CN113162953B - Network threat message detection and source tracing evidence obtaining method and device - Google Patents

Network threat message detection and source tracing evidence obtaining method and device Download PDF

Info

Publication number
CN113162953B
CN113162953B CN202110640273.2A CN202110640273A CN113162953B CN 113162953 B CN113162953 B CN 113162953B CN 202110640273 A CN202110640273 A CN 202110640273A CN 113162953 B CN113162953 B CN 113162953B
Authority
CN
China
Prior art keywords
message
network threat
metadata
suspected
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110640273.2A
Other languages
Chinese (zh)
Other versions
CN113162953A (en
Inventor
王利宝
唐开达
陈虎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Juming Network Technology Co ltd
Original Assignee
Nanjing Juming Network Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Juming Network Technology Co ltd filed Critical Nanjing Juming Network Technology Co ltd
Priority to CN202110640273.2A priority Critical patent/CN113162953B/en
Publication of CN113162953A publication Critical patent/CN113162953A/en
Application granted granted Critical
Publication of CN113162953B publication Critical patent/CN113162953B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/241Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/243Classification techniques relating to the number of classes
    • G06F18/24323Tree-organised classifiers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/142Network analysis or design using statistical or mathematical methods
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Evolutionary Computation (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Algebra (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Pure & Applied Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method, a device, equipment and a storage medium for detecting and tracing a network threat message and obtaining evidence. A detection and source tracing evidence obtaining method for network threat message includes: judging whether the received message is a network threat message or not according to a network threat message information library synchronized with a cloud information platform; and if the message is a network threat message, sending out safety alarm information. The method improves the identification capability of the network threat message and improves the safety.

Description

Network threat message detection and source tracing evidence obtaining method and device
Technical Field
The application relates to the technical field of computers, in particular to a network threat message detection and source tracing evidence obtaining method and device.
Background
With the development of intelligence technology, many security detection products at home and abroad incorporate intelligence analysis into a network threat analysis model. In the prior art, the information is difficult to find out as network threat information, so that enterprises, institutions and other units are often attacked by hackers to cause network insecurity, and the message lacks of an identification capability.
Disclosure of Invention
The main objective of the present application is to provide a method and an apparatus for detecting a network threat packet and tracing to source for evidence obtaining, so as to solve the above problems.
In order to achieve the above object, according to an aspect of the present application, a method for detecting a network threat packet and tracing to source and forensics is provided, including:
judging whether the received message is a network threat message or not according to a network threat message information library synchronized with a cloud information platform;
and if the network threat message is determined, sending out safety alarm information.
In one embodiment, the intelligence library includes a first recognition model, a second recognition model and an intelligence list that are trained in advance;
judging whether the received message is a network threat message according to a preset information library, comprising the following steps:
obtaining metadata of the message, wherein the metadata comprises: a first type of metadata, a second type of metadata, and a third type of metadata;
judging whether the third type metadata is matched with the feature data in the intelligence list or not;
if yes, inputting the first type of metadata into a first recognition model to obtain a first recognition result;
if the first recognition result is greater than a predetermined first recognition threshold;
inputting the second type of metadata into a second recognition model to obtain a second recognition result;
if the second recognition result is greater than a predetermined second recognition threshold;
an alarm message is sent.
In one embodiment, after sending the security alarm information, the method further comprises:
sending a notification message to an intelligence platform so that the intelligence platform generates a traceability report of the network threat message according to the notification message;
receiving a traceability report sent by the intelligence platform;
the traceability report comprises one or more of the following: information sources, information related reports, communication samples, sandbox detection results and information development processes; the intelligence development process specifically comprises the following steps: organization of the attacker, recent activation time, recent attack target, recently adopted attack.
In one embodiment, the method further comprises: and synchronously updating the network threat message information base with an information platform in real time.
In a second aspect, a network threat message detection and source tracing evidence obtaining method is applied to a cloud intelligence platform, and the method includes:
receiving a notification message which is sent by a detection device and used for finding a network threat message, wherein the detection device finds the network threat message according to a network threat message information library which is synchronous with the information platform;
the content of the notification message includes: the user identification, attack time and attack means of the detection device belong to;
supplementing the content of the notification message into an intelligence development process record table and generating a traceability report of the network threat message;
and sending the source tracing report to the detection device.
In one embodiment, before receiving a discovery network threat message notification message sent by a detection device, the method further includes:
acquiring a first set of suspected network threat messages from each website information platform;
screening the credibility of the first set of the suspected network threat messages to obtain a second set of the suspected network threat messages, wherein the range of the second set is smaller than that of the first set;
and performing parameter screening on the second set of the suspected network threat messages to obtain a third set of the suspected network threat messages, wherein the range of the third set is smaller than that of the second set.
In one embodiment, screening the first set of suspected cyber-threat messages for trustworthiness to obtain a second set of suspected cyber-threat messages includes:
for any suspected cyber-threat message in the first set of suspected cyber-threat messages,
calculating the credibility of the suspected network threat message;
if the credibility of the suspected network threat message is greater than a preset threshold of the credibility of the suspected network threat message;
adding the suspected network threat message to the second set;
performing parameter screening on the second set of suspected network threat messages to obtain a third set of suspected network threat messages, including:
for any suspected network threat message in the second set, obtaining relevant parameters of the suspected network threat message, wherein the relevant parameters comprise a communication message sample, a domain name and a file sample;
further screening the suspected network threat message according to the related parameters;
and adding the screened suspected network threat message into the third set.
In one embodiment, the further screening of the suspected cyber-threat message according to the relevant parameter includes:
respectively acquiring a communication message sample, a domain name and a file sample of the suspected network threat message;
and respectively sending the communication message sample, the domain name and the file sample to corresponding detection equipment for detection, and receiving a detection result returned by the corresponding detection equipment.
In one embodiment, calculating the credibility of the suspected cyber threat message includes:
counting the number m of website information platforms reporting the suspected network threat message;
calculating a proportional value K = m/n;
wherein K is the credibility and n is the total number of the website information platforms.
In order to achieve the above object, according to a third aspect of the present application, there is provided a network threat message detection apparatus; the device includes:
the judging module is used for judging whether the received message is a network threat message according to a network threat message information library synchronized with the cloud information platform;
and the sending module is used for sending out safety alarm information if the judging module determines that the message is a network threat message.
In order to achieve the above object, according to a fourth aspect of the present application, there is provided an electronic apparatus; comprising at least one processor and at least one memory; the memory is to store one or more program instructions; the processor is configured to execute one or more program instructions to perform any of the above steps.
According to a fifth aspect of the present application, there is provided a computer readable storage medium having one or more program instructions embodied therein for performing the steps of any one of the methods described above.
According to the technical scheme, whether the received message is the network threat message or not is judged according to the network threat message information library synchronized with the cloud information platform; if the network threat message is determined, sending safety alarm information; the method greatly improves the safety of the users such as enterprises and the like.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, serve to provide a further understanding of the application and to enable other features, objects, and advantages of the application to be more apparent. The drawings and their description illustrate the embodiments of the invention and do not limit it. In the drawings:
fig. 1 is a flowchart of a network threat message detection and source tracing forensics method according to an embodiment of the present application;
fig. 2 is a flowchart of another network threat message detection and source tracing forensics method according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a network threat message detection apparatus according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of another network threat message detection apparatus according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be used. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
Data centers and servers of enterprises, institutions, units and the like often or frequently receive externally accessed data messages, and if the messages have network threat, once the messages are accessed, serious loss is caused to the enterprises. In the prior art, no effective method for identifying the network threat message exists in the aspect of detecting the network threat message.
Based on this, the application provides an attack detection and source tracing evidence obtaining method based on threat intelligence analysis and source tracing evidence obtaining, referring to a flow diagram of a network threat message detection and source tracing evidence obtaining method shown in fig. 1; the network security monitoring equipment applied to the user can be an enterprise, an organization, a data center and other units or individuals needing to protect data security, and the method comprises the following steps:
step S102, judging whether the received message is a network threat message according to a network threat message information library synchronized with a cloud information platform;
specifically, the main body of the method may be a detection device dedicated to network security of a unit in each enterprise, organization, or unit, and the detection device may be a server. And the server receives the externally accessed message and performs detection. And a special acquisition device can be arranged to specially acquire the external message.
And step S104, if the network threat message is a network threat message, sending out safety alarm information.
Besides sending out safety alarm information locally, the method also sends notification information to the intelligence platform, and the intelligence platform can trace the source and generate a tracing report after receiving the information.
It is worth emphasizing that the network threat message intelligence library is generated for the intelligence platform and synchronized to the detection device. The information platform can construct an information base by using the advantage of comprehensive data, thereby improving the distinguishing capability of the detection device and better distinguishing the messages from the attackers.
The method of the invention uses the network threat message intelligence library to judge whether the received intelligence message is safe or not. The ability to discover malicious attackers is improved. If not, alarm information is sent out in time, so that the safety of the user is improved.
In one embodiment, step S104, the determining, by the detecting device, whether the received message is safe according to a network threat message information library synchronized with a cloud information platform includes:
step S201, obtaining metadata of the message;
wherein the metadata comprises a first type of metadata, a second type of metadata and a third type of metadata;
the first type of metadata may be communication metadata, and the communication metadata includes one or more of the following: duration, packet average size, total number of bytes, protocol, application protocol, encryption suite, extension length, extension type.
The second type of metadata is file metadata, wherein the file metadata includes one or more of the following: file hash value, file byte distribution, sliding window byte entropy, printable strings, import API, export API, mutex.
The third type of metadata is intelligence metadata; the intelligence metadata includes one or more of: source address, destination port, domain name, file hash, protocol, application protocol.
The intelligence library comprises a first recognition model, a second recognition model and an intelligence list which are trained in advance;
the first recognition model is a Support Vector Machine (SVM) model.
Specifically, sample data of a large amount of communication metadata is obtained; there are communication metadata of security messages and also communication metadata of network threat messages.
Illustratively, when the SVM model is trained, inputting the acquired communication metadata determining that the network threat message is the network threat message into the model, identifying the SVM model, ending training of the SVM model if the output probability is greater than a predetermined probability value, for example, the predetermined probability value is 0.9, and adjusting parameters in the SVM model if the output probability value of the SVM model is less than 0.9 until the output probability value is greater than 0.9.
The second recognition model is a lightgbm model. The types of training method and SVM training method are not described in detail.
Step S202, judging whether the third type metadata is matched with the feature data in the intelligence list; if so, executing step S204;
step S204, inputting the first type metadata into a first recognition model to obtain a first recognition result;
step S206, judging whether the first identification result is larger than a preset first identification threshold value; if yes, go to step S208;
step S208, inputting the second type metadata into a second recognition model to obtain a second recognition result;
for example, the first recognition threshold may be 0.9, and the second recognition threshold may be 0.8; the setting can be flexibly set, and the application is not limited.
Step S210, judging whether the second identification result is larger than a preset second identification threshold value; if yes, go to step S212;
specifically, each metadata in the third type metadata is compared with the feature data in the information list one by one, and if the metadata in the third type metadata are the same, the matching is performed, and the message hit information list is determined. The message has a network threat. Or when the matching number reaches a preset proportion threshold value, the message is also determined to be hit, and the message to be identified is determined to be a network threat message. The proportional threshold may be 0.8, and may be flexibly set, and is not particularly limited.
Step S212, reporting the hit to the information platform so that the information platform can supplement the information to the attack situation of the information development process.
In one embodiment, after sending the security alarm information, the method further includes: sending a notification message to an intelligence platform so that the intelligence platform generates a traceability report of the network threat message according to the notification message; receiving a traceability report sent by the intelligence platform; the traceability report comprises: an initiator of the cyber threat message, a set of recent attack targets of the initiator. The detection equipment sends a notification message to the intelligence platform and receives the traceability report of the network threat message generated by the intelligence platform.
Specifically, after receiving the notification message, the information platform generates an information evidence obtaining traceability report; and feeding back the generated intelligence forensics traceability report to the detection equipment and other detection equipment.
The intelligence evidence obtaining source tracing comprises one or more of the following: information sources corresponding to the information, information related reports, communication samples, sandbox detection results and information development processes; wherein, the intelligence development process comprises: organization of attackers, recent activity, recent attack targets, and recent attacked situation.
The relevant reports may be several informative lists, and an exemplary, foreign organization reports a certain network attack event. A special field is used to record the source of the intelligence.
The method of the invention firstly adopts the information list to filter, if the information list passes the filtering, the first identification model identifies the message with the problem of the communication metadata, and the second filtering is carried out; and finally, the second recognition model can recognize the message with the problem of the file metadata, and the third filtering is carried out. Finally, the message network threat is determined, and an alarm is given.
In one embodiment, the method further comprises: and synchronously updating the network threat message information base with an information platform in real time.
Specifically, the cloud-side information platform updates the information base in real time or periodically updates the information base, the period can be 1 hour, and the information platform synchronizes the updated information base to each detection device.
According to a second aspect of the present invention, the present application further provides a network threat message detection and source tracing and forensics method, which is applied to a cloud intelligence platform with reference to a flow chart of another network threat message detection and source tracing and forensics method shown in fig. 2, and the method includes:
step S302, receiving a notification message of a network threat discovery message sent by a detection device; the detection device finds the network threat message according to the network threat message information base synchronous with the information platform. The network threat intelligence base is generated by the intelligence platform and is updated synchronously with each detection device. The detection device may be a terminal device responsible for network security located at each unit or individual.
The content of the notification message includes: the user identification, attack time and attack means of the detection device belong to; and step S304, supplementing the content of the network threat message notification message into an intelligence development history record table and generating a traceability report of the network threat message.
Wherein, a special field is set in the information database to record the information record in the latest period of time;
for example, university A suffers from a cyber attack X months and X days in X years; university B's network is exposed to network attacks X months and X days in X years.
Step S306, sending the source tracing report to the detection apparatus.
According to the method, the information platform generates the network threat message information library, and the information library is synchronous with the detection device, so that the detection device of each terminal responsible for network security can identify and judge the network threat message according to the information library, and the identification capability is improved.
In one embodiment, before receiving a discovery network threat message notification message sent by a detection device, the method further includes:
acquiring a first set of suspected network threat messages from each website information platform;
screening the credibility of the first set of the suspected network threat messages to obtain a second set of the suspected network threat messages, wherein the range of the second set is smaller than that of the first set;
and performing parameter screening on the second set of the suspected network threat messages to obtain a third set of the suspected network threat messages, wherein the range of the third set is smaller than that of the second set.
In one embodiment, screening the first set of suspected cyber-threat messages for trustworthiness to obtain a second set of suspected cyber-threat messages includes:
for any suspected cyber-threat message in the first set of suspected cyber-threat messages,
calculating the credibility of the suspected network threat message;
if the credibility of the suspected network threat message is greater than a preset threshold of the credibility of the suspected network threat message;
adding the suspected network threat message to the second set;
performing parameter screening on the second set of suspected network threat messages to obtain a third set of suspected network threat messages, including:
for any suspected network threat message in the second set, obtaining relevant parameters of the suspected network threat message, wherein the relevant parameters comprise a communication message sample, a domain name and a file sample;
further screening the suspected network threat message according to the related parameters;
and adding the screened suspected network threat message into the third set.
Illustratively, 5000 IP addresses are in the set, a communication sample of each IP address is obtained, 5000 communication samples are obtained, and the 5000 communication samples are sent to related detection equipment, wherein the detection equipment can be a flow analysis product, performs detection, and receives a message returned by the flow analysis product. For example, it is detected that there are malicious behaviors in 2000 communication packet samples, and the corresponding IP address is a black IP address, that is, a network threat IP address. After the second round of screening, the range of the set is reduced.
Aiming at the condition of the black domain name, a cloud sandbox is adopted to detect the threat; specifically, 5000 domain names in the set are sent to the cloud sandbox for detection, detection results sent by the cloud sandbox are received, 2000 of the detection results are black domain names, 3000 domain names are screened out, the range of the set is narrowed,
and (3) extracting a sample file from the intelligence aiming at the hash value of the black file, and adopting a malicious file scanner and a sandbox detector to threaten. Specifically, 5000 file samples exist in the set, 5000 file samples are sent to a scanner for scanning detection, returned results are received, 3000 files are screened out, 2000 files are left, and the range of the set is reduced.
In one embodiment, the further screening of the suspected cyber-threat message according to the relevant parameter includes:
respectively acquiring a communication message sample, a domain name and a file sample of the suspected network threat message;
and respectively sending the communication sample, the domain name and the sample file of the IP address to corresponding detection equipment for detection, and receiving a detection result returned by the corresponding detection equipment.
In one embodiment, calculating the credibility of the suspected cyber threat message includes:
counting the number m of website information platforms reporting the suspected network threat message;
calculating a proportional value K = m/n;
wherein K is the credibility and n is the total number of the website information platforms.
In one embodiment, the method further comprises: and updating the network threat message information base regularly, and synchronizing the updated network threat message information base to each detection device.
According to the technical scheme, the real-time information is collected and cleaned, so that the real-time performance and quality of the information are greatly improved; comprehensive rule matching and machine learning algorithms are adopted, and the information hit quality is improved; the information base is synchronized on line in real time, so that the information real-time performance of the detection equipment is improved; for the generated threat alarm, evidence support is supplemented in a evidence obtaining report mode, and the credibility of the user for information hit is improved
In a third aspect of the present application, the present invention further provides a network threat message detection apparatus, referring to a schematic structural diagram of the network threat message detection apparatus shown in fig. 3, the apparatus is applied to each enterprise, organization, unit, etc. and is used to improve the security of the enterprise, etc., and the apparatus includes:
the judging module 21 is configured to judge whether the received message is a network threat message according to a network threat message information library synchronized with the cloud information platform;
and the alarm module 22 is configured to send out security alarm information if the determination module determines that the network threat packet is a network threat packet.
In one embodiment, the intelligence library includes a first recognition model, a second recognition model and an intelligence list that are trained in advance;
the determining module 21 is further configured to obtain metadata of the packet, where the metadata includes: a first type of metadata, a second type of metadata, and a third type of metadata;
