CN114157440A - Automated network defense method, apparatus, and computer-readable storage medium - Google Patents


Info

Publication number: CN114157440A
Application number: CN202010831024.7A
Authority: CN (China)
Prior art keywords: threat, information, value, attack, threat intelligence
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN114157440B (en)
Inventors: 吴涛, 张鉴, 薄明霞, 刘文韬
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Events: application filed by China Telecom Corp Ltd; priority to CN202010831024.7A; publication of CN114157440A; application granted; publication of CN114157440B; current legal status: active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses an automated network defense method, an automated network defense apparatus and a computer-readable storage medium. On the network side, the automated network defense method comprises the following steps: receiving threat intelligence information from alliance member nodes; calculating a credibility value for the threat intelligence submitted by the alliance member nodes; calculating a credibility value based on open source threat intelligence; calculating a comprehensive credibility value for the threat intelligence from each calculated credibility value; and, when the comprehensive credibility value is larger than a preset threshold value, sending the threat intelligence to the plurality of alliance member nodes.

Description

Automated network defense method, apparatus, and computer-readable storage medium
Technical Field
The present disclosure relates generally to the field of network security and, more particularly, to automated network defense methods, devices, and computer-readable storage media.
Background
With the rapid development of internet security technology, the traditional open source threat intelligence analysis method can no longer meet the security requirements of a single enterprise. Network attacks are becoming ever more specialised and targeted, and attack patterns have developed from a single method into combinations of multiple vectors, means and methods.
The traditional approach of manually extracting features and deploying a targeted defense strategy cannot respond quickly to attack behaviour and has poor timeliness.
The method addresses the problems of the traditional threat intelligence linkage mode: a single data source, a high false alarm rate and a long attack response time. It collects attack data from all departments in a distributed manner, strictly evaluates the threat intelligence submitted by the member nodes of each alliance, issues attack intelligence with a credible value to the alliance member nodes and operates a device linkage defense mode, thereby solving the false alarm problem of traditional open source threat intelligence. It also solves the problem of the prior art that attack behaviour cannot be responded to rapidly, so that defense always lags behind the network attack. The joint defense problem under different enterprise network architectures is solved by the mode of single-point attack, multi-point distribution and multi-point defense.
Therefore, there is a need in the art to solve the joint defense problem under different enterprise network architectures.
Disclosure of Invention
The method first arranges an endpoint module in each alliance member node to receive the mirror traffic of each core switch of that node. The traffic detection module continuously identifies malicious attack behaviour and stores and sends the malicious traffic to the endpoint transceiver module. The endpoint transceiver module has two functions: receiving malicious behaviour traffic, and receiving and issuing threat intelligence. The malicious behaviour traffic receiving function issues the integrated data to the analysis cluster of the intelligent operation center for multi-dimensional credibility calculation. The threat intelligence receiving and issuing function periodically retrieves data from the threat intelligence database and issues the latest intelligence to the device linkage module. The device linkage module stores the security policies of different devices and drives the devices of different security products to change or add security protection policies for the threat intelligence sent by the endpoint transceiver module.
According to one aspect of the disclosure, the invention uses a mechanism of multi-point threat identification fused with open source intelligence. Fusing the attack intelligence of the alliance member nodes with open source threat intelligence makes the intelligence source more extensive and more timely. According to another aspect of the disclosure, the invention uses a single-point attack, multi-point linked defense mechanism: when a single alliance member node faces a security threat, all alliance member nodes adopt security device linkage defense measures. According to yet another aspect of the disclosure, the invention uses a multi-dimensional credibility discrimination algorithm, which fuses alliance member node intelligence with open source threat intelligence and performs multi-dimensional credibility calculation over the time dimension, the intelligence source dimension, the authority coefficient, the hazard value and the like.
In order to achieve the above object, according to an aspect of the present invention, there is provided an automated network defense method for a network side, comprising: receiving threat intelligence information from alliance member nodes; calculating a credibility value for the threat intelligence submitted by the alliance member nodes; calculating a credibility value based on open source threat intelligence; calculating a comprehensive credibility value for the threat intelligence from each calculated credibility value; and, when the comprehensive credibility value is larger than a preset threshold value, sending the threat intelligence to the plurality of alliance member nodes.
In order to achieve the above object, according to another aspect of the present invention, there is provided an automated network defense method for the alliance member node side, comprising: identifying malicious traffic indicating malicious attack behaviour in the core switch mirror traffic of the alliance member node; extracting and integrating threat intelligence information from the identified malicious traffic, the threat intelligence information having the format { attack source, attack time, attack mode, feature traffic … … }; and sending the resulting threat intelligence to the network side.
In order to achieve the above object, according to still another aspect of the present invention, there is provided an automated network defense apparatus including means for implementing the steps of the scheduling decision method.
In order to achieve the above object, according to yet another aspect of the present invention, a computer-readable storage medium is provided, on which a computer program is stored, which, when being executed by a processor, carries out the above automated network defense method steps.
Drawings
Hereinafter, preferred embodiments of the present disclosure will be described in detail with reference to the accompanying drawings. Note that in the present specification and the drawings, structural elements having substantially the same function and structure are denoted by the same reference numerals, and repeated description of these structural elements is omitted.
FIG. 1 is a schematic diagram illustrating an automated network defense system according to an embodiment of the present disclosure;
FIG. 2 is a schematic diagram illustrating an automated network defense method according to an embodiment of the present disclosure; and
FIG. 3 is a schematic diagram illustrating a multi-device linkage defense according to an embodiment of the present disclosure.
Detailed Description
The following detailed description of exemplary embodiments refers to the accompanying drawings. The same reference numbers in different drawings identify the same or similar elements. Furthermore, the drawings are not necessarily drawn to scale. Also, the following detailed description does not limit the invention. Rather, the scope of the invention is defined by the appended claims.
Reference throughout the specification to "one embodiment" or "an embodiment" or "some embodiments" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the subject matter disclosed. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" or "in some embodiments" in various places throughout this specification are not necessarily referring to the same embodiment(s). Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
The invention provides an automated network defense method, an automated network defense apparatus and a computer storage medium that address the problems of the prior art. On the network side, the automated network defense method comprises: receiving threat intelligence information from a particular alliance member node among a plurality of alliance member nodes; calculating, from the received threat intelligence, a credibility value for the threat intelligence submitted by that alliance member node; calculating a credibility value for open source threat intelligence from the open source threat intelligence; calculating a comprehensive credibility value for the threat intelligence from each calculated credibility value; and, when the comprehensive credibility value is larger than a preset threshold value, sending the threat intelligence to the plurality of alliance member nodes. On the alliance member node side, the method comprises: identifying malicious traffic indicating malicious attack behaviour in the core switch mirror traffic of the alliance member node; extracting and integrating threat intelligence information from the identified malicious traffic, in the format { attack source, attack time, attack mode, feature traffic … … }; and sending the resulting threat intelligence to the network side.
The invention provides a horizontal automated threat defense method based on an intelligence alliance, with a security mechanism of horizontal multi-point threat identification, distributed intelligence collection and distribution, and multi-point device linkage defense. The multi-point threat identification and distribution mechanism effectively solves the practicality problem of traditional open source threat intelligence. At the same time, the method has security device linkage defense capability and solves the problem that defense always lags behind the network attack because existing open source threat intelligence takes too long to arrive.
FIG. 1 illustrates an automated network defense system 100 according to an embodiment of the present disclosure. As shown, the automated network defense system 100 includes one or more alliance member nodes: organizations or groups that have signed a formal agreement (treaty or contract) on network security and thereby become members of the alliance. These alliance member nodes are on the device side and are connected to the network.
First, an endpoint module is deployed in each alliance member node to receive the mirror traffic of each core switch of that node. The traffic detection module continuously identifies malicious attack behaviour and stores and issues the malicious traffic to the endpoint transceiver module. The endpoint transceiver module has two functions: receiving malicious behaviour traffic, and receiving and issuing threat intelligence. The malicious behaviour traffic receiving function issues the integrated data to the analysis cluster of the intelligent operation center for multi-dimensional credibility calculation. The threat intelligence receiving and issuing function periodically retrieves data from the threat intelligence database and issues the latest intelligence to the device linkage module. The device linkage module stores the security policies of different devices and drives the devices of different security products to change or add security protection policies for the threat intelligence sent by the endpoint transceiver module.
The automated network defense system 100 also includes an intelligent cloud center on the network side. The intelligent cloud center may be a control center comprising an analysis cluster, a threat intelligence database and an open source threat intelligence module. The analysis cluster performs the following operations:
1. Calculating the alliance member node credibility value
When alliance member nodes are attacked, the key information of the threat intelligence is extracted and uploaded to the analysis cluster. The credibility value of the alliance member nodes is calculated from the attack type and the event time using the following formula:
[Formula images BDA0002637981230000041 and BDA0002637981230000042 are not reproduced here. As defined in the text below, A = Σ_i S_i · P_i, the sum over the submitting alliance member nodes of timeliness multiplied by hazard value.]
where i is a positive integer indicating the number of alliance member nodes that submitted the same type of threat intelligence; Si is a positive number between 0 and 1 indicating the timeliness between the moment the current threat intelligence is received and the moment the same threat intelligence was first received; Pi indicates the hazard value, which is preset; and A indicates the credibility value of the threat event, equal to the sum, over the i alliance member nodes, of each node's timeliness multiplied by the hazard value of the attack type.
When an alliance member node is attacked, the threat intelligence is uploaded to the analysis cluster, which extracts its key information: the intelligence is classified and labelled, and the attack time, attack source, attack mode, feature code and the like are extracted.
In the above formula, i indicates the number of nodes that have submitted the threat intelligence. For example, when alliance member one submits first, i is 0; when alliance member two resubmits the same intelligence, i becomes 1. Si is the timeliness calculation: when two alliance members submit at the same time, the timeliness Si is 1, and the longer the interval between submissions, the smaller Si becomes, approaching 0. Pi indicates the hazard value, which is predefined. A is the credibility value of the threat event, obtained from the timeliness and the hazard value of the attack type.
For example, attack source 3.3.3.3 carries out phishing mail attacks against alliance member nodes 1 and 2 respectively. Alliance member node 1 uploads the threat intelligence, and alliance member node 2 uploads the same threat intelligence again. The above formula is used to calculate the credibility value of the event "attack source 3.3.3.3 phishing". Assume that the calculated result is 0.7.
2. Calculating the credibility value of open source threat intelligence
The open source threat intelligence may be threat intelligence collected regularly in real time; its credibility value is calculated from the attack type, event time, authority coefficient and the like of the intelligence using the following formula:
[Formula images BDA0002637981230000051 and BDA0002637981230000052 are not reproduced here; the text below defines B in terms of the timeliness Si, the hazard value Pi and the authority coefficient Au over the i submissions.]
where i is a positive integer indicating that the i-th user submitted the same type of threat intelligence; Si is a positive number between 0 and 1 indicating the timeliness between the moment the current threat intelligence is received and the moment the same threat intelligence was first received; Pi indicates the hazard value, which is preset; Au indicates the authority coefficient of the open source threat intelligence platform; and the credibility value B is equal to the sum, over the threat intelligence submitted by the i users, of the corresponding hazard value, timeliness and authority coefficient combined.
Si in the above formula is likewise the timeliness of the open source threat intelligence. The open source threat intelligence platform is open and receives threat intelligence provided by community nodes, so Si represents the timeliness of this threat intelligence across different community groups. B = timeliness × authority coefficient × hazard value of the corresponding attack. Au indicates the authority coefficient, i.e. the authority of the open source threat intelligence platform as an official publisher; its value can be looked up on the network.
3. Calculating the comprehensive credibility value of the threat intelligence
The comprehensive credibility value of the threat intelligence is calculated from the credibility value of the alliance member nodes and the credibility value of the open source threat intelligence using the following formula:
p=αA+βB
α and β are adjustable parameters with α, β ≥ 0 and α + β = 1; they can be set as desired.
4. Intelligence issuing
When the comprehensive credibility value is larger than the set credibility threshold, the threat intelligence is issued to the alliance member nodes.
The threat intelligence repository stores intelligence with a high threat level. The intelligence may be reported by the alliance member nodes or may come from open source intelligence. It is typically stored in the format { attack source, attack time, attack mode, signature … … }.
The open source threat intelligence module periodically obtains threat intelligence through third-party threat intelligence API interfaces published on the Internet, and extracts from it the threat intelligence information { attack source, attack time, attack mode, feature code, threat index … … }.
FIG. 2 is a schematic diagram illustrating an automated network defense method according to an embodiment of the present disclosure. At block 100, an automated network defense process 100 according to some embodiments of the present disclosure begins: the intelligence information uploaded by alliance member nodes and the open source threat intelligence fields are obtained.
At block 102, it is determined whether the received information is the latest threat intelligence. Note that this step is optional. If not, the process proceeds to block 104, where the threat intelligence information may be discarded.
If so, the process proceeds to block 106, where a comprehensive credibility value for the threat intelligence is calculated from the obtained intelligence fields, in the manner described in detail above.
At block 108, the comprehensive credibility value is compared with the credibility threshold. If it is less than the threshold, the process proceeds to block 110, where the analysis cluster temporarily stores the threat intelligence locally. This step is also optional; such threat intelligence may instead be discarded directly.
If the comprehensive credibility value is greater than the credibility threshold, the process proceeds to block 112, where the threat intelligence is uploaded to the threat intelligence repository.
High-threat intelligence from open source threat intelligence is likewise uploaded to the threat intelligence repository at block 114.
At block 116, the threat intelligence repository issues the obtained high-threat intelligence to each alliance member node.
At block 118, each alliance member node carries out device linkage.
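Steps 1 to 4 above and the FIG. 2 flow (blocks 100 to 118) fit in one piece of code. The Python below is an added worked example, not code from the patent or from China Telecom. It assumes a half-life decay for the timeliness Si (the patent only says Si is 1 for simultaneous reports and approaches 0 as the interval grows), constructed hazard values per attack mode (the patent gives only 8 for brute-force cracking), the reading B = Σ Si·Pi·Au for the open source credibility value, and constructed values for α, β, the threshold and the authority coefficient Au. The names Report, AnalysisCluster and run_patent_example, and the use of (attack source, attack mode) as the event key, are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Preset hazard values P_i per attack mode. Constructed for this example: the patent
# only says P_i is preset and uses 8 for brute-force cracking.
HAZARD = {"brute_force": 8.0, "phishing": 6.0, "malicious_scan": 3.0, "trojan_file": 9.0}

# Assumed decay for the timeliness S_i: 1 when a report arrives at the same moment as
# the first report of the event, falling towards 0 as the gap grows. The patent gives
# no function for S_i; the half-life form is this example's choice.
HALF_LIFE_SECONDS = 3600.0

EventKey = Tuple[str, str]  # (attack source, attack mode) identifies one threat event


def timeliness(first_seen: float, received: float) -> float:
    """S_i in (0, 1]: 1 for a simultaneous report, halving every HALF_LIFE_SECONDS."""
    gap = max(0.0, received - first_seen)
    return 0.5 ** (gap / HALF_LIFE_SECONDS)


@dataclass(frozen=True)
class Report:
    """One threat intelligence record: {attack source, attack time, attack mode, feature traffic}."""
    reporter: str       # alliance member node id, or the name of an open source platform
    attack_source: str
    attack_time: float  # epoch seconds at which the reporter observed the attack
    attack_mode: str
    feature: str = ""   # feature traffic / signature, carried along unchanged

    def key(self) -> EventKey:
        return (self.attack_source, self.attack_mode)


def node_trust_value(reports: List[Report], first_seen: float) -> float:
    """A = sum over the submitting member nodes of S_i * P_i."""
    return sum(timeliness(first_seen, r.attack_time) * HAZARD[r.attack_mode] for r in reports)


def open_source_trust_value(reports: List[Report], first_seen: float,
                            authority: Dict[str, float]) -> float:
    """B = sum over open source submissions of S_i * P_i * Au, Au being the platform's authority."""
    return sum(timeliness(first_seen, r.attack_time) * HAZARD[r.attack_mode] * authority[r.reporter]
               for r in reports)


def composite_trust_value(a: float, b: float, alpha: float, beta: float) -> float:
    """p = alpha * A + beta * B, with alpha, beta >= 0 and alpha + beta = 1."""
    if alpha < 0 or beta < 0 or abs(alpha + beta - 1.0) > 1e-9:
        raise ValueError("alpha and beta must be non-negative and sum to 1")
    return alpha * a + beta * b


class AnalysisCluster:
    """Blocks 100-118 of FIG. 2: ingest, drop repeats, score, compare, then issue or hold."""

    def __init__(self, alpha: float, beta: float, threshold: float, authority: Dict[str, float]):
        self.alpha, self.beta, self.threshold = alpha, beta, threshold
        self.authority = authority                          # Au per open source platform name
        self.member_reports: Dict[EventKey, List[Report]] = {}
        self.open_source_reports: Dict[EventKey, List[Report]] = {}
        self.repository: Dict[EventKey, float] = {}         # threat intelligence database: key -> p
        self.held: Dict[EventKey, float] = {}               # temporarily stored locally: key -> p
        self.issued: List[EventKey] = []                    # events pushed to all member nodes

    def submit(self, report: Report) -> str:
        """Returns 'duplicate', 'issued' or 'held' for the event the report belongs to."""
        key = report.key()
        bucket = self.open_source_reports if report.reporter in self.authority else self.member_reports
        seen = bucket.setdefault(key, [])
        if any(r.reporter == report.reporter for r in seen):  # block 102/104: nothing new from this reporter
            return "duplicate"
        seen.append(report)
        members = self.member_reports.get(key, [])
        osint = self.open_source_reports.get(key, [])
        first_seen = min(r.attack_time for r in members + osint)  # moment the event was first received
        p = composite_trust_value(node_trust_value(members, first_seen),
                                  open_source_trust_value(osint, first_seen, self.authority),
                                  self.alpha, self.beta)
        if p > self.threshold:                                # blocks 108, 112, 116
            self.repository[key] = p
            self.held.pop(key, None)
            self.issued.append(key)
            return "issued"
        self.held[key] = p                                    # block 110: kept locally, below threshold
        return "held"


def run_patent_example() -> Tuple[str, str, float]:
    """Section three's example: two nodes report the same brute-force source at once, B = 0."""
    cluster = AnalysisCluster(alpha=0.6, beta=0.4, threshold=6.0, authority={"osint-x": 0.9})
    first = cluster.submit(Report("node-1", "3.3.3.3", 1000.0, "brute_force", "ssh login burst"))
    second = cluster.submit(Report("node-2", "3.3.3.3", 1000.0, "brute_force", "ssh login burst"))
    return first, second, cluster.repository[("3.3.3.3", "brute_force")]


if __name__ == "__main__":
    print(run_patent_example())
```

With α = 0.6, β = 0.4 and threshold 6, the patent's example of two nodes reporting the same brute-force source at the same moment with B = 0 gives A = 16 and p = 9.6 after the second report, so the intelligence is issued; after the first report alone p = 4.8 and the event is only held locally. A repeat from a node that already reported the event is rejected at the block 102 check, so one noisy reporter cannot raise the score on its own.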
The following describes the process according to the invention with a specific example.
First, abnormal traffic detection is performed. Specifically, each alliance member node is provided with an endpoint module that receives the mirror traffic of each core switch of the node; the traffic detection module continuously identifies malicious attack behaviour (password guessing, command execution, Trojan files, malicious scanning and the like) and stores and sends the malicious traffic to the endpoint transceiver module.
Second, intelligence extraction is performed. Specifically, the endpoint transceiver module has two functions: receiving malicious behaviour traffic, and receiving and issuing threat intelligence. The malicious behaviour traffic receiving function receives the data sent by the traffic detection module, extracts and integrates the traffic information { attack source, attack time, attack mode, feature traffic … … }, and sends the integrated data to the analysis cluster of the intelligent operation center for analysis and calculation.
Third, a credibility judgment is made. Specifically, the analysis cluster receives the threat intelligence sent by the alliance member node endpoint modules and performs the multi-dimensional credibility calculation. For example, attack intelligence from 2 nodes with the same attack source IP address is received at the same time, the attack mode is brute-force cracking with a hazard value of 8, and at this moment the open source threat intelligence has received 0 alarms, so B is 0. The credibility value p is calculated with the set adjustment parameters, and whether the intelligence is issued to the nodes is decided by comparing the credibility value with the upper and lower bounds of the set credibility threshold interval.
Fourth, the alliance member node intelligence is collected and stored. Specifically, the threat intelligence information { attack source, attack time, attack mode, feature code … … } is extracted from the high-threat intelligence and sent to the threat intelligence repository.
Fifth, open source intelligence is collected and stored. Specifically, threat intelligence is periodically acquired through third-party threat intelligence API interfaces published on the Internet, and the threat intelligence information { attack source, attack time, attack mode, feature code, threat index … … } is extracted from it.
Finally, security protection device linkage is carried out. Specifically, the device linkage module stores the security policies of different devices and drives the devices of different security products to change or add security protection policies for the threat intelligence issued by the endpoint transceiver module.
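Steps one, two and six above (detection on the mirror traffic, extraction of the intelligence record, and security device linkage) as an added Python example; it is not code from the patent, and the credibility calculation of steps three to five is left out. The flow records, the password-guessing rule (at least five authentication failures from one source within 60 seconds), the names Intel, DeviceLinkageModule and run_node_side, and the two policy formats rendered for a firewall and an IDS are all constructed for this example; the patent only names password guessing among the detected behaviours and says that the linkage module stores the security policies of different devices.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed mirror-traffic records, one per connection attempt, standing in for the
# core switch mirror traffic the endpoint module receives. 3.3.3.3 is the attack
# source used in the patent's own example; 10.0.0.9 is a benign host with one typo.
FLOWS = [
    {"ts": 100.0, "src": "3.3.3.3", "dst": "10.0.0.5", "service": "ssh", "outcome": "auth_fail"},
    {"ts": 105.0, "src": "3.3.3.3", "dst": "10.0.0.5", "service": "ssh", "outcome": "auth_fail"},
    {"ts": 110.0, "src": "3.3.3.3", "dst": "10.0.0.5", "service": "ssh", "outcome": "auth_fail"},
    {"ts": 115.0, "src": "3.3.3.3", "dst": "10.0.0.6", "service": "rdp", "outcome": "auth_fail"},
    {"ts": 120.0, "src": "3.3.3.3", "dst": "10.0.0.6", "service": "rdp", "outcome": "auth_fail"},
    {"ts": 125.0, "src": "3.3.3.3", "dst": "10.0.0.5", "service": "ssh", "outcome": "auth_fail"},
    {"ts": 200.0, "src": "10.0.0.9", "dst": "10.0.0.5", "service": "ssh", "outcome": "auth_fail"},
    {"ts": 203.0, "src": "10.0.0.9", "dst": "10.0.0.5", "service": "ssh", "outcome": "auth_ok"},
]


@dataclass(frozen=True)
class Intel:
    """The record the endpoint module sends upward: {attack source, attack time, attack mode, feature traffic}."""
    attack_source: str
    attack_time: float
    attack_mode: str
    feature: str


def detect_password_guessing(flows: List[dict], window: float = 60.0, min_failures: int = 5) -> List[Intel]:
    """Flag every source with at least min_failures authentication failures inside any window-second span."""
    failures: Dict[str, List[dict]] = defaultdict(list)
    for flow in flows:
        if flow["outcome"] == "auth_fail":
            failures[flow["src"]].append(flow)
    found = []
    for src, fails in failures.items():
        fails.sort(key=lambda f: f["ts"])
        end = 0
        for start in range(len(fails)):                       # two-pointer sliding window
            while end < len(fails) and fails[end]["ts"] - fails[start]["ts"] <= window:
                end += 1
            if end - start >= min_failures:
                services = "/".join(sorted({f["service"] for f in fails[start:end]}))
                found.append(Intel(src, fails[start]["ts"], "password_guessing",
                                   f"{end - start} failed {services} logins within {window:.0f}s"))
                break                                         # one record per source is enough
    return found


# Per-device policy renderers. The formats are constructed for this example; the patent
# only says the linkage module stores the security policies of different devices.
def firewall_policy(intel: Intel) -> str:
    return f"deny ip from {intel.attack_source} to any  # {intel.attack_mode}"


def ids_policy(intel: Intel) -> str:
    return f'alert ip {intel.attack_source} any -> any any (msg:"{intel.attack_mode}: {intel.feature}";)'


class DeviceLinkageModule:
    """Holds one renderer per security product and pushes new policies for issued intelligence."""

    def __init__(self) -> None:
        self.renderers: Dict[str, Callable[[Intel], str]] = {}
        self.applied: Dict[str, List[str]] = defaultdict(list)

    def register(self, device: str, render: Callable[[Intel], str]) -> None:
        self.renderers[device] = render

    def apply(self, intel: Intel) -> List[Tuple[str, str]]:
        """Returns the (device, policy) pairs actually added; re-issued intelligence adds nothing."""
        changes = []
        for device, render in self.renderers.items():
            policy = render(intel)
            if policy not in self.applied[device]:
                self.applied[device].append(policy)
                changes.append((device, policy))
        return changes


def run_node_side(flows: List[dict] = FLOWS) -> Tuple[List[Intel], List[Tuple[str, str]]]:
    """Detect on the mirror traffic, then drive the linkage module with what was found."""
    linkage = DeviceLinkageModule()
    linkage.register("edge-firewall", firewall_policy)
    linkage.register("ids-sensor", ids_policy)
    records = detect_password_guessing(flows)
    changes = [change for record in records for change in linkage.apply(record)]
    return records, changes


if __name__ == "__main__":
    for device, policy in run_node_side()[1]:
        print(device, "<-", policy)
```

The detection keeps one record per source and carries the failure count and the services tried as the feature field, which is what the analysis cluster later needs for classification and labelling; the linkage module remembers the policies it has already pushed to each device, so intelligence that is issued a second time produces no change on the devices.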
FIG. 3 is a schematic diagram illustrating a multi-device linkage defense according to an embodiment of the present disclosure. As shown, alliance member node 1 is under attack and immediately reports the threat intelligence information to the intelligent cloud center. The intelligent cloud center calculates the credibility value of the alliance member node from the received threat intelligence, and the credibility value of the open source threat intelligence from the open source threat intelligence information. It then calculates a comprehensive credibility value for the threat intelligence from the two values. By comparing the comprehensive credibility value with a predetermined threshold, the intelligent cloud center determines whether the threat is a high threat. If so, it issues the threat intelligence to all alliance member nodes 1-8. Each alliance member node 1-8 responds to the received threat intelligence by driving its different security product devices to change or add security protection policies.
The invention provides a horizontal automated threat defense method based on an intelligence alliance, with a security mechanism of horizontal multi-point threat identification, distributed intelligence collection and distribution, and multi-point device linkage defense. The multi-point threat identification and distribution mechanism effectively solves the practicality problem of traditional open source threat intelligence. At the same time, the method has security device linkage defense capability and solves the problem that defense always lags behind the network attack because existing open source threat intelligence takes too long to arrive.
As will be appreciated based on the foregoing specification, the above-described embodiments of the disclosure may be implemented using computer programming or engineering techniques including computer software, firmware, hardware or any combination or subset thereof, wherein the technical effect is to create and operate a file system based application network. Any such resulting program, having computer-readable code means, may be embodied or provided within one or more computer-readable media, thereby making a computer program product (i.e., an article of manufacture) according to the discussed embodiments of the disclosure. The computer readable media may be, for example, but is not limited to, a fixed (hard) drive, diskette, optical disk, magnetic tape, semiconductor memory such as read-only memory (ROM), and/or any transmitting/receiving medium such as the Internet or other communication network or link. The article of manufacture containing the computer code may be made and/or used by executing the code directly from one medium, by copying the code from one medium to another medium, or by transmitting the code over a network.
These computer programs (also known as programs, software applications, or code) include machine instructions for a programmable processor, and may be implemented in a high-level procedural and/or object-oriented programming language, and/or in assembly/machine language. As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. However, "machine-readable medium" and "computer-readable medium" do not include transitory signals. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
Although the present disclosure has been described in connection with specific exemplary embodiments, it should be understood that various changes, substitutions, and alterations apparent to those skilled in the art may be made to the disclosed embodiments without departing from the spirit and scope of the present disclosure as set forth in the following claims.

Claims (11)

1. An automated network defense method for a network side, comprising:
receiving threat intelligence information from the federation member nodes;
calculating a credible value of threat intelligence information submitted by the nodes of the coalition members;
calculating a credible value of the information based on the open source threat information;
calculating a comprehensive credibility value of the threat information based on each calculated credibility value; and
when the comprehensive credibility value is larger than a preset threshold value, sending the threat intelligence to the plurality of alliance member nodes.
2. The automated network defense method of claim 1 wherein the threat intelligence information has the following format:
{ attack source, attack time, attack mode, feature traffic … … }, and
wherein calculating the trustworthiness value of threat intelligence information submitted by coalition members based on the intelligence information comprises: calculating the credibility value of the intelligence information submitted by the nodes of the coalition members by using the following formula:
[Formula images FDA0002637981220000011 and FDA0002637981220000012 are not reproduced here. As defined below, A = Σ_i S_i · P_i, the sum over the submitting alliance member nodes of timeliness multiplied by hazard value.]
wherein i is a positive integer indicating the number of alliance member nodes that submitted the same type of threat intelligence; Si is a positive number between 0 and 1 indicating the timeliness between the moment the current threat intelligence is received and the moment the same threat intelligence was first received; Pi indicates the hazard value, which is preset; and A indicates the credibility value of the threat event, equal to the sum, over the i alliance member nodes, of each node's timeliness multiplied by the hazard value of the attack type.
3. The automated network defense method of claim 1, wherein the threat intelligence information has the following format:
{ attack source, attack time, attack mode, feature traffic … … }, and
wherein calculating the credibility value of the open-source threat intelligence information comprises calculating it with the following formula:
[formula images FDA0002637981220000021 and FDA0002637981220000022 are not reproduced in the text]
wherein i is a positive integer indexing the users who submitted the same type of threat intelligence information; Si is a positive number between 0 and 1 indicating the timeliness between the moment the current threat intelligence information is received and the moment the same threat intelligence information was first received; Pi is a hazard value, which is preset; Au is the authority coefficient of the open-source threat intelligence platform; and the credibility value B is the sum, over the threat intelligence information submitted by the i users, of the combined hazard value, timeliness and authority coefficient of each submission.
4. The automated network defense method of claim 1, wherein calculating the comprehensive credibility value of the threat intelligence information comprises calculating it with the following formula:
p = αA + βB
where A and B are the credibility values calculated for the coalition member nodes' threat intelligence information and for the open-source threat intelligence information respectively, and α and β are adjustable coefficients with α, β ≥ 0 and α + β = 1.
5. The automated network defense method of claim 1, further comprising:
when the comprehensive credibility value is larger than the preset threshold, uploading the threat intelligence information to a threat intelligence database for storage and issuing it to the coalition member nodes, so as to realize linked defense across the coalition member nodes; and
when the comprehensive credibility value is smaller than the preset threshold, temporarily storing the threat intelligence information locally.
6. The automated network defense method of claim 1, wherein the open-source threat intelligence information is periodically obtained from the Internet, and threat intelligence information in the following format is extracted from it:
{ attack source, attack time, attack mode, feature traffic … … }.
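Added worked example, written for this page and not code from the patent or its applicant: the network-side scoring of claims 1 to 6 carried through on constructed reports. The record format and the quantities Si, Pi, Au, A, B, p, α, β and the threshold are the ones named in the claims; the hazard values, the exponential decay used for timeliness, the product form of the open-source term, the grouping of reports by attack source and attack mode, the per-node de-duplication and the CSV feed layout are assumptions, as are all sample inputs.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ThreatIntel:
    """Claimed record format: { attack source, attack time, attack mode, feature traffic ... }."""
    attack_source: str    # attacking address
    attack_time: float    # epoch seconds of the observed attack
    attack_mode: str      # attack type; looked up in HAZARD for the preset value Pi
    feature_traffic: str  # signature or description of the characteristic traffic

@dataclass(frozen=True)
class Report:
    """One submission of a record by a coalition node or an open-source platform user."""
    submitter: str        # coalition node id, or open-source user id
    received_at: float    # epoch seconds at which the network side received it
    intel: ThreatIntel

# Preset hazard values Pi per attack type (example values, an assumption); unknown
# attack modes fall back to a low value rather than raising.
HAZARD = {"port_scan": 0.3, "brute_force": 0.6, "c2_beacon": 0.9}
DEFAULT_HAZARD = 0.1

def timeliness(received_at: float, first_seen_at: float, half_life: float = 3600.0) -> float:
    """Si in (0, 1], decaying with the delay between first receipt of this threat and the
    current report. The claims fix only the range; the one-hour half-life is an assumption."""
    return 0.5 ** (max(0.0, received_at - first_seen_at) / half_life)

def first_report_per_submitter(reports: List[Report]) -> List[Report]:
    """Claim 2 counts i as the number of nodes reporting the same threat, so a node that
    re-submits the same record must not inflate A: keep only its earliest report."""
    earliest: Dict[str, Report] = {}
    for rep in reports:
        cur = earliest.get(rep.submitter)
        if cur is None or rep.received_at < cur.received_at:
            earliest[rep.submitter] = rep
    return list(earliest.values())

def coalition_credibility(reports: List[Report], first_seen: float) -> float:
    """A = sum over the i coalition nodes of Si * Pi (claim 2)."""
    return sum(timeliness(r.received_at, first_seen) * HAZARD.get(r.intel.attack_mode, DEFAULT_HAZARD)
               for r in first_report_per_submitter(reports))

def open_source_credibility(reports: List[Report], first_seen: float, authority: float) -> float:
    """B over the i open-source users (claim 3): hazard value, timeliness and the platform's
    authority coefficient Au per report. The claim wording leaves the combination open;
    the product Si * Pi * Au used here is an assumption."""
    return authority * coalition_credibility(reports, first_seen)

def comprehensive_credibility(A: float, B: float, alpha: float = 0.6, beta: float = 0.4) -> float:
    """p = alpha * A + beta * B with alpha, beta >= 0 and alpha + beta = 1 (claim 4)."""
    if alpha < 0 or beta < 0 or abs(alpha + beta - 1.0) > 1e-9:
        raise ValueError("alpha and beta must be non-negative and sum to 1")
    return alpha * A + beta * B

def parse_open_source_feed(text: str) -> List[Report]:
    """Claim 6: extract claimed-format records from a periodically fetched feed. The CSV
    layout 'user,received_at,attack_source,attack_time,attack_mode,feature' is assumed."""
    out = []
    for line in text.strip().splitlines():
        user, received, src, when, mode, feature = [f.strip() for f in line.split(",")]
        out.append(Report(user, float(received), ThreatIntel(src, float(when), mode, feature)))
    return out

def score_threats(coalition: List[Report], open_source: List[Report], authority: float,
                  threshold: float, alpha: float = 0.6, beta: float = 0.4) -> Dict[Tuple[str, str], dict]:
    """Group reports by threat (source + mode, an assumption), compute A, B and p, then apply
    claim 5: above the threshold the record is published to all coalition nodes, otherwise held."""
    groups: Dict[Tuple[str, str], Dict[str, List[Report]]] = {}
    for origin, reports in (("coalition", coalition), ("open", open_source)):
        for r in reports:
            key = (r.intel.attack_source, r.intel.attack_mode)
            groups.setdefault(key, {"coalition": [], "open": []})[origin].append(r)
    results = {}
    for key, g in groups.items():
        first_seen = min(r.received_at for r in g["coalition"] + g["open"])
        A = coalition_credibility(g["coalition"], first_seen)
        B = open_source_credibility(g["open"], first_seen, authority)
        p = comprehensive_credibility(A, B, alpha, beta)
        results[key] = {"A": A, "B": B, "p": p, "action": "publish" if p > threshold else "hold_locally"}
    return results

# Constructed sample input: three nodes corroborate one brute-force source (node-A also
# re-submits it, which must not count twice) and one node alone reports a port scan.
BF = ThreatIntel("198.51.100.7", 999_900.0, "brute_force", "ssh: >200 failed logins/min")
PS = ThreatIntel("203.0.113.9", 1_999_900.0, "port_scan", "tcp SYN to 1024 distinct ports")
SAMPLE_COALITION = [
    Report("node-A", 1_000_000.0, BF), Report("node-B", 1_003_600.0, BF),
    Report("node-A", 1_001_800.0, BF), Report("node-C", 1_007_200.0, BF),
    Report("node-B", 2_000_000.0, PS),
]
SAMPLE_FEED = "osint-user-1,1000000,198.51.100.7,999900,brute_force,ssh brute force\n"

def run_example() -> Dict[Tuple[str, str], dict]:
    return score_threats(SAMPLE_COALITION, parse_open_source_feed(SAMPLE_FEED), authority=0.8, threshold=0.5)
```

Calling run_example() scores the corroborated brute-force source at A = 1.05, B = 0.48, p = 0.822 (published) and the single-node port scan at p = 0.18 (held locally). The de-duplication step is the check a practitioner wants here: claim 2 defines i as the number of nodes, so without it one node re-sending the same record every few minutes could push any threat over the threshold on its own.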
7. An automated network defense method for the coalition member node side, comprising:
identifying malicious traffic indicating malicious attack behaviour in the mirrored core-switch traffic of a coalition member node;
extracting and integrating threat intelligence information from the identified malicious traffic, the threat intelligence information having the following format: { attack source, attack time, attack mode, feature traffic … … }; and
sending the obtained threat intelligence information to the network side.
8. The automated network defense method of claim 7, further comprising:
receiving, at the coalition member node, threat intelligence information sent from the network side; and
driving different security product devices to change or add security protection policies, based on the security policies stored in the coalition member node.
9. An automated network defense device on the network side, comprising means for implementing the method steps of any one of claims 1 to 6.
10. An automated network defense device on the coalition member node side, comprising means for implementing the method steps of any one of claims 7 to 8.
11. A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the method steps of any one of claims 1 to 8.
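Added worked example for the node side of claims 7 and 8, written for this page and not code from the patent or its applicant: a detector over constructed flow records standing in for the mirrored core-switch traffic emits records in the claimed format, and a policy driver turns a record received from the network side into per-device rules from the stored policy table. The flow record layout, the detection thresholds, the policy table, the rule syntaxes for the hypothetical IDS and bastion products and the NEVER_BLOCK safeguard are assumptions; the iptables line is real syntax.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

@dataclass(frozen=True)
class Flow:
    """One flow record from the mirrored core-switch traffic (layout assumed)."""
    ts: float
    src: str
    dst: str
    dport: int
    syn_only: bool  # SYN seen with no completed handshake

WINDOW = 60.0        # seconds; the thresholds below are illustrative assumptions
SCAN_PORTS = 20      # distinct (dst, port) SYN-only probes from one source within WINDOW
BRUTE_ATTEMPTS = 30  # connections to port 22 from one source within WINDOW

def record(src: str, when: float, mode: str, feature: str) -> dict:
    """Build a record in the claimed format { attack source, attack time, attack mode, feature traffic }."""
    return {"attack_source": src, "attack_time": when, "attack_mode": mode, "feature_traffic": feature}

def detect(flows: List[Flow]) -> List[dict]:
    """Claim 7: identify malicious behaviour per source over a sliding window and extract
    threat intelligence records, one per source and attack mode."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)
    intel = []
    for src, fs in by_src.items():
        seen = set()
        for i, anchor in enumerate(fs):
            win = [g for g in fs[i:] if g.ts - anchor.ts <= WINDOW]
            probes = {(g.dst, g.dport) for g in win if g.syn_only}
            if "port_scan" not in seen and len(probes) >= SCAN_PORTS:
                seen.add("port_scan")
                intel.append(record(src, anchor.ts, "port_scan",
                                    f"{len(probes)} SYN-only probes to distinct ports within {WINDOW:.0f}s"))
            ssh = sum(1 for g in win if g.dport == 22)
            if "brute_force" not in seen and ssh >= BRUTE_ATTEMPTS:
                seen.add("brute_force")
                intel.append(record(src, anchor.ts, "brute_force",
                                    f"{ssh} SSH connection attempts within {WINDOW:.0f}s"))
    return intel

# Security policies stored on the node (claim 8): per attack mode, the action for each
# product type present on this node. Contents are assumptions.
STORED_POLICY = {
    "port_scan": {"linux_fw": "drop_src", "ids": "alert_src"},
    "brute_force": {"linux_fw": "drop_src", "ids": "alert_src", "bastion": "lock_src"},
}
# Added safeguard, not in the claims: never act on a pushed record whose source lies in the
# node's own or its partners' ranges, so poisoned or mistaken intelligence cannot cut them off.
NEVER_BLOCK = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

def render(device: str, action: str, src: str, mode: str) -> str:
    """Device-specific rule text. The iptables line is real syntax; the IDS and bastion
    lines are placeholder formats for hypothetical products."""
    if device == "linux_fw" and action == "drop_src":
        return f"iptables -I INPUT -s {src} -j DROP"
    if device == "ids" and action == "alert_src":
        return f'alert ip {src} any -> any any (msg:"coalition intel: {mode}";)'
    if device == "bastion" and action == "lock_src":
        return f"lockout add --source {src} --reason coalition-{mode}"
    raise ValueError(f"no renderer for {device}/{action}")

def apply_intel(intel: dict, devices: List[str]) -> Dict[str, str]:
    """Claim 8: on receiving a record from the network side, drive each present security
    device according to the stored policy; returns the rule issued per device."""
    src = intel["attack_source"]
    if any(ip_address(src) in net for net in NEVER_BLOCK):
        return {}
    policy = STORED_POLICY.get(intel["attack_mode"], {})
    return {d: render(d, policy[d], src, intel["attack_mode"]) for d in devices if d in policy}

# Constructed sample traffic: a SYN scan of 25 ports, 35 SSH attempts, and benign HTTPS.
SAMPLE_FLOWS = (
    [Flow(100.0 + 0.5 * p, "203.0.113.9", "10.0.0.5", p, True) for p in range(1, 26)]
    + [Flow(200.0 + n, "198.51.100.7", "10.0.0.5", 22, False) for n in range(35)]
    + [Flow(300.0 + n, "192.0.2.10", "10.0.0.5", 443, False) for n in range(5)]
)

def run_example():
    intel = detect(SAMPLE_FLOWS)
    rules = {r["attack_mode"]: apply_intel(r, ["linux_fw", "ids", "waf"]) for r in intel}
    return intel, rules
```

run_example() yields one port_scan record for 203.0.113.9 and one brute_force record for 198.51.100.7, and for a node carrying a Linux firewall, an IDS and a WAF it issues rules only to the two devices the stored policy names. The NEVER_BLOCK check is the caveat a node operator wants: claim 8 has the devices act on whatever the network side pushes, so a poisoned or mistaken record naming an internal or partner address would otherwise be turned straight into a drop rule.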

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010831024.7A CN114157440B (en) 2020-08-18 2020-08-18 Automatic network defense method, equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN114157440A true CN114157440A (en) 2022-03-08
CN114157440B CN114157440B (en) 2024-01-26

Family

ID=80460435

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010831024.7A Active CN114157440B (en) 2020-08-18 2020-08-18 Automatic network defense method, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN114157440B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108600212A (en) * 2018-04-19 2018-09-28 北京邮电大学 Threat information credibility method of discrimination and device based on the credible feature of various dimensions
CN109672674A (en) * 2018-12-19 2019-04-23 中国科学院信息工程研究所 A kind of Cyberthreat information confidence level recognition methods
WO2019142049A1 (en) * 2018-01-17 2019-07-25 Geeq Corporation Blockchain methods, nodes, systems and products
CN110807209A (en) * 2019-11-01 2020-02-18 腾讯科技(深圳)有限公司 Data processing method, device and storage medium
CN111444277A (en) * 2020-03-31 2020-07-24 中国刑事警察学院 Anti-terrorist information collaborative sharing platform and method based on block chain technology

Also Published As

Publication number Publication date
CN114157440B (en) 2024-01-26

Similar Documents

Publication Publication Date Title
US10805321B2 (en) System and method for evaluating network threats and usage
US20210360027A1 (en) Cyber Security for Instant Messaging Across Platforms
US20210136089A1 (en) Campaign intelligence and visualization for combating cyberattacks
CA3102820A1 (en) Threat mitigation system and method
US20230012220A1 (en) Method for determining likely malicious behavior based on abnormal behavior pattern comparison
CN117614745B (en) Cooperative defense method and system for processor network protection
CA3159347A1 (en) Threat mitigation system and method
US20210075819A1 (en) Threat mitigation system and method
Milan et al. Reducing false alarms in intrusion detection systems–a survey
EP4248316A1 (en) Threat mitigation system and method
CN117176249A (en) Intelligent monitoring system for optical fiber network
CN114157440A (en) Automated network defense method, apparatus, and computer-readable storage medium
US20210377313A1 (en) Threat Mitigation System and Method
Zhang et al. Detecting network intrusion using probabilistic neural network
Jung et al. Prioritizing cloud service threats for succession to information security management system
Peng et al. Automated intrusion response system algorithm with danger theory
Xu et al. Development of computer network security management technology based on artificial intelligence under big data
Wang et al. Continuous User Trust Assessment Based on Emphasized Contextual Differentiation Behavior Analysis
Zhang et al. A Security Event Correlation Algorithm Based On Attack Sequence
CN115696341A (en) Identification and analysis method and device for harmful events based on consistency and consensus
CN109286629A (en) A kind of data visualization situation early warning system based on the attack of WEB website

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant