CN114189361B - Situation awareness method, device and system for defending threat

Info

Publication number: CN114189361B
Authority: CN (China)
Prior art keywords: threat, information, item, defense, target
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202111375012.9A
Other languages: Chinese (zh)
Other versions: CN114189361A
Inventors: 杨腾霄, 崔政强, 严涛
Current assignee: Shanghai Niudun Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Shanghai Niudun Technology Co ltd

Events:
    • Application filed by Shanghai Niudun Technology Co ltd
    • Priority to CN202111375012.9A
    • Publication of CN114189361A
    • Application granted
    • Publication of CN114189361B
    • Legal status: Active (current)
    • Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention provides a situation awareness method, device and system for defending against threats, and relates to the technical field of network security. The method comprises the following steps: collecting alarm information in a network environment and calling the log information related to that alarm information; arranging the log information and performing threat intelligence analysis on it to obtain threat intelligence, which comprises threat item information and abnormal item information in the network environment; acquiring a target threat item and/or a target abnormal item, setting a tracking mark on it, and tracking the associated threats and/or associated anomalies that the target threat item and/or target abnormal item causes in the network environment; and carrying out joint defense by combining the target threat item and/or target abnormal item with its associated threat and/or associated anomaly information. The invention thus obtains the threat items and abnormal items in the network environment by analyzing threat intelligence, and performs joint defense by combining the target items among them with their associated threat and/or anomaly information.

Description

Situation awareness method, device and system for defending threat
Technical Field
The invention relates to the technical field of network security, in particular to a situation awareness method for defending threats.
Background
In the prior art, the situation awareness system integrates a plurality of data information systems such as antivirus software, a firewall, a network management system, an intrusion monitoring system, a security audit system and the like to complete evaluation of the current network environment condition and prediction of the future change trend of the network environment.
In order to ensure network security and perception capability of potential network threats, threat information analysis is performed on existing alarm information, log information of network nodes and security log information of network security equipment to obtain threat item and abnormal item information in a network environment, and defense is performed according to a defense scheme of a threat information database in a situation awareness system, so that precise defense and protection of network security are realized, and stable operation of network security is ensured. In practice, however, threat analysis from multiple aspects is required to face a complex network environment, and various defense methods are used to realize security defense against threat items and abnormal items in the network environment.
Providing a situation awareness method, device and system for defending against threats that obtains the threat items and abnormal items in the network environment by analyzing threat intelligence, and performs joint defense by combining the target threat items and/or target abnormal items among them with their associated threat and/or associated anomaly information, so as to guarantee stable operation of network security, is therefore a technical problem that urgently needs to be solved.
Disclosure of Invention
The aim of the invention is as follows: the invention collects alarm information in a network environment and calls the log information related to that alarm information, where the log information comprises system log information and the log information of network nodes; the log information is arranged and subjected to threat intelligence analysis to obtain threat intelligence, which comprises threat item information and abnormal item information in the network environment; a target threat item and/or a target abnormal item is acquired, a tracking mark is set on it, and the associated threats and/or associated anomalies that it causes in the network environment are tracked; and, combining the target threat item and/or target abnormal item with its associated threat and/or associated anomaly information, the corresponding defense scheme in the situation awareness threat database is called to perform joint defense.
In order to solve the existing technical problems, the invention provides the following technical scheme:
a situation awareness method for defending threats is characterized by comprising the steps of,
collecting alarm information and calling log information related to the alarm information in a network environment; the log information comprises system log information and log information of a network node;
the log information is arranged for threat information analysis, so that threat information is obtained; the threat information comprises threat item information and abnormal item information in a network environment;
acquiring a target threat item and/or a target abnormal item, setting a tracking mark for the target threat item and/or the target abnormal item, and tracking association threat and/or association abnormality caused by the target threat item and/or the target abnormal item in a network environment;
and combining the target threat item and/or the target abnormal item and the associated threat and/or the associated abnormal information, and calling a corresponding defense scheme in the situation awareness threat database to perform joint defense.
Further, the threat intelligence includes known threat intelligence and unknown threat intelligence: when the threat intelligence is already stored in the threat intelligence database of the situation awareness system it is known threat intelligence; otherwise it is unknown threat intelligence.
Further, when the threat information is judged to be known, a defense scheme in a threat information database of a preset situation awareness system is called to defend threat items in the threat information; and when the threat information is judged to be unknown, analyzing abnormal items corresponding to the triggering alarm in the threat information to call a defending scheme of a network security database so as to cope with the unknown threat information.
Further, the step of analyzing the unknown threat intelligence information is as follows,
extracting threat features in the unknown threat information, marking the types of the threat features, and counting the number of threat features corresponding to various types;
selecting the type with the largest number of threat features as a preferred defending type, and selecting a corresponding defending scheme from the preset situation awareness threat database based on the preferred defending type;
based on the foregoing defense scheme, heuristic defenses are performed.
Further, the heuristic defense includes adopting one defense scheme, adopting sequential defense with a plurality of defense schemes, or adopting out-of-order defense with a plurality of defense schemes; out-of-order defense ranks all threat features extracted from the unknown threat intelligence in the order primary, secondary, common according to how they affect the network environment, and adjusts the steps and order of defense in the defense scheme accordingly.
Further, the threat features covered by the invoked defense scheme are fewer than the threat features contained in the unknown threat intelligence, both in number and in type; and after the heuristic defense corresponding to the preferred defense type is finished, a corresponding defense scheme is selected from the situation awareness threat database for each of the other defense types besides the preferred defense type.
Further, the associated threats and/or associated anomalies that the threat items and/or abnormal items cause in the network environment are used to judge whether the predicted situation awareness trend is correct; the threat information here refers to behavior description information for network threats generated in real time, where network threats include network attacks, Trojan viruses and advanced persistent threats.
Further, the alarms include alarms for the threat items and/or abnormal items and alarms for the threat items and/or abnormal items causing associated threats and/or associated anomalies to the network environment.
A situation awareness device for defending threats is characterized by comprising the following structure:
the information acquisition unit is used for acquiring alarm information and calling log information related to the alarm information in the network environment; the log information comprises system log information and log information of a network node;
the information arrangement unit is used for arranging the log information to carry out threat information analysis to obtain threat information; the threat information comprises threat item information and abnormal item information in a network environment;
the information marking unit is used for acquiring a target threat item and/or a target abnormal item, setting a tracking mark for the target threat item and/or the target abnormal item, and tracking the associated threat and/or the associated abnormality caused by the target threat item and/or the target abnormal item in the network environment;
and the information defense unit is used for combining the target threat item and/or the target abnormal item and the associated threat and/or the associated abnormal information thereof, and calling a corresponding defense scheme in the situation awareness threat database to perform joint defense.
A situational awareness system for defending against threats, comprising:
a network node for receiving and transmitting data;
the situation awareness system regularly detects the network nodes triggering the alarm and carries out security analysis on log information of the network nodes;
the system server is connected with the network node and the situation awareness system;
the system server is configured to: collecting alarm information and calling log information related to the alarm information in a network environment; the log information comprises system log information and log information of a network node; the log information is arranged for threat information analysis, so that threat information is obtained; the threat information comprises threat item information and abnormal item information in a network environment; acquiring a target threat item and/or a target abnormal item, setting a tracking mark for the target threat item and/or the target abnormal item, and tracking association threat and/or association abnormality caused by the target threat item and/or the target abnormal item in a network environment; and combining the target threat item and/or the target abnormal item and the associated threat and/or the associated abnormal information, and calling a corresponding defense scheme in the situation awareness threat database to perform joint defense.
The invention has the following advantages and positive effects: alarm information is collected in the network environment and the log information related to it is called, where the log information comprises system log information and the log information of network nodes; the log information is arranged and subjected to threat intelligence analysis to obtain threat intelligence, which comprises threat item information and abnormal item information in the network environment; a target threat item and/or a target abnormal item is acquired, a tracking mark is set on it, and the associated threats and/or associated anomalies that it causes in the network environment are tracked; and, combining the target threat item and/or target abnormal item with its associated threat and/or associated anomaly information, the corresponding defense scheme in the situation awareness threat database is called to perform joint defense.
Further, the step of analyzing the unknown threat information includes extracting threat features from the unknown threat information, marking types of the threat features, and counting the number of the threat features corresponding to the types; selecting the type with the largest number of threat features as a preferred defending type, and selecting a corresponding defending scheme from the preset situation awareness threat database based on the preferred defending type; based on the foregoing defense scheme, heuristic defenses are performed.
Further, the heuristic defense includes adopting one defense scheme, adopting sequential defense with a plurality of defense schemes, or adopting out-of-order defense with a plurality of defense schemes; out-of-order defense ranks all threat features extracted from the unknown threat intelligence in the order primary, secondary, common according to how they affect the network environment, and adjusts the steps and order of defense in the defense scheme accordingly.
Further, the threat features covered by the invoked defense scheme are fewer than the threat features contained in the unknown threat intelligence, both in number and in type; and after the heuristic defense corresponding to the preferred defense type is finished, a corresponding defense scheme is selected from the situation awareness threat database for each of the other defense types besides the preferred defense type.
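The unknown-intelligence procedure described above (extract and type the threat features, count them per type, take the type with the most features as the preferred defense type, then defend heuristically in sequential or out-of-order fashion and move on to the remaining types) is worked through here as an added example; it is not code from the patent, and the feature set, type names, severity labels and the defense schemes standing in for the situation awareness threat database are all constructed.

```python
from collections import Counter

# Out-of-order defense handles primary features first, then secondary, then common.
SEVERITY_RANK = {"primary": 0, "secondary": 1, "common": 2}

# Constructed threat features extracted from one piece of unknown threat
# intelligence: (feature, feature type, how strongly it affects the environment).
UNKNOWN_INTEL_FEATURES = [
    ("outbound connection to unlisted host", "c2_traffic", "primary"),
    ("periodic beacon every 60s", "c2_traffic", "secondary"),
    ("burst of dns txt lookups", "c2_traffic", "common"),
    ("autorun entry written", "persistence", "primary"),
    ("scheduled task created", "persistence", "common"),
    ("credential store read", "credential_access", "primary"),
]

# Constructed stand-in for the situation awareness threat database: one defense
# scheme per feature type; each step is tagged with the feature it addresses.
DEFENSE_SCHEMES = {
    "c2_traffic": [
        ("block egress to the unlisted host", "outbound connection to unlisted host"),
        ("redirect dns to a sinkhole resolver", "burst of dns txt lookups"),
        ("rate-limit the beacon interval", "periodic beacon every 60s"),
    ],
    "persistence": [
        ("remove the scheduled task", "scheduled task created"),
        ("delete the autorun entry", "autorun entry written"),
    ],
    "credential_access": [
        ("enable credential store protection", "credential store read"),
    ],
}


def count_feature_types(features):
    """Mark each feature's type and count how many features fall under each type."""
    return Counter(ftype for _, ftype, _ in features)


def preferred_defense_type(features):
    """The type with the most threat features becomes the preferred defense type.
    Ties are broken alphabetically so the choice is deterministic."""
    counts = count_feature_types(features)
    return min(counts, key=lambda t: (-counts[t], t))


def check_scheme_fits(features, scheme):
    """The invoked scheme must not cover more features than the intelligence
    contains: reject a scheme that references a feature we never observed."""
    observed = {feat for feat, _, _ in features}
    return all(feat in observed for _, feat in scheme)


def order_out_of_order(features, scheme):
    """Out-of-order defense: rank the features primary > secondary > common and
    reorder the scheme's steps to follow that ranking."""
    ranked = sorted(features, key=lambda f: SEVERITY_RANK[f[2]])
    priority = {feat: i for i, (feat, _, _) in enumerate(ranked)}
    return sorted(scheme, key=lambda step: priority.get(step[1], len(priority)))


def plan_heuristic_defense(features, schemes, mode="out-of-order"):
    """Build the defense plan: the preferred type first, then the remaining types
    in descending feature count; each type's steps are taken either in the
    scheme's stored order ("sequential") or reordered by severity ("out-of-order")."""
    counts = count_feature_types(features)
    first = preferred_defense_type(features)
    rest = sorted((t for t in counts if t != first), key=lambda t: (-counts[t], t))
    plan = []
    for ftype in [first] + rest:
        scheme = schemes.get(ftype)
        if scheme is None:
            continue  # the database holds no scheme for this type
        type_feats = [f for f in features if f[1] == ftype]
        if not check_scheme_fits(type_feats, scheme):
            continue  # scheme is broader than the evidence; do not apply it blindly
        steps = order_out_of_order(type_feats, scheme) if mode == "out-of-order" else list(scheme)
        plan.append((ftype, [action for action, _ in steps]))
    return plan


if __name__ == "__main__":
    for ftype, actions in plan_heuristic_defense(UNKNOWN_INTEL_FEATURES, DEFENSE_SCHEMES):
        print(ftype, "->", actions)
```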
Drawings
Fig. 1 is a flowchart provided in an embodiment of the present invention.
Fig. 2 is another flowchart provided in an embodiment of the present invention.
Fig. 3 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a system according to an embodiment of the present invention.
Reference numerals illustrate:
the device 200, the information acquisition unit 201, the information arrangement unit 202, the information marking unit 203 and the information defending unit 204;
system 300, network node 301, situation awareness system 302, system server 303.
Detailed Description
The situation awareness method, device and system for defending threat disclosed by the invention are further described in detail below with reference to the accompanying drawings and specific embodiments. It should be noted that the technical features or combinations of technical features described in the following embodiments should not be regarded as being isolated, and they may be combined with each other to achieve a better technical effect. In the drawings of the embodiments described below, like reference numerals appearing in the various drawings represent like features or components and are applicable to the various embodiments. Thus, once an item is defined in one drawing, no further discussion thereof is required in subsequent drawings.
It should be noted that the structures, proportions, sizes, etc. shown in the drawings are used only in conjunction with the disclosure of the present specification and are not intended to limit the applicable scope of the present invention. The scope of the preferred embodiments of the present invention includes additional implementations in which functions may be performed out of the order described or discussed, including in a substantially simultaneous manner or in the reverse order, depending on the function involved, as would be understood by those of skill in the art to which embodiments of the present invention pertain.
Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail, but should be considered part of the specification where appropriate. In all examples shown and discussed herein, any specific values should be construed as merely illustrative, and not a limitation. Thus, other examples of the exemplary embodiments may have different values.
Examples
Referring to fig. 1, a flowchart is provided in an embodiment of the present invention. The implementation step S100 of the method is as follows:
S101, collecting alarm information and calling log information related to the alarm information in a network environment; the log information includes system log information and log information of network nodes.
In a preferred implementation manner of this embodiment, the alarm is an event report for transmitting alarm information, which is also called an alarm event for short. It can be defined by the manufacturer or by the network manager in combination with alarms in the network. In one alarm, the monitoring unit of the network management system gives alarm signals according to the fault condition, and each time the system receives an alarm signal, the system represents the occurrence of one alarm event, performs fault description in the form of alarm information and displays the alarm information in the alarm information management center of the network management system. The failure is the cause of an alarm event generated by a device in the network.
The alarm information comprises the alarm information of the network node and the alarm information triggering the alarm of the network node. The alarm information includes, but is not limited to, information about the name of the fault device, symptoms of the fault, the location of occurrence, time of occurrence, reason of occurrence, etc.
Meanwhile, the alarm information can be divided into historical alarm information and real-time alarm information according to time.
The system log is managed and protected by the system and cannot be changed arbitrarily. The system log strictly records the system behavior, and potential system intrusion can be timely recorded and predicted through the system log information.
By way of example and not limitation, when the system log records that the system has received uninterrupted, repeated connection requests on network ports within a short period of time, it can be determined from this indication with high probability that an intruder is scanning the system from outside with a port scanner in preparation for access. The network equipment used by the intruder can then be tracked from the intrusion trail in the system log information, and the corresponding defensive operation adopted to keep the network running safely and stably.
The system log information includes, but is not limited to: system security log, network log, audit data, access operation behavior information of each network node in the network environment, and the like.
The network node refers to a terminal having independent network addresses and data processing functions in a network environment, including, but not limited to, functions of transmitting data, receiving data, and/or analyzing data. The network node may be a workstation, a client, a network user or a personal computer, or may be a server, a printer or other network-connected device.
The whole network environment comprises a plurality of network nodes which are connected through communication lines to form a network topology structure. The communication line may be a wired communication system or a wireless communication system.
The log information of the network node refers to event records generated during operation of network equipment, a system, a service program and the like, wherein each row of log records the description of related operations such as date, time, users, actions and the like. The log information of the network node includes, but is not limited to, duration of connection, protocol type, network service type of the target host, status of normal or erroneous connection, number of data bytes from source host to target host, number of data bytes from target host to source host, number of erroneous segments, number of urgent packets, etc.
S102, arranging the log information to perform threat information analysis to obtain threat information; the threat intelligence information includes threat item information and abnormal item information in a network environment.
Arranging preferably means that the log information undergoes data processing before it is analyzed; the data processing includes, but is not limited to, prior-art operations such as data filtering, data normalization and data cleaning of the log information, so as to facilitate the subsequent analysis and reduce wasted computation.
Threat source information is obtained from the log information by means of the threat intelligence analysis rules, and the threat intelligence is derived from it. The threat source may be a compromised network node in the network environment, a device affected by a network vulnerability, a node under network attack, and so on.
The threat intelligence may come from two sources. The first is internal threat intelligence, whose data sources include the asset and environment attribute data to be protected in the enterprise's internal network environment, log data from the various internal devices and systems, alarm data, captured packet information, statistics, metadata and the like. The second is external threat intelligence, namely data collected from the external network environment (relative to the enterprise's internal network) and correlated with the data collected from the internal sources; such data is regarded as external threat intelligence when it correlates with a protected object.
Threat intelligence analysis means analyzing the log information according to preset threat intelligence analysis rules in order to obtain threat intelligence. The threat intelligence describes the threats in the network environment: for example the path of a threat item located on a network node or user terminal, and file characteristics of the threat item such as its MD5 hash.
Threat intelligence analysis uses a threat intelligence library to perform correlation analysis on data such as access traffic and network node log information, and thereby identifies possible threat events, chiefly intrusion behaviors that are hard to discover directly, such as access to malicious domain names, access to malicious download sources and access to malicious IP addresses.
The threat intelligence analysis rules are based on associative analysis of threat intelligence data. The existence of the threat information analysis rule can improve the security event analysis efficiency, the detection capability of threat behaviors and the response speed.
The threat intelligence analysis rules can be automatically acquired from a threat intelligence database of the network security database. Often, the threat intelligence analysis rules include a plurality of sub-rules, wherein each sub-rule may be used to process one or more threats.
When analysis is based on the preset threat intelligence analysis rules, the log is first examined to find which problem of the threatened object allowed the intrusion, such as abnormal CPU usage or abnormal memory usage; the attack route can then be determined from the timing of the events. The threatened object here may be an affected system, device, process or the like.
A threat item may be a system object, a non-system object or the like that presents and/or forms a threat to a network node. By way of example and not limitation, a threat item may be a process, a URL (uniform resource locator) access behavior, an IP (Internet Protocol) access, a port access, a DNS (domain name system) entry, a mailbox address, a mail attachment, or the like.
Abnormal items are warnings or errors that occur while a program or system is running and that often affect the robustness, reliability and security of the program. By way of example and not limitation, abnormal items include, but are not limited to, abnormal states, abnormal signals, abnormal operations, abnormal behaviors and abnormal values in the network environment.
In a preferred implementation of this embodiment, the anomaly may preferably be an anomaly that the aforementioned threat causes to exist in the network environment. The abnormal item may be a compromised and/or potentially compromised system object, a non-system object, etc., and the abnormal item may be a compromised computer, a compromised port, access rights, control rights, etc.
The abnormal items may include, but are not limited to, processes, URL access behaviors, IP access, port access, DNS, mailbox addresses, mail attachments, gaining access and control rights, and the like.
It is further worth noting that a threat item and an abnormal item may be the same system object, non-system object, etc.: when a threat item poses a threat to a network node and/or its associated network nodes, the threat item itself may be an abnormal item in the network environment.
Alternatively, a threat item present in the network environment may cause new abnormal items to appear, in which case the threat item and the abnormal items are different system objects, non-system objects, etc.
By way of example and not limitation, when the threat item in the network environment is a system object A or a non-system object B, the abnormal item may be that same system object A or non-system object B; or, when the abnormal item is a system object A1 or non-system object B1 obtained from A or B by network mirroring, A1 or B1 is considered identical to A or B, so that the threat item and the abnormal item are the same system object or non-system object.
Similarly, when the threat item in the network environment is the system object A or the non-system object B and it causes new abnormal items C and D to appear in the network environment, the threat item and the abnormal items are different system objects, non-system objects, etc.
S103: Acquire a target threat item and/or a target abnormal item, set a tracking mark on it, and track the associated threats and/or associated anomalies that the target threat item and/or target abnormal item causes in the network environment.
The target threat item may be selected by a user from the threat items or selected automatically by the situation awareness system; for example, the system may select the threat item with the greatest threat impact as the target threat item.
The target abnormal item may likewise be selected by a user from the abnormal items or selected automatically by the situation awareness system, for example the abnormal item with the greatest abnormal impact.
The tracking mark is a mark set on the target threat item and/or target abnormal item so that the associated threats and/or associated anomalies they cause in the network environment can be followed.
An associated threat is the situation in which a network node carrying the target threat item performs a related operation in the network environment (such as access, copy, or upload) and the target threat item thereby causes a related threat item to appear on an associated network node.
An associated anomaly is the situation in which a network node carrying the target abnormal item performs a related operation or exhibits a related abnormal condition in the network environment (such as an access-rights anomaly or a CPU cache anomaly) and the target abnormal item thereby causes a related abnormal item to appear on an associated network node.
S104: Combine the target threat item and/or target abnormal item with its associated threat and/or associated anomaly information, and call the corresponding defense scheme in the situation awareness threat database to perform joint defense.
The defense schemes in the situation awareness threat database may include, but are not limited to: establishing a threat intrusion defense system for rapidly detecting, preventing and containing threat intrusions; placing a threatening process into an isolation zone; intercepting a threatening URL, IP address or DNS name by firewall rules; blocking a threatening mailbox address at the mail server and recalling a threatening attachment through the mail server; and adding source IP addresses, terminal identifiers and user identifiers that exhibit anomalies to a blacklist, adding those that do not to a whitelist, and controlling data access requests according to the blacklist and whitelist.
The advantage of this is that, once a threat item is detected, the defense scheme corresponding to it in the preset situation awareness threat database can be called automatically to carry out the corresponding network security defense operation.
Joint defense preferably means a defense operation performed by calling the corresponding defense scheme in the situation awareness threat database against the target threat item and/or target abnormal item together with its associated threat and/or associated anomaly information.
The defense operation includes, but is not limited to, detection, protection and interception of the target threat item and/or target abnormal item and its associated threats and/or associated anomalies once they have been combined.
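The tracking and joint-defense steps S103 and S104 above, as an added example in Python that is not part of the patent or of any product of the applicant. It assumes a constructed event log (not real telemetry) in which each event records the node that performed an operation, the item it carried, the node it reached and the item that appeared there; the node names, the "kind:value" item identifiers and the `DEFENSE_SCHEMES` table are illustrative stand-ins for the situation awareness threat database:

```python
"""Tracking-mark propagation (S103) and joint defense (S104).

Added illustration, not the patent's code. Assumptions: events are dicts with
src_node, op, item, dst_node and produced; items are "kind:value" strings.
"""
from collections import deque

# Related operations through which a marked item spreads (S103: access, copy, upload ...).
RELATED_OPS = {"access", "copy", "upload", "exec"}

# Constructed sample event log; node names and items are illustrative, not real telemetry.
EVENTS = [
    {"src_node": "host-a", "op": "exec",   "item": "process:dropper.exe",
     "dst_node": "host-a", "produced": "url:http://c2.example/beacon"},
    {"src_node": "host-a", "op": "copy",   "item": "process:dropper.exe",
     "dst_node": "host-b", "produced": "process:dropper.exe"},
    {"src_node": "host-b", "op": "upload", "item": "process:dropper.exe",
     "dst_node": "mail-1", "produced": "attachment:invoice.zip"},
    {"src_node": "host-c", "op": "access", "item": "url:http://intranet.example/",
     "dst_node": "host-d", "produced": "dns:intranet.example"},
    {"src_node": "host-b", "op": "login",  "item": "process:dropper.exe",
     "dst_node": "host-e", "produced": "rights:admin"},
]

# Assumed situation awareness threat database: one defense scheme per item kind (S104).
DEFENSE_SCHEMES = {
    "process":    lambda node, v: f"isolate process {v} on {node}",
    "url":        lambda node, v: f"firewall: intercept URL {v}",
    "ip":         lambda node, v: f"firewall: intercept IP {v}",
    "dns":        lambda node, v: f"firewall: intercept DNS {v}",
    "mailbox":    lambda node, v: f"mail server: block sender {v}",
    "attachment": lambda node, v: f"mail server: recall attachment {v} from {node}",
}


def track(events, target_node, target_item):
    """Set a tracking mark on (target_node, target_item) and follow it through related
    operations. Returns {node: {items}} covering the target and every associated item."""
    marked = {target_node: {target_item}}
    seen = {(target_node, target_item)}
    queue = deque(seen)
    while queue:
        node, item = queue.popleft()
        for ev in events:
            if ev["src_node"] != node or ev["item"] != item or ev["op"] not in RELATED_OPS:
                continue
            key = (ev["dst_node"], ev["produced"])
            if key not in seen:
                seen.add(key)
                marked.setdefault(ev["dst_node"], set()).add(ev["produced"])
                queue.append(key)
    return marked


def joint_defense(marked):
    """S104: combine target and associated items and call the scheme for each item kind."""
    actions = []
    for node in sorted(marked):
        for item in sorted(marked[node]):
            kind, _, value = item.partition(":")
            scheme = DEFENSE_SCHEMES.get(kind)
            actions.append(scheme(node, value) if scheme
                           else f"no scheme for {item} on {node}; escalate to analyst")
    return actions


def blacklist(marked):
    """Every node that carried a marked item goes on the blacklist used to gate access requests."""
    return sorted(marked)


if __name__ == "__main__":
    marked = track(EVENTS, "host-a", "process:dropper.exe")
    for node, items in sorted(marked.items()):
        print(node, sorted(items))
    for action in joint_defense(marked):
        print(action)
    print("blacklist:", blacklist(marked))
```

Only operations listed in `RELATED_OPS` propagate the mark, so the constructed `login` event that grants `rights:admin` on host-e is not tracked; a deployment would normally add lateral-movement operations to that set. Note also that a whitelist built from sources that have merely not yet shown an anomaly, as the description suggests, is a weak control: a compromised but quiet host stays whitelisted until it misbehaves, so the blacklist should take precedence and the whitelist should be re-derived regularly rather than treated as static.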
Preferably, threat intelligence comprises known threat intelligence and unknown threat intelligence: threat intelligence that is stored in the threat intelligence database of the situation awareness system is known threat intelligence; otherwise it is unknown threat intelligence.
Preferably, when the threat intelligence is judged to be known, the defense scheme in the threat intelligence database of the preset situation awareness system is called to defend against the threat items in that intelligence; when it is judged to be unknown, the abnormal items corresponding to the triggered alarm in the threat intelligence are analyzed in order to call a defense scheme from the network security database to cope with the unknown threat intelligence.
Referring to fig. 2, another flowchart of an embodiment of the present invention is provided, in which step S110, analyzing the unknown threat intelligence information, is as follows.
S111: Extract the threat features in the unknown threat intelligence, mark the type of each threat feature, and count the number of threat features of each type.
Threat features include, but are not limited to, malicious code transmission behavior, C&C (command-and-control) activity, malicious IP addresses, malicious URLs (uniform resource locators), malicious domain names, MD5 hashes of malicious samples, and the like.
Threat features may be typed in several ways: by attribute, into hash values, IP addresses, domain names, network or host features, and so on; by usage scenario, into tactical intelligence used mainly for automated detection and analysis, operational intelligence used for security response analysis, and strategic intelligence guiding the overall security investment strategy; and by feature form, into singular, non-numerical, combined, and so on.
By way of example and not limitation, suppose all the threat features in the acquired unknown threat intelligence a are threat feature 1, threat feature 2, ..., threat feature N (N a positive integer greater than or equal to 2), and their types are marked.
The types of threat features 1 through N may then be labelled type 1, type 2, ..., type M (M a positive integer less than or equal to N), and the number of threat features of each type counted as P1, P2, ..., PM, where each Pi is a positive integer less than or equal to N and P1 + P2 + ... + PM = N.
S112: Select the type containing the largest number of threat features as the preferred defense type, and select the corresponding defense scheme from the preset situation awareness threat database based on that preferred defense type.
By way of example and not limitation, once types 1 through M and their counts P1 through PM are known, defense schemes are selected from the preset situation awareness threat database whose threat-feature types match the types extracted from the unknown threat intelligence and which cover the largest number of those threat features, since such a scheme resolves the largest part of the unknown threat.
That is, the defense scheme selected from the preset situation awareness threat database is compared against the threat features, their types and their numbers. For example, with 7 threat features (N = 7) of types 1, 2 and 3 (M = 3), and 4, 2 and 1 features of those types respectively (P1 = 4, P2 = 2, P3 = 1), P1 is the largest, so the preferred defense type is type 1 and the defense scheme is selected first on the basis of type 1.
Because the threat features come from unknown threat intelligence, it is difficult to select from the preset situation awareness threat database a defense scheme that matches the threat features, their types and their numbers one to one and so defends precisely. In practice the unknown threat intelligence usually contains more threat features, more feature types and more features per type than any single defense scheme in the database provides.
When that is the case, the type holding the largest number of threat features in the unknown threat intelligence is chosen as the preferred defense type, and a defense scheme is selected on that basis for heuristic defense.
S113: Perform heuristic defense based on the selected defense scheme.
When a number of sequentially arranged defense schemes are set up for heuristic defense on the basis of existing threat intelligence defense schemes, they may be numbered heuristic defense scheme 1, heuristic defense scheme 2, ..., heuristic defense scheme K (K a positive integer greater than 2, counted separately from the feature count N above). The system then attempts security defense with each scheme in turn, in that order, until the defense succeeds.
To shorten the time needed to find a suitable heuristic defense scheme, the schemes may be ordered by criteria such as most recently used, highest priority, or most frequently used.
Preferably, heuristic defense comprises adopting a single defense scheme, adopting several defense schemes in sequence, or adopting several defense schemes out of order. Out-of-order defense ranks all threat features extracted from the unknown threat intelligence as primary, secondary or common according to how they affect the threat to the network environment, and adjusts the steps and order of defense in the defense scheme accordingly.
Out-of-order defense is thus a defense scheme formed by disturbing the defense order of the schemes in the preset situation awareness threat database and recombining them in a new order.
By way of example and not limitation, out-of-order defense may rank the threat features of the unknown threat intelligence as primary, secondary or common by their effect on the network environment, map the ranked features onto the steps and order of defense in the defense scheme, and adjust those steps and that order so that a new defense scheme results.
The effect of each threat feature on the network environment can be assessed using the evaluation indicators of existing situation awareness techniques.
Preferably, the invoked defense scheme covers fewer threat features, in both number and number of types, than the unknown threat intelligence contains; therefore, after the heuristic defense for the preferred defense type is finished, corresponding defense schemes are selected from the situation awareness threat database for the remaining defense types other than the preferred one.
By way of example and not limitation, with 7 threat features in total (N = 7), of types 1, 2 and 3 (M = 3), numbering 4, 2 and 1 respectively (P1 = 4, P2 = 2, P3 = 1), P1 is the largest, so the preferred defense type is type 1 and the defense scheme is selected first on the basis of type 1.
After the defense scheme has been selected for type 1, corresponding defense schemes are selected from the situation awareness threat database for the remaining defense types, namely types 2 and 3.
It should be noted that, when selecting defense schemes for types 2 and 3, a scheme may be selected jointly for the threat features of both types; or a scheme may be selected first for the type 2 features and then for the type 3 features; or first for the type 3 features and then for the type 2 features.
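Steps S111 to S113 above, including the usage-based ordering of heuristic defense schemes, the handling of the remaining types, and the out-of-order variant, as an added example in Python that is not the patent's own code. The indicators in `FEATURES` are constructed so that they reproduce the description's N = 7, M = 3, (4, 2, 1) split; `SCHEMES` with its usage statistics and `supports` predicates, and the `SEVERITY` ranking of feature types, are assumptions standing in for the situation awareness threat database and for the evaluation indicators the description leaves to existing techniques. A heuristic attempt counts as successful when the scheme can act on every feature of its type:

```python
"""Unknown threat intelligence handling, steps S111-S113.

Added illustration, not the patent's code. Assumed: threat features are plain indicator
strings; a defense scheme is a dict with name, feature type, usage statistics and a
`supports` predicate; an attempt succeeds when the scheme supports every feature of
its type. SEVERITY stands in for the evaluation indicators left to existing techniques.
"""
import ipaddress
import re
from collections import Counter

HEX = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+$")

# Constructed indicators chosen to reproduce the description's N=7, M=3, P=(4,2,1) example.
FEATURES = [
    "203.0.113.10", "198.51.100.7", "2001:db8::1", "192.0.2.55",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "c2.example.net",
]

# Assumed scheme table; last_used/uses are the statistics the ordering criteria rely on.
SCHEMES = [
    {"name": "fw_block_ipv4", "type": "ip", "last_used": 5, "uses": 9,
     "supports": lambda v: ipaddress.ip_address(v).version == 4},
    {"name": "fw_block_any_ip", "type": "ip", "last_used": 3, "uses": 2,
     "supports": lambda v: True},
    {"name": "edr_md5_quarantine", "type": "hash", "last_used": 9, "uses": 1,
     "supports": lambda v: len(v) == 32},
    {"name": "edr_sha256_quarantine", "type": "hash", "last_used": 1, "uses": 4,
     "supports": lambda v: len(v) == 64},
    {"name": "dns_sinkhole", "type": "domain", "last_used": 2, "uses": 7,
     "supports": lambda v: True},
    {"name": "proxy_url_block", "type": "url", "last_used": 4, "uses": 3,
     "supports": lambda v: True},
]

# Assumed impact ranking by feature type for out-of-order defense: 0 primary, 1 secondary, 2 common.
SEVERITY = {"hash": 0, "ip": 1, "url": 1, "domain": 2, "network_or_host": 2}


def feature_type(value):
    """Type a threat feature by attribute: url, hash, ip, domain, or network/host feature."""
    if value.startswith(("http://", "https://")):
        return "url"
    if len(value) in (32, 40, 64) and HEX.match(value):
        return "hash"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    return "domain" if DOMAIN.match(value) else "network_or_host"


def count_types(features):
    """S111: mark each feature's type and count the features per type (counts sum to N)."""
    return Counter(feature_type(f) for f in features)


def preferred_type(counts):
    """S112: the type holding the most features; ties resolved alphabetically."""
    return max(sorted(counts), key=lambda t: counts[t])


def ordered_schemes(schemes, ftype):
    """Candidate schemes for one type: most recently used first, then most frequently used."""
    return sorted((s for s in schemes if s["type"] == ftype),
                  key=lambda s: (-s["last_used"], -s["uses"]))


def heuristic_defense(schemes, features, ftype, now):
    """S113: try the ordered schemes in turn until one handles every feature of ftype.
    Returns (winning scheme name or None, names tried in order)."""
    group = [f for f in features if feature_type(f) == ftype]
    if not group:                      # nothing of this type to defend against
        return None, []
    tried = []
    for s in ordered_schemes(schemes, ftype):
        tried.append(s["name"])
        if all(s["supports"](f) for f in group):
            s["last_used"], s["uses"] = now, s["uses"] + 1   # feed back into the ordering
            return s["name"], tried
    return None, tried


def defend_unknown(schemes, features, now=100):
    """Whole S111-S113 flow: preferred type first, then each remaining type."""
    counts = count_types(features)
    first = preferred_type(counts)
    order = [first] + sorted(t for t in counts if t != first)
    results = {t: heuristic_defense(schemes, features, t, now + i)[0]
               for i, t in enumerate(order)}
    return counts, order, results


def out_of_order_steps(features, results):
    """Out-of-order defense: execute the chosen schemes feature by feature, ranked by
    impact (primary first) rather than in the database's stored order."""
    ranked = sorted(features, key=lambda f: (SEVERITY[feature_type(f)], f))
    return [(f, results.get(feature_type(f))) for f in ranked]


if __name__ == "__main__":
    counts, order, results = defend_unknown([dict(s) for s in SCHEMES], FEATURES)
    print("counts:", dict(counts), "order:", order)
    print("schemes:", results)
    for feature, scheme in out_of_order_steps(FEATURES, results):
        print(f"{str(scheme):>22}  {feature}")
```

The ordering key `(-last_used, -uses)` implements "most recently used, then most frequently used"; because a successful scheme updates its own statistics, the order adapts over time. For the `ip` type the IPv4-only firewall scheme is tried first and fails on the IPv6 indicator, which is exactly the case the try-until-success loop is meant to absorb; a type with no features at all returns no scheme rather than vacuously succeeding.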
Preferably, the associated threat and/or associated anomaly that the threat item and/or abnormal item causes in the network environment is used to judge whether the prediction of the situation awareness trend was correct. Here the threat information corresponding to the threat intelligence is behavior description information generated in real time for a network threat, where network threats include network attacks, Trojan horses and viruses, and advanced persistent threats.
By way of example and not limitation, if the preset associated threat is malicious code transmission behavior in the network environment accompanied by C&C activity, and that associated threat is indeed observed, then a situation awareness trend prediction of "threat" is judged correct and any other prediction is judged wrong.
Similarly, if the preset associated anomaly is abnormal port traffic at a network node accompanied by an abnormal memory occupancy rate on the same node, and that associated anomaly is observed, then a trend prediction of "anomaly" is judged correct and any other prediction is judged wrong.
Preferably, the alarms comprise alarms for the threat item and/or abnormal item itself and alarms for the associated threats and/or associated anomalies that the threat item and/or abnormal item causes in the network environment.
It is worth noting that the alarms include the historical alarms, real-time alarms and predictive alarms collected by the situation awareness system. When an alarm is triggered, the alarm can display the port information of the network node that triggered it, while the operations executed on the ports of other network nodes that did not trigger an alarm are monitored at the same time. This allows real-time or pre-emptive control of network security, and the ports and/or IP network segments that did not trigger an alarm can maintain normal communication and stable operation with other network nodes.
Optionally, data monitoring is performed on the input/output ports of the network nodes, and when the network environment changes abnormally, the operations performed on the network nodes are marked and traced.
During data monitoring, the situation awareness system may monitor the ports and/or IP network segments that did not trigger an alarm on the network node where the alarm occurred; those ports and/or IP network segments communicate in a multiplexed manner.
Other technical features are referred to the previous embodiments and will not be described here again.
Referring to fig. 3, the present invention further provides an embodiment of a situation awareness apparatus 200 for defending against threats, comprising:
an information acquisition unit 201, configured to acquire alarm information and call the log information related to the alarm information in the network environment; the log information includes system log information and log information of network nodes;
an information arrangement unit 202, configured to arrange the log information for threat intelligence analysis so as to obtain threat intelligence; the threat intelligence includes threat item information and abnormal item information in the network environment;
an information marking unit 203, configured to obtain a target threat item and/or target abnormal item, set a tracking mark on it, and track the associated threats and/or associated anomalies that the target threat item and/or target abnormal item causes in the network environment; and
an information defense unit 204, configured to combine the target threat item and/or target abnormal item with its associated threat and/or associated anomaly information and call the corresponding defense scheme in the situation awareness threat database to perform joint defense.
In addition, referring to fig. 4, the present invention further provides an embodiment of a situation awareness system 300 for defending against threats, comprising:
a network node 301, configured to transmit and receive data;
a situation awareness system 302, which periodically detects the network node that triggered an alarm and performs security analysis on that node's log information.
The situation awareness system integrates several data information systems, such as an antivirus gateway, a firewall, a network management system, an intrusion monitoring system and a security audit system, to evaluate the current state of the network environment and predict its future trend.
The periodic detection may be set to a detection time or a detection period, and the items detected periodically may include, but are not limited to, web page tampering, abnormal process behavior, abnormal logins and the like.
A system server 303, which connects the network node 301 and the situation awareness system 302.
The system server 303 is configured to: collect alarm information and call the log information related to the alarm information in the network environment, the log information including system log information and log information of a network node; arrange the log information for threat intelligence analysis so as to obtain threat intelligence, the threat intelligence including threat item information and abnormal item information in the network environment; acquire a target threat item and/or target abnormal item, set a tracking mark on it, and track the associated threats and/or associated anomalies that it causes in the network environment; and combine the target threat item and/or target abnormal item with its associated threat and/or associated anomaly information and call the corresponding defense scheme in the situation awareness threat database to perform joint defense.
Other technical features are referred to the previous embodiments and will not be described here again.
In the above description, the components may be selectively and operatively combined in any number within the scope of the present disclosure. In addition, terms like "comprising," "including," and "having" should be construed by default as inclusive or open-ended, rather than exclusive or closed-ended, unless expressly defined to the contrary. All technical, scientific, or other terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Common terms found in dictionaries should not be too idealized or too unrealistically interpreted in the context of the relevant technical document unless the present disclosure explicitly defines them as such.
Although the exemplary aspects of the present disclosure have been described for illustrative purposes, those skilled in the art will appreciate that the foregoing description is merely illustrative of preferred embodiments of the invention and is not intended to limit the scope of the invention in any way, including additional implementations in which functions may be performed out of the order of presentation or discussion. Any alterations and modifications of the present invention, which are made by those of ordinary skill in the art based on the above disclosure, are intended to be within the scope of the appended claims.

Claims (7)

1. A situation awareness method for defending threats is characterized by comprising the steps of,
collecting alarm information and calling log information related to the alarm information in a network environment; the log information comprises system log information and log information of a network node;
the log information is arranged for threat information analysis, so that threat information is obtained; the threat information comprises threat item information and abnormal item information in a network environment;
acquiring a target threat item and/or a target abnormal item, setting a tracking mark for the target threat item and/or the target abnormal item, and tracking association threat and/or association abnormality caused by the target threat item and/or the target abnormal item in a network environment;
combining the target threat item and/or the target abnormal item and the associated threat and/or the associated abnormal information, and calling a corresponding defense scheme in a situation awareness threat database to perform joint defense;
wherein the threat intelligence comprises known threat intelligence and unknown threat intelligence; threat intelligence stored in the threat intelligence database of the situation awareness system is known threat intelligence; otherwise it is unknown threat intelligence;
when the threat intelligence is judged to be known, a defense scheme in the threat intelligence database of the preset situation awareness system is called to defend against the threat items in the threat intelligence; when the threat intelligence is judged to be unknown, the abnormal items corresponding to the triggered alarm in the threat intelligence are analyzed, specifically comprising: extracting the threat features in the unknown threat intelligence, marking the type of each threat feature, and counting the number of threat features of each type; selecting the type with the largest number of threat features as the preferred defense type, and selecting a corresponding defense scheme from the preset situation awareness threat database based on the preferred defense type; and performing heuristic defense based on that defense scheme.
2. The method of claim 1, wherein the heuristic defense comprises adopting one defense scheme, adopting several defense schemes in sequence, or adopting several defense schemes out of order; the out-of-order defense ranks all threat features extracted from the unknown threat intelligence as primary, secondary or common according to how they affect the threat to the network environment, and adjusts the steps and order of defense in the defense scheme accordingly.
3. The method of claim 2, wherein the invoked defense scheme contains fewer threat features, in both number and number of types, than the unknown threat intelligence;
and after the heuristic defense corresponding to the preferred defense type is finished, corresponding defense schemes are selected from the situation awareness threat database for the defense types other than the preferred one.
4. The method according to claim 1, wherein the associated threat and/or associated anomaly that the threat item and/or abnormal item causes in the network environment is used to judge whether the prediction of the situation awareness trend was correct, wherein the threat information corresponding to the threat intelligence is behavior description information generated in real time for a network threat, and network threats comprise network attacks, Trojan horses and viruses, and advanced persistent threats.
5. The method of claim 1, wherein the alert comprises an alert of the threat item and/or abnormal item and an alert of the threat item and/or abnormal item causing an associated threat and/or associated abnormality to the network environment.
6. Situation awareness device for defending against threats, performing the method according to any of claims 1-5, characterized by comprising the structure:
the information acquisition unit is used for acquiring alarm information and calling log information related to the alarm information in the network environment; the log information comprises system log information and log information of a network node;
the information arrangement unit is used for arranging the log information to carry out threat information analysis to obtain threat information; the threat information comprises threat item information and abnormal item information in a network environment;
the information marking unit is used for acquiring a target threat item and/or a target abnormal item, setting a tracking mark for the target threat item and/or the target abnormal item, and tracking the associated threat and/or the associated abnormality caused by the target threat item and/or the target abnormal item in the network environment;
and the information defense unit is used for combining the target threat item and/or the target abnormal item and the associated threat and/or the associated abnormal information thereof, and calling a corresponding defense scheme in the situation awareness threat database to perform joint defense.
7. A situational awareness system for defending against threats, performing the method of any of claims 1-5, comprising:
A network node for receiving and transmitting data;
the situation awareness system regularly detects network nodes triggering alarms and carries out security analysis on log information of the network nodes;
the system server is connected with the network node and the situation awareness system;
the system server is configured to: collecting alarm information and calling log information related to the alarm information in a network environment; the log information comprises system log information and log information of a network node;
the log information is arranged for threat information analysis, so that threat information is obtained; the threat information comprises threat item information and abnormal item information in a network environment;
acquiring a target threat item and/or a target abnormal item, setting a tracking mark for the target threat item and/or the target abnormal item, and tracking association threat and/or association abnormality caused by the target threat item and/or the target abnormal item in a network environment;
combining the target threat item and/or the target abnormal item and the associated threat and/or the associated abnormal information, and calling a corresponding defense scheme in a situation awareness threat database to perform joint defense;
wherein the threat intelligence comprises known threat intelligence and unknown threat intelligence; threat intelligence stored in the threat intelligence database of the situation awareness system is known threat intelligence; otherwise it is unknown threat intelligence;
when the threat intelligence is judged to be known, a defense scheme in the threat intelligence database of the preset situation awareness system is called to defend against the threat items in the threat intelligence; when the threat intelligence is judged to be unknown, the abnormal items corresponding to the triggered alarm in the threat intelligence are analyzed, specifically comprising: extracting the threat features in the unknown threat intelligence, marking the type of each threat feature, and counting the number of threat features of each type; selecting the type with the largest number of threat features as the preferred defense type, and selecting a corresponding defense scheme from the preset situation awareness threat database based on the preferred defense type; and performing heuristic defense based on that defense scheme.
CN202111375012.9A 2021-11-19 2021-11-19 Situation awareness method, device and system for defending threat Active CN114189361B (en)

Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN202111375012.9A | CN114189361B (en) | 2021-11-19 | 2021-11-19 | Situation awareness method, device and system for defending threat

Publications (2)

Publication Number | Publication Date
CN114189361A (en) | 2022-03-15
CN114189361B (en) | 2023-06-02

Family

ID=80541015

Family Applications (1)

Application Number | Publication | Status | Priority Date | Filing Date | Title
CN202111375012.9A | CN114189361B (en) | Active | 2021-11-19 | 2021-11-19 | Situation awareness method, device and system for defending threat

Country Status (1)

Country Link
CN (1) CN114189361B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication Number | Priority Date | Publication Date | Assignee | Title
CN117353966A (en) * | 2022-06-29 | 2024-01-05 | 华为技术有限公司 (Huawei Technologies Co., Ltd.) | Network risk assessment method and related device

Citations (1)

* Cited by examiner, † Cited by third party
Publication Number | Priority Date | Publication Date | Assignee | Title
CN113422771A (en) * | 2021-06-22 | 2021-09-21 | 北京华圣龙源科技有限公司 | Threat early warning method and system

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication Number | Priority Date | Publication Date | Assignee | Title
CN104539626A (en) * | 2015-01-14 | 2015-04-22 | 中国人民解放军信息工程大学 (PLA Information Engineering University) | Network attack scene generating method based on multi-source alarm logs
AU2017200941B2 (en) * | 2016-02-10 | 2018-03-15 | Accenture Global Solutions Limited | Telemetry Analysis System for Physical Process Anomaly Detection
CN108881271B (en) * | 2018-07-03 | 2021-01-26 | 杭州安恒信息技术股份有限公司 | Reverse tracing method and device for proxy host
CN111245793A (en) * | 2019-12-31 | 2020-06-05 | 西安交大捷普网络科技有限公司 | Method and device for analyzing abnormity of network data
CN112995187B (en) * | 2021-03-09 | 2022-12-06 | 中国人民解放军空军工程大学 (PLA Air Force Engineering University) | Network cooperative defense system and method based on community structure
US11159546B1 (en) * | 2021-04-20 | 2021-10-26 | Centripetal Networks, Inc. | Methods and systems for efficient threat context-aware packet filtering for network protection
CN113329029B (en) * | 2021-06-18 | 2022-10-14 | 上海纽盾科技股份有限公司 (Shanghai Niudun Technology Co., Ltd.) | Situation awareness node defense method and system for APT attack

Also Published As

Publication number Publication date
CN114189361A (en) 2022-03-15


Legal Events

Code | Title
PB01 | Publication
PB01 | Publication
SE01 | Entry into force of request for substantive examination
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
GR01 | Patent grant