CN115001867B - Network asset data threat hunting method and device, electronic equipment and storage medium - Google Patents

Network asset data threat hunting method and device, electronic equipment and storage medium

Info

Publication number: CN115001867B
Application number: CN202210915411.8A
Authority: CN (China)
Prior art keywords: newly added; domain name; matching; attribute information; newly
Prior art date
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115001867A (en)
Inventors: 蔡俊钒, 崔寅, 康吉金, 樊兴华, 薛锋
Current assignee: Beijing ThreatBook Technology Co Ltd
Original assignee: Beijing ThreatBook Technology Co Ltd
Priority date
Filing date
Publication date

Timeline:
Application filed by Beijing ThreatBook Technology Co Ltd
Priority to CN202210915411.8A
Publication of CN115001867A
Application granted
Publication of CN115001867B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/90 Details of database functions independent of the retrieved data types
    • G06F 16/95 Retrieval from the web
    • G06F 16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F 16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links


Abstract

The application provides a network asset data threat hunting method and device, an electronic device and a storage medium. The method comprises the following steps: acquiring intelligence data in a preset period; identifying a newly added domain name and a newly added IP in the preset period based on that intelligence data; analyzing the newly added domain name and the newly added IP to obtain attribute information of the newly added domain name and attribute information of the newly added IP; performing a matching calculation, based on an asset rule base, on a first matching field in the attribute information of the newly added domain name and a second matching field in the attribute information of the newly added IP to obtain a first calculation result; and determining the homology analysis result of the newly added IP and the newly added domain name based on the first calculation result and the asset rule base. The method and device remain backward compatible when data types are added: the system itself need not be adjusted and the new data types only need to be connected directly, which reduces development cost.

Description

Network asset data threat hunting method and device, electronic equipment and storage medium
Technical Field
The application relates to the technical field of computers, in particular to a network asset data threat hunting method, device, electronic equipment and storage medium.
Background
At present, conventional homology analysis relies mainly on manual analysis of malicious code: a professional analyst infers the homology relationship of a sample from experience, extracts the features the samples have in common to form a static rule, and matches that static rule against each newly collected sample, so as to hunt homologous samples, i.e., complete the homology analysis.
Disclosure of Invention
An object of the present invention is to provide a network asset data threat hunting method, apparatus, electronic device and storage medium that remain backward compatible as data types are added, so that new data types only need to be connected directly without adjusting the system itself, thereby reducing development cost.
In a first aspect, the present application provides a method for hunting network asset data threats, the method comprising:
acquiring intelligence data in a preset period;
identifying a newly added domain name and a newly added IP in the preset period based on the intelligence data in the preset period;
analyzing the newly added domain name and the newly added IP, and obtaining attribute information of the newly added domain name and attribute information of the newly added IP, wherein when the newly added domain name is a common domain name, historical registration information of the newly added domain name is acquired through the API (application programming interface) of a website supporting historical Whois queries, the MX (mail exchange), SOA (start of authority) and TXT (text) records of the newly added domain name are acquired through the DNS (domain name system) protocol, the sub-domain names appearing under the newly added domain name are acquired, the domain name length of the newly added domain name is calculated, and the MX, SOA and TXT records, the sub-domain names, the domain name length and the historical registration information of the newly added domain name are taken as the attribute information of the newly added domain name;
acquiring custom matching configuration information for the newly added domain name and the newly added IP;
determining a first matching field for performing homology analysis on the newly added domain name and a second matching field for performing homology analysis on the newly added IP based on the custom matching configuration information;
matching calculation is carried out on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP based on an asset rule base, and a first calculation result is obtained;
and determining the homologous analysis result of the newly added IP and the newly added domain name based on the first calculation result and the asset rule base.
In the first aspect of the application, intelligence data in the preset period is obtained, the newly added domain name and the newly added IP in that period are identified from it, and both are analyzed to obtain their attribute information. By obtaining the custom matching configuration information for the newly added domain name and the newly added IP, the first matching field used for the homology analysis of the domain name and the second matching field used for the homology analysis of the IP can be determined from that configuration; the first matching field in the domain name's attribute information and the second matching field in the IP's attribute information are then matched against the asset rule base to obtain the first calculation result, and the homology analysis result of the newly added IP and the newly added domain name is determined from the first calculation result and the asset rule base.
Compared with the prior art, the application obtains custom matching configuration information for the newly added domain name and the newly added IP and determines from it the first matching field for the homology analysis of the domain name and the second matching field for the homology analysis of the IP. The first and second matching fields can therefore be adjusted flexibly through the custom matching configuration information during the homology analysis, so the system remains backward compatible when data types are added: the system itself need not be adjusted and the new data types only need to be connected directly, which reduces development cost.
In an optional implementation manner, the performing, based on the asset rule base, matching calculation on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP to obtain the first calculation result includes:
determining a matching expression of the asset rule base;
and matching and calculating the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP with the fields in the asset rule base based on the matching expression to obtain a first calculation result.
In this optional embodiment, by determining the matching expression of the asset rule base, the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP can be further subjected to matching calculation with the fields in the asset rule base based on the matching expression, so as to obtain a first calculation result.
In an alternative embodiment, the method further comprises:
judging whether the asset rule base has an operational expression or not;
when the asset rule base contains an operational expression, performing a logic calculation on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP based on the operational expression to obtain a second calculation result;
and performing matching calculation on the second calculation result and the fields in the asset rule base based on the matching expression to obtain the first calculation result.
Compared with the prior art, in which homology analysis is limited to data matching and cannot take an algorithm's calculation process into account, this optional embodiment first operates on the relevant fields according to the operational expression of the asset rule base before matching. It can therefore match fields that cannot be matched directly on their raw values, which widens the descriptive dimensions of the rules and improves the accuracy of the homology analysis.
In an optional embodiment, the matching expression includes at least one of an equality operation expression, an inequality operation expression, an inclusion operation expression, an exclusion operation expression, and a regular expression;
and the operational expression comprises at least one of a four-rule operational expression and a logic operational expression.
In this optional embodiment, the first field and the second field can be matched in several ways through the equality, inequality, inclusion, exclusion and regular-expression matching expressions, which increases the matching dimensions of the first and second fields and therefore improves the accuracy of the homology analysis based on them.
In an optional embodiment, the determining, based on the first calculation result and the asset rule base, a result of a homology analysis of the newly added IP and the newly added domain name includes:
determining a rule description based on the asset rule base;
judging whether the first calculation result accords with the rule description;
and when the first calculation result accords with the rule description, determining the homologous analysis result of the newly added IP and the newly added domain name.
In this optional embodiment, a rule description is determined based on the asset rule base, and then it can be determined whether the first calculation result meets the rule description, and further when the first calculation result meets the rule description, a result of a homology analysis of the newly added IP and the newly added domain name can be determined.
In an alternative embodiment, the first match field includes at least one of: a domain name provider, a domain name length, a sub-domain name, the Whois of a domain name, an associated URL of a domain name, the provider of the IP a domain name resolves to, and a top-level domain.
In an alternative embodiment, the second match field includes: port open status, cyberspace asset mapping result data, IP server provider matching, the Whois of the domain name obtained by reverse lookup of the IP, IP associated URL, and associated certificate JARM.
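The matching calculation described in these optional embodiments, worked through as a small rule engine: the custom matching configuration selects the first (domain) and second (IP) matching fields, the operational expressions of a rule are evaluated first to produce the second calculation result, the matching expressions (equality, inequality, inclusion, exclusion, regular expression) are then applied to produce the first calculation result, and the rule description decides the homology result. This is an added example, not code from the patent or from ThreatBook; the attribute values, the rule base, the configuration keys, the `$field` reference syntax and the `len` helper are all constructed for illustration.

```python
import operator
import re

# Constructed attribute information for one newly added domain name and one newly
# added IP (what the analysis step would produce). Every value here is invented.
DOMAIN_ATTRS = {
    "domain_name": "update-mail.example-corp.net", "domain_length": 28,
    "sub_domain": "update-mail", "top_level_domain": "net",
    "whois": {"registrant_email": "ops@mailbox.example"},
}
IP_ATTRS = {
    "ip": "203.0.113.10", "ip_server_provider": "ExampleHosting",
    "port_open_status": {"80": "http", "443": "https", "8443": "https"},
    "cyberspace_mapping_hit": True,
}

# Custom matching configuration: which attribute fields take part in the analysis.
MATCH_CONFIG = {
    "first_matching_fields": ["domain_length", "sub_domain", "top_level_domain", "whois.registrant_email"],
    "second_matching_fields": ["port_open_status", "ip_server_provider", "cyberspace_mapping_hit"],
}

# Constructed asset rule base. "operations" are operational expressions evaluated before
# matching (four-rule arithmetic, logic, plus a "len" helper assumed here); "match" lists
# the matching expressions; "description" is the rule description that yields the result.
RULE_BASE = [
    {
        "name": "group-X-infrastructure",
        "operations": {
            "open_port_count": ("len", "$port_open_status"),
            "host_label_length": ("-", "$domain_length", ("+", ("len", "$top_level_domain"), 1)),
            "web_exposed": ("and", "$cyberspace_mapping_hit", ("len", "$port_open_status")),
        },
        "match": [
            ("top_level_domain", "eq", "net"),                           # equality
            ("ip_server_provider", "ne", "Unknown"),                     # inequality
            ("port_open_status", "contains", "443"),                     # inclusion
            ("sub_domain", "excludes", "www"),                           # exclusion
            ("whois.registrant_email", "regex", r"@mailbox\.example$"),  # regular expression
            ("open_port_count", "eq", 3),                                # matches on derived fields
            ("host_label_length", "eq", 24),
            ("web_exposed", "eq", True),
        ],
        "description": {"homology": "APT-GROUP-X"},
    },
    {
        "name": "group-Y-infrastructure", "description": {"homology": "APT-GROUP-Y"},
        "match": [("top_level_domain", "eq", "com"), ("ip_server_provider", "eq", "ExampleHosting")],
    },
]

def lookup(attrs, path):
    """Resolve a dotted path such as 'whois.registrant_email' in nested attribute dicts."""
    for part in path.split("."):
        if not isinstance(attrs, dict) or part not in attrs:
            return None
        attrs = attrs[part]
    return attrs

def select_fields(domain_attrs, ip_attrs, config):
    """Pick the first (domain) and second (IP) matching fields named by the configuration."""
    fields = {p: lookup(domain_attrs, p) for p in config["first_matching_fields"]}
    fields.update({p: lookup(ip_attrs, p) for p in config["second_matching_fields"]})
    return fields

ARITHMETIC = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv}
LOGIC = {"and": lambda a, b: bool(a and b), "or": lambda a, b: bool(a or b), "not": lambda a: not a}

def evaluate(expr, fields):
    """Operational expression: '$name' reads a field, (op, args...) applies an operator."""
    if isinstance(expr, str) and expr.startswith("$"):
        return fields.get(expr[1:])
    if not isinstance(expr, tuple):
        return expr  # literal operand
    op, *args = expr
    values = [evaluate(a, fields) for a in args]
    if op == "len":
        return len(values[0]) if values[0] is not None else 0
    if op in ARITHMETIC:
        return ARITHMETIC[op](values[0], values[1])
    return LOGIC[op](*values)

MATCHERS = {
    "eq": lambda v, t: v == t,
    "ne": lambda v, t: v != t,
    "contains": lambda v, t: v is not None and t in v,
    "excludes": lambda v, t: v is None or t not in v,
    "regex": lambda v, t: v is not None and re.search(t, str(v)) is not None,
}

def evaluate_rule(rule, fields):
    """Second calculation result (operations) feeding the first calculation result (matching)."""
    work = dict(fields)
    for name, expr in rule.get("operations", {}).items():
        work[name] = evaluate(expr, work)
    hits = [MATCHERS[op](work.get(field), target) for field, op, target in rule["match"]]
    return sum(hits), len(hits)

def hunt(domain_attrs, ip_attrs, config, rule_base):
    """Homology analysis result: the description of every rule whose clauses match."""
    fields = select_fields(domain_attrs, ip_attrs, config)
    results = []
    for rule in rule_base:
        matched, total = evaluate_rule(rule, fields)
        if matched >= rule["description"].get("min_matched", total):
            results.append({"rule": rule["name"], "homology": rule["description"]["homology"],
                            "matched": matched, "total": total})
    return results
```

Adding a field for a new scene is a configuration change only: extend `first_matching_fields` or `second_matching_fields` and reference the new field from a rule, and the engine itself is untouched, which is the backward-compatibility point the application makes. Derived fields such as `open_port_count` show why operations run before matching: the raw port map cannot be compared for equality against a count.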
In a second aspect, the present application provides a network asset data threat hunting apparatus, comprising:
the first acquisition module is used for acquiring intelligence data in a preset period;
the identification module is used for identifying the newly added domain name and the newly added IP in the preset period based on the intelligence data in the preset period;
the analysis module is used for analyzing the newly added domain name and the newly added IP and obtaining attribute information of the newly added domain name and attribute information of the newly added IP, where when the newly added domain name is a general domain name, historical registration information of the newly added domain name is obtained through the API of a website supporting historical Whois queries, the MX, SOA and TXT records of the newly added domain name are obtained through the DNS protocol, the sub-domain names appearing under the newly added domain name are obtained, the domain name length of the newly added domain name is calculated, and the MX, SOA and TXT records, the sub-domain names, the domain name length and the historical registration information of the newly added domain name are used as the attribute information of the newly added domain name;
a second obtaining module, configured to obtain custom matching configuration information for the newly added domain name and the newly added IP;
the determining module is used for determining a first matching field for performing the homology analysis on the newly added domain name and a second matching field for performing the homology analysis on the newly added IP based on the custom matching configuration information;
the computing module is used for performing matching computation on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP based on an asset rule base, and obtaining a first computation result;
and the judging module is used for determining the homologous analysis result of the newly added IP and the newly added domain name based on the first calculation result and the asset rule base.
In the second aspect of the application, intelligence data in the preset period is obtained, the newly added domain name and the newly added IP in that period are identified from it, and both are analyzed to obtain their attribute information. By obtaining the custom matching configuration information for the newly added domain name and the newly added IP, the first matching field used for the homology analysis of the domain name and the second matching field used for the homology analysis of the IP can be determined from that configuration; the first matching field in the domain name's attribute information and the second matching field in the IP's attribute information are then matched against the asset rule base to obtain the first calculation result, and the homology analysis result of the newly added IP and the newly added domain name is determined from the first calculation result and the asset rule base.
Compared with the prior art, the apparatus obtains custom matching configuration information for the newly added domain name and the newly added IP and determines from it the first matching field for the homology analysis of the domain name and the second matching field for the homology analysis of the IP.
In a third aspect, the present application provides an electronic device, comprising:
a processor; and
a memory configured to store machine readable instructions that, when executed by the processor, perform the network asset data threat hunting method as described in any one of the preceding embodiments.
In the third aspect of the application, intelligence data in the preset period is acquired, the newly added domain name and the newly added IP in that period are identified from it, and both are analyzed to obtain their attribute information. By acquiring the custom matching configuration information for the newly added domain name and the newly added IP, the first matching field used for the homology analysis of the domain name and the second matching field used for the homology analysis of the IP can be determined from that configuration; the first matching field in the domain name's attribute information and the second matching field in the IP's attribute information are then matched against the asset rule base to obtain the first calculation result, and the homology analysis result of the newly added IP and the newly added domain name is determined from the first calculation result and the asset rule base.
Compared with the prior art, the application obtains custom matching configuration information for the newly added domain name and the newly added IP and determines from it the first matching field for the homology analysis of the domain name and the second matching field for the homology analysis of the IP. The first and second matching fields can therefore be adjusted flexibly through the custom matching configuration information during the homology analysis, so the system remains backward compatible when data types are added: the system itself need not be adjusted and the new data types only need to be connected directly, which reduces development cost.
In a fourth aspect, the present application provides a storage medium storing a computer program, wherein the computer program is executed by a processor to perform the method for network asset data threat hunting according to any one of the foregoing embodiments.
In the fourth aspect of the application, intelligence data in the preset period is obtained, the newly added domain name and the newly added IP in that period are identified from it, and both are analyzed to obtain their attribute information. By obtaining the custom matching configuration information for the newly added domain name and the newly added IP, the first matching field used for the homology analysis of the domain name and the second matching field used for the homology analysis of the IP can be determined from that configuration; the first matching field in the domain name's attribute information and the second matching field in the IP's attribute information are then matched against the asset rule base to obtain the first calculation result, and the homology analysis result of the newly added IP and the newly added domain name is determined from the first calculation result and the asset rule base.
Compared with the prior art, the application obtains custom matching configuration information for the newly added domain name and the newly added IP and determines from it the first matching field for the homology analysis of the domain name and the second matching field for the homology analysis of the IP. The first and second matching fields can therefore be adjusted flexibly through the custom matching configuration information during the homology analysis, so the system remains backward compatible when data types are added: the system itself need not be adjusted and the new data types only need to be connected directly, which reduces development cost.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings required by the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should therefore not be considered as limiting its scope, and that those skilled in the art can obtain other related drawings from them without inventive effort.
Fig. 1 is a schematic flow chart illustrating a method for hunting network asset data threats according to an embodiment of the present disclosure;
fig. 2 is a schematic structural diagram of a network asset data threat hunting apparatus according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an electronic device disclosed in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Example one
Referring to fig. 1, fig. 1 is a schematic flow chart of a network asset data threat hunting method disclosed in the embodiment of the present application, and as shown in fig. 1, the method in the embodiment of the present application includes the following steps:
101. acquiring intelligence data in a preset period;
102. identifying a newly added domain name and a newly added IP in a preset period based on the intelligence data in the preset period;
103. analyzing the newly added domain name and the newly added IP, and obtaining attribute information of the newly added domain name and attribute information of the newly added IP, wherein when the newly added domain name is a general domain name, historical registration information of the newly added domain name is acquired through the API (application programming interface) of a website supporting historical Whois queries, the MX (mail exchange), SOA (start of authority) and TXT (text) records of the newly added domain name are acquired through the DNS (domain name system) protocol, the sub-domain names appearing under the newly added domain name are acquired, the domain name length of the newly added domain name is calculated, and the MX, SOA and TXT records, the sub-domain names, the domain name length and the historical registration information of the newly added domain name are taken as the attribute information of the newly added domain name;
104. acquiring custom matching configuration information aiming at the newly added domain name and the newly added IP;
105. determining a first matching field for performing homology analysis on the newly added domain name and a second matching field for performing homology analysis on the newly added IP based on the custom matching configuration information;
106. performing matching calculation on a first matching field in the attribute information of the newly added domain name and a second matching field in the attribute information of the newly added IP based on the asset rule base, and obtaining a first calculation result;
107. and determining the homologous analysis result of the newly added IP and the newly added domain name based on the first calculation result and the asset rule base.
In the embodiment of the application, intelligence data in the preset period is acquired, the newly added domain name and the newly added IP in that period are identified from it, and both are analyzed to obtain their attribute information. By acquiring the custom matching configuration information for the newly added domain name and the newly added IP, the first matching field used for the homology analysis of the domain name and the second matching field used for the homology analysis of the IP are determined from that configuration; the first matching field in the domain name's attribute information and the second matching field in the IP's attribute information are then matched against the asset rule base to obtain the first calculation result, and the homology analysis result of the newly added IP and the newly added domain name is determined from the first calculation result and the asset rule base.
Compared with the prior art, the embodiment of the application acquires custom matching configuration information for the newly added domain name and the newly added IP and determines from it the first matching field for the homology analysis of the domain name and the second matching field for the homology analysis of the IP, so that both fields can be adjusted flexibly through the custom matching configuration information during the homology analysis. Backward compatibility is thereby achieved when data types are added: the system itself need not be adjusted and the new data types only need to be connected directly, which reduces development cost.
As an example, assume that in scene S1 field A and field B are to be used as the first field for the homology analysis of a target packet, while in scene S2 field A, field B and field C are to be used as the first field. The embodiment of the present application can then add field C through the custom matching configuration information on the basis of scene S1, and perform the homology analysis of the target packet with field A, field B and field C as the first field.
In this embodiment of the present application, the preset period may be one day or one month for step 101, and this embodiment of the present application does not limit this.
In this embodiment, for step 102, the newly added domain name and the newly added IP in the preset period are the domain name and IP that newly appear relative to the history period. For example, if domain name A and domain name B appear in history period S1, and domain name A, domain name B and domain name C appear in period S2 after S1, then domain name C is the newly added domain name.
In this embodiment, for step 103, if the newly added domain name is a general domain name, the analysis process of the newly added domain name is as follows:
obtaining the historical registration information of the newly added domain name through the API of a website supporting historical Whois queries (such as https://x.threatbook.cn/), obtaining the MX, SOA, TXT and similar records of the newly added domain name through the DNS protocol, obtaining the sub-domain names appearing under the newly added domain name, and calculating the domain name length of the newly added domain name.
Correspondingly, the MX, SOA, TXT and similar records of the newly added domain name, the sub-domain names appearing under it, its domain name length and its historical registration information are used as the attribute information of the newly added domain name.
In this embodiment, for step 103, if the newly added IP is the IP of a general IP server, the analysis process of the newly added IP is as follows:
probing the IP server through a cyberspace asset mapping system (such as https://www.zoomeye.org/, data produced by a commercial cyberspace mapping system, or private data produced by a self-developed system), and obtaining the ports and service types (such as HTTP and Apache) that the IP server exposes externally.
Correspondingly, the ports and the service types are used as attribute information of the newly added IP.
In this embodiment, in step 103, the URLs in which the new IP and the new domain name appear, and the data corresponding to those URLs (such as the HTTP response body and response code), may be collected through a sandbox (https://s.threatbook.cn/), an open-source data platform, or a paid data platform (VirusTotal), and the URLs and their corresponding data are added to the attribute information of the new IP and the attribute information of the new domain name.
Accordingly, for step 105, the first matching field includes: the domain name provider, the domain name length, the sub-domain name, the Whois of the domain name, the associated URL of the domain name, the provider of the IP the domain name resolves to, and the top-level domain; and the second matching field includes: the port open status, the cyberspace asset mapping result data, the IP server provider match, the Whois of the IP reverse-lookup domain name, the associated URL of the IP, and the JARM of the associated certificate.
In this embodiment of the present application, for step 104, the custom matching configuration information may be stored in a configuration file; the custom matching configuration information is then obtained by reading the configuration file and traversing its content.
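The following is an added example, not code from the patent or from the applicant, that walks steps 101 to 105 on constructed data: two periods of intelligence records, offline stand-ins for the live sources the description names (historical Whois API, DNS records, a cyberspace asset mapping system, sandbox URL data), and a custom matching configuration held as JSON the way a configuration file would hold it. The field names (`whois`, `subdomains`, `open_ports`, `service_types` and so on) and the sample indicators are assumptions made for the example.

```python
"""Added example (not from the patent): steps 101-105 on constructed data.
Intelligence records for two periods, stand-ins for the live sources the
patent names (historical Whois API, DNS, cyberspace asset mapping system,
sandbox URL data) and a custom matching configuration are all constructed
here so the example runs offline."""
import json

# Constructed intelligence data: period id -> indicators seen in that period.
INTEL_BY_PERIOD = {
    "S1": [{"domain": "a.example", "ip": "203.0.113.10"},
           {"domain": "b.example", "ip": "203.0.113.11"}],
    "S2": [{"domain": "a.example", "ip": "203.0.113.10"},
           {"domain": "b.example", "ip": "203.0.113.11"},
           {"domain": "c.example", "ip": "198.51.100.7"}],
}

# Constructed stand-ins for the external lookups (no network access needed).
WHOIS_HISTORY = {"c.example": [{"registrar": "Example Registrar", "created": "2022-07-30"}]}
DNS_RECORDS = {"c.example": {"MX": ["mail.c.example"], "SOA": ["ns1.c.example"],
                             "TXT": ["v=spf1 -all"]}}
OBSERVED_HOSTNAMES = ["login.c.example", "cdn.c.example", "c.example", "cdn.other.example"]
ASSET_MAPPING = {"198.51.100.7": [{"port": 443, "service": "HTTP", "product": "Apache"},
                                  {"port": 22, "service": "SSH", "product": "OpenSSH"}]}
URL_DATA = {"c.example": [{"url": "http://c.example/panel/login.php", "status": 200}],
            "198.51.100.7": [{"url": "http://198.51.100.7/panel/login.php", "status": 200}]}

# Constructed custom matching configuration, as a configuration file would hold it.
CUSTOM_MATCH_CONFIG = json.dumps({
    "domain_fields": ["whois", "subdomains", "domain_length", "top_level_domain", "associated_urls"],
    "ip_fields": ["open_ports", "service_types", "associated_urls"],
})


def newly_added(history_periods, current_period, key):
    """Step 102: indicators of the current period not seen in any history period."""
    seen = {rec[key] for p in history_periods for rec in INTEL_BY_PERIOD[p]}
    current = {rec[key] for rec in INTEL_BY_PERIOD[current_period]}
    return sorted(current - seen)


def domain_attributes(domain):
    """Step 103 for a domain: Whois history, MX/SOA/TXT, sub-domains, length, URLs."""
    records = DNS_RECORDS.get(domain, {})
    suffix = "." + domain
    return {
        "whois": WHOIS_HISTORY.get(domain, []),
        "mx": records.get("MX", []),
        "soa": records.get("SOA", []),
        "txt": records.get("TXT", []),
        "subdomains": sorted(h for h in OBSERVED_HOSTNAMES if h.endswith(suffix)),
        "domain_length": len(domain),
        "top_level_domain": domain.rsplit(".", 1)[-1],
        "associated_urls": [u["url"] for u in URL_DATA.get(domain, [])],
    }


def ip_attributes(ip):
    """Step 103 for an IP: open ports and service types from asset mapping, plus URLs."""
    services = ASSET_MAPPING.get(ip, [])
    return {
        "open_ports": sorted(s["port"] for s in services),
        "service_types": sorted({s["service"] for s in services}),
        "products": sorted({s["product"] for s in services}),
        "associated_urls": [u["url"] for u in URL_DATA.get(ip, [])],
    }


def select_matching_fields(attributes, field_names):
    """Step 105: keep only the attribute fields the custom configuration names."""
    return {name: attributes[name] for name in field_names if name in attributes}


def run(history_periods=("S1",), current_period="S2"):
    """Steps 101-105 end to end: matching fields per newly added indicator."""
    config = json.loads(CUSTOM_MATCH_CONFIG)
    result = {"domains": {}, "ips": {}}
    for domain in newly_added(history_periods, current_period, "domain"):
        result["domains"][domain] = select_matching_fields(
            domain_attributes(domain), config["domain_fields"])
    for ip in newly_added(history_periods, current_period, "ip"):
        result["ips"][ip] = select_matching_fields(ip_attributes(ip), config["ip_fields"])
    return result


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Because the field list lives in the configuration rather than in code, adding a new attribute (for instance `products` above, which the configuration does not name) changes nothing in the pipeline until the configuration lists it; this is the downward compatibility the description claims.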
In this embodiment, for step 107, the result of the homology analysis may refer to APT organizations to which the newly added IP and the newly added domain name belong.
In an alternative embodiment, the step of performing matching calculation on a first matching field in the attribute information of the newly added domain name and a second matching field in the attribute information of the newly added IP based on the asset rule base, and obtaining a first calculation result, comprises the following substeps:
determining a matching expression of an asset rule base;
and matching and calculating a first matching field in the attribute information of the newly added domain name and a second matching field in the attribute information of the newly added IP with fields in the asset rule base based on the matching expression to obtain a first calculation result.
In the optional embodiment, by determining the matching expression of the asset rule base, the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP can be matched and calculated with the fields in the asset rule base based on the matching expression, so as to obtain a first calculation result.
In an optional embodiment, the matching expression includes at least one of an equality operation expression, an inequality operation expression, an inclusion operation expression, an exclusion operation expression and a regular expression. For example, the matching expression may include an equality operation expression and an inclusion operation expression; accordingly, based on the equality operation expression it may be determined whether the first field and a certain field of the asset rule base are equal in value, and based on the inclusion operation expression it may be determined whether the asset rule base includes the first field.
In an alternative implementation, the method of the embodiments of the present application further includes the steps of:
judging whether an operation expression exists in the asset rule base or not;
when the asset rule base has an operational expression, performing logic calculation on a first matching field in the attribute information of the newly added domain name and a second matching field in the attribute information of the newly added IP based on the operational expression to obtain a second calculation result;
and performing matching calculation on the second calculation result and the fields in the asset rule base based on the matching expression to obtain a first calculation result.
Compared with the prior art, existing homology analysis approaches are limited to direct data matching and cannot include a computation step in the homology analysis. The optional implementation can operate on the relevant fields based on the operation expression of the asset rule base before matching, so it can match fields that cannot be matched directly on their own values; this widens the dimensions in which rules can be described and improves the accuracy of the homology analysis.
In this optional embodiment, as an example, in some scenarios matching the first field directly against a field in the asset rule base yields a first calculation result that cannot determine the APT organization of the new domain name, and the organization can only be determined by combining several fields of the first field. For example, the APT organization to which the new domain name belongs cannot be determined from the value of field A of the new domain name alone, but after the value of field A is added to the value of field B, the combined value can be matched successfully against the value of a certain field in the asset rule base, and the APT organization to which the new domain name belongs can then be determined.
Accordingly, in this optional embodiment, the operation expression includes at least one of a four-rule (arithmetic) operation expression and a logic operation expression; for example, the operation expression may include only the four-rule operation expression, or both the four-rule operation expression and the logic operation expression. Further, the logic operation includes operations such as the OR operation and the XOR operation.
In this optional embodiment, the first field and the second field can be matched in multiple matching modes through the equality operation expression, the inequality operation expression, the inclusion operation expression, the exclusion operation expression and the regular expression, which increases the matching dimensions of the first field and the second field and improves the accuracy of the homology analysis based on them.
In an alternative embodiment, the step of determining the homology analysis result of the newly added IP and the newly added domain name based on the first calculation result and the asset rule base comprises the following substeps:
determining a rule description based on an asset rule base;
judging whether the first calculation result meets the rule description;
and when the first calculation result accords with the rule description, determining the homologous analysis result of the newly added IP and the newly added domain name.
In this optional embodiment, the rule description is determined based on the asset rule base, and it can be further determined whether the first calculation result meets the rule description, and further, when the first calculation result meets the rule description, the homologous analysis result of the newly added IP and the newly added domain name can be determined.
In an alternative embodiment, the rule description expresses what condition should be satisfied by the first calculation result to be able to determine the APT organization to which the new domain name and the new IP belong, for example, the rule description may be "when both the field a and the field B are included in the fields of the asset rule base, the APT organization is G".
Example two
Referring to fig. 2, fig. 2 is a schematic structural diagram of a network asset data threat hunting apparatus disclosed in an embodiment of the present application, and as shown in fig. 2, the apparatus in the embodiment of the present application includes the following functional modules:
a first obtaining module 201, configured to obtain intelligence data in a preset period;
the identification module 202 is configured to identify a newly added domain name and a newly added IP in a preset period based on intelligence data in the preset period;
the analysis module 203 is used for analyzing the newly added domain name and the newly added IP and obtaining attribute information of the newly added domain name and attribute information of the newly added IP, wherein when the newly added domain name is a general domain name, historical registration information of the newly added domain name is obtained through an API of a website supporting historical Whois inquiry, MX, SOA and TXT records of the newly added domain name are obtained through a DNS protocol, a sub-domain name appearing in the newly added domain name is obtained, the domain name length of the newly added domain name is calculated, and the MX, SOA and TXT records of the newly added domain name, the sub-domain name appearing in the newly added domain name, the domain name length of the newly added domain name and historical registration information of the newly added domain name are used as the attribute information of the newly added domain name;
a second obtaining module 204, configured to obtain custom matching configuration information for the newly added domain name and the newly added IP;
a determining module 205, configured to determine, based on the custom matching configuration information, a first matching field for performing a homology analysis on the newly added domain name and a second matching field for performing a homology analysis on the newly added IP;
the calculating module 206 is configured to perform matching calculation on a first matching field in the attribute information of the newly added domain name and a second matching field in the attribute information of the newly added IP based on the asset rule base, and obtain a first calculation result;
and the judging module 207 is configured to determine a result of homologous analysis of the newly added IP and the newly added domain name based on the first calculation result and the asset rule base.
In the embodiment of the application, by acquiring the intelligence data in the preset period, the newly added domain name and the newly added IP in the preset period can be identified based on the intelligence data in the preset period, the newly added domain name and the newly added IP can be analyzed, and the attribute information of the newly added domain name and the attribute information of the newly added IP can be obtained; by acquiring the custom matching configuration information for the newly added domain name and the newly added IP, the first matching field for performing the homology analysis on the newly added domain name and the second matching field for performing the homology analysis on the newly added IP can be determined based on the custom matching configuration information; the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP can be matched and calculated based on the asset rule base to obtain the first calculation result; and the homology analysis result of the newly added IP and the newly added domain name can be determined based on the first calculation result and the asset rule base.
Compared with the prior art, the embodiment of the application can determine the first matching field for performing homologous analysis on the newly added domain name and the second matching field for performing homologous analysis on the newly added IP based on the custom matching configuration information by acquiring the custom matching configuration information for the newly added domain name and the newly added IP, so that the first matching field and the second matching field can be flexibly adjusted based on the custom matching configuration information in the homologous analysis process, the downward compatibility can be realized under the condition of increasing the data types, the system is not required to be adjusted, and only the data type is required to be directly accessed, thereby reducing the development cost.
Please refer to the relevant description of the embodiments of the present application for other descriptions about the embodiments of the present application, which are not repeated herein.
Example three
Referring to fig. 3, fig. 3 is a schematic structural diagram of an electronic device disclosed in an embodiment of the present application, and as shown in fig. 3, the electronic device in the embodiment of the present application includes:
a processor 301; and
the memory 302 is configured to store machine readable instructions that, when executed by the processor 301, perform the network asset data threat hunting method according to any of the preceding embodiments.
In the embodiment of the application, by acquiring the intelligence data in the preset period, the newly added domain name and the newly added IP in the preset period can be identified based on the intelligence data in the preset period, the newly added domain name and the newly added IP can be analyzed, the attribute information of the newly added domain name and the attribute information of the newly added IP can be acquired, the custom matching configuration information for the newly added domain name and the newly added IP can be acquired, the first matching field for performing homology analysis on the newly added domain name and the second matching field for performing homology analysis on the newly added IP can be determined based on the custom matching configuration information, the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP can be matched and calculated based on the asset rule base, the first calculation result can be acquired, and the homology analysis result of the newly added IP and the newly added domain name can be determined based on the first calculation result and the asset rule base.
Compared with the prior art, the method and the device have the advantages that the user-defined matching configuration information for the newly-added domain name and the newly-added IP can be obtained, the first matching field for performing homologous analysis on the newly-added domain name and the second matching field for performing homologous analysis on the newly-added IP are determined based on the user-defined matching configuration information, in this way, the first matching field and the second matching field can be flexibly adjusted based on the user-defined matching configuration information in the homologous analysis process, downward compatibility can be achieved under the condition that the data type is increased, the system is not required to be adjusted, only the data type needs to be directly accessed, and accordingly development cost is reduced.
Example four
The present application provides a storage medium storing a computer program, wherein the computer program is executed by a processor to perform the method for network asset data threat hunting as described in any one of the foregoing embodiments.
In the embodiment of the application, by acquiring the intelligence data in the preset period, the newly added domain name and the newly added IP in the preset period can be identified based on the intelligence data in the preset period, the newly added domain name and the newly added IP can be analyzed, and the attribute information of the newly added domain name and the attribute information of the newly added IP can be obtained; by acquiring the custom matching configuration information for the newly added domain name and the newly added IP, the first matching field for performing the homology analysis on the newly added domain name and the second matching field for performing the homology analysis on the newly added IP can be determined based on the custom matching configuration information; the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP can be matched and calculated based on the asset rule base to obtain the first calculation result; and the homology analysis result of the newly added IP and the newly added domain name can be determined based on the first calculation result and the asset rule base.
Compared with the prior art, the embodiment of the application can determine the first matching field for performing homologous analysis on the newly added domain name and the second matching field for performing homologous analysis on the newly added IP based on the custom matching configuration information by acquiring the custom matching configuration information for the newly added domain name and the newly added IP, so that the first matching field and the second matching field can be flexibly adjusted based on the custom matching configuration information in the homologous analysis process, the downward compatibility can be realized under the condition of increasing the data types, the system is not required to be adjusted, and only the data type is required to be directly accessed, thereby reducing the development cost.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is only a logical division, and other divisions may be realized in practice, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed coupling or direct coupling or communication connection between each other may be through some communication interfaces, indirect coupling or communication connection between devices or units, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
It should be noted that the functions, if implemented in the form of software functional modules and sold or used as independent products, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program codes.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made to the present application by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A method for hunting network asset data threats, the method comprising:
acquiring intelligence data in a preset period;
identifying a newly added domain name and a newly added IP in the preset period based on the intelligence data in the preset period;
analyzing the newly added domain name and the newly added IP, and obtaining attribute information of the newly added domain name and attribute information of the newly added IP, wherein when the newly added domain name is a common domain name, acquiring historical registration information of the newly added domain name through an API (application programming interface) of a website supporting historical Whois inquiry, acquiring MX, SOA and TXT records of the newly added domain name through the DNS (domain name system) protocol, acquiring a sub-domain name appearing in the newly added domain name, calculating the domain name length of the newly added domain name, and taking the MX, SOA and TXT records of the newly added domain name, the sub-domain name appearing in the newly added domain name, the domain name length of the newly added domain name and the historical registration information of the newly added domain name as the attribute information of the newly added domain name;
acquiring custom matching configuration information aiming at the newly added domain name and the newly added IP;
determining a first matching field for performing homology analysis on the newly added domain name and a second matching field for performing the homology analysis on the newly added IP based on the custom matching configuration information;
matching calculation is carried out on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP based on an asset rule base, and a first calculation result is obtained;
and determining the homologous analysis result of the newly added IP and the newly added domain name based on the first calculation result and the asset rule base.
2. The method as claimed in claim 1, wherein the performing a matching calculation on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP based on the asset rule base to obtain a first calculation result includes:
determining a matching expression of the asset rule base;
and matching and calculating the first matching field in the attribute information of the newly added domain name, the second matching field in the attribute information of the newly added IP and the fields in the asset rule base based on the matching expression to obtain a first calculation result.
3. The method of claim 2, wherein the method further comprises:
judging whether the asset rule base has an operational expression or not;
when the operational expression exists in the asset rule base, performing logic calculation on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP based on the operational expression to obtain a second calculation result;
and performing matching calculation on the second calculation result and the fields in the asset rule base based on the matching expression to obtain the first calculation result.
4. The method of claim 3, wherein the matching expressions comprise at least one of equality, inequality, inclusion, exclusion, and regular expressions;
and the operational expression comprises at least one of a four-rule operational expression and a logic operational expression.
5. The method of claim 3, wherein the determining the results of the homology analysis for the newly added IP and the newly added domain name based on the first calculation result and the asset rule base comprises:
determining a rule description based on the asset rule base;
judging whether the first calculation result meets the rule description;
and when the first calculation result accords with the rule description, determining the homologous analysis result of the newly added IP and the newly added domain name.
6. The method of claim 5, wherein the second matching field comprises: port open status, cyberspace asset mapping result data, IP server provider matching, Whois of the IP reverse-lookup domain name, associated URL of the IP, or JARM of the associated certificate.
7. The method of claim 5, wherein the first match field comprises: at least one of a domain name provider, a domain name length, a sub-domain name, whois of a domain name, an associated URL of a domain name, a resolved IP provider of a domain name, a top-level domain.
8. A cyber asset data threat hunting apparatus, the apparatus comprising:
the first acquisition module is used for acquiring intelligence data in a preset period;
the identification module is used for identifying the newly added domain name and the newly added IP in the preset period based on the intelligence data in the preset period;
the analysis module is used for analyzing the newly added domain name and the newly added IP and obtaining attribute information of the newly added domain name and attribute information of the newly added IP, wherein when the newly added domain name is a general domain name, historical registration information of the newly added domain name is obtained through an API of a website supporting historical Whois inquiry, MX, SOA and TXT records of the newly added domain name are obtained through a DNS protocol, sub-domain names appearing in the newly added domain name are obtained, the domain name length of the newly added domain name is calculated, and the MX, SOA and TXT records of the newly added domain name, the sub-domain name appearing in the newly added domain name, the domain name length of the newly added domain name and the historical registration information of the newly added domain name are used as the attribute information of the newly added domain name;
the second acquisition module is used for acquiring custom matching configuration information aiming at the newly added domain name and the newly added IP;
the determining module is used for determining a first matching field for performing homologous analysis on the newly added domain name and a second matching field for performing homologous analysis on the newly added IP based on the custom matching configuration information;
the computing module is used for performing matching computation on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP based on an asset rule base, and obtaining a first computation result;
and the judging module is used for determining the homologous analysis result of the newly added IP and the newly added domain name based on the first calculation result and the asset rule base.
9. An electronic device, comprising:
a processor; and
a memory configured to store machine readable instructions that, when executed by the processor, perform the network asset data threat hunting method of any one of claims 1-7.
10. A storage medium storing a computer program for execution by a processor of the network asset data threat hunting method as recited in any one of claims 1-7.
CN202210915411.8A 2022-08-01 2022-08-01 Network asset data threat hunting method and device, electronic equipment and storage medium Active CN115001867B (en)

Publications (2)

Publication Number Publication Date
CN115001867A CN115001867A (en) 2022-09-02
CN115001867B true CN115001867B (en) 2022-11-04

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8201257B1 (en) * 2004-03-31 2012-06-12 Mcafee, Inc. System and method of managing network security risks
CN111800395A (en) * 2020-06-18 2020-10-20 云南电网有限责任公司信息中心 Threat information defense method and system
CN112636924A (en) * 2020-12-23 2021-04-09 北京天融信网络安全技术有限公司 Network asset identification method and device, storage medium and electronic equipment
CN114124586A (en) * 2022-01-28 2022-03-01 奇安信科技集团股份有限公司 Network threat detection method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8813228B2 (en) * 2012-06-29 2014-08-19 Deloitte Development Llc Collective threat intelligence gathering system
CN111935192B (en) * 2020-10-12 2021-03-23 腾讯科技(深圳)有限公司 Network attack event tracing processing method, device, equipment and storage medium
CN112738040A (en) * 2020-12-18 2021-04-30 国家计算机网络与信息安全管理中心 Network security threat detection method, system and device based on DNS log

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant