CN105743877A - Network security threat information processing method and system - Google Patents

Publication number: CN105743877A
Application number: CN201510725335.4A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 康学斌, 姜晓楠, 肖新光
Assignee (current and original): Harbin Antiy Technology Co Ltd
Prior art keywords: sample, information bank, characteristics information, sample characteristics, static nature
Application filed by Harbin Antiy Technology Co Ltd; priority to CN201510725335.4A; publication of CN105743877A.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
            • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1425 Traffic logging, e.g. anomaly detection
                • H04L63/1416 Event detection, e.g. attack signature detection
        • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
            • H04L63/0227 Filtering policies
                • H04L63/0245 Filtering by information in the payload

Abstract

The invention provides a network security threat information processing method and system. The method includes the following steps: all dynamic and static characteristics of known malicious code samples are acquired; the dynamic and static characteristics of known white samples are obtained and a white sample characteristic information bank is established from them; all dynamic and static characteristics of the malicious code samples are filtered through the white sample characteristic information bank, and the dynamic and static characteristics of the malicious code samples that remain after filtering form a black sample characteristic information bank; the above steps are executed periodically so that the white and black sample characteristic information banks are supplemented; and the white and black sample characteristic information banks are output regularly, accuracy and validity verification is carried out, and the false-positive characteristics that are detected are updated. The invention also provides a corresponding system. With the method and system of the invention, information from trusted sources can be obtained and transformed into threat intelligence, so that accuracy is constantly improved, the false-positive rate is reduced, high-coverage characteristic information banks are output, family and sample characteristic analysis and recognition are assisted, and generic detection capability is enhanced.

Description

Network security threat information processing method and system
Technical field
The present invention relates to the field of computer network security, and in particular to a network security threat information processing method and system.
Background technology
With the constant increase of novel threats and attacks, of which APT is the typical representative, enterprises and organizations increasingly need to rely on rich and effective security threat intelligence as support when defending against external attacks, in order to respond better to these novel threats. The security threat intelligence analysis market has arisen in response to this need and is flourishing.
A very important feature of the present intelligence analysis market is that the intelligence provided to customers is becoming more and more specific. Intelligence suppliers can provide specific threat intelligence according to the environment information of the buyer's network and applications, rather than simple generic intelligence. For attacks that no protective equipment can detect, threat intelligence channels give us the relevant information about malicious attack samples, including malicious domain names, attack methods and attack background; the IP addresses of the related servers can also be associated, including the relationships between the related domain names. The whole visualization process is based on analysis of the entire body of network data; it is a visual analysis process rather than merely a presentation process, and everything rests on big-data analysis capability.
In the past we put too much energy into real-time defense, yet threats were still not blocked completely. We need to build a complete defense system, from defense, detection and response through to predicting attacks with threat intelligence; the core of all of this is to master massive data and to possess powerful data analysis capabilities.
Although public intelligence has the advantages of wide sources and rich content, it also has inherent shortcomings: the sources are numerous and mixed, the quality varies widely, the information is one-sided or ambiguous, and it is easily tampered with or falsified; at any stage (provision, processing, publication, transmission) it may be added to, deleted, modified or distorted. The lack of an effective analysis method is another major defect, and the technology for processing massive volumes of information is still immature; this is one of the current technical bottlenecks.
The reality is that most enterprises do not have enough personnel, time, funds and energy to deal with threats. Enterprise security investment is resource-constrained, while organized professional hackers are always several steps ahead. The endless stream of data breach incidents has a very severe impact on corporate reputation and finances. Therefore, in high-risk key industries and in large enterprises that are frequently attacked, the effect of threat intelligence can clearly be expected.
Although an APT attack has a long cycle and complex tactics, and the correlations between pieces of threat intelligence make it possible to uncover multiple potential attack patterns, enterprises often lack such analysis capability and staff; piling up massive amounts of intelligence may then backfire, leaving the intelligence insufficiently usable.
Summary of the invention
The present invention proposes a network security threat information processing method and system which, by processing threat intelligence, improves the accuracy and timeliness of the threat intelligence.
A network security threat information processing method, including:
Obtaining all dynamic and static features of known malicious code samples; the dynamic and static features are obtained from sample analysis service providers and online sandboxes; during acquisition the high value of the data must be ensured, so as to avoid confusion and inefficiency in subsequent analysis, that is, the sample analysis service providers and online sandboxes need to be effectively screened;
Obtaining the dynamic and static features of known white samples and establishing a white sample feature information bank, so as to exclude the interference that generic, commonplace features cause in the result;
Filtering all dynamic and static features of the malicious code samples through the white sample feature information bank: judging whether the dynamic and static features of a malicious code sample are present in the white sample feature information bank, and if so removing those dynamic and static features of the malicious code sample, otherwise retaining them;
Forming a black sample feature information bank from the dynamic and static features of the malicious code samples retained after filtering;
Periodically executing the above steps according to a preset time, to supplement the white sample feature information bank and the black sample feature information bank; the collection of threat intelligence is a dynamic, periodic process, so an architecture for continuous data stream processing needs to be established, with data cleaning and data conversion performed periodically, to ensure business continuity.
Regularly outputting the white sample feature information bank and the black sample feature information bank, carrying out accuracy and validity verification, and updating the false-positive features that are detected.
In the method, obtaining all dynamic and static features of known malicious code samples is specifically: searching by an MD5 list of known malicious code samples or by name keywords, crawling the feature reports of the samples, and extracting the dynamic and static features. Dynamic and static features may include network information such as HTTP requests and URLs; file information such as the paths of files created, dropped or modified; and features such as static information, mutexes and registry keys.
In the method, obtaining the dynamic and static features of known white samples is specifically: extracting dynamic and static features from website crawling, sample submission analysis, the system programs of common operating systems (such as Windows and Linux) and popular software.
In the method, also included: generating log records during the process of establishing the white sample feature information bank and the black sample feature information bank; the log records comprise the sample MD5, the current step, a timestamp and the feature.
In the method, if blocking or termination occurs during the process of establishing the white sample feature information bank and the black sample feature information bank, for example when the upstream job that produces the stream data runs faster than the downstream job that consumes it, which causes the processing flow to block, then the process is restarted, according to the timestamp of the log record, from the step at which the blocking or termination occurred, so that the flow can be restarted or stopped without affecting the data processing speed.
In the method, regularly outputting the white sample feature information bank and the black sample feature information bank is specifically: selecting the output form according to the order of magnitude of the features in each feature information bank. If the order of magnitude is above a preset value, a Bloom filter with an error tolerance of one in ten thousand is used to compress the bank, and a high-coverage feature information bank in binary Bloom filter form is output; if the order of magnitude is below the preset value, the feature information bank is output in the form of hash and virus name.
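The acquisition, white-bank filtering and black-bank steps above, together with the log record (sample MD5, step, timestamp, feature) and the restart-from-log behaviour, as an added Python example that is not code from the patent; the sandbox-style reports, the `stop_after` parameter used to simulate an interrupted run, and the record layout are constructed assumptions for the demonstration.

```python
import time

# Constructed sandbox-style reports (not real malware data). Each report carries the
# feature kinds the text names: network (http/url), file paths, mutexes, registry keys.
WHITE_REPORTS = [
    {"md5": "0" * 32, "network": ["http://update.example-os.test/ping"],
     "files": [r"C:\Windows\Temp\setup.log"],
     "mutex": ["Global\\ExampleInstaller"], "registry": [r"HKLM\Software\ExampleOS\Version"]},
    {"md5": "1" * 32, "network": [], "files": [r"C:\Users\Public\cache.dat"],
     "mutex": ["Local\\PopularApp"], "registry": []},
]
BLACK_REPORTS = [
    # shares the installer artefacts with the white set, plus its own C2 and persistence
    {"md5": "a" * 32,
     "network": ["http://update.example-os.test/ping", "http://c2.example-bad.test/gate"],
     "files": [r"C:\Windows\Temp\setup.log", r"C:\Users\Public\svch0st.exe"],
     "mutex": ["Global\\ExampleInstaller", "Global\\x3k9"],
     "registry": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svch0st"]},
    # every feature of this one also occurs in white samples: nothing survives filtering
    {"md5": "b" * 32, "network": [], "files": [r"C:\Users\Public\cache.dat"],
     "mutex": ["Local\\PopularApp"], "registry": []},
]

FEATURE_KINDS = ("network", "files", "mutex", "registry")


def extract_features(report):
    """Flatten one report into typed feature strings such as 'mutex:Global\\x3k9',
    so that a URL and a file path with identical text can never collide."""
    return {f"{kind}:{value}" for kind in FEATURE_KINDS for value in report.get(kind, [])}


def build_white_bank(white_reports):
    """White bank: the union of all features seen in known white samples."""
    return set().union(*(extract_features(r) for r in white_reports))


def filter_against_white(report, white_bank):
    """Drop every feature of a malicious sample that the white bank also contains."""
    return extract_features(report) - white_bank


class PipelineLog:
    """Log records carrying sample MD5, current step, timestamp and feature, as the text
    specifies; a restarted run consults them instead of starting from scratch."""

    def __init__(self):
        self.records = []

    def write(self, md5, step, features):
        self.records.append({"md5": md5, "step": step, "ts": time.time_ns(),
                             "features": sorted(features)})

    def completed(self, step):
        return {r["md5"] for r in self.records if r["step"] == step}

    def resume_point(self):
        """The most recent record by timestamp: the step a restarted run continues from."""
        return max(self.records, key=lambda r: r["ts"], default=None)


def build_black_bank(black_reports, white_bank, log, stop_after=None):
    """Filter step plus black-bank step with logging. `stop_after` (constructed for the
    demo) simulates the run being blocked or terminated after that many samples; calling
    again with the same log resumes with the samples not yet logged at step 'black_bank'
    and re-assembles the contribution of the samples that had already finished."""
    done = log.completed("black_bank")
    black_bank = set()
    for r in log.records:
        if r["step"] == "black_bank":
            black_bank.update(r["features"])
    processed = 0
    for report in black_reports:
        if report["md5"] in done:
            continue
        if stop_after is not None and processed >= stop_after:
            break
        kept = filter_against_white(report, white_bank)
        log.write(report["md5"], "filter", kept)
        black_bank |= kept
        log.write(report["md5"], "black_bank", kept)
        processed += 1
    return black_bank


if __name__ == "__main__":
    white = build_white_bank(WHITE_REPORTS)
    log = PipelineLog()
    build_black_bank(BLACK_REPORTS, white, log, stop_after=1)   # run cut short
    point = log.resume_point()
    print("resume from step", point["step"], "of sample", point["md5"][:8])
    for feature in sorted(build_black_bank(BLACK_REPORTS, white, log)):  # restarted run
        print("black:", feature)
```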
A network security threat information processing system, including:
A feature acquisition module, for obtaining all dynamic and static features of known malicious code samples; the dynamic and static features are obtained from sample analysis service providers and online sandboxes;
A white sample feature information bank establishing module, for obtaining the dynamic and static features of known white samples and establishing a white sample feature information bank;
A feature filtering module, for filtering all dynamic and static features of the malicious code samples through the white sample feature information bank, judging whether the dynamic and static features of a malicious code sample are present in the white sample feature information bank, removing those dynamic and static features of the malicious code sample if so and retaining them otherwise;
A black sample feature information bank establishing module, for forming a black sample feature information bank from the dynamic and static features of the malicious code samples retained after filtering;
A feature supplementing module, for periodically executing the above steps according to a preset time, to supplement the white sample feature information bank and the black sample feature information bank;
A verification module, for regularly outputting the white sample feature information bank and the black sample feature information bank, carrying out accuracy and validity verification, and updating the false-positive features that are detected.
In the system, obtaining all dynamic and static features of known malicious code samples is specifically: searching by an MD5 list of known malicious code samples or by name keywords, crawling the feature reports of the samples, and extracting the dynamic and static features.
In the system, obtaining the dynamic and static features of known white samples is specifically: extracting dynamic and static features from website crawling, sample submission analysis, the system programs of common operating systems and popular software.
In the system, also included: a logging module, for generating log records during the process of establishing the white sample feature information bank and the black sample feature information bank; the log records comprise the sample MD5, the current step, a timestamp and the feature.
In the system, if blocking or termination occurs during the process of establishing the white sample feature information bank and the black sample feature information bank, the process is restarted, according to the timestamp of the log record, from the step at which the blocking or termination occurred.
In the system, regularly outputting the white sample feature information bank and the black sample feature information bank is specifically: selecting the output form according to the order of magnitude of the features in each feature information bank. If the order of magnitude is above a preset value, a Bloom filter with an error tolerance of one in ten thousand is used to compress the bank, and a high-coverage feature information bank in binary Bloom filter form is output; if the order of magnitude is below the preset value, the feature information bank is output in the form of hash and virus name.
The key of the present invention is to rely on multiple trusted sources to ensure the credibility, authority and timeliness of all the massive information at its data source. Through the learning route of discrimination, knowledge-base screening, streaming storage, regular output for detection and false-positive update, the information is continuously accumulated and iterated, progressively converted into threat intelligence, its accuracy constantly improved and its false-positive rate lowered, and a high-coverage black feature information bank is output. Multiple output bank forms adapt flexibly to diverse detection demands, achieving sample analysis and detection with high recall and a low false-positive rate, providing data support for future sample analysis and for the discrimination of black and white samples, assisting family and sample feature analysis and identification, and enhancing generic detection capability.
The present invention proposes a network security threat information processing method and system, including: obtaining all dynamic and static features of known malicious code samples; obtaining the dynamic and static features of known white samples and establishing a white sample feature information bank; filtering all dynamic and static features of the malicious code samples through the white sample feature information bank, and forming a black sample feature information bank from the dynamic and static features of the malicious code samples retained after filtering; periodically executing the above steps to supplement the white sample feature information bank and the black sample feature information bank; and regularly outputting the white sample feature information bank and the black sample feature information bank, carrying out accuracy and validity verification, and updating the false-positive features that are detected. The present invention also proposes a corresponding system. By means of the present invention, information from trusted sources can be obtained and converted into threat intelligence, so that accuracy is constantly improved, the false-positive rate is reduced, a high-coverage feature information bank is output, family and sample feature analysis and identification are assisted, and generic detection capability is enhanced.
Brief description of the drawings
In order to explain more clearly the technical solution of the present invention or of the prior art, the drawings required for the description of the embodiments or of the prior art are briefly described below. Obviously, the drawings described below are only some of the embodiments recorded in the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of an embodiment of a network security threat information processing method;
Fig. 2 is a structural schematic diagram of an embodiment of a network security threat information processing system.
Detailed description of the invention
In order that those skilled in the art may better understand the technical solution in the embodiments of the present invention, and so that the above purpose, features and advantages of the present invention become clearer and easier to understand, the technical solution of the present invention is described in further detail below with reference to the drawings.
The present invention proposes a network security threat information processing method and system which, by processing threat intelligence, improves the accuracy and timeliness of the threat intelligence.
A network security threat information processing method, as shown in Fig. 1, includes:
S101: obtaining all dynamic and static features of known malicious code samples; the dynamic and static features are obtained from sample analysis service providers and online sandboxes; during acquisition the high value of the data must be ensured, so as to avoid confusion and inefficiency in subsequent analysis, that is, the sample analysis service providers and online sandboxes need to be effectively screened;
S102: obtaining the dynamic and static features of known white samples and establishing a white sample feature information bank, so as to exclude the interference that generic, commonplace features cause in the result;
S103: filtering all dynamic and static features of the malicious code samples through the white sample feature information bank: judging whether the dynamic and static features of a malicious code sample are present in the white sample feature information bank, and if so removing those dynamic and static features of the malicious code sample, otherwise retaining them;
S104: forming a black sample feature information bank from the dynamic and static features of the malicious code samples retained after filtering;
S105: periodically executing the above steps according to a preset time, to supplement the white sample feature information bank and the black sample feature information bank; the collection of threat intelligence is a dynamic, periodic process, so an architecture for continuous data stream processing needs to be established, with data cleaning and data conversion performed periodically, to ensure business continuity.
S106: regularly outputting the white sample feature information bank and the black sample feature information bank, carrying out accuracy and validity verification, and updating the false-positive features that are detected.
In the method, obtaining all dynamic and static features of known malicious code samples is specifically: searching by an MD5 list of known malicious code samples or by name keywords, crawling the feature reports of the samples, and extracting the dynamic and static features. Dynamic and static features may include network information such as HTTP requests and URLs; file information such as the paths of files created, dropped or modified; and features such as static information, mutexes and registry keys.
In the method, obtaining the dynamic and static features of known white samples is specifically: extracting dynamic and static features from website crawling, sample submission analysis, the system programs of common operating systems (such as Windows and Linux) and popular software.
In the method, also included: generating log records during the process of establishing the white sample feature information bank and the black sample feature information bank; the log records comprise the sample MD5, the current step, a timestamp and the feature.
In the method, if blocking or termination occurs during the process of establishing the white sample feature information bank and the black sample feature information bank, for example when the upstream job that produces the stream data runs faster than the downstream job that consumes it, which causes the processing flow to block, then the process is restarted, according to the timestamp of the log record, from the step at which the blocking or termination occurred, so that the flow can be restarted or stopped without affecting the data processing speed.
In the method, regularly outputting the white sample feature information bank and the black sample feature information bank is specifically: selecting the output form according to the order of magnitude of the features in each feature information bank. If the order of magnitude is above a preset value, a Bloom filter with an error tolerance of one in ten thousand is used to compress the bank, and a high-coverage feature information bank in binary Bloom filter form is output; if the order of magnitude is below the preset value, the feature information bank is output in the form of hash and virus name.
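The output selection of step S106 described above, as an added Python example that is not code from the patent: a bank above the preset size is exported as a binary Bloom filter sized for the one-in-ten-thousand error tolerance the text names, a smaller bank as a sorted table of hash and virus name. The Bloom filter layout, the choice of MD5 for the table hash, the constructed feature entries and virus names, and the measured false-positive check are assumptions of this example.

```python
import hashlib
import math
import struct


class BloomFilter:
    """Minimal Bloom filter sized from the item count and a target error rate.
    Constructed for this example; the text only says 'binary Bloom filter form'."""

    def __init__(self, n_items, error_rate):
        n_items = max(1, n_items)
        # standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hash functions
        self.m = math.ceil(-n_items * math.log(error_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # double hashing over one SHA-256 digest gives the k probe positions
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1, h2 = struct.unpack("<QQ", digest[:16])
        h2 |= 1                      # odd step so the probes never collapse onto one bit
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def to_bytes(self):
        # constructed binary layout: m (uint32), k (uint8), then the bit array
        return struct.pack("<IB", self.m, self.k) + bytes(self.bits)

    @classmethod
    def from_bytes(cls, blob):
        bf = cls.__new__(cls)
        bf.m, bf.k = struct.unpack("<IB", blob[:5])
        bf.bits = bytearray(blob[5:])
        return bf


def feature_hash(feature):
    """Hex MD5 of the feature string (MD5 chosen to match the sample identifiers in the text)."""
    return hashlib.md5(feature.encode("utf-8")).hexdigest()


def export_bank(bank, preset, error_rate=1e-4):
    """Pick the output form by feature count: above `preset`, a Bloom filter with the
    1/10,000 error tolerance; otherwise a sorted (hash, virus name) table.
    `bank` maps each feature string to the virus name it was attributed to."""
    if len(bank) > preset:
        bf = BloomFilter(len(bank), error_rate)
        for feature in bank:
            bf.add(feature)
        return "bloom", bf.to_bytes()
    return "table", sorted((feature_hash(f), name) for f, name in bank.items())


def open_bank(exported):
    """Turn an exported bank back into something detection code can query."""
    kind, payload = exported
    if kind == "bloom":
        return BloomFilter.from_bytes(payload)
    return {h for h, _ in payload}


def contains(opened, feature):
    """Detection-side lookup against either opened form."""
    if isinstance(opened, BloomFilter):
        return feature in opened
    return feature_hash(feature) in opened


def measured_false_positive_rate(opened, absent_features):
    """Fraction of features known to be absent that the bank nevertheless reports."""
    hits = sum(1 for f in absent_features if contains(opened, f))
    return hits / len(absent_features)


if __name__ == "__main__":
    small = {"mutex:Global\\x3k9": "Trojan.Constructed.A"}          # constructed entry
    print(export_bank(small, preset=1000))
    big = {f"url:http://host{i}.example.test/gate": "Trojan.Constructed.B" for i in range(5000)}
    exported = export_bank(big, preset=1000)
    absent = [f"url:http://host{i}.example.test/gate" for i in range(5000, 25000)]
    print(exported[0], len(exported[1]), "bytes; measured false-positive rate",
          measured_false_positive_rate(open_bank(exported), absent))
```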
A network security threat information processing system, as shown in Fig. 2, includes:
A feature acquisition module 201, for obtaining all dynamic and static features of known malicious code samples; the dynamic and static features are obtained from sample analysis service providers and online sandboxes;
A white sample feature information bank establishing module 202, for obtaining the dynamic and static features of known white samples and establishing a white sample feature information bank;
A feature filtering module 203, for filtering all dynamic and static features of the malicious code samples through the white sample feature information bank, judging whether the dynamic and static features of a malicious code sample are present in the white sample feature information bank, removing those dynamic and static features of the malicious code sample if so and retaining them otherwise;
A black sample feature information bank establishing module 204, for forming a black sample feature information bank from the dynamic and static features of the malicious code samples retained after filtering;
A feature supplementing module 205, for periodically executing the above steps according to a preset time, to supplement the white sample feature information bank and the black sample feature information bank;
A verification module 206, for regularly outputting the white sample feature information bank and the black sample feature information bank, carrying out accuracy and validity verification, and updating the false-positive features that are detected.
In the system, obtaining all dynamic and static features of known malicious code samples is specifically: searching by an MD5 list of known malicious code samples or by name keywords, crawling the feature reports of the samples, and extracting the dynamic and static features.
In the system, obtaining the dynamic and static features of known white samples is specifically: extracting dynamic and static features from website crawling, sample submission analysis, the system programs of common operating systems and popular software.
In the system, also included: a logging module 207, for generating log records during the process of establishing the white sample feature information bank and the black sample feature information bank; the log records comprise the sample MD5, the current step, a timestamp and the feature.
In the system, if blocking or termination occurs during the process of establishing the white sample feature information bank and the black sample feature information bank, the process is restarted, according to the timestamp of the log record, from the step at which the blocking or termination occurred.
In the system, regularly outputting the white sample feature information bank and the black sample feature information bank is specifically: selecting the output form according to the order of magnitude of the features in each feature information bank. If the order of magnitude is above a preset value, a Bloom filter with an error tolerance of one in ten thousand is used to compress the bank, and a high-coverage feature information bank in binary Bloom filter form is output; if the order of magnitude is below the preset value, the feature information bank is output in the form of hash and virus name.
The key of the present invention is to rely on multiple trusted sources to ensure the credibility, authority and timeliness of all the massive information at its data source. Through the learning route of discrimination, knowledge-base screening, streaming storage, regular output for detection and false-positive update, the information is continuously accumulated and iterated, progressively converted into threat intelligence, its accuracy constantly improved and its false-positive rate lowered, and a high-coverage black sample feature information bank is output. Multiple output bank forms adapt flexibly to diverse detection demands, achieving sample analysis and detection with high recall and a low false-positive rate, providing data support for future sample analysis and for the discrimination of black and white samples, assisting family and sample feature analysis and identification, and enhancing generic detection capability.
The present invention proposes a network security threat information processing method and system, including: obtaining all dynamic and static features of known malicious code samples; obtaining the dynamic and static features of known white samples and establishing a white sample feature information bank; filtering all dynamic and static features of the malicious code samples through the white sample feature information bank, and forming a black sample feature information bank from the dynamic and static features of the malicious code samples retained after filtering; periodically executing the above steps to supplement the white sample feature information bank and the black sample feature information bank; and regularly outputting the white sample feature information bank and the black sample feature information bank, carrying out accuracy and validity verification, and updating the false-positive features that are detected. The present invention also proposes a corresponding system. By means of the present invention, information from trusted sources can be obtained and converted into threat intelligence, so that accuracy is constantly improved, the false-positive rate is reduced, a high-coverage feature information bank is output, family and sample feature analysis and identification are assisted, and generic detection capability is enhanced.
The embodiments in this specification are described in a progressive manner; each embodiment emphasizes its differences from the other embodiments, and the identical or similar parts of the embodiments may be referred to one another. The system embodiment in particular is described relatively simply because it is substantially similar to the method embodiment; for the relevant parts, refer to the description of the method embodiment.
Although the present invention has been described by way of embodiments, those skilled in the art will appreciate that the present invention has many variations and changes that do not depart from its spirit, and it is intended that the appended claims cover these variations and changes without departing from the spirit of the present invention.

Claims (12)

1. A network security threat information processing method, characterized in that it comprises:
obtaining all dynamic and static features of known malicious code samples, the dynamic and static features being obtained from sample analysis service providers and online sandboxes;
obtaining the dynamic and static features of known white (benign) samples and building a white sample feature information bank;
filtering all dynamic and static features of the malicious code samples through the white sample feature information bank: judging, for each dynamic or static feature of a malicious code sample, whether it is present in the white sample feature information bank; if so, removing that feature of the malicious code sample, otherwise retaining it;
forming a black sample feature information bank from the dynamic and static features of the malicious code samples retained after filtering;
periodically performing the above steps according to a preset time, so as to supplement the white sample feature information bank and the black sample feature information bank;
regularly exporting the white sample feature information bank and the black sample feature information bank, verifying their accuracy rate and validity, and updating the false-positive features detected.
2. The method of claim 1, characterized in that obtaining all dynamic and static features of known malicious code samples specifically comprises: searching by an MD5 list or by name keywords of the known malicious code samples, crawling the analysis reports of the samples, and extracting the dynamic and static features.
3. The method of claim 1, characterized in that obtaining the dynamic and static features of known white samples specifically comprises: collecting samples by website crawling, by sample submission analysis, and from the system programs of common operating systems and popular software, and extracting the dynamic and static features.
4. The method of claim 1, characterized in that it further comprises: generating log records during the process of building the white sample feature information bank and the black sample feature information bank, each log record comprising the sample MD5, the current step, a timestamp and the feature.
5. The method of claim 4, characterized in that, if the process of building the white sample feature information bank and the black sample feature information bank is blocked or terminated, it is restarted, according to the timestamp of the log records, from the step at which the blocking or termination occurred.
6. The method of claim 1 or 5, characterized in that regularly exporting the white sample feature information bank and the black sample feature information bank specifically comprises selecting an output mode according to the order of magnitude of the number of features in each feature information bank: if the order of magnitude is above a preset value, compressing the bank with a Bloom filter at a false-positive tolerance of one in ten thousand and exporting a high-coverage feature information bank in binary Bloom filter format; if the order of magnitude is below the preset value, exporting the feature information bank in the form of hash plus virus name.
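To make claims 1 to 6 concrete, the following is an added example and not code from the patent or from Antiy: a small Python model of the whole procedure, with a white bank built from benign samples, a per-feature filter of malicious-sample features against it, a black bank of what survives, the claim-4 log of sample MD5, step, timestamp and feature, resumption from the last logged step (claim 5), a verification pass that drops black features that have since appeared in the white bank, and the claim-6 choice between a binary Bloom filter and an exact hash-plus-virus-name list. The per-feature reading of the filter step, the step names, the sample identifiers, feature strings, virus names and the size threshold of three are assumptions; the one-in-ten-thousand false-positive tolerance is the figure given in claim 6.

```python
"""Toy model of the white/black feature-bank pipeline of claims 1-6. Added example,
not the patent's or Antiy's code; sample IDs, feature strings, virus names and the
size threshold are constructed, the 1/10000 tolerance is the figure from claim 6."""
import hashlib
import math
import time
from typing import Dict, Iterator, List, Set

STEPS = ("collect_white", "filter", "verify")  # order of one periodic run
FP_TOLERANCE = 1e-4  # claim 6: one false positive in ten thousand


class BloomFilter:
    """Bit-array Bloom filter sized for n items at a target false-positive rate."""
    def __init__(self, n_items: int, fp_rate: float = FP_TOLERANCE) -> None:
        n = max(1, n_items)
        self.m = math.ceil(-n * math.log(fp_rate) / math.log(2) ** 2)  # bits
        self.k = max(1, round(self.m / n * math.log(2)))  # hash functions
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str) -> Iterator[int]:
        for seed in range(self.k):  # k hashes derived from seeded SHA-256
            h = hashlib.sha256(f"{seed}:{item}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(item))


class FeatureBanks:
    """White bank (feature set), black bank (feature -> virus names), claim-4 log."""
    def __init__(self) -> None:
        self.white: Set[str] = set()
        self.black: Dict[str, Set[str]] = {}
        self.log: List[dict] = []  # records of sample MD5, step, timestamp, feature

    def _log(self, md5: str, step: str, feature: str = "") -> None:
        self.log.append({"md5": md5, "step": step, "ts": time.time(), "feature": feature})

    def run_cycle(self, white_samples: Dict[str, Set[str]],
                  malicious_samples: Dict[str, tuple], start_step: str = STEPS[0]) -> None:
        """One periodic run (claim 5); steps before start_step are skipped on resume."""
        todo = STEPS[STEPS.index(start_step):]
        if "collect_white" in todo:  # claims 1/3: union of white-sample features
            for md5, feats in white_samples.items():
                self.white.update(feats)
                self._log(md5, "collect_white")
        if "filter" in todo:  # claim 1: drop every feature also present in the white bank
            for md5, (name, feats) in malicious_samples.items():
                for f in feats:
                    if f in self.white:
                        self._log(md5, "filter", f)  # removed as benign
                    else:
                        self.black.setdefault(f, set()).add(name)
        if "verify" in todo:  # claim 1, last step: purge features that became white
            for f in [f for f in self.black if f in self.white]:
                del self.black[f]
                self._log("-", "verify", f)
        self._log("-", "done")


def resume_step(log: List[dict]) -> str:
    """Claim 5: restart at the step of the newest (last, by timestamp) log record."""
    if not log or log[-1]["step"] == "done":
        return STEPS[0]
    return log[-1]["step"]


def export_bank(bank: Dict[str, Set[str]], threshold: int,
                fp_rate: float = FP_TOLERANCE) -> dict:
    """Claim 6: Bloom filter above the size threshold, hash-plus-name rows below."""
    if len(bank) > threshold:
        bf = BloomFilter(len(bank), fp_rate)
        for f in bank:
            bf.add(f)
        return {"format": "bloom", "filter": bf}
    rows = [{"hash": hashlib.sha256(f.encode()).hexdigest(), "names": sorted(n)}
            for f, n in sorted(bank.items())]
    return {"format": "hash_list", "entries": rows}


WHITE_SAMPLES = {  # constructed: sample MD5 -> features (stand-ins for real ones)
    "md5-white-1": {"imp:CreateFileW", "imp:ReadFile", "sec:.text", "beh:reads_config"},
    "md5-white-2": {"imp:CreateFileW", "sec:.text", "sec:.rsrc", "beh:creates_window"},
}
MALICIOUS_SAMPLES = {  # constructed: sample MD5 -> (virus name, features)
    "md5-mal-1": ("Trojan.Constructed.A",
                  {"imp:CreateFileW", "sec:.text", "sec:.upx0", "beh:run_key_persist"}),
    "md5-mal-2": ("Trojan.Constructed.B", {"imp:CreateFileW", "sec:.text"}),
    "md5-mal-3": ("Worm.Constructed.C", {"sec:.upx0", "mutex:constructed-01", "beh:remote_inject"}),
}


def demo() -> dict:
    """Two runs: build the banks, then a packed benign program ("sec:.upx0")
    arrives as a white sample and verify removes it from the black bank."""
    banks = FeatureBanks()
    banks.run_cycle(WHITE_SAMPLES, MALICIOUS_SAMPLES)
    before = sorted(banks.black)
    banks.run_cycle({"md5-white-3": {"sec:.upx0"}}, {}, resume_step(banks.log))
    return {"black_before": before, "black_after": sorted(banks.black), "banks": banks}
```

Running `demo()` shows the two halves of the claim: sample md5-mal-2, whose features all occur in benign software, contributes nothing to the black bank, and the packer section name that looked malicious in the first run is retired as a false positive once a benign packed program enters the white bank. The Bloom-filter output is compact and covers the whole bank, but it cannot be enumerated and it admits roughly one spurious hit per ten thousand lookups, so a match against a Bloom-format bank is a lead to confirm against the exact hash-and-name form rather than a verdict; that is the trade-off behind reserving the exact form for small banks.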
7. A network security threat information processing system, characterized in that it comprises:
a feature acquisition module, configured to obtain all dynamic and static features of known malicious code samples, the dynamic and static features being obtained from sample analysis service providers and online sandboxes;
a white sample feature information bank building module, configured to obtain the dynamic and static features of known white (benign) samples and build a white sample feature information bank;
a feature filtering module, configured to filter all dynamic and static features of the malicious code samples through the white sample feature information bank, judging, for each dynamic or static feature of a malicious code sample, whether it is present in the white sample feature information bank; if so, removing that feature of the malicious code sample, otherwise retaining it;
a black sample feature information bank building module, configured to form a black sample feature information bank from the dynamic and static features of the malicious code samples retained after filtering;
a feature supplementing module, configured to periodically perform the above steps according to a preset time, so as to supplement the white sample feature information bank and the black sample feature information bank;
a verification module, configured to regularly export the white sample feature information bank and the black sample feature information bank, verify their accuracy rate and validity, and update the false-positive features detected.
8. The system of claim 7, characterized in that obtaining all dynamic and static features of known malicious code samples specifically comprises: searching by an MD5 list or by name keywords of the known malicious code samples, crawling the analysis reports of the samples, and extracting the dynamic and static features.
9. The system of claim 7, characterized in that obtaining the dynamic and static features of known white samples specifically comprises: collecting samples by website crawling, by sample submission analysis, and from the system programs of common operating systems and popular software, and extracting the dynamic and static features.
10. The system of claim 7, characterized in that it further comprises: a log recording module, configured to generate log records during the process of building the white sample feature information bank and the black sample feature information bank, each log record comprising the sample MD5, the current step, a timestamp and the feature.
11. The system of claim 10, characterized in that, if the process of building the white sample feature information bank and the black sample feature information bank is blocked or terminated, it is restarted, according to the timestamp of the log records, from the step at which the blocking or termination occurred.
12. The system of claim 7 or 10, characterized in that regularly exporting the white sample feature information bank and the black sample feature information bank specifically comprises selecting an output mode according to the order of magnitude of the number of features in each feature information bank: if the order of magnitude is above a preset value, compressing the bank with a Bloom filter at a false-positive tolerance of one in ten thousand and exporting a high-coverage feature information bank in binary Bloom filter format; if the order of magnitude is below the preset value, exporting the feature information bank in the form of hash plus virus name.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510725335.4A CN105743877A (en) 2015-11-02 2015-11-02 Network security threat information processing method and system

Publications (1)

Publication Number Publication Date
CN105743877A true CN105743877A (en) 2016-07-06

Family

ID=56296006

Country Status (1)

Country Link
CN (1) CN105743877A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090049549A1 (en) * 2007-07-10 2009-02-19 Taejoon Park Apparatus and method for detection of malicious program using program behavior
CN103761476A (en) * 2013-12-30 2014-04-30 北京奇虎科技有限公司 Characteristic extraction method and device
CN103971052A (en) * 2013-01-28 2014-08-06 腾讯科技(深圳)有限公司 Magnetic disk boot virus identification method and device
CN104966020A (en) * 2014-07-24 2015-10-07 哈尔滨安天科技股份有限公司 Eigenvector-based anti-virus detection method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
赵恒立 (Zhao Hengli): "Research on Malicious Code Detection and Classification Technology" (恶意代码检测与分类技术研究), China Master's Theses Full-text Database (Electronic Journal), Information Science and Technology Series *

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106548069A (en) * 2016-07-18 2017-03-29 北京安天电子设备有限公司 Feature extraction system and method based on a sorting algorithm
CN106548069B (en) * 2016-07-18 2020-04-24 北京安天网络安全技术有限公司 Feature extraction system and method based on sorting algorithm
WO2018095099A1 (en) * 2016-11-24 2018-05-31 北京奇虎科技有限公司 Method and device for processing suspicious samples
CN109688091A (en) * 2018-04-25 2019-04-26 北京微步在线科技有限公司 Method and device for evaluating the quality of multi-source threat intelligence
CN109688091B (en) * 2018-04-25 2021-10-08 北京微步在线科技有限公司 Multi-source threat intelligence quality evaluation method and device
CN109981627B (en) * 2019-03-18 2021-02-26 武汉思普崚技术有限公司 Method and system for updating network threat information
CN109981627A (en) * 2019-03-18 2019-07-05 武汉思普崚技术有限公司 Method and system for updating network threat intelligence
CN110213094A (en) * 2019-05-29 2019-09-06 哈尔滨安天科技集团股份有限公司 Method, device and storage equipment for establishing a threat activity topological graph
CN110213094B (en) * 2019-05-29 2021-11-16 安天科技集团股份有限公司 Method and device for establishing threat activity topological graph and storage equipment
CN110460594A (en) * 2019-07-31 2019-11-15 平安科技(深圳)有限公司 Threat intelligence data acquisition and processing method, device and storage medium
CN110460594B (en) * 2019-07-31 2022-02-25 平安科技(深圳)有限公司 Threat information data acquisition processing method, device and storage medium
CN113762294A (en) * 2020-06-03 2021-12-07 深信服科技股份有限公司 Feature vector dimension compression method, device, equipment and medium
CN113762294B (en) * 2020-06-03 2024-04-12 深信服科技股份有限公司 Feature vector dimension compression method, device, equipment and medium
CN114006778A (en) * 2022-01-05 2022-02-01 北京微步在线科技有限公司 Threat information identification method and device, electronic equipment and storage medium
CN114006778B (en) * 2022-01-05 2022-03-25 北京微步在线科技有限公司 Threat information identification method and device, electronic equipment and storage medium
CN114978616A (en) * 2022-05-06 2022-08-30 支付宝(杭州)信息技术有限公司 Method and device for constructing risk assessment system and method and device for risk assessment
CN114978616B (en) * 2022-05-06 2024-01-09 支付宝(杭州)信息技术有限公司 Construction method and device of risk assessment system, and risk assessment method and device
CN115225413A (en) * 2022-09-20 2022-10-21 北京微步在线科技有限公司 Method and device for extracting defect index, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN105743877A (en) Network security threat information processing method and system
Sapienza et al. Early warnings of cyber threats in online discussions
US10102372B2 (en) Behavior profiling for malware detection
US9712554B2 (en) Event correlation across heterogeneous operations
CA2926579C (en) Event correlation across heterogeneous operations
US10721245B2 (en) Method and device for automatically verifying security event
US10397267B2 (en) Threat intelligence system and method
CN107241296B (en) Webshell detection method and device
CN108063759B (en) Web vulnerability scanning method
CN108881263B (en) Network attack result detection method and system
Kaur et al. Automatic attack signature generation systems: A review
CN104954384B (en) URL mimicry method for protecting Web application security
EP3531324B1 (en) Identification process for suspicious activity patterns based on ancestry relationship
WO2018143097A1 (en) Determination device, determination method, and determination program
Han et al. WHAP: Web-hacking profiling using case-based reasoning
Hyun et al. Security operation implementation through big data analysis by using open source ELK stack
KR20140077405A (en) Method and apparatus for detecting cyber target attack
Kumar et al. Detection of malware using deep learning techniques
CN115174154A (en) Advanced threat event processing method and device, terminal equipment and storage medium
Pournouri et al. Cyber attacks analysis using decision tree technique for improving cyber situational awareness
Tongkachok et al. The Empirical Analysis of Machine Learning Approaches for Enhancing the Cyber security for better Quality
Wu et al. Meta-analysis of network information security and Web data mining techniques
US20230135755A1 (en) Layer 7 network attack detection using machine learning feature contribution
Chaudhary et al. Role of Machine Learning Applications in Enhancing Cyber Security Effectiveness: An Empirical Study
Shukla et al. A detection approach for IoT traffic-based DDoS attacks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin Hi-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)

Applicant after: Harbin antiy Technology Group Limited by Share Ltd

Address before: 506 room 162, Hongqi Avenue, Nangang District, Harbin Development Zone, Heilongjiang, 150090

Applicant before: Harbin Antiy Technology Co., Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20160706