodiment of the present application, when factor a is more important than factor c and factor b is only slightly more important than factor c, factor a is evidently more important than factor b; this ordering of importance should be reflected in both the judgment matrix and the correlation coefficient matrix, and the two should be consistent with each other, otherwise the result of the security detection becomes unreliable or even contradictory because it clearly does not match the real situation. Ideally, a judgment matrix satisfying such complete consistency has a unique non-zero eigenvalue, which is also its maximum eigenvalue, $\lambda_{max} = n$ (n being the order of the judgment matrix, i.e. the number of influencing factors including the perturbation term). In practice, however, the importance ratio $w_i/w_j$ between influencing factors (i.e. the element A[i][j] of the judgment matrix) may not be completely accurate and precise; it is often a historical statistic or an empirical estimate, so some deviation can occur.
To ensure that the conclusions drawn by applying AHP are basically reasonable, a consistency check must be performed on the constructed judgment matrix. In a preferred embodiment of the present application, the maximum eigenvalue $\lambda_{max}$ of the judgment matrix A is calculated first, and the consistency index is then computed from it as

$CI = \frac{\lambda_{max} - n}{n - 1}$

(n being the order of the judgment matrix, i.e. the number of influencing factors including the perturbation term).
When the consistency index CI is 0, the judgment matrix A satisfies complete consistency; the larger CI is, the more severe the inconsistency of the judgment matrix A.
d) Finally, solve for a weight vector with satisfactory consistency and take it as the correlation coefficient matrix. In the embodiment of the present application, as described above, the judgment matrix often does not satisfy complete consistency and some deviation occurs; at the same time, the requirement of perfect consistency is too stringent, and using it as the test criterion would lead to overly frequent adjustments and increased system load. Therefore, in the preferred embodiment of the present application, whether the judgment matrix passes the consistency check is decided by satisfactory consistency. For this, the average random consistency index RI of the judgment matrix is introduced; for judgment matrices of order 1 to 9 the empirical RI values are:

Order | 1    | 2    | 3    | 4    | 5    | 6    | 7    | 8    | 9
RI    | 0.00 | 0.00 | 0.58 | 0.90 | 1.12 | 1.24 | 1.32 | 1.41 | 1.45

When the order is greater than 2, the ratio of the consistency index CI of the judgment matrix to the average random consistency index RI of the same order is called the random consistency ratio, denoted CR = CI/RI. Preferably, when CR < 0.1 the judgment matrix is considered to have satisfactory consistency and passes the consistency check; otherwise it is considered to have failed and must be adjusted until it has satisfactory consistency. Processed in this way, the foregoing exemplary judgment matrix yields a correlation coefficient matrix (weight vector) with satisfactory consistency of [0.22, 0.16, 0.16, 0.43, 0.03].
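As an added example (not code from the patent or its applicant), the following Python works through steps a) to d) above and the initial reputation formula of the first aspect: it derives the weight vector from a judgment matrix by the row-product / n-th-root method, computes λ_max, CI and CR against Saaty's RI table, accepts the matrix only when CR < 0.1, and then applies the weights to base scores to obtain the initial reputation value. The 5x5 judgment matrix, the base scores and the function names are assumptions; the patent's own matrix survives only as a figure, so its weights [0.22, 0.16, 0.16, 0.43, 0.03] are approximated here rather than reproduced.

```python
"""AHP weight derivation, consistency check and weighted reputation score.

Added example, not the patent's code. The judgment matrix and the base
scores below are constructed for illustration.
"""
import math

# Saaty's average random consistency index RI by matrix order, as listed
# in the description (orders 1..9 only; larger matrices are not covered).
RI = {1: 0.00, 2: 0.00, 3: 0.58, 4: 0.90, 5: 1.12,
      6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def ahp_weights(A):
    """Step b): multiply the elements of each row, take the n-th root of
    each product, then normalise so the weights sum to 1."""
    n = len(A)
    roots = [math.prod(row) ** (1.0 / n) for row in A]
    total = sum(roots)
    return [r / total for r in roots]


def max_eigenvalue(A, w):
    """Step c): estimate lambda_max as the mean of (A w)_i / w_i.
    For a perfectly consistent positive reciprocal matrix every ratio is n."""
    n = len(A)
    Aw = [sum(A[i][j] * w[j] for j in range(n)) for i in range(n)]
    return sum(Aw[i] / w[i] for i in range(n)) / n


def consistency(A, w):
    """Step c)/d): CI = (lambda_max - n) / (n - 1) and CR = CI / RI[n].
    Returns (lambda_max, CI, CR); orders 1 and 2 are always consistent."""
    n = len(A)
    lam = max_eigenvalue(A, w)
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RI[n] if n > 2 else 0.0
    return lam, ci, cr


def solve_weights(A, cr_threshold=0.1):
    """Step d): return the weight vector (the correlation coefficient
    matrix) if the judgment matrix has satisfactory consistency, i.e.
    CR < 0.1; otherwise None, so the caller adjusts the matrix and retries."""
    w = ahp_weights(A)
    _, _, cr = consistency(A, w)
    return w if cr < cr_threshold else None


def initial_reputation(weights, base_scores):
    """Initial reputation value: sum of beta_i * x_i over the influencing
    factors and the perturbation term (last position). Base scores lie in
    [0, 100], and because the weights sum to 1 so does the result."""
    if len(weights) != len(base_scores):
        raise ValueError("one weight per base score is required")
    return sum(b * x for b, x in zip(weights, base_scores))


# Constructed judgment matrix over (vendor, data category, data source,
# time span, perturbation term) on Saaty's 1-9 scale. Each A[j][i] is the
# reciprocal of A[i][j], so the matrix is a positive reciprocal matrix.
JUDGMENT = [
    [1,   2,   2,   1/2, 7],
    [1/2, 1,   1,   1/3, 5],
    [1/2, 1,   1,   1/3, 5],
    [2,   3,   3,   1,   9],
    [1/7, 1/5, 1/5, 1/9, 1],
]

# Constructed base scores for one collected record, in the same order:
# vendor 80, category 70, source 75, time span 40, perturbation term 50.
SAMPLE_BASE_SCORES = [80, 70, 75, 40, 50]

if __name__ == "__main__":
    w = solve_weights(JUDGMENT)
    lam, ci, cr = consistency(JUDGMENT, ahp_weights(JUDGMENT))
    print("lambda_max = %.3f  CI = %.4f  CR = %.4f" % (lam, ci, cr))
    print("weights:", [round(x, 3) for x in w])
    print("initial reputation:", round(initial_reputation(w, SAMPLE_BASE_SCORES), 2))
```

With the page's own weight vector [0.22, 0.16, 0.16, 0.43, 0.03] and the constructed base scores, `initial_reputation` gives 59.5; the constructed matrix passes the check with CR just above 0.01 and a weight vector close to the page's.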
In addition, in the preferred embodiment of the present application, vendor (manufacturer), data category, data source and time span are still used as influencing factors. For a given piece of collected data, each influencing factor has a corresponding base score, usually assigned according to statistics or experience; for uniform quantitative analysis, the base score x_i of each factor i lies in the score interval [0, 100]. For example, the base score of the vendor item indicates the detection capability of that vendor and can be assigned according to the vendor's historical data or professional analysis results; the base score of the data category item should likewise be derived through extensive statistical analysis and indicates the overall trustworthiness of data of that category. The data source item is determined by the number of sources; preferably, its base scores are determined by combining the degree of discrimination with the Lagrange multiplier perspective, as shown in Table 2 below:
Number of occurrences    1     2     3     4     5     6    >6
Base score              70    75    80    85    90    95   100
Table 2: Typical examples of data source item base scores
The base scores of the time span item are preferably determined by scaling from the Lagrange multiplier perspective; a typical example is shown in Table 3 below:
Time span (h)    <24    24-48    48-72    >72
Base score        70       40       10      0
Table 3: Typical examples of time span item base scores
However, a score given in 24-hour steps is somewhat too coarse, so in a more preferred embodiment of the present application the time span score is further refined on the basis of Table 3:
Figure BDA0002468915750000121
Figure BDA0002468915750000122
where BaseCore_T is the base score defined in Table 3, deltaTime is the difference, in hours, between the current time and the timestamp in the data (i.e. the specific value of the time span), and deltaTime mod 24 is the remainder operation.
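As an added example (not code from the patent), the following Python reproduces the steps above end to end: deriving the weight vector from a judgment matrix by power iteration, applying the CI/RI/CR consistency check, looking up the Table 2 and Table 3 base scores, and combining them into the initial reputation value as the weighted sum of base scores and weights (the formula given with the apparatus description). The mapping of the weight vector [0.22, 0.16, 0.16, 0.43, 0.03] onto the factor order vendor, category, source, time span, disturbance term, and the handling of the table boundaries, are assumptions; the judgment matrix in the demo is constructed.

```python
# Added example (not the patent's own code): AHP weight derivation with the
# CI/RI/CR consistency check, the base-score tables (Tables 2 and 3) and the
# weighted initial reputation value. Pure Python, no third-party packages.
from typing import Dict, List, Tuple

# Empirical average random consistency index RI for orders 1..9 (from the text).
RI = {1: 0.00, 2: 0.00, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

# Weight vector quoted in the text; its mapping onto this factor order is an assumption.
FACTORS = ["vendor", "category", "source", "time_span", "disturbance"]
PAGE_WEIGHTS = [0.22, 0.16, 0.16, 0.43, 0.03]


def principal_eigenvector(A: List[List[float]], iters: int = 500) -> Tuple[List[float], float]:
    """Power iteration: returns the normalised weight vector and lambda_max."""
    n = len(A)
    w = [1.0 / n] * n
    for _ in range(iters):
        aw = [sum(A[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [v / total for v in aw]
    aw = [sum(A[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n   # Rayleigh-style estimate
    return w, lam


def ahp_weights(A: List[List[float]], cr_limit: float = 0.1) -> Dict[str, object]:
    """Weights plus CI, CR and the pass/fail verdict of the consistency check."""
    n = len(A)
    if n < 1 or n > 9:
        raise ValueError("RI table only covers orders 1-9")
    for i in range(n):
        if len(A[i]) != n or abs(A[i][i] - 1.0) > 1e-9:
            raise ValueError("judgment matrix must be square with unit diagonal")
        for j in range(n):
            if A[i][j] <= 0 or abs(A[i][j] * A[j][i] - 1.0) > 1e-9:
                raise ValueError("judgment matrix must be positive and reciprocal")
    w, lam = principal_eigenvector(A)
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    # CR = CI / RI is only defined for order > 2 (RI is 0 for orders 1 and 2).
    cr = ci / RI[n] if n > 2 else 0.0
    return {"weights": w, "lambda_max": lam, "ci": ci, "cr": cr, "passes": cr < cr_limit}


def source_base_score(occurrences: int) -> int:
    """Table 2: 1 -> 70, 2 -> 75, ... 6 -> 95, more than 6 -> 100."""
    if occurrences < 1:
        raise ValueError("a collected record has at least one source")
    return min(70 + 5 * (occurrences - 1), 100)


def time_span_base_score(delta_hours: float) -> int:
    """Table 3: <24 h -> 70, 24-48 h -> 40, 48-72 h -> 10, >72 h -> 0.
    Boundary handling (24 h counts as 24-48, 72 h as 48-72) is an assumption."""
    if delta_hours < 0:
        raise ValueError("timestamp lies in the future")
    if delta_hours < 24:
        return 70
    if delta_hours < 48:
        return 40
    if delta_hours <= 72:
        return 10
    return 0


def initial_reputation(base_scores: Dict[str, float], weights: List[float] = PAGE_WEIGHTS) -> float:
    """sum_i beta_i * x_i + beta_0 * x_0 over vendor, category, source,
    time span and the disturbance term; every base score must lie in [0, 100]."""
    for name in FACTORS:
        if not 0 <= base_scores[name] <= 100:
            raise ValueError(f"base score of {name} outside [0, 100]")
    return sum(b * base_scores[name] for b, name in zip(weights, FACTORS))


if __name__ == "__main__":
    # Constructed, fully consistent judgment matrix built from the page's weights.
    A = [[wi / wj for wj in PAGE_WEIGHTS] for wi in PAGE_WEIGHTS]
    result = ahp_weights(A)
    print("weights", [round(x, 2) for x in result["weights"]], "CR", round(result["cr"], 4))
    scores = {"vendor": 80, "category": 90, "source": source_base_score(3),
              "time_span": time_span_base_score(10), "disturbance": 50}
    print("initial reputation", initial_reputation(scores, result["weights"]))
```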
The above preferred embodiment is a typical way of setting the base scores of the various influencing factors. Those skilled in the art should understand that this typical setting is determined from statistics or experience of historical data and should in theory only provide default/initial values; it is obviously not static and unchangeable, but should be set dynamically according to newly discovered data or changes in the statistics. Therefore, the method preferably further comprises: counting the data categories and/or data sources in the collected data, setting default base scores for newly discovered data, and dynamically updating the base scores according to the statistics.
In a preferred embodiment, when a new category and/or source appears in the collected data, the base score of the corresponding item takes a default value of 60 points at first discovery; once subsequent statistics show that the number of collected records related to the new category and/or source has accumulated beyond a certain number (for example, a preset threshold of 20, triggered when the count is greater than or equal to 20), the base score table of the corresponding influencing factor item is updated. More preferably, in some embodiments, dynamically updating the base score according to the statistics comprises: periodically counting, for the data of each source and/or category, the proportion of records that fail the validity and survivability detection; and, for a source and/or category whose failed proportion falls outside a preset interval, iteratively updating the corresponding base score according to the ratio of the offset beyond the preset interval to the span of that interval.
In a preferred embodiment, the detection of the collected data comprises survivability detection and validity detection, and the statistics update period can be set by the user or adjusted dynamically; in the preferred embodiment of the application the base score is assumed to be updated every half year. At each update, the proportion of records failing the validity and survivability detection is first counted for the data of each source and/or category; secondly, a preset interval [a, b] within which the base score need not be updated is set according to the statistical results (this can be understood as a confidence interval: when the failed proportion lies within it, the data is considered to show no significant difference and the base score is not updated).
If the failed proportion exceeds the preset interval (i.e. the failed proportion p is not in the interval [a, b]), the base score is updated according to the ratio of the offset c, by which the failed proportion exceeds the preset interval, to the span of the interval. The offset ratio is
$cp = \frac{c}{|a - b|}$
where |a − b| is the length of the interval span, and the offset c is:
Figure BDA0002468915750000132
Finally, the base score is dynamically updated according to the offset ratio cp: the new base score equals the original base score + (cp × 5). To prevent the base score from changing too much in a single update, the variation of each base score per update is limited to a certain value (such as the value 5 in the above formula). Through this proportion-based iterative updating, the base scores of the relevant influencing factor items gradually converge and stabilise, which ensures the timeliness and accuracy of the technical scheme of the application and gives the detection of network security events strong self-adaptive capability.
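The discovery default, activation threshold and interval-based update described above, as an added example that is not the patent's own code; the sign convention for the offset c (a failure proportion above b lowers the score, one below a raises it) and the constructed statistics are assumptions.

```python
# Added example (not the patent's own code): default base scores for newly
# seen categories/sources, the 20-record activation threshold and the
# periodic interval-based update of base scores. All statistics are constructed.
from typing import Dict, List

DEFAULT_BASE = 60          # default for a newly discovered category/source
ACTIVATION_COUNT = 20      # records needed before the entry is updated
MAX_STEP = 5               # cap on the change per update, as in the text


def update_base_score(base: float, fail_ratio: float, a: float, b: float,
                      step: float = MAX_STEP) -> float:
    """Iterative update: cp = c / |a - b| and new = old + cp * step.
    Inside [a, b] nothing changes. The sign of the offset c (negative when the
    failure ratio is above b, positive when it is below a) is an assumption;
    the text only states that c is the offset beyond the interval."""
    if not (0.0 <= a < b <= 1.0):
        raise ValueError("interval must satisfy 0 <= a < b <= 1")
    if not (0.0 <= fail_ratio <= 1.0):
        raise ValueError("failure ratio must be a proportion")
    if a <= fail_ratio <= b:
        return base
    c = (a - fail_ratio) if fail_ratio < a else (b - fail_ratio)
    cp = c / abs(a - b)
    delta = max(-step, min(step, cp * step))   # change limited to +/- step
    return max(0.0, min(100.0, base + delta))  # keep inside the [0, 100] score range


class BaseScoreTable:
    """Per-item base scores with discovery defaults and periodic updates."""

    def __init__(self, a: float, b: float) -> None:
        self.a, self.b = a, b
        self.scores: Dict[str, float] = {}
        self.results: Dict[str, List[bool]] = {}   # True = passed detection

    def record(self, item: str, passed: bool) -> None:
        if item not in self.scores:            # newly discovered category/source
            self.scores[item] = DEFAULT_BASE
            self.results[item] = []
        self.results[item].append(passed)

    def run_period_update(self) -> Dict[str, float]:
        """Called once per statistics period (the text uses half a year)."""
        for item, outcomes in self.results.items():
            if len(outcomes) < ACTIVATION_COUNT:
                continue                       # not enough evidence yet
            fail_ratio = outcomes.count(False) / len(outcomes)
            self.scores[item] = update_base_score(self.scores[item], fail_ratio,
                                                  self.a, self.b)
            self.results[item] = []            # statistics restart for the next period
        return dict(self.scores)


if __name__ == "__main__":
    table = BaseScoreTable(a=0.10, b=0.30)
    for _ in range(12):                        # 24 constructed records, half failing
        table.record("feed-x", True)
        table.record("feed-x", False)
    print(table.run_period_update())           # {'feed-x': 55.0}
```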
In addition to dynamically updating the base scores, in a preferred embodiment of the present application the initial reputation value of the data is further processed by detecting and/or filtering the collected data, so that the processed reputation value truly reflects the security state of the data. Preferably, as shown in the preferred network threat security detection example of FIG. 3, the detecting and/or filtering includes at least one of survivability detection, validity detection and white list filtering. The initial reputation value of data that passes the detection and/or filtering can be considered true and reliable, and corresponding security control can be executed on the data and its source according to that reputation value; for data that fails the detection and/or filtering, the currently evaluated reputation value is considered to deviate from the real situation and must be processed and adjusted according to the specific way in which it failed, so that the final reputation value truly reflects the security state of the data.
Survivability detection generally refers to checking whether the data is still present in the network. Typical survivability checks include: building an IP queue and ping-checking each IP to detect whether the host is alive; building a domain name and URL queue, converting each domain name into a URL and accessing it with HTTP GET, where an HTTP status code 200 (OK) or 302 (redirect) proves survival. Data that passes the survivability check enters the next stage, validity checking; data that fails it enters non-survival decay. Preferably, non-survival decay subtracts a fixed score periodically (e.g. daily), with the amount depending on the class of IoC.
Validity checking generally refers to checking whether the collected data is still valid (i.e. whether a change has occurred that requires re-collection). Typical validity checks include: for the IP class, judging whether the attribution of the IP address has changed; for the domain name class, judging whether the registration information of the domain name has changed and whether the resolution of the domain name has changed. Data that passes the validity check proceeds to the next stage, white list filtering; data that fails enters invalid decay. Preferably, invalid decay is applied separately for each of the check results above: for the IP class, if a change of attribution is found, the reputation value is cleared and the event is logged; for the domain name class, if a change of registration information is found, the reputation value is cleared and the event is logged; if the resolution of a domain name has changed, the reputation value is attenuated by a certain score, typically for example 5.
White list filtering detects whether the current IoC is present in the white list, in which case it can be output directly. Data that passes the white list filtering can be output; preferably, while it is output, data expansion can be performed in various ways so that the expanded data inherits the attributes and reputation value of the original data, for example by expanding the IPs or domain names in the C2, trojan and ransomware categories. Optionally, IP expansion comprises: expanding the IPs in the above categories through a previously built PDNS (Passive DNS) library, associating them according to the IP address of the originally classified domain name. For example, only the data of the same day corresponding to the last acquisition time of the domain name for that IP address is associated, giving a domain name list; the result is then output according to the permission setting, where "release" outputs it automatically, "ignore" leaves it out of the current list, and the expanded data does not enter any further flow. Further, optionally, domain name expansion comprises: expanding the domain names in the above categories through a real-time domain name Whois library, associating them according to the registrant e-mail address of the originally classified domain name, and associating only domain names registered within one month (30 days) of the registration date of the original domain name as its expansion data; the result is then output according to the permission setting in the same way. For example, if the original domain name classified as C2 is "C2.com" with registrant e-mail address xxc2@gmail.com and registration date 2017/12/15, only the domain names registered by xxc2@gmail.com within 2017/12/1 to 2017/12/30 are queried, and the resulting domain name list is taken as the expansion data, integrating all attributes of the original data.
Data that does not pass the white list filtering is further subjected to grey data auditing. Optionally, data that was not passed by the white list filtering but was matched against the white list can be comprehensively rated through several online security check interfaces, and the white list can also be adjusted for data in which an anomaly is found. For example, domain name and IP data are comprehensively rated through several interfaces such as VT, Tencent, Blue Coat and Google security interfaces to check whether the domain name or IP shows malicious behaviour, and finally output according to the permission setting.
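The three stages and their attenuation rules, as an added example that is not the patent's own code, operating on check results that are supplied as already-collected fields rather than obtained by probing; the per-class daily decay amounts, the white list and the sample IoC values are constructed assumptions.

```python
# Added example (not the patent's own code): survivability -> validity ->
# white-list stages with the attenuation rules from the text. The check
# outcomes are fields on the record (constructed), no network probing happens here.
from dataclasses import dataclass, field
from typing import List, Set

# Non-survival decay: fixed points per day by IoC category (constructed values).
DAILY_DECAY = {"C2": 3.0, "trojan": 2.0, "ransomware": 2.0}
RESOLUTION_CHANGE_PENALTY = 5        # "typically, for example, 5" in the text


@dataclass
class Ioc:
    value: str
    value_type: str                  # "ip" or "domain"
    category: str
    reputation: float                # initial reputation value, 0..100
    alive: bool                      # result of the survivability check
    days_dead: int = 0               # daily decay rounds elapsed since last seen alive
    attribution_changed: bool = False   # IP attribution changed (validity check)
    registration_changed: bool = False  # domain registration info changed
    resolution_changed: bool = False    # domain resolution changed
    log: List[str] = field(default_factory=list)


def survivability_stage(ioc: Ioc) -> bool:
    """Returns True when the IoC may enter validity checking; otherwise
    applies non-survival decay, a fixed amount per day by category."""
    if ioc.alive:
        return True
    decay = DAILY_DECAY.get(ioc.category, 1.0) * ioc.days_dead
    ioc.reputation = max(0.0, ioc.reputation - decay)
    ioc.log.append(f"non-survival decay -{decay:g}")
    return False


def validity_stage(ioc: Ioc) -> bool:
    """Invalid decay: an attribution or registration change clears the score
    (and is logged); a resolution change only subtracts a fixed amount."""
    if ioc.value_type == "ip" and ioc.attribution_changed:
        ioc.reputation = 0.0
        ioc.log.append("ip attribution changed: reputation cleared")
        return False
    if ioc.value_type == "domain":
        if ioc.registration_changed:
            ioc.reputation = 0.0
            ioc.log.append("domain registration changed: reputation cleared")
            return False
        if ioc.resolution_changed:
            ioc.reputation = max(0.0, ioc.reputation - RESOLUTION_CHANGE_PENALTY)
            ioc.log.append(f"domain resolution changed: -{RESOLUTION_CHANGE_PENALTY}")
            return False
    return True


def whitelist_stage(ioc: Ioc, whitelist: Set[str]) -> str:
    """Entries on the white list are output directly; the rest go to grey auditing."""
    return "whitelisted" if ioc.value in whitelist else "grey_audit"


def evaluate(ioc: Ioc, whitelist: Set[str]) -> str:
    """Runs the stages in order and returns the disposition of the record."""
    if not survivability_stage(ioc):
        return "non_survival_decay"
    if not validity_stage(ioc):
        return "invalid_attenuation"
    return whitelist_stage(ioc, whitelist)


if __name__ == "__main__":
    whitelist = {"example.com"}      # constructed white list
    rec = Ioc("1.2.3.4", "ip", "C2", 93.0, alive=False, days_dead=2)
    print(evaluate(rec, whitelist), rec.reputation, rec.log)
```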
Table 4 below is an example of the output data in an embodiment of the present application, where the score field indicates the final security rating (quantified security level) of the record; according to the score field, corresponding security control can be performed on the data and its source. More preferably, the output data should also be classified, deduplicated, aggregated and so on for storage management in the database: for example, classified by category type, deduplicated by value, and aggregated over the source, tag, first_time and last_time fields. The security control includes, but is not limited to, full-network notification, push early warning, raising the detection level, reducing permissions, access control, active clearing and so on, executed according to the control strategy suggested by the specific security rating, which is not described here one by one.
value     value_type   category   source          tag    score   first_time     last_time
1.2.3.4   ip           C2         Sec-un.com      Rat    93      2017-12-13…    2017-12-16…
1.2.3.4   ip           C2         Blacklist.com   xRat   95      2017-12-12…    2017-12-16…
Table 4: Typical examples of output data
The dynamic self-adaptive multi-factor reputation evaluation system constructed in the embodiment of the application performs multi-factor evaluation in the initial reputation evaluation module using several factors (such as the five factors vendor, category, multi-source, time span and disturbance term), and introduces a mathematical model to ensure that the scoring system of the IoCs is reasonable at the base scoring stage. A mathematical model replaces the blind algorithm at the base scoring stage, and the correlation coefficient list is likewise derived from a mathematical model to ensure its reliability. A verification mechanism is introduced on the key attributes of the IoCs, the scores are attenuated for both survivability and validity, and white list filtering is additionally used to reduce the false alarm rate. Through this series of methods the reputation evaluation system gains self-adaptive dynamic adjustment capability and traceable interpretability, subjective factors in the evaluation system are reduced, and the quality of the reputation value is improved.
FIG. 4 is a schematic diagram of a network threat security detection apparatus according to some embodiments of the present application. As shown in FIG. 4, the network threat security detection apparatus 400 includes a data input module 401, an initial evaluation system building module 402, and a security detection control module 403, wherein:
the data input module 401 is configured to pre-process the automatically acquired data and introduce multiple items of influence factor information related to the acquired data;
an initial evaluation system constructing module 402, configured to construct an initial evaluation system based on the multiple influencing factors, where a weight value of each influencing factor is solved by an analytic hierarchy process, a correlation coefficient matrix based on the weight values of the influencing factors is constructed, and an initial reputation value of the collected data is further obtained;
the security detection control module 403 is configured to detect and/or filter the collected data with the initial reputation value, determine a security state of the collected data, and perform security control on a data source corresponding to the collected data according to the security state.
In some embodiments, the initial evaluation architecture building module comprises:
an initial credit value calculation module for calculating the initial credit value according to the correlation coefficient matrix and the basic scores of the multiple influencing factors as
$\sum_{i=1}^{n} \beta_i x_i + \beta_0 x_0$
where n is the number of influencing-factor terms, x_i is the base score of the i-th influencing factor, β_i is the weight value of the i-th influencing factor and an element of the correlation coefficient matrix, and x_0 and β_0 are the disturbance term and its weight value.
In some embodiments, the initial evaluation architecture building module further comprises:
the judgment matrix constructing module is used for constructing a judgment matrix according to the importance level between every two influencing factors;
the vector calculation module is used for calculating a characteristic vector of the judgment matrix as a weight vector;
the consistency detection module is used for calculating the maximum characteristic value of the judgment matrix and carrying out consistency detection on the judgment matrix according to the maximum characteristic value;
and finally, solving to obtain a weight vector with satisfactory consistency as the correlation coefficient matrix.
In some embodiments, the influencing factors include at least one of vendor, data category, data source, and time span, the apparatus further comprising:
and the basic score processing module is used for counting the data types and/or data sources in the acquired data, setting default basic scores for newly found data, and dynamically updating the basic scores according to the counting condition.
Referring to fig. 5, a schematic diagram of an electronic device according to an embodiment of the present application is provided. As shown in fig. 5, the electronic device 500 includes:
memory 530 and one or more processors 510;
wherein the memory 530 is communicatively coupled to the one or more processors 510, and instructions 532 executable by the one or more processors are stored in the memory 530, and the instructions 532 are executed by the one or more processors 510 to cause the one or more processors 510 to perform the methods of the previous embodiments of the present application.
In particular, processor 510 and memory 530 may be connected by a bus or other means, such as bus 540 in FIG. 5. Processor 510 may be a Central Processing Unit (CPU). Processor 510 may also be another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination thereof.
The memory 530, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as the cascaded progressive network in the embodiments of the present application. The processor 510 performs various functional applications of the processor and data processing by executing non-transitory software programs, instructions, and functional modules 532 stored in the memory 530.
The memory 530 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor 510, and the like. Further, memory 530 may include high-speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, memory 530 may optionally include memory located remotely from processor 510, which may be connected to processor 510 via a network, such as through communication interface 520. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
An embodiment of the present application further provides a computer-readable storage medium, in which computer-executable instructions are stored, and the computer-executable instructions are executed to perform the method in the foregoing embodiment of the present application.
The foregoing computer-readable storage media include physical volatile and non-volatile, removable and non-removable media implemented in any manner or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. The computer-readable storage medium specifically includes, but is not limited to, a USB flash drive, a removable hard drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), flash memory or other solid state memory technology, a CD-ROM, a Digital Versatile Disk (DVD), an HD-DVD, a Blu-ray disc or other optical storage, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
While the subject matter described herein is provided in the general context of execution in conjunction with the execution of an operating system and application programs on a computer system, those skilled in the art will recognize that other implementations may also be performed in combination with other types of program modules. Generally, program modules include routines, programs, components, data structures, and other types of structures that perform particular tasks or implement particular abstract data types. Those skilled in the art will appreciate that the subject matter described herein may be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, mainframe computers, and the like, as well as distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.
Those of ordinary skill in the art will appreciate that the various illustrative elements and method steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to perform all or part of the steps of the method according to the embodiments of the present application.
In summary, the present application provides a network threat security detection method, apparatus, electronic device and computer-readable storage medium thereof. According to the embodiment of the application, the network collected data are subjected to security analysis through a dynamic self-adaptive multi-factor credit evaluation system, and a relevant mathematical model is introduced, so that the reasonability and the reliability of a score system of the IoCs in a basic scoring stage are ensured; in addition, a verification mechanism is further introduced on key attributes, data are really and effectively attenuated according to multiple inspection results, and the false alarm rate is reduced through a white list filtering means. According to the technical scheme, the self-adaptive dynamic adjustment capability of the network threat security detection is realized, and the efficiency and the accuracy of the security detection are improved.
It is to be understood that the above-described embodiments of the present application are merely illustrative of or illustrative of the principles of the present application and are not to be construed as limiting the present application. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present application shall be included in the protection scope of the present application. Further, it is intended that the appended claims cover all such changes and modifications that fall within the scope and range of equivalents of the appended claims, or the equivalents of such scope and range.

Claims (10)

1. A method for security detection of cyber threats, comprising:
preprocessing acquired data which are automatically acquired, and introducing a plurality of items of influence factor information related to the acquired data;
establishing an initial evaluation system based on the plurality of influence factors, wherein the weight value of each influence factor is solved through an analytic hierarchy process, a correlation coefficient matrix based on the weight values of the influence factors is established, and an initial credit value of the acquired data is further obtained;
and detecting and/or filtering the collected data with the initial reputation value, determining the safety state of the collected data, and performing safety control on the data source corresponding to the collected data according to the safety state.
2. The method of claim 1, wherein obtaining the initial reputation value for the collected data comprises:
calculating the initial reputation value according to the correlation coefficient matrix and the basic scores of the multiple influencing factors as
$\sum_{i=1}^{n} \beta_i x_i + \beta_0 x_0$
where n is the number of influencing-factor terms, x_i is the base score of the i-th influencing factor, β_i is the weight value of the i-th influencing factor and an element of the correlation coefficient matrix, and x_0 and β_0 are the disturbance term and its weight value.
3. The method according to claim 1 or 2, wherein the solving of the weight value of each of the influencing factors by an analytic hierarchy process, and the constructing of the correlation coefficient matrix based on the weight values of the influencing factors comprises:
constructing a judgment matrix according to the importance level between every two influencing factors;
solving a feature vector of the judgment matrix as a weight vector;
calculating the maximum characteristic value of the judgment matrix, and carrying out consistency detection on the judgment matrix according to the maximum characteristic value;
and finally, solving to obtain a weight vector with satisfactory consistency as the correlation coefficient matrix.
4. The method of claim 2, wherein the influencing factors include at least one of vendor, data category, data source, and time span, the method further comprising:
and counting the data category and/or data source in the acquired data, setting default basic scores for newly found data, and dynamically updating the basic scores according to the statistical condition.
5. The method of claim 4, wherein dynamically updating the base score according to statistics comprises:
periodically counting the proportion of data which fails to pass the detection in the data of each source and/or type in the detection of effectiveness and survivability;
and for the data which does not pass the detection and occupies the ratio exceeding the preset interval, iteratively updating the corresponding basic score according to the ratio of the offset exceeding the preset interval to the span of the preset interval.
6. The method of claim 1, wherein the detecting and/or filtering comprises at least one of viability detection, effectiveness detection, and white list filtering, the method further comprising:
and performing attenuation processing on the initial reputation value according to the condition that the detection and/or the filtering is not passed.
7. A cyber threat security detection apparatus, comprising:
the data input module is used for preprocessing the automatically acquired data and introducing a plurality of items of influence factor information related to the acquired data;
the initial evaluation system building module is used for building an initial evaluation system based on the multiple influence factors, solving the weight value of each influence factor through an analytic hierarchy process, building a correlation coefficient matrix based on the weight values of the influence factors, and further obtaining an initial credit value of the acquired data;
and the safety detection control module is used for detecting and/or filtering the acquired data with the initial credit value, determining the safety state of the acquired data, and performing safety control on the data source corresponding to the acquired data according to the safety state.
8. The apparatus of claim 7, wherein the initial evaluation architecture building module comprises:
an initial credit value calculation module for calculating the initial credit value according to the correlation coefficient matrix and the basic scores of the multiple influencing factors as
$\sum_{i=1}^{n} \beta_i x_i + \beta_0 x_0$
where n is the number of influencing-factor terms, x_i is the base score of the i-th influencing factor, β_i is the weight value of the i-th influencing factor and an element of the correlation coefficient matrix, and x_0 and β_0 are the disturbance term and its weight value.
9. The apparatus of claim 7 or 8, wherein the initial evaluation architecture building module further comprises:
the judgment matrix constructing module is used for constructing a judgment matrix according to the importance level between every two influencing factors;
the vector calculation module is used for calculating a characteristic vector of the judgment matrix as a weight vector;
the consistency detection module is used for calculating the maximum characteristic value of the judgment matrix and carrying out consistency detection on the judgment matrix according to the maximum characteristic value;
and finally, solving to obtain a weight vector with satisfactory consistency as the correlation coefficient matrix.
10. The apparatus of claim 8, wherein the influencing factors include at least one of vendor, data category, data source, and time span, the apparatus further comprising:
and the basic score processing module is used for counting the data types and/or data sources in the acquired data, setting default basic scores for newly found data, and dynamically updating the basic scores according to the counting condition.
Application CN202010342153.XA, priority date 2020-04-27, filing date 2020-04-27: Network threat security detection method and device (Active; granted as CN111541702B).
Publications: CN111541702A (application), published 2020-08-14; CN111541702B (granted patent), published 2023-04-07.

Family

ID=71980087

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010342153.XA Active CN111541702B (en) 2020-04-27 2020-04-27 Network threat security detection method and device

Country Status (1)

Country Link
CN (1) CN111541702B (en)


Also Published As

Publication number Publication date
CN111541702B (en) 2023-04-07


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant