CN107786564A - Attack detection method, system and electronic device based on threat intelligence - Google Patents
Attack detection method, system and electronic device based on threat intelligence
- Publication number: CN107786564A (application CN201711067639.1A)
- Authority: CN (China)
- Prior art keywords: information, target, map data, data engine, threat
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L63/302—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information gathering intelligence information for situation awareness or reconnaissance
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/951—Indexing; Web crawling techniques
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention provides an attack detection method, system and electronic device based on threat intelligence. The method includes: obtaining a threat intelligence repository; processing the multiple pieces of threat intelligence in the repository to obtain multiple association graphs; determining, among the multiple association graphs, the target association graph corresponding to a target local graph data engine, and sending that target association graph to the target local graph data engine so that it can detect new attack threats from the target association graph. In this method the threat intelligence held by the cloud graph data engine is updated in real time, so the association graphs derived from it are more comprehensive, and the target association graph matching each target local graph data engine can be sent to it; when the local engine then detects new attack threats from that graph, detection is efficient and accurate, which alleviates the technical problem of long detection time and poor detection accuracy that existing detection methods suffer when detecting new threat attacks.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to an attack detection method, system and electronic device based on threat intelligence.
Background technology
With the rapid development of the Internet, every aspect of life now depends on Internet technology. Network attacks, however, have grown alongside the Internet into a potentially huge problem, so network security receives ever more attention. Many kinds of tools for resisting network attacks exist on the market at present, such as firewalls, net shields, network bodyguards and security guards, and they can protect network security to a certain extent.
However, the network attack defence tools in common use today mainly detect malicious scripts and illegal data access passively, according to preset interception rules. As time goes on the number and complexity of the preset interception rules keep growing, so the query-and-comparison time consumed for a new attack grows longer and longer; the preset interception rules also need periodic updating, which introduces a certain lag, so that in many cases new attacks cannot be discovered in real time. If these problems are not solved, threat attacks may go undetected in many situations, or the response to them may be very slow, creating potential safety hazards.
In summary, existing attack detection methods have the technical problem of long detection time and poor detection accuracy when detecting new threat attacks.
The content of the invention
In view of this, it is an object of the invention to provide an attack detection method, system and electronic device based on threat intelligence, so as to alleviate the technical problem that existing attack detection methods take a long time and have poor accuracy when detecting new threat attacks.
In a first aspect, an embodiment of the invention provides an attack detection method based on threat intelligence, the method including:
obtaining a threat intelligence repository, the repository including multiple pieces of threat intelligence obtained in real time, each piece of threat intelligence characterizing an attack threat posed by an attacker to an attacked party;
processing the multiple pieces of threat intelligence in the repository to obtain multiple association graphs, each association graph representing the association relationship between the attacker and the attacked party;
determining, among the multiple association graphs, the target association graph corresponding to a target local graph data engine, and sending the target association graph to the target local graph data engine so that it detects new attack threats according to the target association graph, the target local graph data engine being one of multiple local graph data engines.
With reference to the first aspect, an embodiment of the invention provides a first possible implementation of the first aspect, in which determining, among the multiple association graphs, the target association graph corresponding to the target local graph data engine includes:
obtaining the customization demand of the target local graph data engine;
sending the target association graph to the target local graph data engine based on the customization demand, so that the target local graph data engine detects the new attack threat according to the target association graph, where the target association graph is the partial association graph, among the multiple association graphs, that satisfies the customization demand.
With reference to the first aspect, an embodiment of the invention provides a second possible implementation of the first aspect, in which processing the multiple pieces of threat intelligence in the repository to obtain multiple association graphs includes:
scanning the threat intelligence to obtain its element information, the element information including source information, event information and target information;
building the association graph between the source information and the target information according to the event information;
storing the association graph.
With reference to the first aspect, an embodiment of the invention provides a third possible implementation of the first aspect, in which obtaining the threat intelligence repository includes:
obtaining the new threat intelligence sent by the multiple local graph data engines;
updating the historical threat intelligence repository based on the new threat intelligence to obtain the threat intelligence repository.
With reference to the first aspect, an embodiment of the invention provides a fourth possible implementation of the first aspect, in which, after the target local graph data engine detects a new attack threat according to the target association graph, the method further includes:
synchronizing into the threat intelligence repository the new attack threat information collected by the target local graph data engine, where the target local graph data engine stores the new attack threat information after detecting the new attack threat.
With reference to the first aspect, an embodiment of the invention provides a fifth possible implementation of the first aspect, in which the threat intelligence includes at least: IP address information, domain name information, zombie host information, operating system information, application program information, service information, port information, defaced-page (black page) information, hidden-link (dark chain) information, backdoor information, Trojan information, anti-government information, phishing information, gambling information, malicious file sample information, web attack sample information, IDC information, IP segment information and brute-force cracking information.
With reference to the first aspect, an embodiment of the invention provides a sixth possible implementation of the first aspect, in which the customization demand includes at least an IP set and a domain name set.
In a second aspect, an embodiment of the invention further provides an attack detection system based on threat intelligence, the system including:
an acquisition module for obtaining a threat intelligence repository, the repository including multiple pieces of threat intelligence obtained in real time, each piece of threat intelligence characterizing an attack threat posed by an attacker to an attacked party;
a processing module for processing the multiple pieces of threat intelligence in the repository to obtain multiple association graphs, each association graph representing the association relationship between the attacker and the attacked party;
a sending module for determining, among the multiple association graphs, the target association graph corresponding to a target local graph data engine, and sending the target association graph to the target local graph data engine so that it detects new attack threats according to the target association graph, the target local graph data engine being one of multiple local graph data engines.
With reference to the second aspect, an embodiment of the invention provides a first possible implementation of the second aspect, in which the sending module includes:
a first acquisition unit for obtaining the customization demand of the target local graph data engine;
a sending unit for sending the target association graph to the target local graph data engine based on the customization demand, so that the target local graph data engine detects the new attack threat according to the target association graph, where the target association graph is the partial association graph, among the multiple association graphs, that satisfies the customization demand.
In a third aspect, an embodiment of the invention further provides an electronic device including a memory and a processor, the memory storing a computer program that can run on the processor, and the processor implementing the steps of the method of the first aspect when it executes the computer program.
The embodiments of the invention bring the following beneficial effects. An embodiment of the invention provides an attack detection method, system and electronic device based on threat intelligence. The method includes: obtaining a threat intelligence repository, which includes multiple pieces of threat intelligence obtained in real time, each characterizing an attack threat posed by an attacker to an attacked party; processing the multiple pieces of threat intelligence in the repository to obtain multiple association graphs, each representing the association relationship between the attacker and the attacked party; determining, among the multiple association graphs, the target association graph corresponding to a target local graph data engine, and sending it to the target local graph data engine so that it detects new attack threats according to the target association graph, the target local graph data engine being one of multiple local graph data engines.
Existing attack detection methods mainly detect malicious scripts and illegal data access passively according to preset interception rules. As time goes on the number and complexity of the preset interception rules keep growing, so the query-and-comparison time consumed for a new attack grows longer and longer; the preset interception rules also need periodic updating, which introduces a certain lag, so that in many cases new attacks cannot be discovered in real time. Compared with existing attack detection methods, in the attack detection method based on threat intelligence of the invention the cloud graph data engine first obtains multiple pieces of threat intelligence in real time, then processes them to obtain multiple association graphs, then determines among them the target association graph corresponding to the target local graph data engine and sends it to that engine, so that the target local graph data engine detects new attack threats according to the target association graph. In the attack detection method based on threat intelligence of the invention, the threat intelligence in the cloud graph data engine is updated in real time, the association graphs obtained from it are correspondingly more comprehensive, and the target association graph matching each target local graph data engine can be sent to it, so that when the target local graph data engine detects new attack threats according to the target association graph, detection is efficient and accurate. This alleviates the technical problem of long detection time and poor detection accuracy that existing attack detection methods suffer when detecting new threat attacks.
Other features and advantages of the invention will be set out in the following description, and in part will become clear from the description or be understood by implementing the invention. The objects and other advantages of the invention are realized and obtained by the structures specifically pointed out in the description, the claims and the accompanying drawings.
To make the above objects, features and advantages of the invention more apparent, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
In order to illustrate the specific embodiments of the invention or the technical solutions of the prior art more clearly, the drawings required for describing the specific embodiments or the prior art are briefly introduced below. Clearly, the drawings described below show some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an attack detection method based on threat intelligence provided by an embodiment of the invention;
Fig. 2 is a flow chart of the method of obtaining the threat intelligence repository provided by an embodiment of the invention;
Fig. 3 is a flow chart of the method, provided by an embodiment of the invention, of processing the multiple pieces of threat intelligence in the repository to obtain multiple association graphs;
Fig. 4 is a structural block diagram of an attack detection system based on threat intelligence provided by an embodiment of the invention;
Fig. 5 shows an electronic device provided by an embodiment of the invention.
Embodiment
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the technical solution of the invention is described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
For ease of understanding the present embodiment, the attack detection method based on threat intelligence disclosed in the embodiments of the invention is first described in detail.
Embodiment one:
An attack detection method based on threat intelligence; with reference to Fig. 1, the method includes:
S102: obtaining a threat intelligence repository, which includes multiple pieces of threat intelligence obtained in real time, each characterizing an attack threat posed by an attacker to an attacked party.
In the embodiment of the invention the executing body of the method is the cloud graph data engine. The cloud graph data engine obtains multiple pieces of threat intelligence in real time, and these are sent in real time by multiple local graph data engines. The multiple local graph data engines are installed on multiple user terminals; a user terminal may be a local ordinary user terminal or a third-party terminal, such as the particular terminal of some company. The cloud graph data engine can therefore obtain not only the threat intelligence of local ordinary terminals but also third-party threat intelligence and data; that is, the data sources of the cloud graph data engine are extensive.
S104: processing the multiple pieces of threat intelligence in the repository to obtain multiple association graphs, each association graph representing the association relationship between the attacker and the attacked party.
After the multiple pieces of threat intelligence are obtained, the cloud graph data engine processes them to obtain multiple association graphs. The processing is described in detail later and is not repeated here.
S106: determining, among the multiple association graphs, the target association graph corresponding to the target local graph data engine, and sending the target association graph to the target local graph data engine so that it detects new attack threats according to the target association graph; the target local graph data engine is one of multiple local graph data engines.
After the multiple association graphs are obtained, the target association graph corresponding to the target local graph data engine is determined among them (the multiple association graphs include both the newly generated association graphs and those generated earlier), and the target association graph is sent to the target local graph data engine; once the target local graph data engine has received the target association graph, it can detect new attack threats according to it.
Existing attack detection methods mainly detect malicious scripts and illegal data access passively according to preset interception rules. As time goes on the number and complexity of the preset interception rules keep growing, so the query-and-comparison time consumed for a new attack grows longer and longer; the preset interception rules also need periodic updating, which introduces a certain lag, so that in many cases new attacks cannot be discovered in real time. Compared with existing attack detection methods, in the attack detection method based on threat intelligence of the invention the cloud graph data engine first obtains multiple pieces of threat intelligence in real time, then processes them to obtain multiple association graphs, then determines among them the target association graph corresponding to the target local graph data engine and sends it to that engine, so that the target local graph data engine detects new attack threats according to the target association graph. In the attack detection method based on threat intelligence of the invention, the threat intelligence in the cloud graph data engine is updated in real time, the association graphs obtained from it are correspondingly more comprehensive, and the target association graph matching each target local graph data engine can be sent to it, so that when the target local graph data engine detects new attack threats according to the target association graph, detection is efficient and accurate. This alleviates the technical problem of long detection time and poor detection accuracy that existing attack detection methods suffer when detecting new threat attacks.
The above describes the attack detection process as a whole; the specific contents involved are described in detail below.
There are many ways to obtain the threat intelligence repository. In one optional embodiment, with reference to Fig. 2, obtaining the threat intelligence repository includes the following steps:
S201: obtaining the new threat intelligence sent by the multiple local graph data engines.
Specifically, after a local graph data engine detects a new attack threat, it can send the new threat intelligence to the cloud graph data engine, and the cloud graph data engine obtains the new threat intelligence sent by the multiple local graph data engines.
S202: updating the historical threat intelligence repository based on the new threat intelligence to obtain the threat intelligence repository.
After the new threat intelligence is obtained, the historical threat intelligence repository is updated with it, which yields the threat intelligence repository.
After the cloud graph data engine has obtained the new threat intelligence sent by the multiple local graph data engines, it needs to process it. In one optional embodiment, with reference to Fig. 3, processing the multiple pieces of threat intelligence in the repository to obtain multiple association graphs includes:
S301: scanning the threat intelligence to obtain its element information, the element information including source information, event information and target information.
Specifically, the cloud graph data engine scans the threat intelligence and obtains its element information, namely source information, event information and target information.
S302: building the association graph between the source information and the target information according to the event information.
After the element information is obtained, the association graph between the source information and the target information is built according to the event information. That is, associated data of the form node - edge - node is formed, corresponding to source information - event information - target information.
S303: storing the association graph.
After the association graph is obtained it is stored, that is, written into the graph data storage engine.
There are many ways to determine, among the multiple association graphs, the target association graph corresponding to the target local graph data engine. In one optional embodiment, this includes:
(1) obtaining the customization demand of the target local graph data engine;
(2) sending the target association graph to the target local graph data engine based on the customization demand, so that the target local graph data engine detects new attack threats according to the target association graph, where the target association graph is the partial association graph, among the multiple association graphs, that satisfies the customization demand.
For example, if the target local graph data engine needs to detect a defaced page (black page) and cannot complete the detection with its own existing database, it sends the demand for defaced-page detection to the cloud graph data engine; the cloud graph data engine then sends the association graphs related to defaced pages (such as defaced-page data and rules, that is, the target association graph) to the target local graph data engine, which can then detect the defaced page according to the target association graph.
In addition, the cloud graph data engine may itself face attack threats, so the cloud graph data engine can also detect new attack threats; that is, the cloud graph data engine also has the attack detection function.
Optionally, after the target local graph data engine detects a new attack threat according to the target association graph, the method further includes:
synchronizing into the threat intelligence repository the new attack threat information collected by the target local graph data engine, where the target local graph data engine stores the new attack threat information after detecting the new attack threat.
Specifically, after the target local graph data engine detects a new attack threat according to the target association graph, it stores the information of the new attack threat, and it can also synchronize that information into the threat intelligence repository in the cloud graph data engine.
Optionally, the threat intelligence includes at least: IP address information, domain name information, zombie host information, operating system information, application program information, service information, port information, defaced-page (black page) information, hidden-link (dark chain) information, backdoor information, Trojan information, anti-government information, phishing information, gambling information, malicious file sample information, web attack sample information, IDC information, IP segment information and brute-force cracking information.
Optionally, the customization demand includes at least an IP set and a domain name set.
An example follows:
The threat intelligence obtained by the cloud graph data engine is: IP 119.23.14.8 was attacked by the malicious file with MD5 aa3585e377e2452d0630295adb51ebec, and IP 239.123.14.28 was attacked by the malicious file with MD5 aa3585e377e2452d0630295adb51ebec. The cloud graph data engine processes this threat intelligence, that is, it scans the above threat intelligence and obtains node (IP: 119.23.14.8), edge (event: attacked), node (MD5: aa3585e377e2452d0630295adb51ebec) and node (IP: 239.123.14.28), edge (event: attacked), node (MD5: aa3585e377e2452d0630295adb51ebec). The above element information is built, via the event information, into association graphs between source information and target information, and the association graphs are stored into the graph data storage engine, for example a Neo4j graph database. The IP segment associated with the target local graph data engine is 119.23.14.0/24, so the threat intelligence data for this network segment has been customized; by querying, the cloud graph data engine obtains all association graph data for this IP segment (that is, the target association graph) and issues it to the target local graph data engine. When the target local graph data engine detects a packet from IP 119.23.14.8 accessing IP 119.23.14.27 and detects the malicious file (MD5: aa3585e377e2452d0630295adb51ebec), it can quickly discover the new attack threat according to the target association graph; the information of the new attack threat is stored in the local graph data engine and synchronized to the cloud graph data engine.
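The following Python sketch is an added example, not code from the patent: it models steps S301 to S303 (scan, build node-edge-node relations, store), the subnet-based customization demand, and the scenario just described, in which the cloud engine issues the partial graph for 119.23.14.0/24, the local engine recognizes the already-known malicious file on the access to 119.23.14.27 and synchronizes the new relation back. The record layout, the class names, the node naming convention and the "attacked" event label are assumptions of the example; the IPs and the MD5 are the ones quoted in the text.

```python
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Set, Tuple

# A relation is the patent's element information: (source node, event, target node).
# Node naming ("IP:<addr>", "MD5:<hash>", "DOMAIN:<name>") is a convention of this example.
Triple = Tuple[str, str, str]


def scan_intel(records: Iterable[dict]) -> List[Triple]:
    """S301: extract source, event and target from raw records (dict layout is assumed)."""
    return [(r["source"], r["event"], r["target"]) for r in records]


def node_matches(node: str, ip_sets: List[str], domain_set: Set[str]) -> bool:
    """Does a node fall inside a customization demand (IP sets or domain name set)?"""
    kind, _, value = node.partition(":")
    if kind == "IP":
        return any(ip_address(value) in ip_network(cidr) for cidr in ip_sets)
    return kind == "DOMAIN" and value in domain_set


class CloudGraphEngine:
    """Cloud graph data engine: builds, stores and customizes association graphs."""

    def __init__(self) -> None:
        self.triples: Set[Triple] = set()  # S303: the stored association graph

    def ingest(self, records: Iterable[dict]) -> int:
        """S301-S303: scan intelligence, build node-edge-node relations, store them."""
        before = len(self.triples)
        self.triples.update(scan_intel(records))  # duplicates collapse in the set
        return len(self.triples) - before

    def customized_graph(self, demand: dict) -> Set[Triple]:
        """Select the partial association graph that satisfies a local engine's demand."""
        ip_sets = demand.get("ip_sets", [])
        domain_set = set(demand.get("domain_set", []))
        return {t for t in self.triples
                if node_matches(t[0], ip_sets, domain_set)
                or node_matches(t[2], ip_sets, domain_set)}

    def sync(self, new_triples: Iterable[Triple]) -> int:
        """Accept new attack threat information collected by a local engine."""
        return self.ingest({"source": s, "event": e, "target": t} for s, e, t in new_triples)


class LocalGraphEngine:
    """Local graph data engine on a user terminal, working from its target graph."""

    def __init__(self, demand: dict, target_graph: Iterable[Triple]) -> None:
        self.demand = demand
        self.target_graph: Set[Triple] = set(target_graph)  # issued by the cloud

    def known_malicious_files(self) -> Set[str]:
        """MD5 nodes that are the attacking side of an 'attacked' relation."""
        return {t[2] for t in self.target_graph
                if t[1] == "attacked" and t[2].startswith("MD5:")}

    def detect(self, src_ip: str, dst_ip: str, file_md5: str) -> List[Triple]:
        """Check an observed access carrying a file against the target graph; a file already
        linked to an attack puts dst under the same threat, so the new relation is stored."""
        file_node = "MD5:" + file_md5
        if file_node not in self.known_malicious_files():
            return []
        new = ("IP:" + dst_ip, "attacked", file_node)
        if new in self.target_graph:
            return []  # already known, nothing new to report
        self.target_graph.add(new)
        return [new]


# Constructed records reproducing the intelligence quoted in the text.
CLOUD_INTEL = [
    {"source": "IP:119.23.14.8", "event": "attacked",
     "target": "MD5:aa3585e377e2452d0630295adb51ebec"},
    {"source": "IP:239.123.14.28", "event": "attacked",
     "target": "MD5:aa3585e377e2452d0630295adb51ebec"},
]


def run_example() -> dict:
    """Walk through the scenario in the text and return the observable results."""
    cloud = CloudGraphEngine()
    cloud.ingest(CLOUD_INTEL)
    demand = {"ip_sets": ["119.23.14.0/24"]}          # the local engine's customized segment
    issued = cloud.customized_graph(demand)           # only relations touching the /24
    local = LocalGraphEngine(demand, issued)
    found = local.detect("119.23.14.8", "119.23.14.27", "aa3585e377e2452d0630295adb51ebec")
    cloud.sync(found)                                 # new threat flows back to the cloud
    return {
        "issued": len(issued),
        "new_threats": found,
        "cloud_total": len(cloud.triples),
        "reissued": len(cloud.customized_graph(demand)),
    }
```

The 239.123.14.28 relation never reaches the local engine, and after synchronization a second issue for the same demand carries the new 119.23.14.27 relation as well.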
The attack detection method based on threat intelligence of the invention has the following advantages:
(1) A cloud graph data engine is constructed. The engine is an intelligent relational data engine: it collects data from different sources, scans the threat intelligence in the threat intelligence repository, and builds and stores association graphs according to the relationships between event information.
(2) The cloud graph data engine is modular, easy to maintain and develop, and each module can be deployed independently.
(3) The cloud graph data engine provides a customization function and can send customized association graph content to a local graph data engine according to different demands.
(4) The local graph data engine has a data collection function: it can store the information of the new attack threats it collects, synchronize the new attack threat information to the cloud graph data engine, and at the same time update new customization demands to the cloud.
Existing tool techniques mostly detect and intercept attack threats through preset rules. This approach requires full data and complex preset rules, and as time passes and data grows the response time lengthens and the attack detection effect declines. By contrast, the cloud graph data engine constructed by this method can acquire massive data from different data sources and build relationship graphs between event information; the local graph data engine requests customized data from the cloud graph data engine according to its customization demand, can detect attack threats promptly, and can synchronize new data to the cloud so that the cloud graph data engine becomes more powerful. In brief, the main difference between this method and the prior art is that as data grows the event association graphs become more detailed, so attack detection becomes stronger and faster.
Embodiment two:
The embodiment of the present invention further provides an attack detection system based on threat intelligence. With reference to Fig. 4, the system comprises:
An acquisition module 20, for obtaining a threat intelligence library, the threat intelligence library comprising a plurality of items of threat intelligence obtained in real time, the threat intelligence being used to characterise the attack threat of an attacker against an attacked party;
A processing module 21, for processing the plurality of items of threat intelligence in the threat intelligence library to obtain a plurality of association graphs, each association graph representing the association relation between the attacker and the attacked party;
A sending module 22, for determining, among the plurality of association graphs, the target association graph corresponding to a target local graph data engine, and sending the target association graph to the target local graph data engine, so that the target local graph data engine detects a new attack threat according to the target association graph, the target local graph data engine being one of a plurality of graph data engines.
In the attack detection system based on threat intelligence of the present invention, the cloud graph data engine first obtains a plurality of items of threat intelligence in real time, then processes them to obtain a plurality of association graphs, then determines among those association graphs the target association graph corresponding to the target local graph data engine, and sends the target association graph to the target local graph data engine, so that the target local graph data engine detects a new attack threat according to the target association graph. In this system the threat intelligence in the cloud graph data engine is updated in real time, so the association graphs obtained from it are more comprehensive; furthermore, the corresponding target association graph can be sent to the target local graph data engine, so that when the target local graph data engine detects a new attack threat according to the target association graph, the detection efficiency is high and the accuracy is good. This alleviates the technical problem of existing attack detection methods, which take a long time to detect a new threat attack and detect it with poor accuracy.
Optionally, the sending module comprises:
A first acquisition unit, for obtaining the customization requirements of the target local graph data engine;
A transmitting unit, for sending the target association graph to the target local graph data engine based on the customization requirements, so that the target local graph data engine detects the new attack threat according to the target association graph, wherein the target association graph is the partial association graph, among the plurality of association graphs, that satisfies the customization requirements.
Optionally, the processing module comprises:
A scanning unit, for scanning the threat intelligence to obtain its element information, wherein the element information comprises: source information, event information and target information;
A construction unit, for building the association graph between the source information and the target information according to the event information;
A storage unit, for saving the association graph.
Optionally, the acquisition module comprises:
A second acquisition unit, for obtaining new threat intelligence sent by the plurality of graph data engines;
An updating unit, for updating the historical threat intelligence library based on the new threat intelligence to obtain the threat intelligence library.
Optionally, the system further comprises:
A synchronization module, for synchronizing into the threat intelligence library the intelligence about the new attack threat collected by the target local graph data engine, wherein the target local graph data engine stores the intelligence about the new attack threat after detecting it.
Optionally, the threat intelligence comprises at least: IP address information, domain name information, zombie host information, operating system information, application information, service information, port information, defaced-page (black page) information, hidden-link (dark link) information, backdoor information, Trojan information, anti-government information, phishing information, gambling information, malicious file sample information, WEB attack sample information, IDC information, IP segment information and brute-force cracking information.
Optionally, the customization requirements comprise at least an IP set and a domain name set.
The realization principle and technical effect of the system provided by the embodiment of the present invention are the same as those of the preceding method embodiment; for brevity, where the system embodiment does not mention a point, reference may be made to the corresponding content in the preceding method embodiment.
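The following Python block is an added worked example, not code from the patent or from its applicant. It sketches the data flow of the method embodiment above and the modules of embodiment two: a cloud graph data engine acquires threat intelligence into its library, scans each item into source, event and target element information, builds the source-to-target association graph, and sends a local engine the partial graph that satisfies its customization requirements (an IP set and a domain name set); the local engine detects a new attack threat against that graph, stores the intelligence and synchronizes it back, after which the cloud graph grows. The class and function names, the graph representation and all indicators are assumptions of this example (the sample IP addresses are taken from the RFC 5737 documentation ranges and are constructed, not real intelligence).

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ThreatIntel:
    """One threat-intelligence record scanned into its three element fields."""
    source: str   # attacker indicator (IP address or domain name)
    event: str    # event information, e.g. "brute_force", "phishing"
    target: str   # attacked-party indicator (IP address or domain name)


# Association graph: attacker -> {attacked party -> set of linking events}
Graph = Dict[str, Dict[str, Set[str]]]


class CloudGraphEngine:
    """Cloud-side graph data engine: acquisition, processing and sending modules."""

    def __init__(self) -> None:
        self.intel_bank: Set[ThreatIntel] = set()  # threat intelligence library
        self.graph: Graph = {}

    def acquire(self, new_intel: List[ThreatIntel]) -> int:
        """Acquisition module: merge new intelligence into the history library.
        Returns how many records were actually new (duplicates are dropped)."""
        before = len(self.intel_bank)
        self.intel_bank.update(new_intel)
        return len(self.intel_bank) - before

    def process(self) -> Graph:
        """Processing module: every record contributes one source->target edge
        labelled with its event; rebuilding keeps the graph consistent with the library."""
        self.graph = {}
        for rec in self.intel_bank:
            self.graph.setdefault(rec.source, {}).setdefault(rec.target, set()).add(rec.event)
        return self.graph

    def send(self, ip_set: Set[str], domain_set: Set[str]) -> Graph:
        """Sending module: return only the partial graph matching the local
        engine's customization requirements (edges touching a wanted IP or domain)."""
        wanted = ip_set | domain_set
        sub: Graph = {}
        for src, targets in self.graph.items():
            for tgt, events in targets.items():
                if src in wanted or tgt in wanted:
                    sub.setdefault(src, {})[tgt] = set(events)
        return sub


class LocalGraphEngine:
    """Local graph data engine: detects with the received graph and syncs back."""

    def __init__(self, ip_set: Set[str], domain_set: Set[str]) -> None:
        self.ip_set, self.domain_set = ip_set, domain_set
        self.graph: Graph = {}
        self.new_threats: List[ThreatIntel] = []  # collected, awaiting sync

    def receive(self, cloud: CloudGraphEngine) -> Graph:
        self.graph = cloud.send(self.ip_set, self.domain_set)
        return self.graph

    def detect(self, observed: ThreatIntel) -> bool:
        """Flag a locally observed connection when its source is a known attacker
        in the received graph; store the record if the edge itself is new."""
        hit = observed.source in self.graph
        known = hit and observed.event in self.graph[observed.source].get(observed.target, set())
        if hit and not known:
            self.new_threats.append(observed)
        return hit

    def synchronize(self, cloud: CloudGraphEngine) -> int:
        """Synchronization module: push collected threats into the cloud library."""
        added = cloud.acquire(self.new_threats)
        self.new_threats.clear()
        return added


def run_demo() -> dict:
    """Constructed sample data; every indicator below is made up for illustration."""
    cloud = CloudGraphEngine()
    cloud.acquire([
        ThreatIntel("203.0.113.7", "brute_force", "10.0.0.5"),
        ThreatIntel("phish.example", "phishing", "corp.example"),
        ThreatIntel("198.51.100.9", "port_scan", "10.9.9.9"),
    ])
    cloud.process()
    # The local engine only asks for graph content touching its own assets.
    local = LocalGraphEngine(ip_set={"10.0.0.5"}, domain_set={"corp.example"})
    sub = local.receive(cloud)
    hit = local.detect(ThreatIntel("203.0.113.7", "web_attack", "10.0.0.6"))
    miss = local.detect(ThreatIntel("192.0.2.1", "web_attack", "10.0.0.6"))
    synced = local.synchronize(cloud)
    cloud.process()  # the cloud graph now carries the edge the local engine found
    return {
        "subgraph_sources": sorted(sub),
        "hit": hit, "miss": miss, "synced": synced,
        "cloud_edges": sum(len(t) for t in cloud.graph.values()),
    }


if __name__ == "__main__":
    print(run_demo())
```

Detection here keys only on the source indicator already being a known attacker in the received partial graph; the patent leaves the matching logic open, and a production engine would also match the other element fields and carry confidence and freshness per edge so that stale intelligence does not keep raising alerts.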
Embodiment three:
The embodiments of the invention provide an electronic device. With reference to Fig. 5, the electronic device comprises a processor 30, a memory 31, a bus 32 and a communication interface 33; the processor 30, the communication interface 33 and the memory 31 are connected through the bus 32. The processor 30 is used to execute the executable modules stored in the memory 31, such as a computer program. When the processor executes the program, it implements the steps of the method described in the method embodiment.
The memory 31 may comprise high-speed random access memory (RAM) and may also comprise non-volatile memory, for example at least one disk storage. The communication connection between this system network element and at least one other network element is implemented through at least one communication interface 33 (which may be wired or wireless), and may use the Internet, a wide area network, a local area network, a metropolitan area network, etc.
The bus 32 may be an ISA bus, a PCI bus, an EISA bus, etc. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of representation, only one double-headed arrow is drawn in Fig. 5, but this does not mean that there is only one bus or only one type of bus.
The memory 31 is used to store the program, and the processor 30 executes the program after receiving an execution instruction. The method performed by the flow-process-defined apparatus disclosed in any of the foregoing embodiments of the invention may be applied in, or implemented by, the processor 30.
The processor 30 may be an integrated circuit chip with signal processing capability. In implementation, each step of the above method may be completed by integrated logic circuits of hardware in the processor 30 or by instructions in software form. The processor 30 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It can implement or execute each method, step and logic block diagram disclosed in the embodiments of the invention. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the methods disclosed in the embodiments of the invention may be embodied directly as being completed by a hardware decoding processor, or completed by a combination of hardware and software modules in a decoding processor. The software module may be located in a mature storage medium in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory 31; the processor 30 reads the information in the memory 31 and completes the steps of the above method in combination with its hardware.
The computer program product of the attack detection method, system and electronic device based on threat intelligence provided by the embodiments of the invention comprises a computer-readable storage medium storing program code; the instructions contained in the program code can be used to perform the method described in the preceding method embodiment. The specific implementation can be found in the method embodiment and is not repeated here.
It will be clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the system and apparatus described above may refer to the corresponding process in the preceding method embodiment and is not repeated here.
In addition, in the description of the embodiments of the invention, unless otherwise clearly specified and limited, the terms "installed", "linked" and "connected" should be interpreted broadly: for example, a connection may be fixed, detachable or integral; it may be mechanical or electrical; it may be direct or indirect through an intermediary; and it may be an internal connection between two elements. For those of ordinary skill in the art, the specific meaning of the above terms in the invention can be understood according to the specific situation.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the invention in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the invention. The storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
In the description of the invention, it should be noted that the orientation or positional relationships indicated by the terms "centre", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. are based on the orientations or positional relationships shown in the drawings and are used only for convenience and simplicity of description; they do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, and are therefore not to be construed as limiting the invention. In addition, the terms "first", "second" and "third" are used only for descriptive purposes and are not to be understood as indicating or implying relative importance.
Finally, it should be noted that the embodiments described above are only specific embodiments of the invention, intended to illustrate its technical solution rather than to limit it, and the protection scope of the invention is not limited to them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that anyone familiar with the art may, within the technical scope disclosed by the invention, still modify the technical solutions described in the foregoing embodiments, readily conceive of changes, or substitute equivalents for some of the technical features; such modifications, changes or substitutions do not make the essence of the corresponding technical solution depart from the spirit and scope of the technical solutions of the embodiments of the invention, and all of them should be covered by the protection scope of the invention. Therefore, the protection scope of the invention should be defined by the scope of the claims.
Claims (10)
- 1. An attack detection method based on threat intelligence, characterised in that the method comprises: obtaining a threat intelligence library, the threat intelligence library comprising a plurality of items of threat intelligence obtained in real time, the threat intelligence being used to characterise the attack threat of an attacker against an attacked party; processing the plurality of items of threat intelligence in the threat intelligence library to obtain a plurality of association graphs, each association graph being used to represent the association relation between the attacker and the attacked party; determining, among the plurality of association graphs, a target association graph corresponding to a target local graph data engine, and sending the target association graph to the target local graph data engine, so that the target local graph data engine detects a new attack threat according to the target association graph, the target local graph data engine being one of a plurality of graph data engines.
- 2. The method according to claim 1, characterised in that determining, among the plurality of association graphs, the target association graph corresponding to the target local graph data engine comprises: obtaining the customization requirements of the target local graph data engine; sending the target association graph to the target local graph data engine based on the customization requirements, so that the target local graph data engine detects the new attack threat according to the target association graph, wherein the target association graph is the partial association graph, among the plurality of association graphs, that satisfies the customization requirements.
- 3. The method according to claim 1, characterised in that processing the plurality of items of threat intelligence in the threat intelligence library to obtain a plurality of association graphs comprises: scanning the threat intelligence to obtain the element information of the threat intelligence, wherein the element information comprises source information, event information and target information; building an association graph between the source information and the target information according to the event information; and saving the association graph.
- 4. The method according to claim 1, characterised in that obtaining the threat intelligence library comprises: obtaining new threat intelligence sent by the plurality of graph data engines; updating a historical threat intelligence library based on the new threat intelligence to obtain the threat intelligence library.
- 5. The method according to claim 1, characterised in that, after the target local graph data engine detects the new attack threat according to the target association graph, the method further comprises: synchronizing, into the threat intelligence library, the intelligence about the new attack threat collected by the target local graph data engine, wherein the target local graph data engine stores the intelligence about the new attack threat after detecting it.
- 6. The method according to claim 1, characterised in that the threat intelligence comprises at least: IP address information, domain name information, zombie host information, operating system information, application information, service information, port information, defaced-page (black page) information, hidden-link (dark link) information, backdoor information, Trojan information, anti-government information, phishing information, gambling information, malicious file sample information, WEB attack sample information, IDC information, IP segment information and brute-force cracking information.
- 7. The method according to claim 2, characterised in that the customization requirements comprise at least an IP set and a domain name set.
- 8. An attack detection system based on threat intelligence, characterised in that the system comprises: an acquisition module, for obtaining a threat intelligence library, the threat intelligence library comprising a plurality of items of threat intelligence obtained in real time, the threat intelligence being used to characterise the attack threat of an attacker against an attacked party; a processing module, for processing the plurality of items of threat intelligence in the threat intelligence library to obtain a plurality of association graphs, each association graph being used to represent the association relation between the attacker and the attacked party; a sending module, for determining, among the plurality of association graphs, the target association graph corresponding to a target local graph data engine, and sending the target association graph to the target local graph data engine, so that the target local graph data engine detects a new attack threat according to the target association graph, the target local graph data engine being one of a plurality of graph data engines.
- 9. The system according to claim 8, characterised in that the sending module comprises: a first acquisition unit, for obtaining the customization requirements of the target local graph data engine; a transmitting unit, for sending the target association graph to the target local graph data engine based on the customization requirements, so that the target local graph data engine detects the new attack threat according to the target association graph, wherein the target association graph is the partial association graph, among the plurality of association graphs, that satisfies the customization requirements.
- 10. An electronic device comprising a memory and a processor, the memory storing a computer program runnable on the processor, characterised in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711067639.1A CN107786564B (en) | 2017-11-02 | 2017-11-02 | Attack detection method and system based on threat intelligence and electronic equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711067639.1A CN107786564B (en) | 2017-11-02 | 2017-11-02 | Attack detection method and system based on threat intelligence and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107786564A true CN107786564A (en) | 2018-03-09 |
CN107786564B CN107786564B (en) | 2020-03-17 |
Family
ID=61432619
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711067639.1A Active CN107786564B (en) | 2017-11-02 | 2017-11-02 | Attack detection method and system based on threat intelligence and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107786564B (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109740344A (en) * | 2018-11-28 | 2019-05-10 | 北京奇安信科技有限公司 | Threaten information method for establishing model, device, electronic equipment and storage medium |
CN110012030A (en) * | 2019-04-23 | 2019-07-12 | 北京微步在线科技有限公司 | A kind of method and device of association detection hacker |
CN110659493A (en) * | 2019-09-25 | 2020-01-07 | 哈尔滨安天科技集团股份有限公司 | Method and device for generating threat alarm mode, electronic equipment and storage medium |
CN110719291A (en) * | 2019-10-16 | 2020-01-21 | 杭州安恒信息技术股份有限公司 | Network threat identification method and identification system based on threat information |
CN110912889A (en) * | 2019-11-22 | 2020-03-24 | 上海交通大学 | Network attack detection system and method based on intelligent threat intelligence |
CN110929187A (en) * | 2018-09-18 | 2020-03-27 | 北京数安鑫云信息技术有限公司 | Method and device for visually displaying threat events, storage device and computer equipment |
CN112104656A (en) * | 2020-09-16 | 2020-12-18 | 杭州安恒信息安全技术有限公司 | Network threat data acquisition method, device, equipment and medium |
CN112751883A (en) * | 2021-01-19 | 2021-05-04 | 光通天下网络科技股份有限公司 | IP threat score judgment method, device, equipment and medium |
CN114531253A (en) * | 2020-10-30 | 2022-05-24 | 深信服科技股份有限公司 | Threat information generation method, equipment, system and storage medium |
CN115426198A (en) * | 2022-11-01 | 2022-12-02 | 杭州安恒信息技术股份有限公司 | Information processing method, device, equipment and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101719842A (en) * | 2009-11-20 | 2010-06-02 | 中国科学院软件研究所 | Cloud computing environment-based distributed network security pre-warning method |
KR20100063352A (en) * | 2008-12-03 | 2010-06-11 | 한국인터넷진흥원 | Sip-based enterprise security management system |
CN106131054A (en) * | 2016-08-17 | 2016-11-16 | 国家计算机网络与信息安全管理中心 | Network intrusions collaborative detection method based on secure cloud |
CN106878262A (en) * | 2016-12-19 | 2017-06-20 | 新华三技术有限公司 | Message detecting method and device, the method and device for setting up high in the clouds threat information bank |
- 2017-11-02 CN CN201711067639.1A patent/CN107786564B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20100063352A (en) * | 2008-12-03 | 2010-06-11 | 한국인터넷진흥원 | Sip-based enterprise security management system |
CN101719842A (en) * | 2009-11-20 | 2010-06-02 | 中国科学院软件研究所 | Cloud computing environment-based distributed network security pre-warning method |
CN106131054A (en) * | 2016-08-17 | 2016-11-16 | 国家计算机网络与信息安全管理中心 | Network intrusions collaborative detection method based on secure cloud |
CN106878262A (en) * | 2016-12-19 | 2017-06-20 | 新华三技术有限公司 | Message detecting method and device, the method and device for setting up high in the clouds threat information bank |
Non-Patent Citations (1)
Title |
---|
陈兴属 等: "基于大数据的网络安全与情报分析", 《工程科学与技术》 * |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110929187A (en) * | 2018-09-18 | 2020-03-27 | 北京数安鑫云信息技术有限公司 | Method and device for visually displaying threat events, storage device and computer equipment |
CN109740344A (en) * | 2018-11-28 | 2019-05-10 | 北京奇安信科技有限公司 | Threaten information method for establishing model, device, electronic equipment and storage medium |
CN109740344B (en) * | 2018-11-28 | 2024-04-19 | 奇安信科技集团股份有限公司 | Threat information model building method and device, electronic equipment and storage medium |
CN110012030A (en) * | 2019-04-23 | 2019-07-12 | 北京微步在线科技有限公司 | A kind of method and device of association detection hacker |
CN110659493A (en) * | 2019-09-25 | 2020-01-07 | 哈尔滨安天科技集团股份有限公司 | Method and device for generating threat alarm mode, electronic equipment and storage medium |
CN110719291A (en) * | 2019-10-16 | 2020-01-21 | 杭州安恒信息技术股份有限公司 | Network threat identification method and identification system based on threat information |
CN110912889B (en) * | 2019-11-22 | 2021-08-20 | 上海交通大学 | Network attack detection system and method based on intelligent threat intelligence |
CN110912889A (en) * | 2019-11-22 | 2020-03-24 | 上海交通大学 | Network attack detection system and method based on intelligent threat intelligence |
CN112104656A (en) * | 2020-09-16 | 2020-12-18 | 杭州安恒信息安全技术有限公司 | Network threat data acquisition method, device, equipment and medium |
CN112104656B (en) * | 2020-09-16 | 2022-07-12 | 杭州安恒信息安全技术有限公司 | Network threat data acquisition method, device, equipment and medium |
CN114531253A (en) * | 2020-10-30 | 2022-05-24 | 深信服科技股份有限公司 | Threat information generation method, equipment, system and storage medium |
CN112751883B (en) * | 2021-01-19 | 2023-11-24 | 杨建鑫 | IP threat score judgment method, device, equipment and medium |
CN112751883A (en) * | 2021-01-19 | 2021-05-04 | 光通天下网络科技股份有限公司 | IP threat score judgment method, device, equipment and medium |
CN115426198A (en) * | 2022-11-01 | 2022-12-02 | 杭州安恒信息技术股份有限公司 | Information processing method, device, equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN107786564B (en) | 2020-03-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107786564A (en) | Based on attack detection method, system and the electronic equipment for threatening information | |
US9462009B1 (en) | Detecting risky domains | |
CN108183900B (en) | Method, server, system, terminal device and storage medium for detecting mining script | |
Liu et al. | A novel approach for detecting browser-based silent miner | |
KR101689299B1 (en) | Automated verification method of security event and automated verification apparatus of security event | |
CN103634306B (en) | The safety detection method and safety detection server of network data | |
CN109922075A (en) | Network security knowledge map construction method and apparatus, computer equipment | |
CN102801697B (en) | Malicious code detection method and system based on plurality of URLs (Uniform Resource Locator) | |
CN105119909B (en) | A kind of counterfeit website detection method and system based on page visual similarity | |
US20200104488A1 (en) | Detecting frame injection through web page analysis | |
CN110650117B (en) | Cross-site attack protection method, device, equipment and storage medium | |
CN106657025A (en) | Network attack behavior detection method and device | |
CN105407077B (en) | System and method for detecting the network activity of concern | |
CN103500307A (en) | Mobile internet malignant application software detection method based on behavior model | |
WO2018066221A1 (en) | Classification device, classification method, and classification program | |
CN107770125A (en) | A kind of network security emergency response method and emergency response platform | |
CN104143008A (en) | Method and device for detecting phishing webpage based on picture matching | |
CN106599688A (en) | Application category-based Android malicious software detection method | |
CN104202291A (en) | Anti-phishing method based on multi-factor comprehensive assessment method | |
CN107332804A (en) | The detection method and device of webpage leak | |
CN104640105A (en) | Method and system for mobile phone virus analyzing and threat associating | |
CN110278212A (en) | Link detection method and device | |
CN109218294A (en) | Anti-scanning method, device and server based on machine learning bayesian algorithm | |
CN107566401A (en) | The means of defence and device of virtualized environment | |
Geng et al. | RRPhish: Anti-phishing via mining brand resources request |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
CB02 | Change of applicant information | | Address after: 310052 188 Lianhui street, Xixing street, Binjiang District, Hangzhou, Zhejiang Province; Applicant after: Hangzhou Annan information technology Limited by Share Ltd; Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310000 No. 68 in the 15 storey building; Applicant before: Dbappsecurity Co.,ltd.
GR01 | Patent grant | |