judging whether the third type metadata is matched with the feature data in the intelligence list or not; if yes, inputting the first type of metadata into a first recognition model to obtain a first recognition result;
if the first recognition result is greater than a predetermined first recognition threshold;
inputting the second type of metadata into a second recognition model to obtain a second recognition result;
and if the second recognition result is larger than a preset second recognition threshold value, sending alarm information.
In an implementation manner, the system further includes a sending module 23, configured to send a notification message to an intelligence platform, so that the intelligence platform generates a traceability report of the cyber threat message according to the notification message;
a receiving module 24, configured to receive a traceability report of the network threat packet generated by the detection platform, where the traceability report includes: an initiator of the cyber threat message, a set of recent attack targets of the initiator.
In one embodiment, the system further comprises a synchronization module 25, configured to update the network threat message intelligence library in real time with an intelligence platform.
Specifically, the network threat message intelligence library may be periodically updated.
In a fourth aspect, the present invention further provides another network threat message detection apparatus, which is applied to a cloud intelligence platform, and referring to fig. 4, the apparatus includes:
a receiving module 31, configured to receive a network threat discovery message notification message sent by a detection apparatus; the detection device finds the network threat message according to the network threat message information base synchronous with the information platform;
the content of the notification message includes: the user identification, attack time and attack means of the detection device belong to;
a report generation module 32, configured to supplement the content of the notification message to an intelligence development history record table and generate a traceability report of the network threat message;
a sending module 33, configured to send the source tracing report to a detection device.
In one embodiment, the method further comprises: a collecting module 34, configured to obtain a first set of suspected cyber threat messages from each website information platform before the receiving module receives the message for notifying that a cyber threat message is found and sent by the detection device;
a screening module 35, configured to perform reliability screening on the first set of suspected network threat packets to obtain a second set of suspected network threat packets, where a range of the second set is smaller than a range of the first set; and performing parameter screening on the second set of suspected network threat messages to obtain a third set of suspected network threat messages, wherein the range of the third set is smaller than that of the second set.
In one embodiment, the screening module 35 is further configured to calculate, for any suspected cyber-threat packet in the first set of suspected cyber-threat packets, a reliability of the suspected cyber-threat packet;
if the credibility of the suspected network threat message is greater than a preset threshold of the credibility of the suspected network threat message; adding the suspected network threat message to the second set;
for any suspected network threat message in the second set, obtaining relevant parameters of the suspected network threat message, wherein the relevant parameters comprise a communication message sample, a domain name and a file sample;
further screening the suspected network threat message according to the related parameters;
adding the screened suspected network threat message into a third set;
in an embodiment, the screening module 35 is further configured to obtain a communication packet sample, a domain name, and a file sample of the suspected network threat packet, respectively;
and respectively sending the communication sample of the IP address, the domain name and the sample file of the hash value to corresponding detection equipment for detection, and receiving a detection result returned by the corresponding detection equipment.
In one embodiment, the screening module 35 is further configured to count the number m of website information platforms reporting the suspected cyber threat message;
calculating a proportional value K = m/n;
wherein K is the credibility and n is the total number of the website information platforms.
In one embodiment, the system further includes an updating module 36, configured to periodically update the network threat message information base, and synchronize the updated network threat message information base with each detection device.
According to a fifth aspect of the present application, there is provided an electronic device comprising at least one processor and at least one memory; the memory is to store one or more program instructions; the processor is configured to execute one or more program instructions to perform any of the methods described above.
According to a sixth aspect of the present application, there is also provided a computer readable storage medium having one or more program instructions embodied therein for performing the method of any of the above.
The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The processor reads the information in the storage medium and completes the steps of the method in combination with the hardware.
The storage medium may be a memory, for example, which may be volatile memory or nonvolatile memory, or which may include both volatile and nonvolatile memory.
The nonvolatile Memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash Memory.
The volatile Memory may be a Random Access Memory (RAM) which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), SLDRAM (SLDRAM), and Direct Rambus RAM (DRRAM).
The storage media described in connection with the embodiments of the invention are intended to comprise, without being limited to, these and any other suitable types of memory.
Those skilled in the art will appreciate that the functionality described in the present invention may be implemented in a combination of hardware and software in one or more of the examples described above. When software is applied, the corresponding functionality may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (3)

1. A network threat message detection and source tracing evidence obtaining method is applied to a detection device, and the method comprises the following steps:
judging whether the received message is a network threat message or not according to a network threat message information library synchronized with a cloud information platform;
if the message is a network threat message, sending out safety alarm information;
the intelligence library comprises a first recognition model, a second recognition model and an intelligence list which are trained in advance;
judging whether the received message is a network threat message according to a preset information library, comprising the following steps:
obtaining metadata of the message, wherein the metadata comprises: a first type of metadata, a second type of metadata, and a third type of metadata;
the first type metadata is communication metadata;
the second type of metadata is file metadata;
the third type of metadata is intelligence metadata;
judging whether the third type metadata is matched with the feature data in the intelligence list or not;
if yes, inputting the first type of metadata into a first recognition model to obtain a first recognition result;
if the first recognition result is greater than a predetermined first recognition threshold;
inputting the second type of metadata into a second recognition model to obtain a second recognition result;
if the second recognition result is greater than a predetermined second recognition threshold;
sending alarm information;
after sending the safety alarm information, the method further comprises the following steps:
sending a notification message to the cloud intelligence platform so that the cloud intelligence platform generates a traceability report of the network threat message according to the notification message;
receiving a traceability report sent by the cloud intelligence platform;
the traceability report comprises one or more of the following: information sources, information related reports, communication samples, sandbox detection results and information development processes; the intelligence development process specifically comprises the following steps: organization of an attacker, recent active time, recent attack target, recently adopted attack;
further comprising: and synchronously updating the network threat message information base with the cloud information platform in real time.
2. A network threat message detection and source tracing evidence obtaining method is applied to a cloud intelligence platform, and the method comprises the following steps:
receiving a notification message which is sent by a detection device and used for finding a network threat message, wherein the detection device finds the network threat message according to a network threat message information library which is synchronous with the information platform;
the content of the notification message includes: the user identification, attack time and attack means of the detection device belong to;
supplementing the content of the notification message into an intelligence development process record table and generating a traceability report of the network threat message;
sending the source tracing report to the detection device;
before receiving a message notifying that the network threat is discovered and sent by the detection device, the method further includes:
the method comprises the steps that a first set of suspected network threat messages is obtained from each website information platform through a detection, tracing and evidence obtaining method;
screening the credibility of the first set of the suspected network threat messages to obtain a second set of the suspected network threat messages, wherein the range of the second set is smaller than that of the first set;
performing parameter screening on the second set of suspected network threat messages to obtain a third set of suspected network threat messages, wherein the range of the third set is smaller than that of the second set;
screening the credibility of the first set of suspected network threat messages to obtain a second set of suspected network threat messages, wherein the screening comprises the following steps:
for any suspected cyber-threat message in the first set of suspected cyber-threat messages,
calculating the credibility of the suspected network threat message;
if the credibility of the suspected network threat message is greater than a preset threshold of the credibility of the suspected network threat message;
adding the suspected network threat message to the second set;
performing parameter screening on the second set of suspected network threat messages to obtain a third set of suspected network threat messages, including:
for any suspected network threat message in the second set, obtaining relevant parameters of the suspected network threat message, wherein the relevant parameters comprise a communication message sample, a domain name and a file sample;
further screening the suspected network threat message according to the related parameters;
adding the screened suspected network threat message into a third set;
further screening the suspected network threat message according to the related parameters, comprising:
respectively acquiring a communication message sample, a domain name and a file sample of the suspected network threat message;
respectively sending the communication message sample, the domain name and the file sample to corresponding detection equipment for detection, and receiving a detection result returned by the corresponding detection equipment;
calculating the credibility of the suspected network threat message, including:
counting the number m of website information platforms reporting the suspected network threat message;
calculating a proportional value K which is m/n;
wherein K is the credibility and n is the total number of the website information platforms.
3. A device for detecting a cyber-threat message, comprising:
the judging module is used for judging whether the received message is a network threat message according to a network threat message information library synchronized with the cloud information platform;
the sending module is used for sending out safety warning information if the judging module determines that the message is a network threat message;
the intelligence library comprises a first recognition model, a second recognition model and an intelligence list which are trained in advance;
the judging module is further configured to obtain metadata of the packet, where the metadata includes: a first type of metadata, a second type of metadata, and a third type of metadata;
judging whether the third type metadata is matched with the feature data in the intelligence list or not; if yes, inputting the first type of metadata into a first recognition model to obtain a first recognition result;
if the first recognition result is greater than a predetermined first recognition threshold;
inputting the second type of metadata into a second recognition model to obtain a second recognition result;
if the second recognition result is larger than a preset second recognition threshold value, sending alarm information;
the sending module is used for sending a notification message to the cloud intelligence platform so that the cloud intelligence platform can generate a traceability report of the network threat message according to the notification message;
a receiving module, configured to receive a traceability report of the cyber threat packet generated by the cloud intelligence platform, where the traceability report includes: an initiator of the network threat message, a set of recent attack targets of the initiator;
and the synchronization module is used for synchronously updating the network threat message information library with the cloud information platform in real time.
CN202110640273.2A 2021-06-09 2021-06-09 Network threat message detection and source tracing evidence obtaining method and device Active CN113162953B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110640273.2A CN113162953B (en) 2021-06-09 2021-06-09 Network threat message detection and source tracing evidence obtaining method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110640273.2A CN113162953B (en) 2021-06-09 2021-06-09 Network threat message detection and source tracing evidence obtaining method and device

Publications (2)

Publication Number Publication Date
CN113162953A CN113162953A (en) 2021-07-23
CN113162953B true CN113162953B (en) 2022-02-18

Family

ID=76875820

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110640273.2A Active CN113162953B (en) 2021-06-09 2021-06-09 Network threat message detection and source tracing evidence obtaining method and device

Country Status (1)

Country Link
CN (1) CN113162953B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115987938A (en) * 2021-10-15 2023-04-18 华为技术有限公司 Method and device for determining lost host
CN114301696B (en) * 2021-12-30 2023-12-01 北京天融信网络安全技术有限公司 Malicious domain name detection method, malicious domain name detection device, computer equipment and storage medium
CN114218578A (en) * 2021-12-31 2022-03-22 奇安信科技集团股份有限公司 Method and device for generating threat information
CN115021984B (en) * 2022-05-23 2024-02-13 绿盟科技集团股份有限公司 Network security detection method and device, electronic equipment and storage medium
CN115622784A (en) * 2022-10-22 2023-01-17 胡蕊昕 Network threat identification method and system based on big data intelligence
CN116668106B (en) * 2023-05-22 2024-01-09 山东鼎夏智能科技有限公司 Threat information processing system and method

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI369623B (en) * 2008-11-07 2012-08-01 Chunghwa Telecom Co Ltd Control system and protection method for integrated information security service
CA2959340A1 (en) * 2014-08-25 2016-03-03 Ceb Inc. Customizable machine learning models
CN107046543A (en) * 2017-04-26 2017-08-15 国家电网公司 A kind of threat intelligence analysis system traced to the source towards attack
US11431745B2 (en) * 2018-04-30 2022-08-30 Microsoft Technology Licensing, Llc Techniques for curating threat intelligence data
US11115440B2 (en) * 2019-05-08 2021-09-07 Bank Of America Corporation Dynamic threat intelligence detection and control system
CN110719291B (en) * 2019-10-16 2022-10-14 杭州安恒信息技术股份有限公司 Network threat identification method and identification system based on threat information
CN110912912B (en) * 2019-11-29 2022-03-01 杭州迪普科技股份有限公司 Method and device for switching IP credit detection mode
CN111209564B (en) * 2020-01-03 2022-11-22 深信服科技股份有限公司 Cloud platform security state prediction method, device, equipment and storage medium
CN111526136A (en) * 2020-04-15 2020-08-11 优刻得科技股份有限公司 Malicious attack detection method, system, device and medium based on cloud WAF

Also Published As

Publication number Publication date
CN113162953A (en) 2021-07-23

Similar Documents

Publication Publication Date Title
CN113162953B (en) Network threat message detection and source tracing evidence obtaining method and device
US10867034B2 (en) Method for detecting a cyber attack
CN109951500B (en) Network attack detection method and device
US11797671B2 (en) Cyberanalysis workflow acceleration
CN108471429B (en) Network attack warning method and system
CN108881265B (en) Network attack detection method and system based on artificial intelligence
CN108683687B (en) Network attack identification method and system
Niakanlahiji et al. Phishmon: A machine learning framework for detecting phishing webpages
CN109474575B (en) DNS tunnel detection method and device
CN108881263B (en) Network attack result detection method and system
CN108183888B (en) Social engineering intrusion attack path detection method based on random forest algorithm
CN109600362B (en) Zombie host recognition method, device and medium based on recognition model
CN109495521B (en) Abnormal flow detection method and device
CN107682345B (en) IP address detection method and device and electronic equipment
CN106850647B (en) Malicious domain name detection algorithm based on DNS request period
CN110149319B (en) APT organization tracking method and device, storage medium and electronic device
CN110188538B (en) Method and device for detecting data by adopting sandbox cluster
CN107145779B (en) Method and device for identifying offline malicious software log
CN112003838A (en) Network threat detection method, device, electronic device and storage medium
CN110351237B (en) Honeypot method and device for numerical control machine tool
CN110061998B (en) Attack defense method and device
CN109005181B (en) Detection method, system and related components for DNS amplification attack
CN112929370B (en) Domain name system hidden channel detection method and device
CN115361235B (en) Network security detection method, equipment, device, electronic equipment and medium
CN113965419B (en) Method and device for judging attack success through reverse connection

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant