CN107786564A - Threat-intelligence-based attack detection method, system and electronic device - Google Patents

Threat-intelligence-based attack detection method, system and electronic device

Info

Publication number
CN107786564A
Authority
CN
China
Prior art keywords
information
target
map data
data engine
threat
Prior art date
Legal status
Granted
Application number
CN201711067639.1A
Other languages
Chinese (zh)
Other versions
CN107786564B (en)
Inventor
董铃捷
范渊
黄进
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Legal events
Application filed by DBAPPSecurity Co Ltd
Priority to CN201711067639.1A
Publication of CN107786564A
Application granted
Publication of CN107786564B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/302 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information gathering intelligence information for situation awareness or reconnaissance
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/951 Indexing; Web crawling techniques
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

The invention provides a threat-intelligence-based attack detection method, system and electronic device. The method includes: obtaining a threat intelligence library; processing the multiple items of threat intelligence in the library to obtain multiple association graphs; determining, among the association graphs, the target association graph corresponding to a target local graph data engine, and sending that target association graph to the target local graph data engine, so that the target local graph data engine detects new attack threats according to the target association graph. In this method the threat intelligence held by the cloud graph data engine is updated in real time, so the association graphs derived from it are more comprehensive, and the association graph matching a given target local graph data engine can be sent to it; when the target local graph data engine detects new attack threats from the target association graph, detection efficiency is therefore high and accuracy is good. This alleviates the technical problem of existing detection methods, namely long detection time and poor detection accuracy when detecting new threat attacks.

Description

Threat-intelligence-based attack detection method, system and electronic device
Technical field
The present invention relates to the technical field of network security, and in particular to a threat-intelligence-based attack detection method, system and electronic device.
Background technology
With the rapid development of the Internet, every aspect of life has come to depend on Internet technology. However, network attacks have grown alongside the Internet and have become a potentially huge problem, so network security is increasingly valued. At present many kinds of tools for resisting network attacks exist on the market, such as firewalls, network shields, network bodyguards and security guards, and they can protect network security to a certain extent.
However, the network attack defence tools common today mainly detect malicious scripts and illegal data access passively, according to preset interception rules. As time passes, the number and complexity of the preset interception rules keep growing, so the query and comparison time consumed by a new attack grows longer and longer; moreover, the preset interception rules need periodic updates and therefore lag behind, so that in many cases a new attack cannot be discovered in real time. If these problems are not solved, in many situations a threat attack cannot be detected at all, or the response to it is very slow, which creates potential security hazards.
In summary, existing attack detection methods suffer from the technical problem of long detection time and poor detection accuracy when detecting new threat attacks.
Summary of the invention
In view of this, the object of the invention is to provide a threat-intelligence-based attack detection method, system and electronic device, to alleviate the technical problem of existing attack detection methods, namely long detection time and poor detection accuracy when detecting new threat attacks.
In a first aspect, an embodiment of the invention provides a threat-intelligence-based attack detection method, the method including:
obtaining a threat intelligence library, the threat intelligence library including multiple items of threat intelligence obtained in real time, the threat intelligence being used to characterize the attack threat posed by an attacker to an attacked party;
processing the multiple items of threat intelligence in the threat intelligence library to obtain multiple association graphs, the association graphs being used to represent the association relationship between the attacker and the attacked party;
determining, among the multiple association graphs, the target association graph corresponding to a target local graph data engine, and sending the target association graph to the target local graph data engine, so that the target local graph data engine detects new attack threats according to the target association graph, the target local graph data engine being one of multiple local graph data engines.
With reference to the first aspect, an embodiment of the invention provides a first possible implementation of the first aspect, in which determining, among the multiple association graphs, the target association graph corresponding to the target local graph data engine includes:
obtaining the customization requirement of the target local graph data engine;
sending the target association graph to the target local graph data engine based on the customization requirement, so that the target local graph data engine detects the new attack threat according to the target association graph, where the target association graph is the part of the multiple association graphs that satisfies the customization requirement.
With reference to the first aspect, an embodiment of the invention provides a second possible implementation of the first aspect, in which processing the multiple items of threat intelligence in the threat intelligence library to obtain multiple association graphs includes:
scanning the threat intelligence to obtain its element information, where the element information includes: source information, event information and target information;
building the association graph between the source information and the target information according to the event information;
saving the association graph.
With reference to the first aspect, an embodiment of the invention provides a third possible implementation of the first aspect, in which obtaining the threat intelligence library includes:
obtaining the new threat intelligence sent by the multiple local graph data engines;
updating the historical threat intelligence library based on the new threat intelligence to obtain the threat intelligence library.
With reference to the first aspect, an embodiment of the invention provides a fourth possible implementation of the first aspect, in which, after the target local graph data engine detects a new attack threat according to the target association graph, the method further includes:
synchronizing into the threat intelligence library the information on the new attack threat collected by the target local graph data engine, where the target local graph data engine stores the information on the new attack threat after detecting it.
With reference to the first aspect, an embodiment of the invention provides a fifth possible implementation of the first aspect, in which the threat intelligence includes at least: IP address information, domain name information, zombie host information, operating system information, application program information, service information, port information, defaced page information, hidden link information, backdoor information, Trojan information, anti-government content information, phishing information, gambling information, malicious file sample information, web attack sample information, IDC information, IP range information and brute-force information.
With reference to the first aspect, an embodiment of the invention provides a sixth possible implementation of the first aspect, in which the customization requirement includes at least: an IP set and a domain name set.
In a second aspect, an embodiment of the invention further provides a threat-intelligence-based attack detection system, the system including:
an acquisition module for obtaining a threat intelligence library, the threat intelligence library including multiple items of threat intelligence obtained in real time, the threat intelligence being used to characterize the attack threat posed by an attacker to an attacked party;
a processing module for processing the multiple items of threat intelligence in the threat intelligence library to obtain multiple association graphs, the association graphs being used to represent the association relationship between the attacker and the attacked party;
a sending module for determining, among the multiple association graphs, the target association graph corresponding to a target local graph data engine, and sending the target association graph to the target local graph data engine, so that the target local graph data engine detects new attack threats according to the target association graph, the target local graph data engine being one of multiple local graph data engines.
With reference to the second aspect, an embodiment of the invention provides a first possible implementation of the second aspect, in which the sending module includes:
a first acquisition unit for obtaining the customization requirement of the target local graph data engine;
a sending unit for sending the target association graph to the target local graph data engine based on the customization requirement, so that the target local graph data engine detects the new attack threat according to the target association graph, where the target association graph is the part of the multiple association graphs that satisfies the customization requirement.
In a third aspect, an embodiment of the invention further provides an electronic device, including a memory and a processor, the memory storing a computer program that can run on the processor, and the processor implementing the steps of the method of the first aspect when executing the computer program.
The embodiments of the invention bring the following beneficial effects. The embodiments provide a threat-intelligence-based attack detection method, system and electronic device; the method includes: obtaining a threat intelligence library, which includes multiple items of threat intelligence obtained in real time, the threat intelligence characterizing the attack threat posed by an attacker to an attacked party; processing the multiple items of threat intelligence in the library to obtain multiple association graphs, which represent the association relationship between the attacker and the attacked party; and determining, among the multiple association graphs, the target association graph corresponding to a target local graph data engine and sending it to that engine, so that the target local graph data engine detects new attack threats according to the target association graph, the target local graph data engine being one of multiple local graph data engines.
Existing attack detection methods mainly detect malicious scripts and illegal data access passively according to preset interception rules; as time passes the number and complexity of the preset interception rules keep growing, the query and comparison time consumed by a new attack grows longer and longer, and the preset interception rules need periodic updates and therefore lag, so that in many cases a new attack cannot be discovered in real time. Compared with existing attack detection methods, in the threat-intelligence-based attack detection method of the invention the cloud graph data engine first obtains multiple items of threat intelligence in real time, then processes them to obtain multiple association graphs, then determines among those graphs the target association graph corresponding to the target local graph data engine and sends it to that engine, so that the target local graph data engine detects new attack threats according to the target association graph. In this method the threat intelligence in the cloud graph data engine is updated in real time, so the association graphs derived from it are more comprehensive, and the matching target association graph can be sent to the target local graph data engine; thus when the target local graph data engine detects new attack threats according to the target association graph, detection efficiency is high and accuracy is good, which alleviates the technical problem of existing attack detection methods, namely long detection time and poor detection accuracy when detecting new threat attacks.
Other features and advantages of the invention will be set out in the following description, and will in part become apparent from the description or be understood by practising the invention. The purpose and other advantages of the invention are realized and obtained by the structures particularly pointed out in the description, the claims and the drawings.
To make the above purposes, features and advantages of the invention more apparent, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
In order to explain more clearly the specific embodiments of the invention or the technical solutions of the prior art, the drawings needed in the description of the specific embodiments or of the prior art are briefly introduced below. Obviously the drawings described below are some embodiments of the invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a threat-intelligence-based attack detection method provided by an embodiment of the invention;
Fig. 2 is a flow chart of the method of obtaining the threat intelligence library provided by an embodiment of the invention;
Fig. 3 is a flow chart of the method, provided by an embodiment of the invention, of processing the multiple items of threat intelligence in the threat intelligence library to obtain multiple association graphs;
Fig. 4 is a structural block diagram of a threat-intelligence-based attack detection system provided by an embodiment of the invention;
Fig. 5 shows an electronic device provided by an embodiment of the invention.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the technical solution of the invention is described clearly and completely below with reference to the drawings. Obviously the described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
To facilitate understanding of this embodiment, the threat-intelligence-based attack detection method disclosed in the embodiment of the invention is first described in detail.
Embodiment one:
A threat-intelligence-based attack detection method, with reference to Fig. 1, includes:
S102: obtain a threat intelligence library, the threat intelligence library including multiple items of threat intelligence obtained in real time, the threat intelligence being used to characterize the attack threat posed by an attacker to an attacked party;
In the embodiment of the invention, the executing entity of the method is the cloud graph data engine. The cloud graph data engine obtains multiple items of threat intelligence in real time, and these items are sent in real time by multiple local graph data engines. The local graph data engines are installed on multiple user terminals; a user terminal may be an ordinary local user terminal or a third-party terminal, such as the dedicated terminal of some company. In this way the cloud graph data engine obtains not only the threat intelligence of ordinary local terminals but also third-party threat intelligence and data; that is, the data sources of the cloud graph data engine are extensive.
S104: process the multiple items of threat intelligence in the threat intelligence library to obtain multiple association graphs, the association graphs being used to represent the association relationship between the attacker and the attacked party;
After obtaining the multiple items of threat intelligence, the cloud graph data engine processes them to obtain multiple association graphs. The processing is described in detail below and is not repeated here.
S106: determine, among the multiple association graphs, the target association graph corresponding to a target local graph data engine, and send the target association graph to the target local graph data engine, so that the target local graph data engine detects new attack threats according to the target association graph, the target local graph data engine being one of multiple local graph data engines.
After the multiple association graphs are obtained, the target association graph corresponding to the target local graph data engine is determined among them (these association graphs include both the newly generated ones and those generated earlier), and the target association graph is sent to the target local graph data engine; once the target local graph data engine has received the target association graph it can detect new attack threats according to it.
Existing attack detection methods mainly detect malicious scripts and illegal data access passively according to preset interception rules; as time passes the number and complexity of the preset interception rules keep growing, the query and comparison time consumed by a new attack grows longer and longer, and the preset interception rules need periodic updates and therefore lag, so that in many cases a new attack cannot be discovered in real time. Compared with existing attack detection methods, in the threat-intelligence-based attack detection method of the invention the cloud graph data engine first obtains multiple items of threat intelligence in real time, then processes them to obtain multiple association graphs, then determines among those graphs the target association graph corresponding to the target local graph data engine and sends it to that engine, so that the target local graph data engine detects new attack threats according to the target association graph. In this method the threat intelligence in the cloud graph data engine is updated in real time, so the association graphs derived from it are more comprehensive, and the matching target association graph can be sent to the target local graph data engine; thus when the target local graph data engine detects new attack threats according to the target association graph, detection efficiency is high and accuracy is good, which alleviates the technical problem of existing attack detection methods, namely long detection time and poor detection accuracy when detecting new threat attacks.
The above describes the attack detection process as a whole; the specific content involved is described in detail below.
There are several ways to obtain the threat intelligence library. In an optional embodiment, with reference to Fig. 2, obtaining the threat intelligence library includes the following steps:
S201: obtain the new threat intelligence sent by the multiple local graph data engines;
Specifically, after a local graph data engine detects a new attack threat it can send the new threat intelligence to the cloud graph data engine, and the cloud graph data engine obtains the new threat intelligence sent by the multiple local graph data engines.
S202: update the historical threat intelligence library based on the new threat intelligence to obtain the threat intelligence library.
After the new threat intelligence is obtained, the historical threat intelligence library is updated with it, which yields the threat intelligence library.
After obtaining the new threat intelligence sent by the multiple local graph data engines, the cloud graph data engine needs to process it. In an optional embodiment, with reference to Fig. 3, processing the multiple items of threat intelligence in the threat intelligence library to obtain multiple association graphs includes:
S301: scan the threat intelligence to obtain its element information, where the element information includes: source information, event information and target information;
Specifically, the cloud graph data engine scans the threat intelligence and obtains its element information, which includes source information, event information and target information.
S302: build the association graph between the source information and the target information according to the event information;
After the element information is obtained, the association graph between the source information and the target information is built according to the event information. That is, node -> edge -> node association data is formed, corresponding to source information -> event information -> target information.
S303: save the association graph.
After the association graph is obtained it is saved, that is, stored into the graph data storage engine.
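Steps S201/S202 (merging newly reported intelligence into the historical library) and S301 to S303 (scanning each item into source, event and target, building node -> edge -> node triples and storing them) are shown below as a worked example. This is added example code, not code from the patent or from DBAPPSecurity: the textual line format for raw intelligence, the `IP`/`MD5`/`DOMAIN` node kinds, the function names and the in-memory `AssociationGraph` store standing in for a graph database are all assumptions. The IP addresses and file hash are the values from the patent's own worked example; the domain line and the malformed line are constructed to exercise deduplication and input rejection.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed raw threat-intelligence lines in a hypothetical textual format
# (the patent does not specify a wire format). The IP and MD5 values are the
# ones used in the patent's worked example; the other lines are made up.
RAW_INTEL = [
    "IP 119.23.14.8 attacked_by MD5 aa3585e377e2452d0630295adb51ebec",
    "IP 239.123.14.28 attacked_by MD5 aa3585e377e2452d0630295adb51ebec",
    "IP 119.23.14.8 attacked_by MD5 aa3585e377e2452d0630295adb51ebec",  # duplicate report
    "DOMAIN evil.example resolves_to IP 239.123.14.28",                 # constructed
    "this line is not intelligence",                                    # malformed input
]

# A node is (kind, value); an edge is (source_node, event, target_node),
# the source -> event -> target triple of step S302.
Node = tuple[str, str]
Edge = tuple[Node, str, Node]

_LINE = re.compile(r"^(IP|MD5|DOMAIN)\s+(\S+)\s+(\w+)\s+(IP|MD5|DOMAIN)\s+(\S+)$")
_MD5 = re.compile(r"^[0-9a-f]{32}$")


def _valid(kind: str, value: str) -> bool:
    """Reject element values that cannot be what their kind claims."""
    if kind == "IP":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if kind == "MD5":
        return bool(_MD5.match(value))
    return "." in value  # DOMAIN: minimal sanity check for this example


def scan_intel(line: str) -> Optional[Edge]:
    """Step S301: scan one intelligence item into (source, event, target).
    Returns None for lines that do not carry a well-formed triple."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    s_kind, s_val, event, t_kind, t_val = m.groups()
    s_val, t_val = s_val.lower(), t_val.lower()
    if not (_valid(s_kind, s_val) and _valid(t_kind, t_val)):
        return None
    return ((s_kind, s_val), event, (t_kind, t_val))


@dataclass
class AssociationGraph:
    """In-memory stand-in for the graph data storage engine of step S303
    (the patent names Neo4j as one possible backing store)."""
    edges: set = field(default_factory=set)

    def add(self, edge: Edge) -> bool:
        """Store an edge; returns False if it was already present."""
        if edge in self.edges:
            return False
        self.edges.add(edge)
        return True

    def nodes(self) -> set:
        return {n for s, _, t in self.edges for n in (s, t)}

    def neighbours(self, node: Node) -> set:
        """Nodes reachable over one edge in either direction."""
        out = {t for s, _, t in self.edges if s == node}
        inc = {s for s, _, t in self.edges if t == node}
        return out | inc


def update_bank(history: list, new_items: list) -> list:
    """Steps S201/S202: merge newly reported intelligence into the historical
    library, keeping order and dropping exact repeats."""
    seen = set(history)
    merged = list(history)
    for item in new_items:
        if item not in seen:
            seen.add(item)
            merged.append(item)
    return merged


def build_graph(bank: list) -> tuple:
    """Step S302: build the association graph from every scannable item.
    Also returns the rejected items so an operator can review them."""
    graph, rejected = AssociationGraph(), []
    for line in bank:
        edge = scan_intel(line)
        if edge is None:
            rejected.append(line)
        else:
            graph.add(edge)
    return graph, rejected


if __name__ == "__main__":
    bank = update_bank([], RAW_INTEL)
    graph, rejected = build_graph(bank)
    print(len(graph.edges), "edges,", len(graph.nodes()), "nodes; rejected:", rejected)
```

Validating each element before it becomes a node matters for a shared intelligence library: a malformed or unparseable report from one local engine should be quarantined for review rather than silently creating bogus nodes that every customized subgraph would then inherit.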
There are several ways to determine, among the multiple association graphs, the target association graph corresponding to the target local graph data engine. In an optional embodiment, this includes:
(1) obtaining the customization requirement of the target local graph data engine;
(2) sending the target association graph to the target local graph data engine based on the customization requirement, so that the target local graph data engine detects new attack threats according to the target association graph, where the target association graph is the part of the multiple association graphs that satisfies the customization requirement.
For example, if the target local graph data engine needs to detect a defaced page but cannot complete the detection from its own existing database, it sends the requirement for detecting defaced pages to the cloud graph data engine; the cloud graph data engine sends the association graphs concerning defaced pages (such as defaced-page data and rules, i.e. the target association graph) to the target local graph data engine, and the target local graph data engine can then detect the defaced page according to the target association graph.
In addition, the cloud graph data engine itself may also be subject to attack threats, so it can also detect new attack threats; that is, the cloud graph data engine also has the attack detection function.
Optionally, after the target local graph data engine detects a new attack threat according to the target association graph, the method further includes:
synchronizing into the threat intelligence library the information on the new attack threat collected by the target local graph data engine, where the target local graph data engine stores the information on the new attack threat after detecting it.
Specifically, after the target local graph data engine detects a new attack threat according to the target association graph, it stores the information on the new attack threat and can also synchronize that information into the threat intelligence library in the cloud graph data engine.
Optionally, the threat intelligence includes at least: IP address information, domain name information, zombie host information, operating system information, application program information, service information, port information, defaced page information, hidden link information, backdoor information, Trojan information, anti-government content information, phishing information, gambling information, malicious file sample information, web attack sample information, IDC information, IP range information and brute-force information.
Optionally, the customization requirement includes at least: an IP set and a domain name set.
An example follows:
The threat intelligence obtained by the cloud graph data engine is: IP 119.23.14.8 was attacked by the malicious file with MD5 aa3585e377e2452d0630295adb51ebec, and IP 239.123.14.28 was attacked by the malicious file with MD5 aa3585e377e2452d0630295adb51ebec. The cloud graph data engine processes this threat intelligence, that is, it scans the above intelligence and obtains node (IP: 119.23.14.8), edge (event: attacked), node (MD5: aa3585e377e2452d0630295adb51ebec), and node (IP: 239.123.14.28), edge (event: attacked), node (MD5: aa3585e377e2452d0630295adb51ebec). From this element information it builds the association graph between the source information and the target information through the event information, obtains the association graph, and stores it in the graph data storage engine, such as the Neo4j graph database. The IP range associated with the target local graph data engine is 119.23.14.0/24, so the threat intelligence data for this network segment has been customized: the cloud graph data engine obtains by query all association graph data for this IP range (i.e. the target association graph) and issues it to the target local graph data engine. When the target local graph data engine detects a packet from IP 119.23.14.8 that is accessing IP 119.23.14.27 and detects the malicious file with MD5 aa3585e377e2452d0630295adb51ebec, it can quickly discover the new attack threat according to the target association graph; the information on the new attack threat is stored in the local graph data engine and synchronized to the cloud graph data engine.
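The customization step, the local detection in the example just given, and the synchronization of the newly found threat back to the cloud are shown below as a worked example. This is added example code, not code from the patent or from DBAPPSecurity: the edge representation, the `customize`, `LocalEngine.detect` and `sync_to_cloud` names, and the decision rule (a packet carrying a file hash that is already a node in the target association graph marks the destination host as newly attacked) are assumptions. The cloud graph is constructed inline as the triples the cloud engine would hold after steps S301 to S303; the IP range 119.23.14.0/24, the addresses and the hash are the patent's own, while the domain edge is made up to show the domain-set part of a customization requirement.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

Node = tuple[str, str]
Edge = tuple[Node, str, Node]
MALICIOUS_MD5 = "aa3585e377e2452d0630295adb51ebec"  # hash from the patent's worked example

# Constructed association graph as the cloud engine would hold it after
# S301-S303: (source, event, target) triples.
CLOUD_GRAPH = {
    (("IP", "119.23.14.8"), "attacked_by", ("MD5", MALICIOUS_MD5)),
    (("IP", "239.123.14.28"), "attacked_by", ("MD5", MALICIOUS_MD5)),
    (("DOMAIN", "evil.example"), "resolves_to", ("IP", "239.123.14.28")),  # constructed
}


def _matches(node: Node, networks: list, domains: set) -> bool:
    """Does this node fall inside the engine's IP set or domain set?"""
    kind, value = node
    if kind == "IP":
        addr = ipaddress.ip_address(value)
        return any(addr in net for net in networks)
    if kind == "DOMAIN":
        return value in domains
    return False  # file hashes etc. are never selected on their own


def customize(graph: set, ip_set: list, domain_set: list) -> set:
    """Cloud side, step (1)/(2): select the target association graph for one
    local engine. An edge is included when either endpoint lies in the
    engine's IP set (single addresses or CIDR ranges) or its domain set."""
    networks = [ipaddress.ip_network(s, strict=False) for s in ip_set]
    domains = set(domain_set)
    return {e for e in graph
            if _matches(e[0], networks, domains) or _matches(e[2], networks, domains)}


@dataclass
class LocalEngine:
    """A local graph data engine holding its customized target graph."""
    target_graph: set
    new_threats: list = field(default_factory=list)  # stored locally, awaiting sync

    def detect(self, src_ip: str, dst_ip: str, file_md5: Optional[str]) -> Optional[Edge]:
        """Check one observed packet against the target graph. A file hash that
        is already a node in the graph marks dst_ip as a newly attacked host:
        the new triple is stored and returned. Anything the target graph does
        not know about yields None, i.e. no local verdict (the packet may still
        be judged by the cloud engine, which holds the full graph)."""
        if file_md5 is None:
            return None
        known = {n for s, _, t in self.target_graph for n in (s, t)}
        md5_node = ("MD5", file_md5.lower())
        if md5_node not in known:
            return None
        edge = (("IP", dst_ip), "attacked_by", md5_node)
        if edge not in self.target_graph:  # genuinely new, not already known
            self.target_graph.add(edge)
            self.new_threats.append(edge)
        return edge


def sync_to_cloud(engine: LocalEngine, cloud: set) -> int:
    """Synchronization step: merge the local engine's newly stored threats into
    the cloud graph and report how many were actually new to the cloud."""
    added = 0
    for e in engine.new_threats:
        if e not in cloud:
            cloud.add(e)
            added += 1
    engine.new_threats.clear()
    return added


if __name__ == "__main__":
    cloud = set(CLOUD_GRAPH)
    engine = LocalEngine(customize(cloud, ["119.23.14.0/24"], []))
    print("target graph:", engine.target_graph)
    print("detected:", engine.detect("119.23.14.8", "119.23.14.27", MALICIOUS_MD5))
    print("synced to cloud:", sync_to_cloud(engine, cloud), "new edge(s)")
```

Because `customize` returns a fresh set, the local engine's additions stay local until `sync_to_cloud` runs, which mirrors the patent's separation between local storage of the new threat and its later synchronization; the `None` result for indicators outside the customized subgraph is the practical cost of that design, since a local engine can only recognize what its target association graph contains.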
The attack detection method based on threat intelligence of the present invention has the following advantages:
1. A cloud map data engine is constructed. The engine is an intelligent relational data engine that collects data from different sources, scans the threat intelligence in the threat intelligence bank, and builds and stores association graphs according to the relations between event information.
2. The cloud map data engine is modular, easy to maintain and develop, and each module can be deployed independently.
3. The cloud map data engine provides a customization function: according to different demands, it sends customized association graph content to the local map data engine.
4. The local map data engine has a data collection function: it stores the information about newly collected attack threats, synchronizes that information to the cloud map data engine, and can also update its customized demand to the cloud.
Existing tools mostly detect and intercept attack threats with preset rules. That approach requires full data and complex preset rules; as time passes and data grows, the response time becomes longer and the detection effect degrades. The cloud map data engine constructed by this method can obtain massive data from different data sources and build the relation graph between event information; the local map data engine requests customized data from the cloud map data engine according to its customized demand, can promptly detect attack threats, and synchronizes new data to the cloud so that the cloud map data engine becomes more powerful. In brief, the biggest difference between this method and the prior art is that as data grows the established event association graph becomes more detailed, so attack detection becomes stronger and faster.
Embodiment two:
The embodiment of the present invention further provides an attack detection system based on threat intelligence. With reference to Figure 4, the system includes:
Acquisition module 20, for obtaining a threat intelligence bank; the threat intelligence bank includes multiple pieces of threat intelligence obtained in real time, and the threat intelligence characterizes the attack threat posed by an attacker to an attacked party;
Processing module 21, for processing the multiple pieces of threat intelligence in the threat intelligence bank to obtain multiple association graphs; an association graph represents the association relation between the attacker and the attacked party;
Sending module 22, for determining, among the multiple association graphs, the target association graph corresponding to the target local map data engine and sending the target association graph to the target local map data engine, so that the target local map data engine detects new attack threats according to the target association graph; the target local map data engine is one of multiple map data engines.
In the attack detection system based on threat intelligence of the present invention, the cloud map data engine first obtains multiple pieces of threat intelligence in real time, then processes them to obtain multiple association graphs, then determines among those association graphs the target association graph corresponding to the target local map data engine, and sends the target association graph to the target local map data engine so that it detects new attack threats according to the target association graph. Because the threat intelligence in the cloud map data engine is updated in real time, the association graphs obtained from it are more comprehensive, and the corresponding target association graph can be sent to the target local map data engine; so when the target local map data engine detects a new attack threat according to the target association graph, detection efficiency is high and accuracy is good. This alleviates the technical problem that existing attack detection methods take a long time and have poor accuracy when detecting new threat attacks.
Optionally, the sending module includes:
A first acquisition unit, for obtaining the customized demand of the target local map data engine;
A transmitting unit, for sending the target association graph to the target local map data engine based on the customized demand, so that the target local map data engine detects new attack threats according to the target association graph, where the target association graph is the partial association graph, among the multiple association graphs, that satisfies the customized demand.
Optionally, the processing module includes:
A scanning unit, for scanning the threat intelligence to obtain its element information, where the element information includes: source information, event information and target information;
A construction unit, for building the association graph between the source information and the target information according to the event information;
A storage unit, for saving the association graph.
Optionally, the acquisition module includes:
A second acquisition unit, for obtaining the new threat intelligence sent by the multiple map data engines;
An updating unit, for updating the history threat intelligence bank based on the new threat intelligence to obtain the threat intelligence bank.
Optionally, the system further includes:
A synchronization module, for synchronizing into the threat intelligence bank the information about new attack threats collected by the target local map data engine, where the target local map data engine stores the information about a new attack threat after detecting it.
Optionally, the threat intelligence includes at least: IP address information, domain name information, zombie host information, operating system information, application information, service information, port information, black page information, hidden link information, backdoor information, Trojan information, anti-government information, phishing information, gambling information, malicious file sample information, web attack sample information, IDC information, IP segment information and brute-force cracking information.
Optionally, the customized demand includes at least: an IP set and a domain name set.
The realization principle and technical effect of the system provided by the embodiment of the present invention are the same as those of the preceding method embodiment; for brevity, for anything not mentioned in the system embodiment, refer to the corresponding content in the preceding method embodiment.
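The two optional parts of the acquisition and sending modules above, the updating unit that merges new threat intelligence from several local engines into the history bank and the transmitting unit that selects the part of the graph satisfying a customized demand made of an IP set and a domain name set, as an added example written for this page rather than the patent's own code. The node prefixes IP: and DOMAIN:, the event names, the first-seen timestamp, the per-engine report format and the sample addresses and domains are constructed assumptions; the MD5 value is the one quoted on the page.

```python
"""Added example: history-bank update from several engines and customized demand
selection with IP and domain name sets. Constructed for this page; not the
patent's own code. Node prefixes, event names, timestamps, the per-engine
report format and all sample addresses and domains are assumptions.
"""
import ipaddress

FILE_NODE = "MD5:aa3585e377e2452d0630295adb51ebec"  # hash quoted on the page

# History threat intelligence bank (constructed): edge -> time first seen (epoch s).
HISTORY_BANK = {
    ("IP:119.23.14.8", "attacked_by", FILE_NODE): 1509580800,
    ("DOMAIN:bad.example", "resolves_to", "IP:239.123.14.28"): 1509580800,
}

# New threat intelligence reported by two local map data engines (constructed);
# both engines report the same 119.23.14.27 finding, so the merge must dedupe.
NEW_FROM_ENGINES = {
    "engine-A": [
        ("IP:119.23.14.27", "attacked_by", FILE_NODE),
        ("IP:119.23.14.8", "attacked_by", FILE_NODE),        # already in history
    ],
    "engine-B": [
        ("IP:119.23.14.27", "attacked_by", FILE_NODE),       # duplicate of engine-A
        ("DOMAIN:phish.example", "phishing", "IP:10.0.0.5"),
    ],
}


def update_history_bank(history, new_by_engine, now):
    """Updating unit: merge the new intelligence from every engine into the history
    bank. Records already known, or reported by several engines, are kept once and
    keep their original first-seen time. Returns (updated bank, newly added records)."""
    bank = dict(history)
    added = []
    for records in new_by_engine.values():
        for rec in records:
            if rec not in bank:
                bank[rec] = now
                added.append(rec)
    return bank, added


def node_matches(node, demand):
    """Does a node satisfy the customized demand (an IP set and a domain name set)?
    IP entries may be single addresses or CIDR segments; domain entries match the
    name itself and its subdomains."""
    kind, _, value = node.partition(":")
    if kind == "IP":
        addr = ipaddress.ip_address(value)
        return any(addr in ipaddress.ip_network(net) for net in demand.get("ip", ()))
    if kind == "DOMAIN":
        return any(value == d or value.endswith("." + d) for d in demand.get("domain", ()))
    return False  # file hashes and other node kinds are selected only via their neighbours


def select_target_graph(bank, demand):
    """Transmitting unit: the target association graph is the part of the bank whose
    source or target node satisfies the demand."""
    return sorted(e for e in bank if node_matches(e[0], demand) or node_matches(e[2], demand))


def run_example():
    """Merge the engines' reports, then cut the graph for one engine's demand."""
    bank, added = update_history_bank(HISTORY_BANK, NEW_FROM_ENGINES, now=1509667200)
    demand = {"ip": ["119.23.14.0/24"], "domain": ["bad.example"]}
    return bank, added, select_target_graph(bank, demand)


if __name__ == "__main__":
    bank, added, target = run_example()
    print("added:", added)
    print("target association graph:", target)
```

Keying the bank by the whole (source, event, target) triple is what makes the merge idempotent: a second engine reporting the same finding, or an engine re-reporting something the cloud already knows, changes nothing, and the first-seen time of an existing record is never overwritten.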
Embodiment three:
The embodiment of the present invention provides an electronic device. With reference to Figure 5, the electronic device includes: processor 30, memory 31, bus 32 and communication interface 33; processor 30, communication interface 33 and memory 31 are connected through bus 32. Processor 30 is used to execute the executable modules, such as computer programs, stored in memory 31; when the processor executes the program, the steps of the method described in the method embodiment are realized.
Memory 31 may include high-speed random access memory (RAM) and may also include non-volatile memory, for example at least one magnetic disk memory. The communication connection between this system network element and at least one other network element is realized through at least one communication interface 33 (wired or wireless), which may use the Internet, a wide area network, a local area network, a metropolitan area network and the like.
Bus 32 may be an ISA bus, a PCI bus, an EISA bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one double-headed arrow is drawn in Figure 5, but this does not mean that there is only one bus or only one type of bus.
Memory 31 is used to store the program; after receiving an execution instruction, processor 30 executes the program. The method performed by the flow-defined apparatus disclosed in any of the foregoing embodiments of the invention may be applied in processor 30 or realized by processor 30.
Processor 30 may be an integrated circuit chip with signal processing capability. In implementation, each step of the above method can be completed by integrated logic circuits of hardware in processor 30 or by instructions in software form. Processor 30 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It can realize or execute each method, step and logic block diagram disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be directly embodied as being completed by a hardware decoding processor, or completed by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium mature in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in memory 31; processor 30 reads the information in memory 31 and completes the steps of the above method in combination with its hardware.
The computer program product of the attack detection method, system and electronic device based on threat intelligence provided by the embodiment of the present invention includes a computer-readable storage medium storing program code; the instructions included in the program code can be used to perform the method described in the preceding method embodiment. For the specific implementation, refer to the method embodiment, which is not repeated here.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the system and apparatus described above may refer to the corresponding process in the preceding method embodiment, and is not repeated here.
In addition, in the description of the embodiments of the present invention, unless otherwise clearly specified and limited, the terms "installed", "connected to" and "connected" should be understood broadly; for example, they may be a fixed connection, a detachable connection or an integral connection; a mechanical connection or an electrical connection; a direct connection or an indirect connection through an intermediary; or an internal connection between two elements. For those of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the specific situation.
If the function is realized in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the method of each embodiment of the present invention. The foregoing storage medium includes various media that can store program code, such as a USB flash disk, a mobile hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disk.
In the description of the present invention, it should be noted that the orientation or positional relationships indicated by terms such as "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" are based on the orientation or positional relationships shown in the drawings, and are only for convenience and simplicity of describing the present invention; they do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, and therefore should not be understood as limiting the present invention. In addition, the terms "first", "second" and "third" are used only for descriptive purposes and should not be understood as indicating or implying relative importance.
Finally, it should be noted that the embodiments described above are only specific embodiments of the present invention, used to illustrate the technical solution of the present invention rather than to limit it, and the protection scope of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that anyone familiar with the art can still, within the technical scope disclosed by the present invention, modify the technical solutions described in the foregoing embodiments, readily conceive of changes, or make equivalent substitutions for some of the technical features; such modifications, changes or substitutions do not make the essence of the corresponding technical solution depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all be covered within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be defined by the scope of the claims.

Claims (10)

  1. An attack detection method based on threat intelligence, characterized in that the method includes:
    obtaining a threat intelligence bank, the threat intelligence bank including multiple pieces of threat intelligence obtained in real time, the threat intelligence characterizing the attack threat posed by an attacker to an attacked party;
    processing the multiple pieces of threat intelligence in the threat intelligence bank to obtain multiple association graphs, an association graph representing the association relation between the attacker and the attacked party;
    determining, among the multiple association graphs, the target association graph corresponding to a target local map data engine, and sending the target association graph to the target local map data engine, so that the target local map data engine detects new attack threats according to the target association graph, the target local map data engine being one of multiple map data engines.
  2. The method according to claim 1, characterized in that determining, among the multiple association graphs, the target association graph corresponding to the target local map data engine includes:
    obtaining the customized demand of the target local map data engine;
    sending the target association graph to the target local map data engine based on the customized demand, so that the target local map data engine detects the new attack threat according to the target association graph, where the target association graph is the partial association graph, among the multiple association graphs, that satisfies the customized demand.
  3. The method according to claim 1, characterized in that processing the multiple pieces of threat intelligence in the threat intelligence bank to obtain multiple association graphs includes:
    scanning the threat intelligence to obtain the element information of the threat intelligence, where the element information includes: source information, event information and target information;
    building the association graph between the source information and the target information according to the event information;
    saving the association graph.
  4. The method according to claim 1, characterized in that obtaining the threat intelligence bank includes:
    obtaining the new threat intelligence sent by the multiple map data engines;
    updating the history threat intelligence bank based on the new threat intelligence to obtain the threat intelligence bank.
  5. The method according to claim 1, characterized in that, after the target local map data engine detects the new attack threat according to the target association graph, the method further includes:
    synchronizing into the threat intelligence bank the information about the new attack threat collected by the target local map data engine, where the target local map data engine stores the information about the new attack threat after detecting it.
  6. The method according to claim 1, characterized in that the threat intelligence includes at least: IP address information, domain name information, zombie host information, operating system information, application information, service information, port information, black page information, hidden link information, backdoor information, Trojan information, anti-government information, phishing information, gambling information, malicious file sample information, web attack sample information, IDC information, IP segment information and brute-force cracking information.
  7. The method according to claim 2, characterized in that the customized demand includes at least: an IP set and a domain name set.
  8. An attack detection system based on threat intelligence, characterized in that the system includes:
    an acquisition module, for obtaining a threat intelligence bank, the threat intelligence bank including multiple pieces of threat intelligence obtained in real time, the threat intelligence characterizing the attack threat posed by an attacker to an attacked party;
    a processing module, for processing the multiple pieces of threat intelligence in the threat intelligence bank to obtain multiple association graphs, an association graph representing the association relation between the attacker and the attacked party;
    a sending module, for determining, among the multiple association graphs, the target association graph corresponding to a target local map data engine, and sending the target association graph to the target local map data engine, so that the target local map data engine detects new attack threats according to the target association graph, the target local map data engine being one of multiple map data engines.
  9. The system according to claim 8, characterized in that the sending module includes:
    a first acquisition unit, for obtaining the customized demand of the target local map data engine;
    a transmitting unit, for sending the target association graph to the target local map data engine based on the customized demand, so that the target local map data engine detects the new attack threat according to the target association graph, where the target association graph is the partial association graph, among the multiple association graphs, that satisfies the customized demand.
  10. An electronic device, including a memory and a processor, the memory storing a computer program that can run on the processor, characterized in that when the processor executes the computer program it realizes the steps of the method according to any one of claims 1 to 7.
CN201711067639.1A 2017-11-02 2017-11-02 Attack detection method and system based on threat intelligence and electronic equipment Active CN107786564B (en)
Publications (2)

Publication Number Publication Date
CN107786564A true CN107786564A (en) 2018-03-09
CN107786564B CN107786564B (en) 2020-03-17

Family

ID=61432619
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 310052 188 Lianhui street, Xixing street, Binjiang District, Hangzhou, Zhejiang Province
Applicant after: Hangzhou Annan information technology Limited by Share Ltd
Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310000 No. 68 in the 15 storey building
Applicant before: Dbappsecurity Co.,ltd.
GR01 Patent grant