CN112019519A - Method and device for detecting threat degree of network security information and electronic device - Google Patents

Method and device for detecting threat degree of network security information and electronic device

Info

Publication number: CN112019519A
Application number: CN202010782330.6A
Authority: CN (China)
Prior art keywords: information, network security, confidence, intelligence, security information
Legal status: Granted (assumed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN112019519B (en)
Inventors: 温延龙, 范渊
Current Assignee: Hangzhou Dbappsecurity Technology Co Ltd (as listed; may be inaccurate)
Original Assignee: Hangzhou Dbappsecurity Technology Co Ltd

Events: application filed by Hangzhou Dbappsecurity Technology Co Ltd; priority to CN202010782330.6A; publication of CN112019519A; application granted; publication of CN112019519B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/302 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information gathering intelligence information for situation awareness or reconnaissance
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Evolutionary Computation (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a method and a device for detecting the threat degree of network security intelligence, an electronic device and a storage medium. The method comprises the following steps: acquiring network security intelligence data from a plurality of data sources; extracting the characteristics of a plurality of pieces of network security intelligence from the network security intelligence data, and integrating the characteristics of a first piece of network security intelligence among them to obtain the characteristic information of the first network security intelligence; processing the characteristic information of the first network security intelligence through a network security intelligence confidence evaluation model to obtain a first confidence of the first network security intelligence; and judging whether the first network security intelligence is threat intelligence at least according to the first confidence. This solves the problem in the related art that the threat degree of network security intelligence is detected with low accuracy, and achieves the technical effect of improving that detection accuracy.

Description

Method and device for detecting threat degree of network security information and electronic device
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method and an apparatus for detecting threat level of network security information, an electronic apparatus, and a storage medium.
Background
With the continuous emergence of novel threats and network attacks, chiefly APT, malicious mining and ransomware, the number of threats keeps rising and network threats evolve quickly and maliciously; at the same time the means and channels of network attacks have diversified. This places higher demands on the analysis and processing capacity of network security personnel, and enterprises and organizations need sufficient, efficient and accurate security threat intelligence as support when defending against external attacks, so that they can better discover and deal with novel threats.
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to an asset, which can be used to inform the response of the asset's owner to that menace or hazard or their handling decisions. In practice, the vast majority of threat intelligence is narrowly defined threat intelligence, whose main content is objects used to identify and detect threats, including but not limited to IPs, domain names, URLs, program run paths, registry keys and file hash values, together with attribution tags for these objects such as threat type, attributes and threat level.
Threat intelligence helps users gain a clear picture of their online information assets and security status, and carry out vulnerability remediation and risk management according to the importance and exposure of the assets themselves. Threat intelligence can also help users learn about the threat landscape of their industry, who the attackers are, the tactics and techniques the attackers use, and so on.
With the development and application of threat intelligence, quickly establishing one's own threat intelligence database is very important, especially for network security enterprises. At present a large amount of open-source network security intelligence exists on the network, but it is difficult to judge accurately whether such intelligence is threat intelligence, so how to detect the threat degree of network security intelligence by combining multi-source intelligence is important.
In the related art, threat degree detection of network security intelligence usually relies on manual judgment of the threat degree of a huge volume of open-source network security intelligence. Because the number of data sources from which network security intelligence can be acquired is huge, manual judgment of the threat degree of multi-source network security intelligence consumes a large amount of manpower, and the detection accuracy of the threat degree of network security intelligence is also low.
At present, no effective solution has been proposed for the problem of low detection accuracy of the threat degree of network security intelligence in the related art.
Disclosure of Invention
The embodiments of the application provide a method and an apparatus for detecting the threat degree of network security intelligence, an electronic apparatus and a storage medium, so as to at least solve the problem of low detection accuracy of the threat degree of network security intelligence in the related art.
In a first aspect, an embodiment of the present application provides a method for detecting the threat degree of network security intelligence, including: acquiring network security intelligence data from a plurality of data sources; extracting the characteristics of a plurality of pieces of network security intelligence from the network security intelligence data, and integrating the characteristics of a first piece of network security intelligence among them to obtain the characteristic information of the first network security intelligence; processing the characteristic information of the first network security intelligence through a network security intelligence confidence evaluation model to obtain a first confidence of the first network security intelligence, wherein the network security intelligence confidence evaluation model is a machine learning model trained to evaluate, from the characteristic information of network security intelligence, the confidence that the intelligence is threat intelligence; judging whether the first network security intelligence is threat intelligence at least according to the first confidence; and storing the first network security intelligence in a threat intelligence database when the first network security intelligence is threat intelligence.
In some embodiments, processing the characteristic information of the first network security intelligence through the network security intelligence confidence evaluation model to obtain a first confidence corresponding to that characteristic information comprises: obtaining auxiliary information of the first network security intelligence from the plurality of data sources respectively, wherein the auxiliary information includes at least one of: IP location, sub-domain names associated with the domain name, filing information of the domain name, and domain name information associated with the IP; matching the auxiliary information against a preset white list library; and, when the auxiliary information is not matched in the preset white list library, processing the characteristic information of the first network security intelligence through the network security intelligence confidence evaluation model to obtain the first confidence corresponding to that characteristic information.
In some of these embodiments, the method further comprises: when the auxiliary information is matched in the preset white list library, marking the first network security intelligence as safe intelligence.
In some embodiments, determining whether the first network security intelligence is threat intelligence based at least on the first confidence comprises: obtaining a second confidence, the second confidence comprising at least one of: a third confidence determined by the malicious file in the characteristic information of the first network security intelligence, a fourth confidence determined by whether the first network security intelligence can be matched in a preset intelligence library, and a fifth confidence determined by the discovery time in the characteristic information of the first network security intelligence; and judging whether the first network security intelligence is threat intelligence according to the first confidence and the second confidence.
In some of these embodiments, obtaining the second confidence comprises at least one of: running the malicious file in the characteristic information of the first network security intelligence in a preset sandbox, and determining the third confidence of the first network security intelligence according to whether the malicious file exhibits malicious communication behaviour; matching the first network security intelligence in a preset intelligence library, and determining the fourth confidence of the first network security intelligence according to the matching result; and determining the fifth confidence of the first network security intelligence according to the discovery time in its characteristic information and according to whether the first network security intelligence has expired.
In some embodiments, determining whether the first network security intelligence is threat intelligence based on the first confidence and the second confidence comprises: computing a weighted sum of the first confidence and the second confidence to obtain a sixth confidence of the first network security intelligence; and determining the first network security intelligence to be threat intelligence when its sixth confidence is higher than a preset value.
In some of these embodiments, after acquiring the network security intelligence data from the plurality of data sources, the method further comprises: standardizing the network security intelligence data to obtain standardized network security intelligence data.
In a second aspect, an embodiment of the present application provides an apparatus for detecting the threat degree of network security intelligence, including: an acquisition module for acquiring network security intelligence data from a plurality of data sources; an integration module for extracting the characteristics of a plurality of pieces of network security intelligence from the network security intelligence data and integrating the characteristics of a first piece of network security intelligence among them to obtain the characteristic information of the first network security intelligence; an evaluation module for processing the characteristic information of the first network security intelligence through a network security intelligence confidence evaluation model to obtain a first confidence of the first network security intelligence, wherein the network security intelligence confidence evaluation model is a machine learning model trained to evaluate, from the characteristic information of network security intelligence, the confidence that the intelligence is threat intelligence; a judging module for judging whether the first network security intelligence is threat intelligence at least according to the first confidence; and a storage module for storing the first network security intelligence in a threat intelligence database when the first network security intelligence is threat intelligence.
In a third aspect, an embodiment of the present application provides an electronic apparatus including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, implements the method for detecting the threat degree of network security intelligence described in the first aspect.
In a fourth aspect, the present application provides a storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the method for detecting the threat degree of network security intelligence described in the first aspect.
Compared with the related art, the method, apparatus, electronic apparatus and storage medium for detecting the threat degree of network security intelligence provided by the embodiments of the present application solve the problem of low detection accuracy of the threat degree of network security intelligence in the related art, and realize the technical effect of improving that detection accuracy.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flow chart of a method for detecting the threat degree of network security intelligence according to an embodiment of the present application;
FIG. 2 is a flow chart of a method for detecting the threat degree of network security intelligence according to a preferred embodiment of the present application;
FIG. 3 is a block diagram of an apparatus for detecting the threat degree of network security intelligence according to an embodiment of the present application;
FIG. 4 is a schematic diagram of the hardware structure of an electronic apparatus according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means greater than or equal to two. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
Fig. 1 is a flowchart of a method for detecting the threat degree of network security intelligence according to an embodiment of the present application. As shown in fig. 1, the flow includes the following steps:
Step S101, acquiring network security intelligence data from a plurality of data sources.
In this embodiment, the network security intelligence data includes, but is not limited to, at least one of: open-source intelligence data, enterprise internal intelligence data and intelligence partner data. The open-source intelligence data comprises open-source network security intelligence data collected from the network; the enterprise internal intelligence data comprises network security intelligence data generated inside the enterprise, such as honeypot data and security product data, and its quality is higher than that of open-source intelligence data; the intelligence partner data comprises network security intelligence data shared cooperatively by intelligence vendors and enterprises.
After the data sources for acquiring network security intelligence data have been determined, the network security intelligence data can be collected with a web crawler. Network security intelligence data that can only be obtained from a single data source needs to be collected more carefully, for example by determining the intelligence tags (botnet, C2 communication and the like) of the network security intelligence data, its discovery time, the malicious files associated with it, the related intelligence articles, and so on.
In some of these embodiments, after acquiring the network security intelligence data from the plurality of data sources, the method further comprises: standardizing the network security intelligence data to obtain standardized network security intelligence data.
In this embodiment, the network security intelligence data may be standardized: standardization converts the network security intelligence data into intelligence data with a uniform format, and the standardized network security intelligence data may be stored in an initial intelligence library for subsequent management and processing, where the initial intelligence library may be a Hive data warehouse or an Elasticsearch index.
Step S102, extracting the characteristics of a plurality of pieces of network security intelligence from the network security intelligence data, and integrating the characteristics of the first network security intelligence among them to obtain the characteristic information of the first network security intelligence.
In this embodiment, the characteristic information of network security intelligence includes, but is not limited to, at least one of the following: the intelligence tags (botnet, C2 communication, etc.) of the network security intelligence data, the discovery time, the malicious files associated with the network security intelligence data, and the related intelligence articles associated with the network security intelligence data.
The characteristic information of the first network security intelligence may be obtained from the network security intelligence data acquired from the plurality of data sources. For example, for a piece of network security intelligence related to injection, the enterprise internally marks its intelligence tag as botnet while an intelligence partner marks it as C2 communication; in that case the intelligence tags from the two data sources need to be integrated. The malicious files associated with the network security intelligence data, the related intelligence articles and the discovery time may likewise be integrated.
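The standardization of step S101 and the feature integration of step S102 can be illustrated with the following Python example. It is an added example, not code from the patent or from the assignee: the three raw records, their per-source field names, the tag alias table and the `FeatureRecord` schema are all constructed assumptions. The code maps each source's fields onto a uniform schema, canonicalises the indicator and tags, and merges every source's view of the same indicator into one feature record (union of tags, files and articles; earliest discovery time).

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample records about one indicator, as three sources might report it.
# Field names deliberately differ per source; ".example" is a reserved documentation name.
RAW_RECORDS = [
    {"source": "open_source", "ioc": "EVIL-DOMAIN.example", "type": "domain",
     "tag": "botnet", "seen": "2020-06-01T10:00:00Z", "hash": None,
     "article": "https://blog.example/report-1"},
    {"source": "internal_honeypot", "indicator": "evil-domain.example.", "kind": "domain",
     "labels": ["c2"], "first_seen": "2020-05-30 08:15:00", "sample_sha256": "ab" * 32},
    {"source": "partner", "value": "evil-domain.example", "category": "domain",
     "tags": ["C2 communication", "botnet"], "discovered": "2020-06-02T00:00:00Z"},
]

# Assumed mapping from the uniform schema to each source's field names.
FIELD_ALIASES = {
    "indicator": ("ioc", "indicator", "value"),
    "ioc_type": ("type", "kind", "category"),
    "tags": ("tag", "labels", "tags"),
    "discovery_time": ("seen", "first_seen", "discovered"),
    "files": ("hash", "sample_sha256"),
    "articles": ("article",),
}
# Assumed alias table so that sources naming the same tag differently agree.
TAG_ALIASES = {"c2 communication": "c2", "command and control": "c2"}


def _first_present(record, names):
    for name in names:
        if record.get(name) is not None:
            return record[name]
    return None


def _as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def parse_time(value: str) -> datetime:
    """Accept ISO-8601 with 'Z' or a space separator; naive stamps are assumed UTC."""
    text = value.strip().replace(" ", "T")
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def normalize_tag(tag: str) -> str:
    key = tag.strip().lower()
    return TAG_ALIASES.get(key, key)


def standardize(record: dict) -> dict:
    """Convert one source-specific record into the uniform schema."""
    indicator = _first_present(record, FIELD_ALIASES["indicator"]).strip().lower().rstrip(".")
    when = _first_present(record, FIELD_ALIASES["discovery_time"])
    return {
        "source": record["source"],
        "indicator": indicator,
        "ioc_type": (_first_present(record, FIELD_ALIASES["ioc_type"]) or "unknown").lower(),
        "tags": {normalize_tag(t) for t in _as_list(_first_present(record, FIELD_ALIASES["tags"]))},
        "discovery_time": parse_time(when) if when else None,
        "files": set(_as_list(_first_present(record, FIELD_ALIASES["files"]))),
        "articles": set(_as_list(_first_present(record, FIELD_ALIASES["articles"]))),
    }


@dataclass
class FeatureRecord:
    """Integrated characteristic information of one piece of intelligence."""
    indicator: str
    ioc_type: str
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    discovery_time: Optional[datetime] = None   # earliest time any source saw it
    files: set = field(default_factory=set)
    articles: set = field(default_factory=set)


def integrate(raw_records) -> dict:
    """Standardize every record and merge the views of the same indicator."""
    merged = {}
    for raw in raw_records:
        rec = standardize(raw)
        fr = merged.setdefault(rec["indicator"], FeatureRecord(rec["indicator"], rec["ioc_type"]))
        fr.sources.add(rec["source"])
        fr.tags |= rec["tags"]
        fr.files |= rec["files"]
        fr.articles |= rec["articles"]
        if rec["discovery_time"] and (fr.discovery_time is None or rec["discovery_time"] < fr.discovery_time):
            fr.discovery_time = rec["discovery_time"]
    return merged


if __name__ == "__main__":
    for fr in integrate(RAW_RECORDS).values():
        print(fr)
```

Keeping the earliest discovery time across sources matters later, when the fifth confidence is derived from how old the intelligence is; taking the latest time would make stale indicators look fresh.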
In some embodiments, processing the characteristic information of the first network security intelligence through the network security intelligence confidence evaluation model to obtain a first confidence corresponding to that characteristic information includes: obtaining auxiliary information of the first network security intelligence from the plurality of data sources respectively, wherein the auxiliary information comprises at least one of: IP location, sub-domain names associated with the domain name, filing information of the domain name, and domain name information associated with the IP; matching the auxiliary information against a preset white list library; and, when the auxiliary information is not matched in the preset white list library, processing the characteristic information of the first network security intelligence through the network security intelligence confidence evaluation model to obtain the first confidence corresponding to that characteristic information.
In this embodiment, the auxiliary information of the first network security intelligence obtained from the plurality of data sources may be collected with a web crawler.
In some of these embodiments, the method further comprises: when the auxiliary information is matched in the preset white list library, marking the first network security intelligence as safe intelligence.
In this embodiment, the white list data in the preset white list library may be compiled based on Alexa ranking, Sogou webpage rating, the number of the domain's pages indexed by Sogou, by Baidu and by Bing, website homepage integrity, whether the domain uses a mainstream domain name suffix, the geographic location of the IP the domain resolves to, its A record and CNAME, and the domain's WHOIS data.
The white list data can be processed with a weighting algorithm, and the processed white list data is placed in the preset white list library. In general, a malicious domain name is not a website domain with very high traffic, its home page is not elaborately designed, and its web page integrity is relatively low. In addition, whether a domain name can be stored in the preset white list library can also be decided by whether the IP the domain resolves to is abroad and whether the domain's WHOIS information is complete.
When IP data is matched against the preset white list library, the geographic location of the IP, the domain names associated with the IP and whether the IP is a private IP must first be obtained, where a private IP is one owned by a company, enterprise, government body or school; such an IP is not easily used by others and is essentially white list data in the preset white list library.
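One way to realise the weighted white list compilation and the auxiliary-information matching described above, as an added Python example rather than the patent's own code: the domain profiles, the weights, the ranking and indexing cut-offs, the mainstream suffix list, the `DEDICATED_IP_NETWORKS` block and the 0.7 threshold are all constructed assumptions. Reserved documentation names (`.example`, `.test`, TEST-NET addresses) are used so nothing points at a real host.

```python
import ipaddress

# Constructed domain profiles keyed by domain; field names are assumptions standing in for
# the signals the patent lists (Alexa rank, Sogou rating, indexing counts, homepage integrity,
# resolution region, A/CNAME records, WHOIS completeness).
DOMAIN_PROFILES = {
    "bigportal.example": {
        "alexa_rank": 120, "sogou_rating": 5, "sogou_indexed": 200_000,
        "baidu_indexed": 500_000, "bing_indexed": 300_000, "homepage_integrity": 0.95,
        "resolves_in_home_region": True, "has_a_record": True, "has_cname": True,
        "whois_complete": True,
    },
    "xk3j9q.test": {
        "alexa_rank": None, "sogou_rating": 0, "sogou_indexed": 0,
        "baidu_indexed": 0, "bing_indexed": 2, "homepage_integrity": 0.10,
        "resolves_in_home_region": False, "has_a_record": True, "has_cname": False,
        "whois_complete": False,
    },
}

# Assumed weights and cut-offs for the weighting algorithm.
WEIGHTS = {"traffic_rank": 3.0, "search_rating": 1.0, "search_indexing": 2.0,
           "homepage_integrity": 2.0, "mainstream_suffix": 1.0, "home_region": 1.0,
           "dns_records": 1.0, "whois_complete": 1.0}
RANK_CUTOFF, INDEXED_CUTOFF, RATING_CUTOFF = 100_000, 1_000, 3
# "example" is included only so the reserved sample name exercises the suffix rule.
MAINSTREAM_SUFFIXES = {"com", "net", "org", "cn", "edu", "gov", "example"}
WHITELIST_THRESHOLD = 0.7
# Constructed dedicated address block of a known organisation (TEST-NET-3, RFC 5737).
DEDICATED_IP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def registrable_domain(name: str) -> str:
    """Assumes a two-label registrable domain (no public suffix list, for brevity)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def whitelist_score(domain: str, p: dict) -> float:
    """Weighted white list score in [0, 1]; higher means more likely a legitimate site."""
    score = 0.0
    if p["alexa_rank"] is not None and p["alexa_rank"] <= RANK_CUTOFF:
        score += WEIGHTS["traffic_rank"]
    if p["sogou_rating"] >= RATING_CUTOFF:
        score += WEIGHTS["search_rating"]
    if p["sogou_indexed"] + p["baidu_indexed"] + p["bing_indexed"] >= INDEXED_CUTOFF:
        score += WEIGHTS["search_indexing"]
    # homepage integrity is a continuous 0..1 signal; weight it proportionally
    score += WEIGHTS["homepage_integrity"] * max(0.0, min(1.0, p["homepage_integrity"]))
    if registrable_domain(domain).split(".")[-1] in MAINSTREAM_SUFFIXES:
        score += WEIGHTS["mainstream_suffix"]
    if p["resolves_in_home_region"]:
        score += WEIGHTS["home_region"]
    if p["has_a_record"] and p["has_cname"]:
        score += WEIGHTS["dns_records"]
    if p["whois_complete"]:
        score += WEIGHTS["whois_complete"]
    return round(score / sum(WEIGHTS.values()), 3)


def build_whitelist(profiles: dict, threshold: float = WHITELIST_THRESHOLD) -> set:
    return {d for d, p in profiles.items() if whitelist_score(d, p) >= threshold}


def match_auxiliary(aux: dict, whitelist: set) -> bool:
    """True when the auxiliary information of an indicator matches white list data,
    i.e. the intelligence is marked safe instead of being scored by the model."""
    kind, indicator = aux["type"], aux["indicator"].lower()
    if kind == "domain":
        # the domain itself or its registrable parent is white-listed
        return indicator in whitelist or registrable_domain(indicator) in whitelist
    if kind == "ip":
        ip = ipaddress.ip_address(indicator)
        if any(ip in net for net in DEDICATED_IP_NETWORKS):
            return True   # dedicated IP of a known organisation counts as white list data
        # a shared IP is only safe if every domain it is associated with is white-listed
        associated = aux.get("associated_domains", [])
        return bool(associated) and all(registrable_domain(d) in whitelist for d in associated)
    return False


if __name__ == "__main__":
    wl = build_whitelist(DOMAIN_PROFILES)
    print("white list:", wl)
    print(match_auxiliary({"type": "domain", "indicator": "cdn.bigportal.example"}, wl))
```

Requiring all associated domains of a shared IP to be white-listed is the conservative choice: one malicious tenant on a hosting IP should not let the IP bypass the model.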
Step S103, processing the characteristic information of the first network security intelligence through a network security intelligence confidence evaluation model to obtain a first confidence of the first network security intelligence, wherein the network security intelligence confidence evaluation model is a machine learning model trained to evaluate, from the characteristic information of network security intelligence, the confidence that the intelligence is threat intelligence.
In this embodiment, the network security intelligence confidence evaluation model may be trained with a random forest algorithm. The model processes the characteristic information of the first network security intelligence to determine whether it poses a threat; for example, the first confidence of the first network security intelligence may be set to 0.4 when the model determines that it poses a threat, and to 0 when the model determines that it poses no threat.
Step S104, judging, at least according to the first confidence, whether the first network security intelligence is threat intelligence.
In this embodiment, a threshold may be set, for example 0.2: when the first confidence is higher than 0.2, the first network security intelligence is judged to be threat intelligence; when the first confidence is lower than 0.2, it is judged to be safe intelligence.
In other embodiments, the threshold may also take other values, such as 0.3 or 0.1.
Step S105, storing the first network security intelligence in a threat intelligence database when the first network security intelligence is threat intelligence.
In this embodiment, by collecting the network security intelligence data, processing it and detecting its threat degree, a threat intelligence database can be built up. Because the first network security intelligence has passed the first confidence evaluation, and is judged to be threat intelligence only when its first confidence is higher than the threshold, the threat intelligence in the threat intelligence database is more accurate.
Through steps S101 to S105, the application acquires network security intelligence data from a plurality of data sources, extracts and integrates the characteristics of that data, processes the characteristic information of the first network security intelligence through the network security intelligence confidence evaluation model to obtain the first confidence corresponding to it, and determines whether the first network security intelligence is threat intelligence according to the first confidence, without manually judging the threat degree of a huge volume of open-source network security intelligence. This solves the problem of low detection accuracy of the threat degree of network security intelligence in the related art and achieves the technical effect of improving that detection accuracy.
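The decision logic of steps S103 and S104, together with the second confidence (third to fifth confidences) and the weighted sum described in the summary above, as an added Python example that is not the patent's code. The trained random forest is replaced by a rule-based stand-in (`rule_based_model`) because the patent does not describe the model's features or training data; the 0.4 model score and the 0.2 threshold for the first confidence come from the text, while the values assigned to the third, fourth and fifth confidences, the weights, the age bands, the 0.5 threshold for the sixth confidence and the `SAMPLES` records are assumptions. The second sample shows why the second confidence matters: the model alone clears the 0.2 threshold, but the combined score does not.

```python
from datetime import datetime, timedelta, timezone

# Values taken from the patent text.
MODEL_THREAT_SCORE = 0.4      # first confidence when the model flags a threat
FIRST_THRESHOLD = 0.2         # first confidence above this => threat intelligence
# Everything below is an assumption made for this example.
THIRD_MALICIOUS_COMMS = 0.3   # sandbox observed malicious communication behaviour
FOURTH_IN_LIBRARY = 0.2       # indicator already present in the preset intelligence library
FIFTH_FRESH, FIFTH_STALE = 0.1, 0.05   # discovered within 30 / 180 days
WEIGHTS = {"first": 1.0, "third": 1.0, "fourth": 1.0, "fifth": 1.0}
SIXTH_THRESHOLD = 0.5
THREAT_TAGS = {"botnet", "c2", "malware", "phishing"}
NOW = datetime(2020, 8, 5, tzinfo=timezone.utc)   # fixed reference time, constructed


def rule_based_model(features: dict) -> bool:
    """Stand-in for the trained random forest: flags a threat when the integrated
    tags contain a threat category or a malicious file is associated."""
    return bool(features["tags"] & THREAT_TAGS) or bool(features["files"])


def first_confidence(features: dict, model=rule_based_model) -> float:
    return MODEL_THREAT_SCORE if model(features) else 0.0


def third_confidence(sandbox_report) -> float:
    """sandbox_report: summary of detonating the associated file (constructed dict or None)."""
    if not sandbox_report:
        return 0.0
    return THIRD_MALICIOUS_COMMS if sandbox_report.get("malicious_communication") else 0.0


def fourth_confidence(indicator: str, library: set) -> float:
    return FOURTH_IN_LIBRARY if indicator in library else 0.0


def fifth_confidence(discovery_time, expired: bool, now=NOW) -> float:
    """Recent intelligence earns more; expired intelligence earns nothing."""
    if expired or discovery_time is None:
        return 0.0
    age = now - discovery_time
    if age <= timedelta(days=30):
        return FIFTH_FRESH
    if age <= timedelta(days=180):
        return FIFTH_STALE
    return 0.0


def sixth_confidence(first, third, fourth, fifth) -> float:
    """Weighted sum of the first confidence and the components of the second confidence."""
    return round(WEIGHTS["first"] * first + WEIGHTS["third"] * third
                 + WEIGHTS["fourth"] * fourth + WEIGHTS["fifth"] * fifth, 3)


def classify(sample: dict, library: set, model=rule_based_model, now=NOW) -> dict:
    first = first_confidence(sample["features"], model)
    third = third_confidence(sample.get("sandbox"))
    fourth = fourth_confidence(sample["indicator"], library)
    fifth = fifth_confidence(sample["features"]["discovery_time"], sample.get("expired", False), now)
    sixth = sixth_confidence(first, third, fourth, fifth)
    return {"indicator": sample["indicator"], "first": first, "sixth": sixth,
            "threat_by_first": first > FIRST_THRESHOLD,    # step S104 alone
            "threat_by_sixth": sixth > SIXTH_THRESHOLD}    # with the second confidence


# Constructed samples; ".test" is a reserved name.
LIBRARY = {"evil-domain.test"}
SAMPLES = [
    {"indicator": "evil-domain.test",
     "features": {"tags": {"botnet", "c2"}, "files": {"ab" * 32},
                  "discovery_time": NOW - timedelta(days=10)},
     "sandbox": {"malicious_communication": True}},
    {"indicator": "lonely-flag.test",   # only the model says threat; nothing corroborates it
     "features": {"tags": {"c2"}, "files": set(), "discovery_time": NOW - timedelta(days=400)},
     "sandbox": None},
    {"indicator": "quiet-host.test",
     "features": {"tags": {"scanner"}, "files": set(), "discovery_time": NOW - timedelta(days=3)},
     "expired": True},
]


def run_samples() -> dict:
    return {r["indicator"]: r for r in (classify(s, LIBRARY) for s in SAMPLES)}


if __name__ == "__main__":
    for result in run_samples().values():
        print(result)
```

Because the first confidence is only ever 0 or 0.4 in the patent's example, the first threshold is effectively a binary gate; the weighted sum is what lets corroborating evidence (sandbox behaviour, an existing library hit, freshness) separate a lone model verdict from a well-supported one.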
The embodiments of the present application are described and illustrated below by means of preferred embodiments.
Fig. 2 is a flow chart of a method for detecting the threat level of network security intelligence according to a preferred embodiment of the present application. As shown in Fig. 2, in some embodiments the method includes the following steps:
Step S201, network security intelligence data is acquired from a plurality of data sources.
Step S202, the network security intelligence data is standardized to obtain standardized network security intelligence data.
Step S203, auxiliary information of the first network security intelligence is obtained from the plurality of data sources respectively, the auxiliary information including at least one of: IP location, sub-domain names associated with the domain name, filing (registration) information of the domain name, and domain names associated with the IP; the auxiliary information is then matched against a preset whitelist library.
Step S204, if the auxiliary information is not matched in the preset whitelist library, the feature information of the first network security intelligence is processed by the network security intelligence confidence evaluation model to obtain the first confidence corresponding to that feature information; if the auxiliary information is matched in the preset whitelist library, the first network security intelligence is marked as safe (non-threat) intelligence.
Step S205, the feature information of the first network security intelligence is processed by the network security intelligence confidence evaluation model to obtain the first confidence of the first network security intelligence, where the model is a machine learning model trained to evaluate, from the feature information of network security intelligence, the confidence that it is threat intelligence.
Step S206, a second confidence is acquired, the second confidence comprising at least one of: a third confidence determined by a malicious file in the feature information of the first network security intelligence, a fourth confidence determined by whether the first network security intelligence can be matched in a preset intelligence library, and a fifth confidence determined by the discovery time in the feature information of the first network security intelligence.
In some of these embodiments, obtaining the second confidence includes at least one of: running a malicious file from the feature information of the first network security intelligence in a preset sandbox and determining the third confidence of the first network security intelligence according to whether the malicious file exhibits malicious communication behaviour; matching the first network security intelligence in a preset intelligence library and determining the fourth confidence according to the matching result; and determining the fifth confidence according to the discovery time in the feature information of the first network security intelligence and whether the first network security intelligence is expired (failure) intelligence.
In this embodiment, the confidence of the first network security intelligence is obtained from four aspects. For example, the first confidence may be set to 0.4 when the network security intelligence confidence evaluation model judges the first network security intelligence to be threatening, and to 0 when the model judges it not to be threatening.
The malicious file in the feature information of the first network security intelligence may be run in the simulated environment of the preset sandbox; the third confidence is set to 1.0 when the malicious file is observed to initiate malicious communication behaviour and to 0 when no such behaviour is observed.
The first network security intelligence may be matched in a preset intelligence library, which may be a library provided by an open source intelligence vendor, for example the online virus-scanning website VirusTotal. The fourth confidence is set to 0.4 when the first network security intelligence is found in the preset intelligence library and to 0 when it is not.
Whether the first network security intelligence is expired (failure) intelligence may be judged from the discovery time in its feature information. For example, when the time since discovery exceeds the preset time and the first, third and fourth confidences of the first network security intelligence are all 0, the intelligence is marked as expired and its fifth confidence is set to 0.2; when the intelligence is still valid, the fifth confidence is set to 0.4.
Step S207, determining whether the first network security information is threat information according to the first confidence level and the second confidence level.
In some embodiments, judging whether the first network security intelligence is threat intelligence according to the first and second confidences includes: determining the weighted sum of the first confidence and the second confidence to obtain a sixth confidence of the first network security intelligence; and, when the sixth confidence is higher than a preset value, judging the first network security intelligence to be threat intelligence.
In this embodiment the second confidence may be the sum of the third, fourth and fifth confidences. Continuing the example above, when the first confidence is 0.4, the third 1.0, the fourth 0.4 and the fifth 0.4, the second confidence equals 2.2. A weighted sum of the first and second confidences then gives the sixth confidence, for example 0.4 + 2.2 × 50% = 1.5; with a preset value of 1, the sixth confidence 1.5 is greater than 1 and the first network security intelligence is judged to be threat intelligence.
In other embodiments the preset value may be another value such as 2 or 3, and the weight may be changed accordingly; for example, with a weight of 80% the sixth confidence is 0.4 + 2.2 × 80%, and since 3.16 is greater than 2 the first network security intelligence is judged to be threat intelligence.
In other embodiments, the first confidence and the second confidence may simply be added to obtain the sixth confidence.
In other embodiments, a first, second and third preset value may also be set, for example 1, 0.6 and 0.4 respectively: when the sixth confidence is greater than or equal to 1, the first network security intelligence is judged to be threat intelligence; when it is greater than or equal to 0.6 and less than 1, medium-level threat intelligence; and when it is less than or equal to 0.4, low-level threat intelligence.
Step S208, under the condition that the first network security information is threat information, storing the first network security information into a threat information database.
Through steps S201 to S208, multiple confidence evaluations are performed on the first network security intelligence to obtain its first, third, fourth and fifth confidences; the second confidence is obtained as the sum of the third, fourth and fifth confidences; the sixth confidence is obtained as the weighted sum of the first and second confidences; and whether the first network security intelligence is threat intelligence is judged from the sixth confidence. Evaluating confidence from several dimensions avoids misjudgment in the threat level detection of the first network security intelligence and further improves its accuracy.
This embodiment also provides a device for detecting the threat level of network security intelligence, used to implement the above embodiments and preferred embodiments; details already described are not repeated. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
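The pipeline of steps S201 to S208, as an added Python example that is not the patent's or the applicant's own code. It standardizes two constructed feed records with different field layouts into one schema, merges their features, applies the whitelist gate on auxiliary information, combines the first, third, fourth and fifth confidences into the second and sixth confidences with the weighted sum of step S207, and applies the three-level grading. The feed layouts, the whitelist entry, the 90-day expiry window standing in for the "preset time", and the weights are assumptions; the model verdict, sandbox result and intelligence-library lookup are passed in as booleans because they come from external systems the page does not specify. The code follows the definition given in the text (second confidence = third + fourth + fifth), so for the example values 0.4, 1.0, 0.4 and 0.4 it yields a second confidence of 1.8 and, at a weight of 50%, a sixth confidence of 1.3, which is still above the preset value of 1.

```python
"""Added example, not the patent's own code: a minimal pipeline following
steps S201 to S208. Feed layouts, the whitelist entry, the 90-day expiry
window and the weights are constructed assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Step S201: two constructed feeds, each with its own field names.
FEED_A = [{"ioc": "203.0.113.7", "seen": "2024-05-01T10:00:00Z",
           "sample_sha256": "<placeholder-sha256>"}]
FEED_B = [{"indicator": "203.0.113.7", "first_seen": "2024-04-28 09:30:00",
           "ip_location": "XX"}]

# Constructed whitelist of auxiliary information (step S203), e.g. an IP
# location that belongs to the organisation's own infrastructure.
WHITELIST = {("ip_location", "corp-dc-1")}

WEIGHT_SECOND = 0.5              # weight on the second confidence (S207)
PRESET_VALUE = 1.0               # threat threshold used in the page example
EXPIRY_AGE = timedelta(days=90)  # assumed "preset time" for expired intelligence


@dataclass
class Intelligence:
    """Integrated feature information of one indicator (S202/S203)."""
    value: str
    discovery_time: datetime
    sources: set = field(default_factory=set)
    malicious_file: Optional[str] = None
    auxiliary: dict = field(default_factory=dict)


def _parse_time(text: str) -> datetime:
    """Accept the two timestamp layouts used by the feeds; normalise to UTC."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp {text!r}")


def standardize(feed_a: list, feed_b: list) -> dict:
    """S202 + S203: map each feed onto one schema and merge the features of
    the same indicator; the earliest discovery time is kept."""
    items: dict = {}
    for rec in feed_a:
        seen = _parse_time(rec["seen"])
        it = items.setdefault(rec["ioc"], Intelligence(rec["ioc"], seen))
        it.sources.add("feed_a")
        it.malicious_file = rec.get("sample_sha256")
        it.discovery_time = min(it.discovery_time, seen)
    for rec in feed_b:
        seen = _parse_time(rec["first_seen"])
        it = items.setdefault(rec["indicator"], Intelligence(rec["indicator"], seen))
        it.sources.add("feed_b")
        it.auxiliary["ip_location"] = rec.get("ip_location")
        it.discovery_time = min(it.discovery_time, seen)
    return items


def assess(item: Intelligence, *, model_says_threat: bool, sandbox_malicious_comms: bool,
           matched_in_library: bool, now: datetime,
           weight: float = WEIGHT_SECOND, preset: float = PRESET_VALUE) -> dict:
    """S204 to S207: whitelist gate, then the individual confidences and the
    weighted sixth confidence. Model verdict, sandbox result and library
    lookup arrive as booleans from external systems."""
    if any((k, v) in WHITELIST for k, v in item.auxiliary.items()):
        return {"verdict": "safe", "sixth": 0.0, "expired": False}
    c1 = 0.4 if model_says_threat else 0.0                                  # model (S205)
    c3 = 1.0 if (item.malicious_file and sandbox_malicious_comms) else 0.0  # sandbox
    c4 = 0.4 if matched_in_library else 0.0                                 # library match
    expired = (now - item.discovery_time) > EXPIRY_AGE and c1 == c3 == c4 == 0.0
    c5 = 0.2 if expired else 0.4                                            # discovery time
    c2 = c3 + c4 + c5                                                       # second confidence
    c6 = round(c1 + c2 * weight, 4)                                         # sixth confidence
    return {"verdict": "threat" if c6 > preset else "not_threat", "sixth": c6,
            "expired": expired, "parts": (c1, c3, c4, c5)}


def grade(sixth: float) -> str:
    """Three-level grading from the page: >=1 threat, [0.6, 1) medium, <=0.4 low."""
    if sixth >= 1.0:
        return "high"
    if sixth >= 0.6:
        return "medium"
    if sixth <= 0.4:
        return "low"
    return "unclassified"  # the page assigns nothing to the interval (0.4, 0.6)


def detect(now_text: str, **flags) -> dict:
    """Run S201 to S208 over the constructed feeds; returns every indicator's
    result with its grade. The threat database (S208) is the 'threat' subset."""
    now = _parse_time(now_text)
    results = {}
    for value, item in standardize(FEED_A, FEED_B).items():
        res = assess(item, now=now, **flags)
        res["grade"] = grade(res["sixth"])
        results[value] = res
    return results


if __name__ == "__main__":
    out = detect("2024-05-10 00:00:00", model_says_threat=True,
                 sandbox_malicious_comms=True, matched_in_library=True)
    threat_db = {v: r for v, r in out.items() if r["verdict"] == "threat"}  # S208
    print(threat_db)
```

The expiry rule is deliberately applied only when the first, third and fourth confidences are all zero, exactly as the text states, so an old indicator that the model, sandbox or library still flags keeps the full fifth confidence of 0.4 rather than being aged out.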
Fig. 3 is a block diagram of an apparatus for detecting threat level of network security information according to an embodiment of the present application, and as shown in fig. 3, the apparatus includes: an obtaining module 30, configured to obtain network security intelligence data from multiple data sources; the integration module 31 is used for extracting the characteristics of a plurality of network security information from the network security information data and integrating the characteristics of first network security information in the plurality of network security information to obtain the characteristic information of the first network security information; the evaluation module 32 is used for processing the characteristic information of the first network security information through the network security information confidence evaluation model to obtain a first confidence of the first network security information, wherein the network security information confidence evaluation model is a machine learning model which is trained to evaluate the confidence of the threat information of the network security information according to the characteristic information of the network security information; the judging module 33 is used for judging whether the first network security information is threat information at least according to the first confidence coefficient; the storage module 34 is configured to store the first network security information into the threat information database when the first network security information is threat information.
In one embodiment, the evaluation module 32 is configured to obtain the auxiliary information of the first network security intelligence from a plurality of data sources, respectively, wherein the auxiliary information includes at least one of: IP position, associated sub domain name of the domain name, filing information of the domain name, IP associated domain name information; matching auxiliary information in a preset white list library; and under the condition that the auxiliary information is not matched in the preset white list library, processing the characteristic information of the first network security information through a network security information confidence evaluation model to obtain a first confidence corresponding to the characteristic information of the first network security information.
In one embodiment, the evaluation module 32 is further configured to mark the first network security intelligence as safe (non-threat) intelligence if the auxiliary information is matched in the preset whitelist library.
In one embodiment, the determining module 33 is configured to obtain a second confidence level, and the second confidence level includes at least one of: a third confidence coefficient determined by a malicious file in the characteristic information of the first network security intelligence, a fourth confidence coefficient determined by whether the first network security intelligence can be matched in a preset intelligence library, and a fifth confidence coefficient determined by the discovery time in the characteristic information of the first network security intelligence; and judging whether the first network security information is threat information or not according to the first confidence coefficient and the second confidence coefficient.
In one embodiment, the determining module 33 is further configured to run a malicious file from the feature information of the first network security intelligence in a preset sandbox and determine the third confidence of the first network security intelligence according to whether the malicious file exhibits malicious communication behaviour; to match the first network security intelligence in a preset intelligence library and determine the fourth confidence according to the matching result; and to determine the fifth confidence according to the discovery time in the feature information of the first network security intelligence and whether the first network security intelligence is expired (failure) intelligence.
In one embodiment, the determining module 33 is further configured to determine a weighted sum of the first confidence level and the second confidence level, resulting in a sixth confidence level of the first network security intelligence; and under the condition that the sixth confidence coefficient of the first network security information is higher than the preset value, determining the first network security information as threat information.
In one embodiment, the apparatus further comprises a standardization module, wherein the standardization module is configured to standardize the network security intelligence data to obtain standardized network security intelligence data.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
The present embodiment also provides an electronic device comprising a memory 404 and a processor 402, the memory 404 having a computer program stored therein, the processor 402 being configured to execute the computer program to perform the steps of any of the above-described method embodiments.
Specifically, the processor 402 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present application.
Memory 404 may include, among other things, mass storage for data or instructions. By way of example and not limitation, memory 404 may include a Hard Disk Drive (HDD), a floppy disk drive, a Solid State Drive (SSD), flash memory, an optical disk, a magneto-optical disk, tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 404 may include removable or non-removable (fixed) media where appropriate, and may be internal or external to the data processing apparatus where appropriate. In a particular embodiment, memory 404 is non-volatile memory. In particular embodiments, memory 404 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), Electrically rewritable ROM (EAROM), or flash memory, or a combination of two or more of these, where appropriate. The RAM may be Static Random-Access Memory (SRAM) or Dynamic Random-Access Memory (DRAM), where the DRAM may be Fast Page Mode DRAM (FPMDRAM), Extended Data Output DRAM (EDODRAM), Synchronous DRAM (SDRAM), and the like.
Memory 404 may be used to store or cache various data files for processing and/or communication use, as well as possibly computer program instructions for execution by processor 402.
The processor 402 reads and executes the computer program instructions stored in the memory 404 to implement any of the above-described methods for detecting network security threat.
Optionally, the electronic apparatus may further include a transmission device 406 and an input/output device 408, where the transmission device 406 is connected to the processor 402, and the input/output device 408 is connected to the processor 402.
Optionally, in this embodiment, the processor 402 may be configured to execute the following steps by means of a computer program:
S1, obtaining network security intelligence data from a plurality of data sources.
S2, extracting the features of a plurality of network security intelligence items from the network security intelligence data, and integrating the features of the first network security intelligence among them to obtain the feature information of the first network security intelligence.
S3, processing the feature information of the first network security intelligence through the network security intelligence confidence evaluation model to obtain the first confidence of the first network security intelligence, where the model is a machine learning model trained to evaluate, from the feature information of network security intelligence, the confidence that it is threat intelligence.
S4, judging, at least according to the first confidence, whether the first network security intelligence is threat intelligence.
S5, storing the first network security intelligence in the threat intelligence database when it is threat intelligence.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In addition, in combination with the method for detecting the threat level of network security intelligence in the above embodiments, the embodiments of the present application may provide a storage medium having a computer program stored thereon; when executed by a processor, the computer program implements any one of the above-described methods for detecting the threat level of network security intelligence.
It should be understood by those skilled in the art that various features of the above embodiments can be combined arbitrarily, and for the sake of brevity, all possible combinations of the features in the above embodiments are not described, but should be considered as within the scope of the present disclosure as long as there is no contradiction between the combinations of the features.
The above examples are merely illustrative of several embodiments of the present application, and the description is more specific and detailed, but not to be construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A network security information threat degree detection method is characterized by comprising the following steps:
acquiring network security intelligence data from a plurality of data sources;
extracting the characteristics of a plurality of network security intelligence items from the network security intelligence data, and integrating the characteristics of first network security intelligence among the plurality of network security intelligence items to obtain the characteristic information of the first network security intelligence;
processing the characteristic information of the first network security information through a network security information confidence evaluation model to obtain a first confidence of the first network security information, wherein the network security information confidence evaluation model is a machine learning model which is trained to evaluate the confidence of the threat information of the network security information according to the characteristic information of the network security information;
judging whether the first network security intelligence is threat intelligence or not at least according to the first confidence coefficient;
and storing the first network security information to a threat information database under the condition that the first network security information is threat information.
2. The method of claim 1, wherein processing the characteristic information of the first cyber-security intelligence through a cyber-security intelligence confidence level evaluation model to obtain a first confidence level of the first cyber-security intelligence comprises:
obtaining auxiliary information of the first network security intelligence from the plurality of data sources respectively, wherein the auxiliary information includes at least one of: IP position, associated sub domain name of the domain name, filing information of the domain name, IP associated domain name information;
matching the auxiliary information in a preset white list library;
and under the condition that the auxiliary information is not matched in the preset white list library, processing the characteristic information of the first network security information through a network security information confidence evaluation model to obtain a first confidence corresponding to the characteristic information of the first network security information.
3. The method of detecting network security intelligence threat of claim 2, further comprising:
and under the condition that the auxiliary information is matched in the preset white list library, marking the first network security intelligence as security intelligence.
4. The method of claim 1, wherein determining whether the first cyber-security intelligence is threat intelligence based on at least the first confidence level comprises:
obtaining a second confidence level, the second confidence level comprising at least one of: a third confidence coefficient determined by a malicious file in the characteristic information of the first network security intelligence, a fourth confidence coefficient determined by whether the first network security intelligence can be matched in a preset intelligence library, and a fifth confidence coefficient determined by the discovery time in the characteristic information of the first network security intelligence;
and judging whether the first network security intelligence is threat intelligence or not according to the first confidence coefficient and the second confidence coefficient.
5. The method of claim 4, wherein obtaining the second confidence level comprises at least one of:
running a malicious file in the characteristic information of the first network security intelligence in a preset sandbox, and determining a third confidence coefficient of the first network security intelligence according to whether a malicious communication behavior exists in the malicious file;
matching the first network security information in a preset information library, and determining a fourth confidence coefficient of the first network security information according to a matching result;
and determining a fifth confidence coefficient of the first network security intelligence according to the discovery time in the feature information of the first network security intelligence and whether the first network security intelligence is expired (failure) intelligence.
6. The method of claim 4, wherein determining whether the first cyber-security intelligence is threat intelligence based on the first confidence level and the second confidence level comprises:
determining a weighted sum of the first confidence coefficient and the second confidence coefficient to obtain a sixth confidence coefficient of the first network security intelligence;
and under the condition that the sixth confidence of the first network security information is higher than a preset value, determining the first network security information as threat information.
7. The method of any of claims 1-6, wherein after obtaining network security intelligence data from a plurality of data sources, the method further comprises:
and standardizing the network security information data to obtain standardized network security information data.
8. A detection device for network security information threat degree is characterized by comprising:
the acquisition module is used for acquiring network security intelligence data from a plurality of data sources;
the integration module is used for extracting the characteristics of a plurality of network security intelligence items from the network security intelligence data and integrating the characteristics of first network security intelligence among the plurality of network security intelligence items to obtain the characteristic information of the first network security intelligence;
the evaluation module is used for processing the characteristic information of the first network security information through a network security information confidence evaluation model to obtain a first confidence coefficient of the first network security information, wherein the network security information confidence coefficient evaluation model is a machine learning model which is trained to evaluate the confidence coefficient of threat information of the network security information according to the characteristic information of the network security information;
the judging module is used for judging whether the first network security information is threat information or not at least according to the first confidence coefficient;
and the storage module is used for storing the first network security information to a threat information database under the condition that the first network security information is threat information.
9. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the method for detecting network security information threat according to any one of claims 1 to 7.
10. A storage medium having a computer program stored thereon, wherein the computer program is configured to execute the method for detecting network security threat as claimed in any one of claims 1 to 7 when the computer program is run.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010782330.6A CN112019519B (en) 2020-08-06 2020-08-06 Method and device for detecting threat degree of network security information and electronic device


Publications (2)

Publication Number Publication Date
CN112019519A true CN112019519A (en) 2020-12-01
CN112019519B CN112019519B (en) 2023-04-07

Family

ID=73500074


Country Status (1)

Country Link
CN (1) CN112019519B (en)

Acharya et al. Detecting malware, malicious URLs and virus using machine learning and signature matching
CN112769803A (en) Network threat detection method and device and electronic equipment
US11423099B2 (en) Classification apparatus, classification method, and classification program
CN111371757A (en) Malicious communication detection method and device, computer equipment and storage medium
US20170206619A1 (en) Method for managing violation incident information and violation incident management system and computer-readable recording medium
CN111970262B (en) Method and device for detecting third-party service enabling state of website and electronic device
CN114363002B (en) Method and device for generating network attack relation diagram
CN115001724B (en) Network threat intelligence management method, device, computing equipment and computer readable storage medium
CN113992371B (en) Threat label generation method and device for traffic log and electronic equipment
Kergl et al. Detection of zero day exploits using real-time social media streams
Alamleh et al. Machine Learning-Based Detection of Smartphone Malware: Challenges and Solutions

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant