CN114157440B - Automatic network defense method, equipment and computer readable storage medium - Google Patents


Info

Publication number
CN114157440B
Authority
CN
China
Prior art keywords
threat intelligence
intelligence information
threat
information
value
Prior art date
Legal status
Active
Application number
CN202010831024.7A
Other languages
Chinese (zh)
Other versions
CN114157440A (en)
Inventor
吴涛
张鉴
薄明霞
刘文韬
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date
Filing date
Publication date
Application filed by China Telecom Corp Ltd
Priority to CN202010831024.7A
Publication of CN114157440A
Application granted
Publication of CN114157440B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The present disclosure relates to automated network defense methods, apparatus, and computer-readable storage media. The automated network defense method on the network side comprises: receiving threat intelligence information from a federation member node; calculating, from the received intelligence, a trusted value for the threat intelligence submitted by the federation member node; calculating a trusted value based on open-source threat intelligence information; calculating a comprehensive trusted value of the threat intelligence information from the two trusted values; and distributing the threat intelligence information to the plurality of federation member nodes when the comprehensive trusted value is greater than a predetermined threshold.

Description

Automatic network defense method, equipment and computer readable storage medium
Technical Field
The present disclosure relates generally to the field of network security, and more particularly, to an automated network defense method, apparatus, and computer readable storage medium.
Background
With the rapid development of internet security technology, traditional open-source threat intelligence analysis can no longer meet the security requirements of a single enterprise. Network attacks are becoming more professional and more targeted, and attack patterns have evolved from a single technique into combinations of multiple vectors, means and methods.
Traditional manual feature extraction followed by deployment of a targeted defense strategy cannot respond quickly to attack behaviour and has poor timeliness.
The method addresses the problems of the traditional threat intelligence linkage model: a single data source, a high false-alarm rate and a long delay between attack and response. It collects attack data from each department in a distributed manner, applies strict discrimination to the threat intelligence submitted by each federation member node, distributes only attack intelligence with a trusted value to the federation member nodes, and drives linked defense on the security devices, thereby reducing the false-alarm rate and the related problems of traditional open-source threat intelligence. This solves the problem that the prior art cannot respond quickly to attack behaviour, so that defense always lags behind the network attack. Joint defense across different enterprise network architectures is achieved through a single-point attack, multi-point distribution, multi-point defense model.
There is therefore a need in the art to address joint defense under different enterprise network architectures.
Disclosure of Invention
The patent proposes that an endpoint module is first deployed in each federation member node. The endpoint module receives the mirrored traffic of the member node's core switch; its traffic detection module continuously identifies malicious attack behaviour, stores the malicious traffic and passes it to the endpoint transceiver module. The endpoint transceiver module has two functions: receiving malicious-behaviour traffic, and receiving and distributing threat intelligence. For the first function it integrates the intelligence extracted from the malicious traffic and sends the integrated data to the analysis cluster of the intelligent operation center for multidimensional trusted discrimination. For the second function it periodically retrieves data from the threat intelligence library and passes the latest intelligence to the device linkage module. The device linkage module stores the security policies of the different devices, and the threat intelligence passed on by the endpoint transceiver module drives the different security product devices to change or add protection policies.
According to one aspect of the disclosure, the invention uses multi-point threat identification fused with open-source intelligence. Fusing the attack intelligence of the federation member nodes with open-source threat intelligence makes the intelligence sources broader and more timely. According to another aspect, the invention uses a single-point attack, multi-point linked defense mechanism: when one federation member node faces a security threat, all federation member nodes apply linked defense measures on their security devices. According to yet another aspect, the invention uses a multidimensional trusted discrimination algorithm, which fuses federation member node intelligence with open-source threat intelligence and computes trust over the dimensions of time, intelligence source, authority coefficient, hazard value and so on.
To achieve the above object, according to one aspect of the present invention, there is provided an automated network defense method for the network side, comprising: receiving threat intelligence information from a federation member node; calculating a trusted value for the threat intelligence submitted by the federation member node based on that intelligence; calculating a trusted value based on open-source threat intelligence information; calculating a comprehensive trusted value of the threat intelligence information from the two trusted values; and distributing the threat intelligence information to the plurality of federation member nodes when the comprehensive trusted value is greater than a predetermined threshold.
To achieve the above object, according to another aspect of the present invention, there is provided an automated network defense method for the federation member node side, comprising: identifying malicious traffic indicating malicious attack behaviour in the mirrored core switch traffic of the federation member node; extracting and integrating threat intelligence information from the identified malicious traffic, the threat intelligence information having the format { attack source, attack time, attack mode, feature traffic … }; and sending the obtained threat intelligence to the network side.
To achieve the above object, according to still another aspect of the present invention, there is provided an automated network defense device comprising means for implementing the steps of the automated network defense method described above.
To achieve the above object, according to yet another aspect of the present invention, there is provided a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the automated network defense method described above.
Drawings
Hereinafter, preferred embodiments of the present disclosure will be described in detail with reference to the accompanying drawings. Note that in the present specification and the drawings, structural elements having substantially the same functions and structures are denoted by the same reference numerals, and repeated description of these structural elements is omitted.
FIG. 1 is a schematic diagram illustrating an automated network defense system according to one embodiment of the present disclosure;
FIG. 2 is a schematic diagram illustrating an automated network defense method according to an embodiment of the present disclosure; and
fig. 3 is a diagram illustrating multi-device linkage defense according to an embodiment of the present disclosure.
Detailed Description
The following detailed description of exemplary embodiments refers to the accompanying drawings. The same reference numbers in different drawings identify the same or similar elements. Moreover, the drawings are not necessarily drawn to scale. Moreover, the following detailed description does not limit the invention. Rather, the scope of the invention is defined by the appended claims.
Reference throughout this specification to "one embodiment" or "an embodiment" or "some embodiments" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the subject matter disclosed. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" or "in some embodiments" in various places throughout this specification are not necessarily referring to the same embodiment(s). Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
The present inventors have devised an automated network defense method, apparatus and computer storage medium that address the problems of the prior art. On the network side, the automated network defense method according to the invention comprises: receiving threat intelligence information from a particular federation member node among a plurality of federation member nodes; calculating a trusted value for the threat intelligence submitted by that federation member node based on the received intelligence; calculating a trusted value of the open-source threat intelligence based on the open-source threat intelligence information; calculating a comprehensive trusted value of the threat intelligence information from the two trusted values; and distributing the threat intelligence information to the plurality of federation member nodes when the comprehensive trusted value is greater than a predetermined threshold. On the federation member node side, the automated network defense method according to the invention comprises: identifying malicious traffic indicating malicious attack behaviour in the mirrored core switch traffic of the federation member node; extracting and integrating threat intelligence information from the identified malicious traffic, in the format { attack source, attack time, attack mode, feature traffic … }; and sending the obtained threat intelligence to the network side.
The invention provides a lateral automated threat defense method based on an intelligence federation and designs a security mechanism of lateral multi-point threat identification, distributed intelligence collection and distribution, and multi-point device linkage defense. The multi-point threat identification and distribution mechanism addresses the practical shortcomings of traditional open-source threat intelligence. At the same time, the method provides linked defense on the security devices, solving the problem that defense always lags behind the network attack because existing open-source threat intelligence arrives too late.
Figure 1 illustrates an automated network defense system 100 according to an embodiment of the present disclosure. As shown, the automated network defense system 100 includes one or more federation member nodes: organizations or groups that have signed a formal agreement (treaty or contract) establishing a network security federation and have thereby become its member nodes. These federation member nodes are connected to the network and sit on the device side relative to the network.
The method first deploys an endpoint module in each federation member node. The module receives the mirrored traffic of the member node's core switch; its traffic detection module continuously identifies malicious attack behaviour, stores the malicious traffic and passes it to the endpoint transceiver module. The endpoint transceiver module has two functions: receiving malicious-behaviour traffic, and receiving and distributing threat intelligence. For the first function it sends the integrated data to the analysis cluster of the intelligent operation center for multidimensional trusted discrimination. For the second function it periodically retrieves data from the threat intelligence library and passes the latest intelligence to the device linkage module. The device linkage module stores the security policies of the different devices, and the threat intelligence passed on by the endpoint transceiver module drives the different security product devices to change or add protection policies.
The automated network defense system 100 also includes an intelligent cloud center on the network side. The intelligent cloud center may be a control center comprising an analysis cluster, a threat intelligence database and an open-source threat intelligence module. The analysis cluster performs the following operations:
1. Computing federation member node trusted values
When a federation member node is attacked, the key threat intelligence fields are extracted and uploaded to the analysis cluster. The trusted value of the federation member node intelligence is calculated from the attack type and the event time. The calculation formula, as the description states it, is:
A = Σ s_i × p_i (summed over the i federation member nodes)
where i is a positive integer indicating the number of federation member nodes that submitted the same type of threat intelligence; s_i is a positive number between 0 and 1 indicating the timeliness between the receipt time of the current threat intelligence and the first receipt of the same threat intelligence; p_i is the hazard value of the attack type, a preset value; and A is the trusted value of a single threat event, equal to the sum over the i federation member nodes of each node's timeliness multiplied by the hazard value of the attack type.
When a federation member node is attacked, its threat intelligence is uploaded to the analysis cluster, which extracts the key fields, that is, classifies and labels the intelligence and extracts the attack time, attack source, attack mode, signature and so on.
In the formula above, i indicates the number of nodes submitting the threat intelligence; for example, i is 0 for the first federation member node to submit it and becomes 1 when a second node submits it. s_i is the timeliness term: when two federation member nodes submit at the same time, s_i is 1, and the longer the interval between submissions, the smaller s_i becomes, approaching 0. p_i is the hazard value, which is predetermined. A is the trusted value, equal to timeliness × hazard value of the attack type; A is the trusted value of a single event.
For example, attack source 3.3.3.3 carries out mail phishing against federation member nodes 1 and 2. Federation member node 1 uploads threat intelligence, and federation member node 2 then uploads the same. The formula above is used to calculate the trusted value of attack source 3.3.3.3 for this mail phishing event; suppose the result is 0.7.
2. Calculating the open-source threat intelligence trusted value
Open-source threat intelligence can be collected periodically in real time, and its trusted value is calculated from the attack type, event time, authority coefficient and so on of the intelligence. The calculation formula, as the description states it, is:
B = Σ s_i × p_i × au (summed over the i users who submitted the same type of threat intelligence)
where i is a positive integer indicating that the i-th user submitted threat intelligence of the same type; s_i is a positive number between 0 and 1 indicating the timeliness between the receipt time of the current threat intelligence and the first receipt of the same intelligence; p_i is the hazard value, a preset value; au is the authority coefficient of the open-source threat intelligence platform; and the trusted value B equals the sum, over the intelligence submitted by the i users, of hazard value × timeliness × authority coefficient.
s_i in this formula is likewise time-dependent for open-source threat intelligence. Open-source threat intelligence is public and accepts intelligence provided by social nodes, and s_i is the timeliness of the threat intelligence submitted by the different social groups. B = hazard value corresponding to the attack × timeliness × authority coefficient. au is the authority coefficient, the authority of the open-source threat intelligence platform's official publication; its value is available on the network.
3. Calculating a comprehensive trusted value of the threat intelligence information
From the trusted value of the federation member node intelligence and the trusted value of the open-source threat intelligence, the comprehensive trusted value of the threat intelligence is calculated as follows:
p=αA+βB
where α and β are adjustable parameters with α, β ≥ 0 and α+β=1. α and β can be set as required.
4. Information distribution
When the comprehensive trusted value is greater than the set trust threshold, the threat intelligence is distributed to the federation member nodes.
The threat intelligence library stores high-threat intelligence, which may be reported by federation member nodes or come from open-source intelligence. It is typically stored in the format { attack source, attack time, attack mode, signature … }.
The open-source threat intelligence module periodically acquires threat intelligence through third-party threat intelligence API interfaces published on the Internet and extracts { attack source, attack time, attack mode, signature, threat index … }.
Fig. 2 is a schematic diagram illustrating an automated network defense method according to an embodiment of the present disclosure. At block 100, an automated network defense process 100 according to some embodiments of the present disclosure begins: the intelligence uploaded by a federation member node is obtained together with the open-source threat intelligence fields.
At block 102, it is determined whether the received intelligence is new threat intelligence. This step is optional. If the determination is negative, the process proceeds to block 104, where the threat intelligence may be discarded.
If the determination is positive, the process proceeds to block 106, where the comprehensive trusted value of the threat intelligence is calculated from the acquired intelligence fields, in the manner described in detail above.
At block 108, the comprehensive trusted value is compared with the trust threshold. If it is less than the threshold, the process proceeds to block 110, where the analysis cluster temporarily stores the threat intelligence locally. This step is optional; such threat intelligence may also be discarded directly.
If the comprehensive trusted value is greater than the trust threshold, the process proceeds to block 112, where the threat intelligence is uploaded to the threat intelligence library.
At block 114, high-threat intelligence from the open-source threat intelligence is also uploaded to the threat intelligence library.
At block 116, the threat intelligence library distributes the acquired high-threat intelligence to the federation member nodes.
At block 118, each federation member node performs device linkage.
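The trusted-value computation of steps 1 to 4 and the Fig. 2 decision, written out as an added example (not code from the patent). It implements A = Σ s_i × p_i over the member-node reports of one event, B = Σ s_i × p_i × au over the open-source reports, p = αA + βB, and the publish/hold decision at blocks 108 to 112. The patent does not fix the decay function for the timeliness s, the hazard table, the authority coefficients, α or the threshold, so the values below (s = 1/(1 + Δt/TAU), the HAZARD and AUTHORITY tables, α = 0.6, threshold 0.9) are assumptions, and the sample reports are constructed; they mirror the two-node brute-force example in the detailed description, with a third, later report added to show the decay.

```python
"""Multidimensional trusted-value computation for federated threat intelligence.

Added example, not the patent's code. Computes
    A = sum_k s_k * p_k              (federation member-node reports)
    B = sum_k s_k * p_k * au_k       (open-source reports)
    p = alpha * A + beta * B,  alpha + beta = 1
and publishes when p > threshold, otherwise holds the intelligence locally.
Assumed (the patent does not fix them): the decay s = 1 / (1 + dt / TAU),
the hazard table, the authority coefficients, alpha and the threshold.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Report:
    attack_source: str   # attacking IP as reported
    attack_mode: str     # attack type; key into the hazard table
    received_at: float   # receipt time at the analysis cluster, seconds
    submitter: str       # federation node id, or open-source platform name
    feature: str = ""    # feature traffic / signature, carried through unchanged


HAZARD = {"brute_force": 0.8, "mail_phishing": 0.5, "port_scan": 0.2}  # preset p_i (assumed)
AUTHORITY = {"platform_a": 0.9, "platform_b": 0.6}                     # au (assumed)
TAU = 3600.0   # seconds after the first receipt at which s has fallen to 0.5 (assumed)


def timeliness(received_at: float, first_seen: float, tau: float = TAU) -> float:
    """s in (0, 1]: 1 for a report arriving together with the first one,
    decaying towards 0 as the gap to the first receipt grows."""
    dt = max(0.0, received_at - first_seen)
    return 1.0 / (1.0 + dt / tau)


def same_event(reports: Iterable[Report], source: str, mode: str) -> List[Report]:
    """Reports of one threat event (same attack source and attack mode),
    ordered by receipt so that the first element is the first receipt."""
    return sorted((r for r in reports if r.attack_source == source and r.attack_mode == mode),
                  key=lambda r: r.received_at)


def node_trust(reports: List[Report]) -> float:
    """A: sum over the i member-node reports of timeliness x hazard value."""
    if not reports:
        return 0.0
    first = reports[0].received_at
    return sum(timeliness(r.received_at, first) * HAZARD[r.attack_mode] for r in reports)


def osint_trust(reports: List[Report]) -> float:
    """B: sum over the open-source reports of timeliness x hazard x authority."""
    if not reports:
        return 0.0
    first = reports[0].received_at
    return sum(timeliness(r.received_at, first) * HAZARD[r.attack_mode] * AUTHORITY[r.submitter]
               for r in reports)


def comprehensive_trust(a: float, b: float, alpha: float) -> float:
    """p = alpha*A + beta*B with beta = 1 - alpha, so alpha, beta >= 0 and alpha + beta = 1."""
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("alpha must lie in [0, 1]")
    return alpha * a + (1.0 - alpha) * b


def decide(node_reports: Iterable[Report], osint_reports: Iterable[Report],
           source: str, mode: str, alpha: float = 0.6, threshold: float = 0.9) -> Tuple[float, str]:
    """Fig. 2 blocks 106-112: (p, "publish") when p exceeds the threshold,
    otherwise (p, "hold") so the cluster keeps the intelligence locally."""
    a = node_trust(same_event(node_reports, source, mode))
    b = osint_trust(same_event(osint_reports, source, mode))
    p = comprehensive_trust(a, b, alpha)
    return p, ("publish" if p > threshold else "hold")


# Constructed sample: two member nodes report brute force from the same source
# at the same time, a third node reports it one TAU later, node1 also reports
# an unrelated port scan, and no open-source platform has an alarm (B = 0).
NODE_REPORTS = [
    Report("3.3.3.3", "brute_force", 1000.0, "node1", "ssh-login-fail-burst"),
    Report("3.3.3.3", "brute_force", 1000.0, "node2", "ssh-login-fail-burst"),
    Report("3.3.3.3", "brute_force", 1000.0 + TAU, "node3", "ssh-login-fail-burst"),
    Report("5.5.5.5", "port_scan", 1200.0, "node1", "syn-sweep"),
]
OSINT_REPORTS: List[Report] = []

if __name__ == "__main__":
    for src, mode in (("3.3.3.3", "brute_force"), ("5.5.5.5", "port_scan")):
        p, action = decide(NODE_REPORTS, OSINT_REPORTS, src, mode)
        print(f"{src} {mode}: p={p:.2f} -> {action}")
```

Because A and B are sums rather than averages, the score grows with the number of corroborating reports, which is the intended effect of the multi-point mechanism; it also means the trust threshold has to be set against the hazard scale and the expected number of reporters, not as a value in [0, 1].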
The process according to the present invention is described below using specific examples.
First, anomalous traffic detection. An endpoint module is deployed in each federation member node and receives the mirrored traffic of that node's core switch; its traffic detection module continuously identifies malicious attack behaviour (such as password guessing, command execution, trojan files and malicious scanning), stores the malicious traffic and passes it to the endpoint transceiver module.
Second, intelligence extraction. The endpoint transceiver module has two functions: receiving malicious-behaviour traffic, and receiving and distributing threat intelligence. The malicious-behaviour traffic function receives the data sent by the traffic detection module, extracts and integrates the traffic information { attack source, attack time, attack mode, feature traffic … }, and sends the integrated data to the analysis cluster of the intelligent operation center for analysis and computation.
Third, trust determination. The analysis cluster receives the threat intelligence sent by the endpoint modules of the federation member nodes and performs multidimensional trusted computation. For example, attack intelligence is received from two nodes at the same time with the same attack source IP address and the attack mode brute-force cracking, whose hazard value is 8; at that moment the open-source threat intelligence has 0 alarms, so B is 0. The trusted value p is calculated with the set adjustment parameters, and whether the intelligence is distributed to the nodes is decided by comparing the trusted value with the upper and lower bounds of the set trust threshold.
Then, the federation member nodes collect and store intelligence. Threat intelligence { attack source, attack time, attack mode, signature … } is extracted from the high-threat intelligence and delivered to the threat intelligence library.
Open-source intelligence is collected and stored. Threat intelligence is periodically acquired through third-party threat intelligence API interfaces published on the Internet, and { attack source, attack time, attack mode, signature, threat index … } is extracted.
Finally, the security protection devices are linked. The device linkage module stores the security policies of the different devices, and the threat intelligence passed on by the endpoint transceiver module drives the different security product devices to change or add protection policies.
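The last step, device linkage, as an added example that is not the patent's code: a linkage module that holds one adapter per security device, turns each published { attack source, attack time, attack mode, signature } record into a policy change for that device, refuses to duplicate a rule that is already present, and expires rules after a lifetime. The patent names no products, so the two devices here are assumptions: a packet filter driven by iptables-style rules and an IDS driven by Suricata-style rules. The 24 h lifetime, the mapping of attack modes to devices and the sample records are likewise assumed. Since intelligence fields end up inside rule syntax, the adapters validate them (the source must parse as an IP address, the signature must not contain rule delimiters) rather than interpolating them blindly.

```python
"""Device linkage: turn threat intelligence published by the intelligent cloud
center into policy changes on a member node's security devices.

Added example, not the patent's code. Assumed: the record format
{attack source, attack time, attack mode, signature}, a packet filter that takes
iptables-style rules, an IDS that takes Suricata-style rules, a 24 h rule
lifetime, and which attack modes each device acts on.
"""
import zlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Intel:
    attack_source: str    # attacker IP
    attack_time: datetime
    attack_mode: str      # e.g. brute_force, command_execution, mail_phishing
    signature: str        # feature code extracted from the malicious traffic


class Device:
    """Adapter base class. Keeps the device's current rule set so re-issued
    intelligence refreshes a rule's expiry instead of adding a duplicate."""
    def __init__(self, name: str):
        self.name = name
        self.rules: Dict[str, datetime] = {}   # rule text -> expiry time

    def render(self, intel: Intel) -> Optional[str]:
        raise NotImplementedError

    def apply(self, intel: Intel, now: datetime, ttl: timedelta) -> Optional[str]:
        rule = self.render(intel)
        if rule is not None:
            self.rules[rule] = now + ttl
        return rule

    def expire(self, now: datetime) -> List[str]:
        """Drop rules whose lifetime has passed; returns the removed rule text."""
        gone = [r for r, exp in self.rules.items() if exp <= now]
        for r in gone:
            del self.rules[r]
        return gone


class PacketFilter(Device):
    """Blocks the attack source for every attack mode."""
    def render(self, intel: Intel) -> Optional[str]:
        src = ip_address(intel.attack_source)   # ValueError on anything but an IP
        return f"iptables -I INPUT -s {src} -j DROP"


class Ids(Device):
    """Adds a detection signature only for modes that are visible in traffic."""
    TRAFFIC_MODES = {"brute_force", "command_execution", "malicious_scanning", "trojan"}

    def render(self, intel: Intel) -> Optional[str]:
        if intel.attack_mode not in self.TRAFFIC_MODES:
            return None                       # e.g. mail phishing is not an IDS matter
        if any(c in intel.signature for c in '";\\'):
            raise ValueError("signature contains rule-syntax characters")  # refuse, do not escape
        src = ip_address(intel.attack_source)
        key = f"{src}|{intel.attack_mode}|{intel.signature}".encode()
        sid = 9000000 + zlib.crc32(key) % 1000000   # stable sid for the same intelligence
        return (f'alert tcp {src} any -> $HOME_NET any '
                f'(msg:"federation intel {intel.attack_mode}"; '
                f'content:"{intel.signature}"; sid:{sid}; rev:1;)')


class LinkageModule:
    """Drives every registered device with each published intelligence record."""
    def __init__(self, devices: Iterable[Device], ttl: timedelta = timedelta(hours=24)):
        self.devices = list(devices)
        self.ttl = ttl

    def on_intel(self, intel: Intel, now: datetime) -> Dict[str, str]:
        """Returns {device name: rule} for the devices whose policy changed."""
        changed: Dict[str, str] = {}
        for d in self.devices:
            rule = d.apply(intel, now, self.ttl)
            if rule is not None:
                changed[d.name] = rule
        return changed

    def expire(self, now: datetime) -> Dict[str, List[str]]:
        return {d.name: d.expire(now) for d in self.devices}


# Constructed sample records, as the threat intelligence library would issue them.
T0 = datetime(2020, 8, 17, 12, 0, 0)
SAMPLE_INTEL = [
    Intel("3.3.3.3", T0, "brute_force", "SSH-2.0-libssh"),
    Intel("4.4.4.4", T0, "mail_phishing", "invoice.zip"),
]

if __name__ == "__main__":
    module = LinkageModule([PacketFilter("edge-fw"), Ids("core-ids")])
    for rec in SAMPLE_INTEL:
        for dev, rule in module.on_intel(rec, T0).items():
            print(f"[{dev}] {rule}")
```

The adapters return the rule text instead of pushing it to a device, so the same module can be exercised offline; a deployment would hand the returned text to the device's management interface and keep the expiry bookkeeping, since a federation-wide block list that is never aged out is how a single false positive becomes a permanent outage on every member node.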
Fig. 3 is a diagram illustrating multi-device linkage defense according to an embodiment of the present disclosure. As shown, federation member node 1 is under attack and immediately reports the threat intelligence to the intelligent cloud center. The intelligent cloud center calculates a federation member node trusted value from the received threat intelligence and an open-source threat intelligence trusted value from the open-source threat intelligence, then calculates the comprehensive trusted value of the threat intelligence from the two. By comparing the comprehensive trusted value with the predetermined threshold, the intelligent cloud center determines whether the threat is a high threat. If so, it distributes the threat intelligence to all federation member nodes 1 to 8, and each of them, on receiving the threat intelligence, drives its security product devices to change or add protection policies.
In summary, the invention provides a lateral automated threat defense method based on an intelligence federation, combining lateral multi-point threat identification, distributed intelligence collection and distribution, and multi-point device linkage defense, so that defense no longer lags behind the attack as it does when relying on open-source threat intelligence alone.
As will be appreciated from the foregoing specification, the embodiments of the disclosure described above may be implemented using computer programming or engineering techniques including computer software, firmware, hardware, or any combination or subset thereof, the technical effect being the automated network defense described above. Any resulting program having computer-readable code means may be embodied or provided within one or more computer-readable media, thereby making a computer program product (i.e., an article of manufacture) according to the discussed embodiments. The computer-readable medium may be, for example and without limitation, a fixed (hard) drive, diskette, optical disk, magnetic tape, semiconductor memory such as read-only memory (ROM), and/or any transmitting/receiving medium such as the Internet or another communication network or link. The article of manufacture containing the computer code may be made and/or used by executing the code directly from one medium, by copying the code from one medium to another, or by transmitting the code over a network.
These computer programs (also known as programs, software, software applications, "applications" or code) include machine instructions for a programmable processor and may be implemented in a high-level procedural and/or object-oriented programming language and/or in assembly/machine language. As used herein, the terms "machine-readable medium", "computer-readable medium" and/or "computer program product, apparatus and/or device" refer to any medium used to provide machine instructions and/or data to a programmable processor (e.g., magnetic discs, optical disks, memory, programmable logic devices (PLDs)), including a machine-readable medium that receives machine instructions as a machine-readable signal. The terms "machine-readable medium" and "computer-readable medium" do not, however, include transient signals. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
Although the present disclosure has been described in connection with specific exemplary embodiments, it should be understood that various changes, substitutions and alterations can be made to the disclosed embodiments as would be apparent to one skilled in the art without departing from the spirit and scope of the disclosure as set forth in the appended claims.

Claims (11)

1. An automated network defense method for a network side, comprising:
receiving threat intelligence information from a federation member node;
calculating a trusted value of the threat intelligence information based on the threat intelligence information submitted by the federation member node;
calculating a trusted value of the threat intelligence information based on open-source threat intelligence information;
based on the calculated respective trusted values, calculating a comprehensive trusted value of the threat intelligence information; and
when the comprehensive trusted value is greater than a preset threshold, distributing the threat intelligence information to a plurality of federation member nodes.
2. The automated network defense method of claim 1, wherein the threat intelligence information has the following format:
{ attack source, attack time, attack mode, feature traffic … }, and
wherein calculating a trusted value of the threat intelligence information based on the threat intelligence information submitted by the federation member node comprises calculating a trusted value A of the threat intelligence information submitted by the federation member node using the following formula:
A = Σ s_i × p_i (summed over the i federation member nodes)
where i is a positive integer indicating the number of federation member nodes that submitted the same type of threat intelligence information; s_i is a positive number between 0 and 1 indicating the timeliness between the receipt time of the current threat intelligence information and the first receipt of the same threat intelligence information; p_i indicates the hazard value, a preset value; and A indicates the trusted value of a single threat event, equal to the sum over the i federation member nodes of each node's timeliness multiplied by the hazard value of the attack type.
3. The automated network defense method of claim 1, wherein the threat intelligence information has the following format:
{ attack source, attack time, attack mode, feature traffic … }, and
wherein calculating a trusted value of the threat intelligence information based on open-source threat intelligence information comprises calculating a trusted value B of the threat intelligence information using the following formula:
B = Σ s_i × p_i × au (summed over the i users who submitted the same type of threat intelligence information)
where i is a positive integer indicating that the i-th user submitted threat intelligence information of the same type; s_i is a positive number between 0 and 1 indicating the timeliness between the receipt time of the current threat intelligence information and the first receipt of the same threat intelligence information; p_i indicates the hazard value, a preset value; au indicates the authority coefficient of the open-source threat intelligence platform; and the trusted value B equals the sum, over the threat intelligence submitted by the i users, of hazard value × timeliness × authority coefficient.
4. The automated network defense method of claim 1 wherein calculating the comprehensive trusted value of the threat intelligence information comprises:
calculating the comprehensive trusted value P using the following formula:
P = αA + βB
wherein A is the trusted value of the threat intelligence information calculated based on the threat intelligence information submitted by the alliance member node, B is the trusted value of the threat intelligence information calculated based on the threat intelligence information of an open source, α and β are adjustable coefficients, α, β ≥ 0, and α + β = 1.
5. The automated network defense method of claim 1 further comprising:
when the comprehensive trusted value is larger than a preset threshold value, uploading the threat intelligence information to a threat intelligence database for storage and issuing it to the plurality of alliance member nodes so as to realize linkage defense of each alliance member node; and
when the comprehensive trusted value is smaller than the preset threshold value, temporarily storing the threat intelligence information locally.
6. The automated network defense method of claim 1 wherein the threat intelligence information of an open source is periodically obtained from the internet and extracted from the threat intelligence information of an open source in the following format:
{ attack source, attack time, attack mode, feature traffic … … }.
7. An automated network defense method for a federation member node side, comprising:
identifying malicious traffic indicating malicious attack behavior from core switch mirror traffic of the alliance member node;
extracting and integrating threat intelligence information from the identified malicious traffic, wherein the threat intelligence information has the following format: { attack source, attack time, attack mode, feature traffic … … };
and sending the obtained threat information to a network side.
8. The automated network defense method of claim 7 further comprising:
receiving, at an alliance member node, threat intelligence information issued from the network side; and
based on the security policies stored at the federation member node, driving different security product devices to alter or add security protection policies.
9. An automated network defense device at the network side comprising means for implementing the method steps of any of claims 1-6.
10. An automated network defense device on the node side of a federation member comprising means for implementing the method steps of any of claims 7-8.
11. A computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method steps of any of claims 1-8.
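The scoring pipeline of claims 2 to 5 (member-node trust A, open-source trust B, comprehensive value P = αA + βB, threshold decision), as an added worked example that is not part of the patent. The formula images are absent from this page, so A is read here as ΣSi + P for the attack type and B as ΣPi·Si·Au; the linear one-day timeliness decay, the sample reports and all numeric values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    """One report of the same threat type, following the claim format
    {attack source, attack time, attack mode, feature traffic ...}."""
    source: str           # attack source (constructed sample value)
    attack_mode: str      # attack mode
    received_at: float    # epoch seconds when this copy was received
    hazard: float         # preset hazard value P_i for the attack type

def timeliness(received_at: float, first_seen: float, window: float = 86400.0) -> float:
    """S_i in [0, 1]: assumed linear decay over a one-day window. The claims only
    say S_i lies between 0 and 1 and measures the gap to the first receipt."""
    age = max(0.0, received_at - first_seen)
    return max(0.0, 1.0 - age / window)

def member_trust(reports: list[Report]) -> float:
    """A (claim 2), read as the sum of S_i over the i member nodes plus the
    hazard value of the attack type (an interpretation of the claim text)."""
    if not reports:
        return 0.0
    first = min(r.received_at for r in reports)
    return sum(timeliness(r.received_at, first) for r in reports) + reports[0].hazard

def open_source_trust(reports: list[Report], authority: float) -> float:
    """B (claim 3): sum of P_i * S_i * Au over the i open-source submissions."""
    if not reports:
        return 0.0
    first = min(r.received_at for r in reports)
    return sum(r.hazard * timeliness(r.received_at, first) * authority for r in reports)

def comprehensive_trust(a: float, b: float, alpha: float, beta: float) -> float:
    """P = alpha*A + beta*B (claim 4), enforcing alpha, beta >= 0 and alpha + beta = 1."""
    if alpha < 0 or beta < 0 or abs(alpha + beta - 1.0) > 1e-9:
        raise ValueError("alpha and beta must be non-negative and sum to 1")
    return alpha * a + beta * b

def decide(p: float, threshold: float) -> str:
    """Claim 5: publish to the database and member nodes above the threshold,
    otherwise keep the intelligence locally."""
    return "publish" if p > threshold else "store_locally"

# Constructed sample: three member nodes and two open-source users report the
# same port-scan source (documentation address) within half a day.
T0 = 1_700_000_000.0
MEMBER_REPORTS = [Report("198.51.100.7", "port-scan", T0 + dt, 2.0) for dt in (0, 3600, 43200)]
OPEN_REPORTS = [Report("198.51.100.7", "port-scan", T0 + dt, 2.0) for dt in (0, 21600)]

def score_sample(alpha: float = 0.6, beta: float = 0.4, authority: float = 0.8, threshold: float = 3.0):
    """Run the whole pipeline on the sample and return (A, B, P, decision)."""
    a = member_trust(MEMBER_REPORTS)
    b = open_source_trust(OPEN_REPORTS, authority)
    p = comprehensive_trust(a, b, alpha, beta)
    return a, b, p, decide(p, threshold)
```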

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010831024.7A CN114157440B (en) 2020-08-18 2020-08-18 Automatic network defense method, equipment and computer readable storage medium


Publications (2)

Publication Number Publication Date
CN114157440A CN114157440A (en) 2022-03-08
CN114157440B true CN114157440B (en) 2024-01-26

Family

ID=80460435


Country Status (1)

Country Link
CN (1) CN114157440B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108600212A (en) * 2018-04-19 2018-09-28 北京邮电大学 Threat information credibility method of discrimination and device based on the credible feature of various dimensions
CN109672674A (en) * 2018-12-19 2019-04-23 中国科学院信息工程研究所 A kind of Cyberthreat information confidence level recognition methods
WO2019142049A1 (en) * 2018-01-17 2019-07-25 Geeq Corporation Blockchain methods, nodes, systems and products
CN110807209A (en) * 2019-11-01 2020-02-18 腾讯科技(深圳)有限公司 Data processing method, device and storage medium
CN111444277A (en) * 2020-03-31 2020-07-24 中国刑事警察学院 Anti-terrorist information collaborative sharing platform and method based on block chain technology


Also Published As

Publication number Publication date
CN114157440A (en) 2022-03-08


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant