CN108243189B - Network threat management method and device, computer equipment and storage medium - Google Patents


Info

Publication number
CN108243189B
CN108243189B
Authority
CN
China
Prior art keywords
threat
data
source information
network
type
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810014444.9A
Other languages
Chinese (zh)
Other versions
CN108243189A (en)
Inventor
易仁杰
匡光彩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN201810014444.9A
Priority to PCT/CN2018/077133 (WO2019134224A1)
Publication of CN108243189A
Application granted
Publication of CN108243189B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0245 Filtering by information in the payload
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/12 Applying verification of the received information
    • H04L 63/126 Applying verification of the received information the source of the received data
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiment of the application discloses a network threat management method, a network threat management device, computer equipment and a storage medium. The method comprises the following steps: counting the threat data received in a preset time period and the corresponding threat source information in a threat record database; acquiring at least one piece of threat data corresponding to the threat source information in the threat record database; calculating a score corresponding to each threat data according to a preset calculation rule; calculating a total score corresponding to the threat source information from the scores of all the threat data; and sending the threat source information and the corresponding total score to the network management subsystem, so that the network management subsystem carries out preset processing, such as IP (Internet Protocol) blocking, on the threat source information according to the total score, thereby actively blocking the network threat at its source, improving the effectiveness of network security protection and improving the security of the network.

Description

Network threat management method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a network threat management method, an apparatus, a computer device, and a storage medium.
Background
With the development of network technology, the threats faced by networks are increasing. Generally, these threats mainly include trojans, denial of service, viruses, phishing websites and the like, and they pose great security risks to the property and private information of network users. To improve network security, an ordinary network user may install various security software, such as 360 antivirus software, on a terminal such as a mobile phone or a computer for defense. A network user of a cloud platform can deploy Anti-Distributed Denial of Service (Anti-DDoS), a traffic cleaning service, a cloud security system and the like on the cloud platform for defense. However, the above network security processing methods are passive defense methods: they cannot actively prevent network threat behavior at its root, so the security of the network cannot be well guaranteed.
Disclosure of Invention
The application provides a network threat management method, a network threat management device, computer equipment and a storage medium, which can improve the security of a network.
In a first aspect, the present application provides a cyber-threat management method, applied to a cyber-threat management system, where the cyber-threat management system includes a monitoring subsystem, a data processing subsystem and a network management subsystem, and includes:
counting threat data and corresponding threat source information received in a preset time period in a threat record database, wherein the threat data and the corresponding threat source information are data reported to a data processing subsystem by a monitoring subsystem when a network access behavior is monitored to be threatening;
acquiring at least one piece of threat data corresponding to the threat source information in the threat record database;
calculating a score corresponding to each threat data according to a preset calculation rule;
calculating a total score corresponding to the threat source information according to the score corresponding to all the threat data; and
sending the threat source information and the corresponding total score to the network management subsystem, so that the network management subsystem carries out preset processing on the threat source information according to the total score.
In a second aspect, the present application provides a cyber-threat management apparatus, which is applied to a cyber-threat management system, where the cyber-threat management system includes a monitoring subsystem, a data processing subsystem and a network management subsystem, and includes:
the threat counting unit is used for counting threat data and corresponding threat source information received in a preset time period in a threat record database, wherein the threat data and the corresponding threat source information are data reported to the data processing subsystem by the monitoring subsystem when the monitoring subsystem monitors that a network access behavior has a threat;
a threat data obtaining unit, configured to obtain at least one piece of threat data corresponding to the threat source information in the threat record database;
the first calculation unit is used for calculating a score corresponding to each threat data according to a preset calculation rule;
the second calculation unit is used for calculating a total score corresponding to the threat source information according to the score corresponding to all the threat data; and
the sending unit is used for sending the threat source information and the corresponding total score to the network management subsystem, so that the network management subsystem carries out preset processing on the threat source information according to the total score.
In a third aspect, the present application further provides a computer device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the network threat management method provided in any one of the present applications when executing the computer program.
In a fourth aspect, the present application further provides a storage medium, wherein the storage medium stores a computer program, the computer program comprises program instructions, which when executed by a processor, cause the processor to execute any one of the cyber-threat management methods provided herein.
The application provides a network threat management method, a network threat management device, computer equipment and a storage medium. The method includes counting threat data and threat source information received in a preset time period, calculating a score for each threat data corresponding to the threat source information, calculating a total score for the threat source information from the score of each threat data, and sending the threat source information and the total score to a network management subsystem, so that the network management subsystem can carry out preset processing, such as IP (Internet Protocol) blocking, on the threat source information according to the total score. Network threats are thereby actively blocked at their sources, the effectiveness of network security protection is improved, and the security of the network is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic block diagram of a cyber-threat management system provided in an embodiment of the present application;
fig. 2 is a schematic flowchart of a cyber-threat management method according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of a particular embodiment of the cyber-threat management method shown in FIG. 2;
FIG. 4 is a flowchart illustrating a detailed process of the cyber-threat management method shown in FIG. 3;
FIG. 5 is a flowchart illustrating a detailed process of the cyber-threat management method shown in FIG. 2;
FIG. 6 is a schematic block diagram of a cyber-threat management apparatus according to an embodiment of the present application;
FIG. 7 is another schematic block diagram of a cyber-threat management apparatus according to an embodiment of the present application;
fig. 8 is a schematic block diagram of a computer device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the present application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification of the present application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
Referring to fig. 1, fig. 1 is a schematic block diagram of a cyber-threat management system according to an embodiment of the present application. The cyber-threat management system 100 includes a monitoring subsystem 10, a data processing subsystem 20, and a network management subsystem 30.
The monitoring subsystem 10 includes a cloud security system and a client security system. The cloud security system is generally deployed on a cloud platform, that is, a platform that provides cloud services such as cloud computing; for example, the cloud security system may be deployed on platforms such as Alibaba Cloud, Tencent Cloud, Sina Cloud and so on. The client security system is typically deployed on a terminal, which can be a mobile phone, a desktop computer, a laptop computer, a tablet computer, a Personal Digital Assistant (PDA) or another device. The client security system may be, for example, security software such as 360 antivirus software, Baidu antivirus software, Kaspersky, and the like.
The data processing subsystem 20 is deployed in a stand-alone server. The network management subsystem 30 may be deployed on a network operator platform. For example, the network management subsystem 30 is deployed in a "telecommunication network operation platform" or the like.
It should be noted that in other embodiments, the data processing subsystem 20 may not be deployed in a separate server. For example, the data processing subsystem 20 and the network management subsystem 30 are both deployed on a network operator platform, and are not limited herein.
In this embodiment, the monitoring subsystem 10 is used to monitor whether a network access behavior poses a threat. If a network access behavior is found to pose a threat, the threat data and the corresponding threat source information are sent to the data processing subsystem 20.
The data processing subsystem 20 counts the threat data received in a preset time period and the corresponding threat source information in a threat record database; acquiring at least one piece of threat data corresponding to the threat source information in the threat record database; calculating a score corresponding to each threat data according to a preset calculation rule; calculating a total score corresponding to the threat source information according to the score corresponding to all the threat data; and sending the threat source information and the corresponding total score to the network management subsystem 30.
The network management subsystem 30 performs preset processing such as IP blocking, warning and the like on the threat source information according to the total score, so that the network threat behavior can be actively blocked from the source of the network threat, the effectiveness of network security protection is improved, and the security of the network is improved.
The steps of the cyber-threat management method will be described in detail below in the context of the data processing subsystem 20.
Referring to fig. 2, fig. 2 is a schematic flowchart of a network threat management method according to an embodiment of the present application. The cyber-threat management method is applied to the cyber-threat management system shown in fig. 1, and specifically to the data processing subsystem 20.
As shown in FIG. 2, the cyber-threat management method includes steps S10 to S50.
S10, counting threat data received in a preset time period and corresponding threat source information in a threat record database, wherein the threat data and the corresponding threat source information are data reported to the data processing subsystem by the monitoring subsystem when the monitoring subsystem monitors that a network access behavior has a threat.
In this embodiment, the data processing subsystem 20 receives threat data and corresponding threat source information in real time within a preset time period, and counts the threat data and the corresponding threat source information in a threat record database. The threat record database is used for recording threat source information, threat data and the corresponding relation between the threat source information and the threat data. In the threat record database, each piece of threat source information may correspond to a plurality of different threat data, and the same threat data may also correspond to different threat source information.
In one embodiment, the threat source information may include an internet protocol address corresponding to the network access behavior. When the threat data is data reported by the client security system, for example, the client uploads some data containing viruses to the network, the threat source information may be the internet protocol address of the client. For another example, in the case that the client is accessing a phishing website, etc., the threat source information may be an internet protocol address of the phishing website, etc. When the threat data is data reported by the cloud security system, the threat source information may be an internet protocol address of an APP server in the cloud platform. Of course, the threat source information may also include other information, and is not particularly limited herein.
Specifically, in an embodiment, as shown in fig. 3, fig. 3 is a schematic specific flowchart of the cyber-threat management method shown in fig. 2. The step S10 may include steps S11 to S13.
S11, receiving the threat data and the corresponding threat source information in a preset time period.
The data processing subsystem 20 receives the threat data and the corresponding threat source information sent by the monitoring subsystem 10 in real time within a preset time period. The preset time period may be one day, six hours, and the like, and may be set according to a requirement, which is not limited specifically herein.
S12, obtaining the threat parameters corresponding to the threat data.
After receiving the threat data, the data processing subsystem 20 processes it to acquire the threat parameters corresponding to the threat data. Specifically, in an embodiment, as shown in fig. 4, fig. 4 is a schematic specific flowchart of the cyber-threat management method shown in fig. 3. Step S12 may include steps S121 to S122.
S121, obtaining the threat type corresponding to the threat data.
In this embodiment, the threat parameters may include a threat type. The threat type may include a Distributed Denial of Service (DDOS) attack type, a trojan injection type, a virus type, a phishing website type, and the like, which is not limited herein.
In an embodiment, when the monitoring subsystem 10 monitors that a network access behavior has a threat but cannot determine the threat type corresponding to the threat, the threat data reported by the monitoring subsystem 10 carries a threat feature corresponding to the threat. After receiving the threat data, the data processing subsystem 20 obtains the threat type corresponding to the threat feature from the threat feature database. The threat feature database stores in advance a large number of preset threat types and the preset threat features corresponding to each preset threat type.
The data processing subsystem 20 performs feature matching in the threat feature database based on the threat features carried in the threat data. If a preset threat feature identical or similar to the carried threat feature is found in the threat feature database, the preset threat type corresponding to that preset threat feature is taken as the threat type of the threat feature, that is, the threat type corresponding to the threat data. If no preset threat feature identical or similar to the carried threat feature is found in the threat feature database, this indicates that the threat corresponding to the threat feature may not be a threat recognized by the data processing subsystem 20; in this case the data processing subsystem 20 may ignore the threat data, that is, treat it as invalid threat data, so that the threat data and the corresponding threat source information are not recorded in the threat record database.
For example, the data processing subsystem 20 may ignore the threat data if the threat associated with the threat feature is an outdated threat that has little impact on the network, or if it is a false threat, and so on.
In an embodiment, when the monitoring subsystem 10 monitors that a network access behavior has a threat, if the monitoring subsystem 10 can determine a threat type corresponding to the threat, the threat type is carried in threat data reported by the monitoring subsystem 10. At this time, the data processing subsystem 20 may obtain the threat types carried in the threat data.
Further, in an embodiment, after the data processing subsystem 20 obtains the threat type carried in the threat data, the method further includes: judging, according to the threat feature database, whether the threat type is a valid threat type. Specifically, it is judged whether a preset threat type matching the threat type exists in the threat feature database. If such a preset threat type exists, the threat type carried in the threat data is a type approved by the data processing subsystem 20, that is, a valid threat type, and the data processing subsystem 20 may proceed to step S122. Conversely, if no matching preset threat type exists in the threat feature database, the threat type carried in the threat data is not a type approved by the data processing subsystem 20, and the data processing subsystem 20 ignores the threat data and the corresponding threat source information, thereby preventing invalid threat types such as outdated threats from occupying the resources of the data processing subsystem 20.
S122, acquiring the threat degree corresponding to the threat type based on a preset relation table, wherein the preset relation table stores the correspondence between threat type and threat degree, and the threat degree represents the severity of the threat outcome corresponding to the threat type.
In one embodiment, the threat parameters further comprise a threat degree. The threat degree is a parameter related to the threat type and characterizes the severity of the threat outcome corresponding to that type. For example, take the DDOS attack type and the phishing website type. Because a DDOS attack may paralyze a server so that it cannot provide normal services to thousands of clients, the consequences of a DDOS-type threat are serious, that is, the threat degree corresponding to the DDOS attack type is high. A phishing website, by contrast, only affects the part of the users who actually visit it, so its consequences are relatively light compared with the DDOS attack type, that is, the threat degree corresponding to the phishing website type is low.
In one embodiment, the threat degree may be divided into a plurality of levels; the higher the level, the more serious the threat outcome corresponding to the threat type. For example, when the threat degree has three levels, the threat degree corresponding to the DDOS attack type may be set to the highest level, level three, and the threat degree corresponding to the phishing website type to the lowest level, level one.
It is understood that, in the preset relation table, the correspondence between threat type and threat degree may be preset by a developer or the like according to the actual situation. For example, if a developer considers the threat outcomes of both the phishing website type and the DDOS attack type to be serious, both types may be set to level three. Of course, the correspondence between threat type and threat degree may also be learned from large data sets by machine learning, which is not limited herein.
In one embodiment, the threat parameters may include other parameters besides the threat type and the threat degree. For example, the threat parameters may also include a threat range and a number of threats. When the threat parameters include the threat range and the number of threats, step S12 further includes: counting, based on the threat record database, the number of threats and the threat range corresponding to the threat data, where the threat range characterizes the number of threat source information records corresponding to the threat data in the threat record database, and the number of threats characterizes the number of occurrences of the threat data corresponding to the threat source information.
Because the threat data received in the preset time period and the corresponding threat source information are recorded in the threat record database, the number of threats and the threat range corresponding to the threat data can be counted from the threat record database.
Specifically, for the threat range, the number of threat source information records corresponding to the threat data is looked up in the threat record database, and the threat range is then determined from that number. For example, assume that the threat data currently received by the data processing subsystem 20 is a, and that the threat record database shows threat data a corresponding to 10 different threat source information records. Assume the dividing rule is: 5 or fewer threat source information records is a primary range, 5 to 20 is a secondary range, and 20 or more is a tertiary range. The threat range of the threat data a currently received by the data processing subsystem 20 is then the secondary range.
Specifically, the number of threats is counted for the threat source information corresponding to the currently received threat data. For example, assume that the threat data currently received by the data processing subsystem 20 is a and the corresponding threat source information is a. If the threat record database shows 2 earlier occurrences of threat data a corresponding to threat source information a, that is, threat source information a has already reported threat data a twice before, then the number of threats corresponding to threat data a, obtained from the threat record database, is 3.
S13, the threat data, the threat parameters corresponding to the threat data and the threat source information are counted in a threat record database.
After the threat parameters corresponding to the threat data are obtained, the threat data, the threat parameters corresponding to the threat data and the corresponding threat source information are counted in a threat record database. Wherein the threat parameter may be understood as an attribute of the threat data.
In an embodiment, the data processing subsystem 20 may perform steps S12 to S13 each time it receives a piece of threat data and the corresponding threat source information, that is, it receives and processes the threat data and the corresponding threat source information in real time, which may improve the processing efficiency of the data processing subsystem 20.
After the data processing subsystem 20 counts all threat data and corresponding threat source information received within the preset time period in the threat record database, the data processing subsystem 20 performs steps S20 to S50 on each threat source information and corresponding threat data in the threat record database.
S20, obtaining at least one threat data corresponding to the threat source information in the threat record database.
In an embodiment, since each threat data in the threat record database corresponds to a threat parameter, and the threat parameter is equivalent to an attribute of the threat data, when obtaining the threat data corresponding to the threat source information, the data processing subsystem 20 also obtains the threat parameter corresponding to each threat data.
For example, assuming that the threat source information a in the threat record database corresponds to 4 threat data, the data processing subsystem 20 obtains the 4 threat data corresponding to the threat source information a and the threat parameter corresponding to each threat data, and performs step S30.
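As an added example of steps S11 to S13 and the S20 lookup (written for this page; not the patent's own code): a small Python model of the data processing subsystem 20 that resolves the threat type from a threat feature database, validates a reported type, looks up the threat degree in the relation table, counts the threat range and the number of threats, and records everything in the threat record database. The feature database, relation table, range thresholds and reports are constructed; because the page's range thresholds overlap at 5 and 20, the code assumes 5 or fewer sources is primary, 6 to 19 secondary and 20 or more tertiary.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed threat feature database: preset threat type -> its preset threat features.
THREAT_FEATURE_DB = {
    "ddos": {"syn_flood", "udp_amplification"},
    "trojan": {"rat_beacon", "dropper_signature"},
    "virus": {"pe_infector_signature"},
    "phishing": {"credential_form_clone", "lookalike_domain"},
}

# Constructed preset relation table: threat type -> threat degree (level 1 lightest, 3 most severe).
RELATION_TABLE = {"ddos": 3, "trojan": 2, "virus": 2, "phishing": 1}


def threat_range_level(source_count):
    """Map the number of distinct threat sources reporting one threat datum to a range level.
    Assumed reading of the page's thresholds: <= 5 -> 1 (primary), 6..19 -> 2, >= 20 -> 3."""
    if source_count <= 5:
        return 1
    if source_count < 20:
        return 2
    return 3


@dataclass
class ThreatRecordDatabase:
    """Threat record database: which sources reported which threat data, and how often."""
    sources_by_data: dict = field(default_factory=lambda: defaultdict(set))
    occurrences: dict = field(default_factory=lambda: defaultdict(int))
    records: list = field(default_factory=list)

    def resolve_type(self, report):
        """Step S121: use the reported threat type if it is a preset (valid) type; otherwise
        match the carried threat feature against the feature database. None means 'ignore'."""
        if "threat_type" in report:
            reported = report["threat_type"]
            return reported if reported in THREAT_FEATURE_DB else None
        feature = report.get("threat_feature")
        for preset_type, features in THREAT_FEATURE_DB.items():
            if feature in features:
                return preset_type
        return None

    def ingest(self, report):
        """Steps S12-S13: derive the threat parameters and record the report.
        Returns the stored record, or None when the threat data is invalid."""
        threat_type = self.resolve_type(report)
        if threat_type is None:
            return None
        data, source = report["threat_data"], report["source_ip"]
        self.sources_by_data[data].add(source)      # basis for the threat range
        self.occurrences[(source, data)] += 1        # basis for the number of threats
        record = {
            "source_ip": source,
            "threat_data": data,
            "threat_type": threat_type,
            "threat_degree": RELATION_TABLE[threat_type],                        # step S122
            "threat_range": threat_range_level(len(self.sources_by_data[data])),
            "threat_count": self.occurrences[(source, data)],
        }
        self.records.append(record)
        return record

    def threat_data_for(self, source_ip):
        """Step S20: every recorded threat datum (with its parameters) for one threat source."""
        return [r for r in self.records if r["source_ip"] == source_ip]


# Constructed reports for one preset time period (documentation-range IP addresses).
SAMPLE_REPORTS = (
    [{"source_ip": "203.0.113.7", "threat_data": "a", "threat_type": "ddos"}] * 3
    + [{"source_ip": "203.0.113.7", "threat_data": "b", "threat_feature": "lookalike_domain"}]
    + [{"source_ip": f"198.51.100.{i}", "threat_data": "a", "threat_feature": "syn_flood"}
       for i in range(1, 6)]
    + [{"source_ip": "203.0.113.7", "threat_data": "c", "threat_type": "legacy_worm"},       # unknown type
       {"source_ip": "203.0.113.7", "threat_data": "d", "threat_feature": "no_such_feature"}]  # no match
)


def run_sample():
    """Ingest the sample reports and return the populated threat record database."""
    db = ThreatRecordDatabase()
    for report in SAMPLE_REPORTS:
        db.ingest(report)
    return db


if __name__ == "__main__":
    for rec in run_sample().threat_data_for("203.0.113.7"):
        print(rec)
```

The third report of threat data a from 203.0.113.7 gets a threat count of 3 (two earlier occurrences plus the current one), matching the page's worked example, and the two reports with an unknown type or unmatched feature are dropped before they reach the database.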
S30, calculating the corresponding score of each threat data according to a preset calculation rule.
Specifically, in an embodiment, as shown in fig. 5, fig. 5 is a schematic specific flowchart of the cyber-threat management method shown in fig. 2. The step S30 includes steps S31 to S32.
And S31, calculating the threat level corresponding to each threat data.
In this embodiment, the data processing subsystem 20 stores a relational expression between the threat parameter and the threat level in advance. The relational expression between the threat parameter and the threat level can be obtained in advance through a big data learning method.
For example, there are 1000 sample data, each sample data has four parameters of a, b, c, and d, where a represents the number of threats, b represents the number corresponding to the threat type, c represents the threat level, and d represents the threat range. Through a linear regression statistical analysis method, a linear regression expression can be obtained by learning 1000 parts of sample data, and the linear regression expression is a relational expression between threat parameters and threat levels. The relational expression may be updated periodically according to the constant updating of the sample data. It should be noted that the relational expression between the threat parameter and the threat level may be obtained by learning by using other methods, which are not specifically limited herein.
When the data processing subsystem 20 calculates the threat level corresponding to each threat data, the threat level corresponding to the threat data may be calculated according to the threat parameter corresponding to the threat data. Specifically, the threat parameter corresponding to each threat data is brought into a pre-stored relational expression between the threat parameter and the threat level, so that the threat level corresponding to each threat data is calculated. For example, the threat source information a corresponds to 4 threat data, and after step S31, 4 threat levels corresponding to the 4 threat data, respectively, can be obtained.
And S32, obtaining a score corresponding to the threat data according to the threat level.
After the threat level corresponding to each threat data is obtained, the score corresponding to each threat level can be obtained according to the preset corresponding relation between the threat level and the score, so that the score corresponding to each threat data can be obtained.
For example, the threat levels are divided into three levels, Level1, Level2, and Level 3. The higher the threat level, the more serious the consequences of the threat. In the preset corresponding relation, the score scores corresponding to the three threat levels are-10, -20, -30 respectively. When the threat Level corresponding to the threat data is Level1, the score corresponding to the threat data is-10. Or, in the preset corresponding relation, the score scores corresponding to the three threat levels are respectively 10, 20 and 30. When the threat Level corresponding to the threat data is Level1, the score corresponding to the threat data is 10.
It is to be understood that, in the preset corresponding relationship, the corresponding relationship between the threat level and the score is not limited to the above corresponding relationship, and may be other corresponding relationships, which are not specifically limited herein.
S40, calculating the total score corresponding to the threat source information according to the scores corresponding to all of its threat data.
For example, if there are 4 different threat data corresponding to the threat source information a, 4 corresponding scores are obtained after step S30, and the total score corresponding to the threat source information a is then calculated from these 4 scores.
Specifically, when the scores are negative, for example when the 4 scores are -10, -10, -20 and -30 respectively, the total score corresponding to the threat source information a may be obtained by adding the 4 scores one by one to a base of 100, for example: 100 + (-10) + (-10) + (-20) + (-30) = 30, that is, the threat source information a corresponds to a total score of 30. In this calculation manner, the lower the total score, the more serious the threat that the threat source information a poses to the network, and severe treatment such as IP blocking is needed.
Specifically, when the scores are positive, for example when the 4 scores are 10, 10, 20 and 30 respectively, the total score corresponding to the threat source information a is the sum of the 4 scores, for example: 10 + 10 + 20 + 30 = 70, that is, the total score corresponding to the threat source information a is 70. In this calculation manner, the higher the total score, the more serious the threat that the threat source information a poses to the network, and severe treatment such as IP blocking is needed.
S50, sending the threat source information and the corresponding total score to the network management subsystem, so that the network management subsystem performs preset processing on the threat source information according to the total score.
In an embodiment, after the data processing subsystem 20 has calculated the total score corresponding to every threat source information in the threat record database according to steps S20 to S40, it sends all threat source information and the corresponding total scores to the network management subsystem 30 at once. This one-time sending mode reduces the number of interactions between the data processing subsystem 20 and the network management subsystem 30, so that the resources of both subsystems are used reasonably.
In another embodiment, the data processing subsystem 20 sends each threat source information and its corresponding total score to the network management subsystem 30 as soon as that total score has been calculated according to steps S20 to S40. The data processing subsystem 20 then performs steps S20 to S50 on the next threat source information in the threat record database, and so on, until the total score corresponding to every threat source information in the threat record database has been sent to the network management subsystem 30.
The network management subsystem 30 may perform preset processing on the threat source information according to the received total score. The preset processing may include IP blocking, warning prompts, antivirus software pushes, network security knowledge pushes, and the like.
Specifically, the network management subsystem 30 stores in advance a correspondence table between the total score and the preset process, and the preset process corresponding to each total score, that is, the preset process corresponding to each threat source information, can be looked up in this table.
For example, when the scores are negative, the correspondence table may be as shown in table 1.
TABLE 1

| Total score | Preset process |
| --- | --- |
| Total score ≤ 30 | IP blocking |
| 30 < total score ≤ 60 | Warning prompt |
| 60 < total score ≤ 80 | Warning prompt and antivirus software push |
| 80 < total score < 100 | Network security knowledge push |
For another example, when the scores are positive, the correspondence table may be as shown in table 2.
TABLE 2

| Total score | Preset process |
| --- | --- |
| 80 < total score < 100 | IP blocking |
| 60 < total score ≤ 80 | Warning prompt |
| 30 < total score ≤ 60 | Warning prompt and antivirus software push |
| Total score ≤ 30 | Network security knowledge push |
It should be noted that the preset processes, and the correspondence between the total score and the preset process shown in tables 1 and 2, are only for demonstration; in actual use the relevant settings may be changed according to requirements, which is not limited herein.
For example, when the network management subsystem 30 finds, according to table 1, that the preset process corresponding to the threat source information a is IP blocking, it may block the IP address of that threat source so that it cannot connect to the network for a certain time or permanently, thereby blocking the network threat at its source, improving the effectiveness of network security protection and further improving the security of the network.
For another example, when the network management subsystem 30 finds, according to table 1, that the preset process corresponding to the threat source information a is a warning prompt together with an antivirus software push, this indicates that the user corresponding to the threat source information may be threatening the network unintentionally, e.g., by unknowingly uploading software that carries a virus. In this case the network management subsystem 30 may send a warning prompt to that user, warning them not to send such infected software to the network again, and at the same time may push antivirus software to the user, so that users who unintentionally pose a threat to the network can install better antivirus software and access the internet securely, which prevents illegal actors from using these users to carry out illegal behaviour such as virus propagation.
In one embodiment, after the data processing subsystem 20 completes step S50, it deletes the data in the threat record database so that threat data statistics for the next period can begin. In this way the new threat data and corresponding threat source information acquired in the next period can be recorded, and excessive memory occupation by historical data in the threat record database is avoided.
In this embodiment, the network threat management method records threat data and threat source information within a preset time period, calculates a score for each threat data corresponding to each threat source information in the threat record database, calculates the total score of the corresponding threat source information from the scores of its threat data, and then sends the threat source information and the total score to the network management subsystem 30, so that the network management subsystem 30 performs preset processing such as IP blocking on the threat source information according to the total score, thereby actively blocking the network threat at its source, improving the effectiveness of network security protection and improving the security of the network.
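The scoring pipeline of steps S20 to S50, including the threat-type validity check and the lookup in tables 1 and 2, as an added worked example; this is not the patent's code, and the threat characteristic database, type codes, threat degrees, regression weights and the sample threat record database are all constructed here for illustration (the page only states that the level expression is learned by regression).

```python
"""Worked example of the per-source scoring in steps S20-S50 (added example, not the patent's code).

All tables, weights and the sample threat record database are constructed for illustration.
"""
from collections import Counter, defaultdict

# Threat characteristic database: the valid threat types (the four kinds the page names).
VALID_TYPES = {"phishing", "virus", "trojan", "ddos"}
# Preset relation table: threat type -> threat degree (constructed values).
THREAT_DEGREE = {"phishing": 1, "virus": 2, "trojan": 3, "ddos": 3}
# Numeric code b for each threat type (constructed).
TYPE_CODE = {"phishing": 1, "virus": 2, "trojan": 3, "ddos": 4}
# Assumed linear relational expression: level = w . (a, b, c, d) + bias (constructed weights).
LEVEL_WEIGHTS = (0.3, 0.1, 0.5, 0.2)
LEVEL_BIAS = 0.0
# Preset level -> score correspondences, both conventions given on the page.
SCORES = {"negative": {1: -10, 2: -20, 3: -30}, "positive": {1: 10, 2: 20, 3: 30}}
# Tables 1 and 2 as rows (lower bound exclusive or None, upper bound, upper inclusive?, process).
TABLE_1 = [
    (None, 30, True, "IP blocking"),
    (30, 60, True, "warning prompt"),
    (60, 80, True, "warning prompt and antivirus push"),
    (80, 100, False, "push network security knowledge"),
]
TABLE_2 = [
    (80, 100, False, "IP blocking"),
    (60, 80, True, "warning prompt"),
    (30, 60, True, "warning prompt and antivirus push"),
    (None, 30, True, "push network security knowledge"),
]


def lookup_process(total, table):
    """S50 on the receiving side: the preset process whose row covers the total, or None if
    no row does (a positive-convention total above 100 matches no row of table 2 as printed)."""
    for lo, hi, hi_inclusive, process in table:
        above_lo = lo is None or total > lo
        below_hi = total <= hi if hi_inclusive else total < hi
        if above_lo and below_hi:
            return process
    return None


def threat_parameters(records):
    """S12/S13: derive (a, b, c, d) for every (source, threat data) pair in the record database.
    a = occurrences of this threat data for this source, b = type code, c = threat degree,
    d = threat range (number of distinct sources reporting this threat data).
    Records whose type is not in the characteristic database fail the validity check and are dropped."""
    valid = [r for r in records if r[2] in VALID_TYPES]
    occurrences = Counter((src, tid) for src, tid, _ in valid)
    sources_per_threat = defaultdict(set)
    types = {}
    for src, tid, ttype in valid:
        sources_per_threat[tid].add(src)
        types[tid] = ttype
    params = defaultdict(dict)
    for (src, tid), a in occurrences.items():
        ttype = types[tid]
        params[src][tid] = (a, TYPE_CODE[ttype], THREAT_DEGREE[ttype], len(sources_per_threat[tid]))
    return params


def threat_level(params):
    """S31: evaluate the relational expression and discretise to Level 1..3 (rounding is assumed)."""
    raw = LEVEL_BIAS + sum(w * p for w, p in zip(LEVEL_WEIGHTS, params))
    return min(3, max(1, round(raw)))


def total_score(threat_params, convention):
    """S32-S40: score each threat data from its level, then total under the chosen convention
    (negative scores are added to a base of 100, positive scores are simply summed)."""
    scores = [SCORES[convention][threat_level(p)] for p in threat_params.values()]
    base = 100 if convention == "negative" else 0
    return base + sum(scores)


def evaluate_sources(records, convention):
    """S20-S50 for every source in the record database: {source: (total score, preset process)}."""
    table = TABLE_1 if convention == "negative" else TABLE_2
    result = {}
    for src, per_threat in threat_parameters(records).items():
        total = total_score(per_threat, convention)
        result[src] = (total, lookup_process(total, table))
    return result


# Constructed threat record database for one period: (threat source IP, threat data id, type).
SAMPLE_RECORDS = [
    ("198.51.100.7", "T1", "ddos"),
    ("198.51.100.7", "T1", "ddos"),     # same threat data seen twice from this source -> a = 2
    ("198.51.100.7", "T2", "trojan"),
    ("198.51.100.7", "T3", "virus"),
    ("203.0.113.9", "T3", "virus"),     # T3 reported from two sources -> threat range d = 2
    ("203.0.113.9", "T9", "unknown"),   # invalid type: dropped by the validity check
]

if __name__ == "__main__":
    for convention in ("negative", "positive"):
        print(convention, evaluate_sources(SAMPLE_RECORDS, convention))
```

Note that tables 1 and 2 as printed are not mirror images: the same source totals 30 under the negative convention (IP blocking) but 70 under the positive one (warning prompt), and positive totals above 100 match no row, so the table deployed has to match the scoring convention actually in use.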
The embodiment of the application also provides a network threat management device, and the network threat management device is used for executing any one of the network threat management methods. Specifically, referring to fig. 6, fig. 6 is a schematic block diagram of a cyber-threat management apparatus according to an embodiment of the present application. The cyber-threat management apparatus 300 may be applied to the cyber-threat management system 100, and particularly, to a server in which the data processing subsystem 20 of the cyber-threat management system 100 is located.
As shown in fig. 6, the cyber-threat management apparatus 300 includes a threat statistic unit 310, a threat data acquisition unit 320, a first calculation unit 330, a second calculation unit 340, and a transmission unit 350.
The threat counting unit 310 is configured to count threat data and corresponding threat source information received within a preset time period in a threat record database, where the threat data and the corresponding threat source information are data reported by the monitoring subsystem to the data processing subsystem when the monitoring subsystem monitors that a network access behavior is threatening.
In this embodiment, the threat statistics unit 310 receives threat data and corresponding threat source information in real time within a preset time period, and counts the threat data and the corresponding threat source information in a threat record database. The threat record database is used for recording threat source information, threat data and the corresponding relation between the threat source information and the threat data. In the threat record database, each piece of threat source information may correspond to a plurality of different threat data, and the same threat data may also correspond to different threat source information.
In one embodiment, the threat source information may include an internet protocol address corresponding to the network access behavior. Of course, the threat source information may also include other information, and is not particularly limited herein.
Specifically, in an embodiment, as shown in fig. 7, fig. 7 is another schematic block diagram of a cyber-threat management apparatus according to an embodiment of the present application. The threat statistics unit 310 comprises a receiving subunit 311, a parameter acquisition subunit 312 and a statistics subunit 313.
The receiving subunit 311 is configured to receive threat data and corresponding threat source information within a preset time period.
The receiving subunit 311 receives the threat data and the corresponding threat source information sent by the monitoring subsystem 10 in real time within a preset time period.
The receiving sub-unit 311 sends the received threat data and the corresponding threat source information to the parameter obtaining sub-unit 312.
A parameter obtaining subunit 312, configured to obtain a threat parameter corresponding to the threat data.
After receiving the threat data, the parameter obtaining subunit 312 processes the threat data to obtain the threat parameters corresponding to it. Specifically, the parameter obtaining subunit 312 is configured to: obtain the threat type corresponding to the threat data; and acquire the threat degree corresponding to the threat type based on a preset relation table, wherein the preset relation table stores the correspondence between the threat type and the threat degree, and the threat degree represents the severity of the threat result corresponding to the threat type.
In an embodiment, when the threat data carries threat characteristics, the parameter obtaining subunit 312 is specifically configured to, when obtaining a threat type corresponding to the threat data: and acquiring a threat type corresponding to the threat characteristic based on a threat characteristic database. The threat characteristic database stores a large number of preset threat types and preset threat characteristics corresponding to each preset threat type in advance.
In an embodiment, when the threat data carries a threat type, the parameter obtaining subunit 312 is specifically configured to: and acquiring the threat type carried in the threat data.
Further, in an embodiment, the threat statistic unit 310 further includes a determining subunit, configured to determine whether the threat type is a valid threat type according to the threat characteristic database. When the judging subunit judges that the threat type is an effective threat type, the judging subunit sends a first control signal to the parameter obtaining subunit 312, so that the parameter obtaining subunit 312 obtains the threat degree corresponding to the threat type based on a preset relationship table.
In an embodiment, the threat types may include a distributed denial of service (DDoS) attack type, a trojan injection type, a virus software type, a phishing website type, and the like, which are not limited herein. The threat degree is a parameter related to the threat type and may characterize the severity of the threat result corresponding to that threat type. In the preset relation table, the correspondence between the threat type and the threat degree may be preset by a developer or the like according to the actual situation. Of course, the correspondence between the threat type and the threat degree may also be obtained by learning from big data in a machine learning manner, which is not limited herein.
In one embodiment, the threat parameters may include other parameters in addition to the threat types and threat degrees described above. For example, the threat parameters may also include threat range and number of threats, and the like. When the threat parameters include a threat range and a threat number, the parameter obtaining subunit 312 is further configured to: and counting the threat times and the threat range corresponding to the threat data based on the threat record database, wherein the threat range is used for representing the number of threat source information corresponding to the threat data in the threat record database, and the threat times is used for representing the occurrence times of the threat data corresponding to the threat source information.
The statistics subunit 313 is configured to record the threat data, the threat parameters corresponding to the threat data, and the threat source information in the threat record database.
After the parameter obtaining subunit 312 obtains the threat parameters corresponding to the threat data, the statistics subunit 313 records the threat data, the threat parameters corresponding to the threat data, and the corresponding threat source information in the threat record database. The threat parameter may be understood as an attribute of the threat data.
In an embodiment, each time the receiving subunit 311 receives one piece of threat data and the corresponding threat source information, the parameter obtaining subunit 312 and the statistics subunit 313 perform corresponding processing on the threat data, and store the threat data, the threat parameters corresponding to the threat data, and the threat source information in the threat record database, thereby improving the processing efficiency of the cyber-threat management apparatus 300.
After the threat statistics unit 310 counts all threat data and corresponding threat source information received within a preset time period in the threat record database, the threat data acquisition unit 320, the first calculation unit 330, the second calculation unit 340, and the sending unit 350 process each threat source information and all corresponding threat data in the threat record database.
A threat data obtaining unit 320, configured to obtain at least one piece of threat data corresponding to the threat source information in the threat record database.
In an embodiment, each threat data in the threat record database corresponds to a threat parameter, and the threat parameter is equivalent to an attribute of the threat data, so when obtaining the threat data corresponding to the threat source information, the threat data obtaining unit 320 also obtains the threat parameter corresponding to each threat data.
For example, assuming that the threat source information a in the threat record database corresponds to 4 threat data, the threat data obtaining unit 320 obtains the 4 threat data corresponding to the threat source information a and the threat parameter corresponding to each threat data, and sends the threat source information a, the 4 threat data corresponding to the threat source information a, and the relevant threat parameter to the first computing unit 330.
The first calculating unit 330 is configured to calculate a score corresponding to each threat data according to a preset calculation rule.
Specifically, in an embodiment, the first calculating unit 330 is specifically configured to: calculating the threat level corresponding to each threat data; and obtaining a score corresponding to the threat data according to the threat level.
In this embodiment, the cyber-threat management apparatus 300 stores in advance a relational expression between the threat parameters and the threat level. This relational expression can be obtained by a big data learning method. The first calculating unit 330 may specifically calculate the threat level corresponding to the threat data from the threat parameters corresponding to that threat data; for example, the relational expression may be obtained by a linear regression statistical analysis method. The first calculating unit 330 substitutes the threat parameters corresponding to each threat data into the pre-stored relational expression between the threat parameters and the threat level, which yields the threat level corresponding to each threat data. Then, the first calculating unit 330 obtains the score corresponding to each threat level according to the preset correspondence between the threat level and the score, so as to obtain the score corresponding to each threat data.
The second calculating unit 340 is configured to calculate a total score corresponding to the threat source information according to the score corresponding to all the threat data.
For example, if there are 4 different threat data corresponding to the threat source information a, the first calculating unit 330 calculates 4 corresponding score scores, and then the second calculating unit 340 calculates the total score corresponding to the threat source information a according to the 4 score scores.
A sending unit 350, configured to send the threat source information and the corresponding total score to the network management subsystem, so that the network management subsystem performs preset processing on the threat source information according to the total score.
In an embodiment, after the second calculating unit 340 calculates the total score corresponding to each threat source information in the threat record database, the sending unit 350 sends each threat source information and the corresponding total score to the network management subsystem 30.
In another embodiment, after the second calculating unit 340 calculates the total score corresponding to one piece of threat source information, the sending unit 350 sends that threat source information and the corresponding total score to the network management subsystem 30. The cyber-threat management apparatus 300 then performs the corresponding processing on the next threat source information in the threat record database, and so on, until the total score corresponding to every threat source information in the threat record database has been sent to the network management subsystem 30.
The network management subsystem 30 may perform preset processing on the threat source information according to the received total score. The preset processing may include IP blocking, warning prompts, antivirus software pushes, network security knowledge pushes, and the like.
In one embodiment, as shown in fig. 7, the cyber-threat management apparatus 300 further includes a deletion unit 360. The deleting unit 360 is configured to delete the data information in the threat record database to perform statistics on the threat data of the next period. Therefore, the threat data and the corresponding threat source information acquired in the next period can be recorded, and the situation that the historical data in the threat record database occupies too much memory is avoided.
It is clear to those skilled in the art that, for the sake of simplicity of the description, the specific working processes of the network threat management apparatus 300 and each unit described above may refer to corresponding processes in the foregoing embodiments of the network threat management method, and are not described herein again.
In the cyber-threat management apparatus 300 of this embodiment, the threat statistics unit 310 is configured to record threat data and threat source information within a preset time period, the first calculation unit 330 is configured to calculate the score of each threat data corresponding to the threat source information, the second calculation unit 340 is configured to calculate the total score of the corresponding threat source information from the score of each threat data, and the sending unit 350 is configured to send the threat source information and the total score to the network management subsystem 30, so that the network management subsystem 30 performs preset processing such as IP blocking on the threat source information according to the total score, thereby actively blocking the cyber-threat at its source, improving the effectiveness of cyber-security protection, and improving the security of the network.
The cyber-threat management apparatus may be implemented in the form of a computer program that is executable on a computer device such as that shown in fig. 8.
Referring to fig. 8, fig. 8 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 400 may be a server. The server may have a data processing subsystem mounted thereon.
Referring to fig. 8, the computer device 400 includes a processor 420, a memory, which may include a non-volatile storage medium 430 and an internal memory 440, and a network interface 450 connected by a system bus 410.
The non-volatile storage medium 430 may store an operating system 4301 and computer programs 4302. The computer program 4302 includes program instructions that, when executed, cause the processor 420 to perform a cyber-threat management method.
The processor 420 is used to provide computing and control capabilities that support the operation of the overall computer device 400.
The memory 440 provides an environment for the operation of a computer program 4302 on a non-volatile storage medium 430, which computer program 4302, when executed by the processor 420, causes the processor 420 to perform a cyber-threat management method.
The network interface 450 is used to perform network communications, such as sending assigned tasks, etc. Those skilled in the art will appreciate that the architecture shown in fig. 8 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing device 400 to which the disclosed aspects apply, as a particular computing device 400 may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
Wherein the processor 420 is configured to run the computer program 4302 stored in the memory to implement the following functions: counting threat data and corresponding threat source information received in a preset time period in a threat record database, wherein the threat data and the corresponding threat source information are data reported to a data processing subsystem by a monitoring subsystem when a network access behavior is monitored to be threatening; acquiring at least one piece of threat data corresponding to the threat source information in the threat record database; calculating a score corresponding to each threat data according to a preset calculation rule; calculating a total score corresponding to the threat source information according to the score corresponding to all the threat data; and sending the threat source information and the corresponding total score to the network management subsystem so that the network management subsystem carries out preset processing on the threat source information according to the total score.
In an embodiment, when the processor 420 performs statistics on the threat data received within the preset time period and the corresponding threat source information in the threat record database, the following specific procedures are performed: receiving threat data and corresponding threat source information within a preset time period; obtaining threat parameters corresponding to the threat data; and counting the threat data, the threat parameters corresponding to the threat data and the threat source information in a threat record database.
In an embodiment, when the processor 420 executes to obtain the threat parameter corresponding to the threat data, the following specific procedures are executed: obtaining a threat type corresponding to the threat data; and acquiring a threat degree corresponding to the threat type based on a preset relation table, wherein the preset relation table is used for storing the corresponding relation between the threat type and the threat degree, and the threat degree is used for representing the severity of a threat result corresponding to the threat type.
In an embodiment, when the processor 420 executes to acquire the threat type corresponding to the threat data, the following specific procedures are executed: obtaining the threat type carried in the threat data; or if the threat data carries threat characteristics, acquiring a threat type corresponding to the threat characteristics based on a threat characteristic database.
In an embodiment, after the processor 420 executes the following procedure to acquire the threat types carried in the threat data: judging whether the threat type is an effective threat type or not according to the threat characteristic database; and if the threat type is an effective threat type, executing a step of acquiring the threat degree corresponding to the threat type based on a preset relation table.
In an embodiment, the processor 420, when executing the step of obtaining the threat parameter corresponding to the threat data, further executes the following procedures: and counting the threat times and the threat range corresponding to the threat data based on the threat record database, wherein the threat range is used for representing the number of threat source information corresponding to the threat data in the threat record database, and the threat times is used for representing the occurrence times of the threat data corresponding to the threat source information.
In an embodiment, when the processor 420 calculates the score corresponding to each threat data according to a preset calculation rule, the following procedure is specifically executed: calculating the threat level corresponding to each threat data; and obtaining a score corresponding to the threat data according to the threat level.
It should be understood that, in the embodiment of the present application, the processor 420 may be a Central Processing Unit (CPU), and the processor 420 may also be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
In another embodiment of the present application, a storage medium is provided. The storage medium may be a computer-readable storage medium. The storage medium stores a computer program, wherein the computer program comprises program instructions. The program instructions, when executed by the processor, implement: counting threat data and corresponding threat source information received in a preset time period in a threat record database, wherein the threat data and the corresponding threat source information are data reported to a data processing subsystem by a monitoring subsystem when a network access behavior is monitored to be threatening; acquiring at least one piece of threat data corresponding to the threat source information in the threat record database; calculating a score corresponding to each threat data according to a preset calculation rule; calculating a total score corresponding to the threat source information according to the score corresponding to all the threat data; and sending the threat source information and the corresponding total score to the network management subsystem so that the network management subsystem carries out preset processing on the threat source information according to the total score.
In an embodiment, when the program instructions are executed by the processor to count the threat data received within a preset time period and the corresponding threat source information in the threat record database, the following is specifically implemented: receiving threat data and corresponding threat source information within a preset time period; obtaining threat parameters corresponding to the threat data; and counting the threat data, the threat parameters corresponding to the threat data and the threat source information in a threat record database.
In an embodiment, when the program instructions are executed by the processor to obtain the threat parameters corresponding to the threat data, the following is specifically implemented: obtaining a threat type corresponding to the threat data; and acquiring a threat degree corresponding to the threat type based on a preset relation table, wherein the preset relation table is used for storing the corresponding relation between the threat type and the threat degree, and the threat degree is used for representing the severity of the threat result corresponding to the threat type.
In an embodiment, when the program instructions are executed by the processor to acquire the threat type corresponding to the threat data, the following is specifically implemented: obtaining the threat type carried in the threat data; or, if the threat data carries threat characteristics, acquiring a threat type corresponding to the threat characteristics based on a threat characteristic database.
In an embodiment, after the program instructions are executed by the processor to obtain the threat type carried in the threat data, the method further includes: judging whether the threat type is an effective threat type according to the threat characteristic database; and if the threat type is an effective threat type, executing the step of acquiring the threat degree corresponding to the threat type based on the preset relation table.
In an embodiment, when the program instructions are executed by the processor to obtain the threat parameters corresponding to the threat data, the method further includes: counting the threat times and the threat range corresponding to the threat data based on the threat record database, wherein the threat range is used for representing the number of threat source information entries corresponding to the threat data in the threat record database, and the threat times are used for representing the number of occurrences of the threat data corresponding to the threat source information.
In an embodiment, when the program instructions are executed by the processor to calculate the score corresponding to each piece of threat data according to a preset calculation rule, the following is specifically implemented: calculating the threat level corresponding to each piece of threat data; and obtaining a score corresponding to the threat data according to the threat level.
The storage medium may be any of various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, or an optical disk.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented in electronic hardware, computer software, or a combination of both, and that the components and steps of the examples have been described above in general functional terms in order to illustrate clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, various elements or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented.
The steps in the method of the embodiment of the application can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the application can be combined, divided and deleted according to actual needs.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a terminal, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application.
While the invention has been described with reference to specific embodiments, the scope of the invention is not limited thereto, and those skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the invention. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (8)

1. A network threat management method is applied to a network threat management system, the network threat management system comprises a monitoring subsystem, a data processing subsystem and a network management subsystem, and is characterized by comprising the following steps:
counting threat data and corresponding threat source information received in a preset time period in a threat record database, wherein the threat data and the corresponding threat source information are data reported to a data processing subsystem by a monitoring subsystem when a network access behavior is monitored to be threatening;
acquiring at least one piece of threat data corresponding to the threat source information in the threat record database;
calculating a score corresponding to each threat data according to a preset calculation rule;
calculating a total score corresponding to the threat source information according to the score corresponding to all the threat data; and
sending the threat source information and the corresponding total score to the network management subsystem so that the network management subsystem carries out preset processing on the threat source information according to the total score;
the statistics of the threat data received in the preset time period and the corresponding threat source information in a threat record database comprises the following steps:
receiving threat data and corresponding threat source information within a preset time period;
obtaining threat parameters corresponding to the threat data; and
counting the threat data, threat parameters corresponding to the threat data and the threat source information in a threat record database;
the obtaining of the threat parameter corresponding to the threat data includes: counting threat times and a threat range corresponding to the threat data based on the threat record database, wherein the threat range is used for representing the number of threat source information entries corresponding to the threat data in the threat record database, and the threat times are used for representing the number of occurrences of the threat data corresponding to the threat source information;
the threat source information is an internet protocol address corresponding to the network access behavior.
2. The cyber-threat management method according to claim 1, wherein the obtaining of the threat parameter corresponding to the threat data includes:
obtaining a threat type corresponding to the threat data; and
acquiring a threat degree corresponding to the threat type based on a preset relation table, wherein the preset relation table is used for storing the corresponding relation between the threat type and the threat degree, and the threat degree is used for representing the severity of the threat result corresponding to the threat type.
3. The cyber-threat management method according to claim 2, wherein the obtaining of the threat type corresponding to the threat data includes:
obtaining the threat type carried in the threat data; or
if the threat data carries threat characteristics, acquiring a threat type corresponding to the threat characteristics based on a threat characteristic database.
4. The cyber-threat management method according to claim 3, further comprising, after the obtaining of the threat types carried in the threat data:
judging whether the threat type is an effective threat type or not according to the threat characteristic database; and
if the threat type is an effective threat type, executing the step of obtaining the threat degree corresponding to the threat type based on a preset relation table.
5. The cyber-threat management method according to claim 1, wherein the calculating a score corresponding to each threat data according to a preset calculation rule includes:
calculating the threat level corresponding to each threat data; and
obtaining a score corresponding to the threat data according to the threat level.
6. A network threat management device is applied to a network threat management system, the network threat management system comprises a monitoring subsystem, a data processing subsystem and a network management subsystem, and the device is characterized by comprising:
the threat counting unit is used for counting threat data and corresponding threat source information received in a preset time period in a threat record database, wherein the threat data and the corresponding threat source information are data reported to the data processing subsystem by the monitoring subsystem when the monitoring subsystem monitors that a network access behavior has a threat;
a threat data obtaining unit, configured to obtain at least one piece of threat data corresponding to the threat source information in the threat record database;
the first calculation unit is used for calculating a score corresponding to each threat data according to a preset calculation rule;
the second calculation unit is used for calculating a total score corresponding to the threat source information according to the score corresponding to all the threat data; and
the sending unit is used for sending the threat source information and the corresponding total score to the network management subsystem so that the network management subsystem can carry out preset processing on the threat source information according to the total score;
the threat statistic unit includes:
the receiving subunit is used for receiving the threat data and the corresponding threat source information within a preset time period;
the parameter acquiring subunit is used for acquiring threat parameters corresponding to the threat data;
the statistic subunit is used for counting the threat data, the threat parameters corresponding to the threat data and the threat source information in a threat record database;
the obtaining of the threat parameter corresponding to the threat data includes: counting threat times and a threat range corresponding to the threat data based on the threat record database, wherein the threat range is used for representing the number of threat source information entries corresponding to the threat data in the threat record database, and the threat times are used for representing the number of occurrences of the threat data corresponding to the threat source information;
the threat source information is an internet protocol address corresponding to the network access behavior.
7. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the cyber-threat management method according to any one of claims 1 to 5 when executing the computer program.
8. A storage medium, characterized in that the storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to perform the cyber-threat management method according to any one of claims 1 to 5.
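The scoring pipeline described in the storage-medium embodiment above and restated in claims 1 to 5, as an added Python example that is not the patent's own code; the threat characteristic database, the preset relation table, the threat level formula, the block threshold and the sample reports are all constructed assumptions.

```python
"""Constructed model of the claimed pipeline: count reports in a time window, resolve and
validate the threat type, look up its degree, count threat times and threat range, score
each threat, total per source IP and hand the total to the management subsystem."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed stand-in for the threat characteristic database (claims 3 and 4):
# characteristics map to a type, and only listed types count as effective.
THREAT_CHARACTERISTICS = {"sig-sqli-001": "sql_injection", "sig-scan-002": "port_scan"}
EFFECTIVE_TYPES = {"sql_injection", "port_scan", "brute_force"}
# Constructed stand-in for the preset relation table (claim 2): type -> threat degree.
DEGREE_TABLE = {"sql_injection": 5, "brute_force": 3, "port_scan": 1}


@dataclass(frozen=True)
class Report:
    source_ip: str                  # threat source information (an IP address)
    threat_type: Optional[str]      # threat type carried in the threat data, if any
    characteristic: Optional[str]   # otherwise a threat characteristic to resolve
    seen_at: datetime


def resolve_type(report: Report) -> Optional[str]:
    """Carried type first, else resolve the characteristic; drop non-effective types."""
    t = report.threat_type or THREAT_CHARACTERISTICS.get(report.characteristic or "")
    return t if t in EFFECTIVE_TYPES else None


def count_window(reports, start: datetime, end: datetime):
    """Threat record database for [start, end): source_ip -> Counter(threat type)."""
    db = defaultdict(Counter)
    for r in reports:
        t = resolve_type(r)
        if start <= r.seen_at < end and t is not None:
            db[r.source_ip][t] += 1
    return db


def threat_level(degree: int, times: int, threat_range: int) -> int:
    """Assumed preset rule (the patent leaves it unspecified): the degree is weighted
    by how often this source repeated the threat, plus how many sources show it."""
    return degree * times + threat_range


def score_sources(db):
    """Score each threat of a source from its level, then total the scores per source."""
    threat_range = Counter()        # threat type -> number of distinct sources
    for types in db.values():
        threat_range.update(types.keys())
    return {ip: sum(threat_level(DEGREE_TABLE[t], n, threat_range[t])
                    for t, n in types.items())
            for ip, types in db.items()}


def management_action(total: int, block_at: int = 10) -> str:
    """Stand-in for the network management subsystem's preset processing."""
    return "block" if total >= block_at else "watch"


T0 = datetime(2018, 1, 8)           # constructed sample reports, one-hour window from T0
SAMPLE_REPORTS = [
    Report("10.0.0.1", "sql_injection", None, T0 + timedelta(minutes=1)),
    Report("10.0.0.1", None, "sig-sqli-001", T0 + timedelta(minutes=2)),
    Report("10.0.0.1", "port_scan", None, T0 + timedelta(minutes=3)),
    Report("10.0.0.2", None, "sig-scan-002", T0 + timedelta(minutes=4)),
    Report("10.0.0.2", "not_a_real_type", None, T0 + timedelta(minutes=5)),  # not effective
    Report("10.0.0.3", "brute_force", None, T0 + timedelta(minutes=90)),     # outside window
]


def run_example():
    totals = score_sources(count_window(SAMPLE_REPORTS, T0, T0 + timedelta(hours=1)))
    return {ip: (total, management_action(total)) for ip, total in totals.items()}
```

Running `run_example()` yields `{'10.0.0.1': (14, 'block'), '10.0.0.2': (3, 'watch')}`: the repeated SQL injection dominates the first source's total, and the out-of-window and non-effective reports are excluded.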

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810014444.9A CN108243189B (en) 2018-01-08 2018-01-08 Network threat management method and device, computer equipment and storage medium
PCT/CN2018/077133 WO2019134224A1 (en) 2018-01-08 2018-02-24 Network threat management method and device, computer device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810014444.9A CN108243189B (en) 2018-01-08 2018-01-08 Network threat management method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN108243189A CN108243189A (en) 2018-07-03
CN108243189B true CN108243189B (en) 2020-08-18

Family

ID=62699438

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810014444.9A Active CN108243189B (en) 2018-01-08 2018-01-08 Network threat management method and device, computer equipment and storage medium

Country Status (2)

Country Link
CN (1) CN108243189B (en)
WO (1) WO2019134224A1 (en)


Also Published As

Publication number Publication date
CN108243189A (en) 2018-07-03
WO2019134224A1 (en) 2019-07-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant