CN108600212A - Method and device for judging the credibility of threat intelligence based on multi-dimensional credibility features


Publication number
CN108600212A
Authority
CN
China
Legal status
Pending
Application number
CN201810353320.3A
Other languages
Chinese (zh)
Inventor
李小勇
李蕾
高雅丽
李继蕊
苑洁
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Application filed by Beijing University of Posts and Telecommunications
Priority to CN201810353320.3A
Publication of CN108600212A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Abstract

Embodiments of the present invention provide a method and device for judging the credibility of threat intelligence based on multi-dimensional credibility features, including: obtaining threat intelligence to be detected; obtaining the corresponding verification threat intelligence set according to the category of the threat intelligence to be detected; calculating, according to a content verification consistency identification algorithm, the similarity value between the threat intelligence to be detected and the verification threat intelligence; comparing the similarity value with a preset threshold, and determining threat intelligence to be detected whose similarity value is greater than the threshold to be preliminarily credible threat intelligence; extracting the multi-dimensional credibility features of the preliminarily credible threat intelligence and building a multi-dimensional credibility feature vector; and inputting the multi-dimensional credibility feature vector into a deep belief network (DBN) discrimination model, which outputs a credibility discrimination result for the preliminarily credible threat intelligence. By judging the threat intelligence to be detected twice, once with the content verification consistency algorithm and once with the DBN discrimination model, the embodiments improve the accuracy of judging the threat intelligence to be detected.

Description

Method and device for judging the credibility of threat intelligence based on multi-dimensional credibility features
Technical field
The present invention relates to the technical field of network security, and in particular to a method and device for judging the credibility of threat intelligence based on multi-dimensional credibility features.
Background
Threat intelligence is evidence-based knowledge that describes threats, including threat-related context, the methods and mechanisms a threat uses, threat-related indicators, attack impact, and suggested response actions. Its purpose is to provide as many clues as possible for reconstructing attacks that have occurred and predicting attacks that have not, to understand as far as possible the attacker's motivation, tactics and methods, tools, resources and course of action, and to build an effective security defense system. Because threat intelligence is large in volume, highly repetitive and drawn from many sources, in practice misleading or confusing false intelligence may appear while it is collected, organized and used, so a method that can judge the credibility of threat intelligence is needed.
The known method for judging the credibility of threat intelligence is to build a blacklist library in which every entry is untrusted threat intelligence, and to compare the threat intelligence to be detected with the untrusted entries in that library in order to judge whether it is credible. Because this method is rather subjective and the untrusted threat intelligence stored in the blacklist library is not comprehensive, misjudgments and missed judgments occur, which lowers the accuracy of judging the threat intelligence to be detected.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a method and device for judging the credibility of threat intelligence based on multi-dimensional credibility features, so as to improve the accuracy of judging the threat intelligence to be detected. The specific technical solution is as follows:
In a first aspect, an embodiment of the present invention provides a method for judging the credibility of threat intelligence based on multi-dimensional credibility features, the method including:
Obtaining threat intelligence to be detected, where the content of the threat intelligence to be detected includes the intelligence source, the intelligence release time and the threat description information;
Obtaining the corresponding verification threat intelligence set according to the category of the threat intelligence to be detected, where the verification threat intelligence set includes multiple credible verification threat intelligence items;
Calculating, according to a content verification consistency identification algorithm, the similarity value between the threat intelligence to be detected and the verification threat intelligence;
Comparing the similarity value with a preset threshold, and determining threat intelligence to be detected whose similarity value is greater than the threshold to be preliminarily credible threat intelligence;
Extracting the multi-dimensional credibility features of the preliminarily credible threat intelligence, and building a multi-dimensional credibility feature vector;
Inputting the multi-dimensional credibility feature vector into a deep belief network (DBN) discrimination model, and outputting a credibility discrimination result for the preliminarily credible threat intelligence.
Optionally, the step of calculating, according to the content verification consistency identification algorithm, the similarity value between the threat intelligence to be detected and the verification threat intelligence includes:
Calculating the similarity value between the threat intelligence to be detected and the verification threat intelligence using the following formula:
$$S = \theta_1 \cdot S_{time} + \theta_2 \cdot S_{source} + (1 - \theta_1 - \theta_2) \cdot S_{desc}$$
where $S$ is the similarity value between the threat intelligence to be detected and the verification threat intelligence, $S_{time}$ is the similarity value of their release times, $S_{source}$ is the similarity value of their intelligence sources, $S_{desc}$ is the similarity value of their threat description information, and $\theta_1$, $\theta_2$ are weights set according to the category of the threat intelligence to be detected.
Optionally, the method further includes:
Training the DBN discrimination model with a threat intelligence sample set to obtain a new DBN discrimination model, where the threat intelligence sample set includes multiple threat intelligence items whose credibility is known.
Optionally, the step of training the DBN discrimination model with the threat intelligence sample set to obtain a new DBN discrimination model includes:
Dividing the threat intelligence sample set into a training threat intelligence sample set and a test threat intelligence sample set;
Extracting the multi-dimensional credibility feature set of the training threat intelligence sample set, and building a multi-dimensional credibility feature vector space;
Iteratively training the DBN discrimination model with the multi-dimensional credibility feature vector space until the DBN discrimination model converges, obtaining a new DBN discrimination model;
Testing and evaluating the accuracy of the new DBN discrimination model with the test threat intelligence sample set.
Optionally, the multi-dimensional credibility features include time dimension credibility features, content dimension credibility features and domain knowledge dimension credibility features.
In a second aspect, an embodiment of the present invention provides a device for judging the credibility of threat intelligence based on multi-dimensional credibility features, the device including:
A first acquisition module, for obtaining threat intelligence to be detected, where the content of the threat intelligence to be detected includes the intelligence source, the intelligence release time and the threat description information;
A second acquisition module, for obtaining the corresponding verification threat intelligence set according to the category of the threat intelligence to be detected, where the verification threat intelligence set includes multiple credible verification threat intelligence items;
A computing module, for calculating, according to a content verification consistency identification algorithm, the similarity value between the threat intelligence to be detected and the verification threat intelligence;
A determining module, for comparing the similarity value with a preset threshold and determining threat intelligence to be detected whose similarity value is greater than the threshold to be preliminarily credible threat intelligence;
An extraction module, for extracting the multi-dimensional credibility features of the preliminarily credible threat intelligence and building a multi-dimensional credibility feature vector;
An output module, for inputting the multi-dimensional credibility feature vector into a deep belief network (DBN) discrimination model and outputting a credibility discrimination result for the preliminarily credible threat intelligence.
Optionally, the computing module is specifically used to calculate the similarity value between the threat intelligence to be detected and the verification threat intelligence using the following formula:
$$S = \theta_1 \cdot S_{time} + \theta_2 \cdot S_{source} + (1 - \theta_1 - \theta_2) \cdot S_{desc}$$
where $S$ is the similarity value between the threat intelligence to be detected and the verification threat intelligence, $S_{time}$ is the similarity value of their release times, $S_{source}$ is the similarity value of their intelligence sources, $S_{desc}$ is the similarity value of their threat description information, and $\theta_1$, $\theta_2$ are weights set according to the category of the threat intelligence to be detected.
Optionally, the device further includes:
A training module, for training the DBN discrimination model with a threat intelligence sample set to obtain a new DBN discrimination model, where the threat intelligence sample set includes multiple threat intelligence items whose credibility is known.
Optionally, the training module includes:
A division submodule, for dividing the threat intelligence sample set into a training threat intelligence sample set and a test threat intelligence sample set;
An extraction submodule, for extracting the multi-dimensional credibility feature set of the training threat intelligence sample set and building a multi-dimensional credibility feature vector space;
A training submodule, for iteratively training the DBN discrimination model with the multi-dimensional credibility feature vector space until the DBN discrimination model converges, obtaining a new DBN discrimination model;
An evaluation submodule, for testing and evaluating the accuracy of the new DBN discrimination model with the test threat intelligence sample set.
Optionally, the multi-dimensional credibility features include time dimension credibility features, content dimension credibility features and domain knowledge dimension credibility features.
The method and device provided by the embodiments of the present invention can use the content verification consistency identification algorithm to preliminarily verify the credibility of the threat intelligence to be detected and screen out preliminarily credible threat intelligence from it, and then, based on the multi-dimensional credibility features extracted from that credible threat intelligence, use the newly built DBN discrimination model to judge its credibility further. Compared with the prior art, the embodiments extract the features of credible threat intelligence from multiple dimensions and judge the threat intelligence to be detected twice, with the content verification consistency algorithm and with the DBN discrimination model, which improves the accuracy of judging the threat intelligence to be detected. Of course, any product or method implementing the present invention does not necessarily need to achieve all of the above advantages at the same time.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for judging the credibility of threat intelligence based on multi-dimensional credibility features provided by an embodiment of the present invention;
Fig. 2 is a structural schematic diagram of a device for judging the credibility of threat intelligence based on multi-dimensional credibility features provided by an embodiment of the present invention;
Fig. 3 is a structural schematic diagram of an electronic device provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides a method for judging the credibility of threat intelligence based on multi-dimensional credibility features. As shown in Fig. 1, the method includes:
S101: obtain threat intelligence to be detected.
In practice, the server side can make use of the characteristics of threat intelligence to obtain threat intelligence to be detected from multiple sources, for example from threat intelligence sharing and exchange platforms, intelligence vendors and individual websites. The characteristics of threat intelligence referred to here are its large volume, high repetition rate, wide range of sources, diverse forms of presentation and shareability.
The content of the threat intelligence to be detected obtained by the server side includes the intelligence source, the intelligence release time and the threat description information. These three elements are used to represent different threat intelligence items: the intelligence source is where the threat intelligence to be detected comes from, that is, its origin or distribution channel; the intelligence release time is the time at which it was published; and the threat description information is the description of the threat it reports. The threat description information is represented with a bag-of-words model so that it can be expressed as a feature vector, which makes the description more direct and precise and makes it easier to analyze different threat intelligence items in a uniform way.
A bag-of-words model represents a text as an unordered set of words. It ignores elements such as grammar and word order and treats the text only as a collection of words, each of which occurs independently. An index is assigned to each word, and the text is finally represented as a vector.
S102: obtain the corresponding verification threat intelligence set according to the category of the threat intelligence to be detected.
In the embodiments of the present invention, each threat intelligence item to be detected has a corresponding verification threat intelligence set. After the threat intelligence to be detected is obtained, the verification threat intelligence set used to verify it can be taken from the sample library of the same category. The verification threat intelligence set includes multiple credible verification threat intelligence items, whose content includes the intelligence source, the intelligence release time and the threat description information, and which are stored on the server side in advance.
For example, when the threat intelligence to be detected falls into four categories, namely malicious IP threat intelligence, virus hash threat intelligence, malicious domain name threat intelligence and malicious website threat intelligence, the server side stores a corresponding verification threat intelligence sample library for each, and each library includes multiple credible verification threat intelligence items. The server side then stores four verification sample libraries: IP verification threat intelligence, hash verification threat intelligence, domain name verification threat intelligence and website verification threat intelligence. According to the category of the threat intelligence to be detected, the server side obtains the verification threat intelligence set from the verification sample library of the same category.
S103: calculate, according to the content verification consistency identification algorithm, the similarity value between the threat intelligence to be detected and the verification threat intelligence.
For example, let the threat intelligence to be detected obtained by the server side be $v_t$ and the corresponding verification threat intelligence set be $V = \{v_1, v_2, v_3, \ldots, v_i, \ldots, v_m\}$. Because the content of both the threat intelligence to be detected and the verification threat intelligence includes the intelligence source, the intelligence release time and the threat description information, the similarity value between them can be calculated with the following formula:
$$S = \theta_1 \cdot S_{time} + \theta_2 \cdot S_{source} + (1 - \theta_1 - \theta_2) \cdot S_{desc}$$
where $S$ is the similarity value between the threat intelligence to be detected and the verification threat intelligence, $S_{time}$ is the similarity value of their release times, $S_{source}$ is the similarity value of their intelligence sources, $S_{desc}$ is the similarity value of their threat description information, and $\theta_1$, $\theta_2$ are weights set according to the category of the threat intelligence to be detected. For example, when the threat intelligence to be detected is IP threat intelligence, $\theta_1$ can be set to 0.23 and $\theta_2$ to 0.28.
Specifically, the release-time similarity value $S_{time}$ between the threat intelligence to be detected and the verification threat intelligence can be calculated using the following formula:
where $t(v_t)$ is the release time of the threat intelligence to be detected and $t(v_i)$ is the release time of the verification threat intelligence.
Specifically, the source similarity value $S_{source}$ between the threat intelligence to be detected and the verification threat intelligence can be calculated using the following formula: $S_{source} = |Au(v_t) - Au(v_i)|$, where $Au(v_t)$ is the authority of the source of the threat intelligence to be detected and $Au(v_i)$ is the authority of the source of the verification threat intelligence. The authority of a source takes one of the following six values:
(1) when the source is unknown, the authority is 0;
(2) when the source is an independent source site, the authority is 0.2; an independent source site can be a blog, a forum or a personal website;
(3) when the source is a website and $0 \le r \le 10^6$, the authority is 0.4, where $r$ is the Alexa rank of the source; the Alexa rank is a worldwide ranking of websites whose main evaluation metric is site traffic;
(4) when the source is a website and $10^6 \le r \le 10^4$, the authority is 0.6;
(5) when the source is a website and $r > 10^4$, the authority is 0.8;
(6) when the source is a well-known organization or institution, the authority is 1; such an organization can be, for example, ThreatBook or Google.
The authority values can be stored on the server side as a table so that they can be looked up during the calculation.
Specifically, the threat-description similarity value $S_{desc}$ between the threat intelligence to be detected and the verification threat intelligence can be calculated using the following formula:
where $X_t$ is the threat description information of the threat intelligence to be detected, expressed as a vector, and $X_i$ is the threat description information of the verification threat intelligence, likewise expressed as a vector. In this formula the numerator $X_t \cdot X_i$ is the dot product of the two vectors and the denominator $|X_t| \times |X_i|$ is the product of their norms, so the result $S_{desc}$ is the cosine of the angle between $X_t$ and $X_i$. The closer the cosine is to 1, the closer the angle between the two vectors is to 0 degrees, that is, the more similar $X_t$ and $X_i$ are.
S104: compare the similarity value with the preset threshold, and determine threat intelligence to be detected whose similarity value is greater than the threshold to be preliminarily credible threat intelligence.
In practice, the similarity value between the threat intelligence to be detected and each verification threat intelligence item is compared with the preset threshold. If any similarity value is greater than the preset threshold, the threat intelligence to be detected is determined to be preliminarily credible threat intelligence. The preset threshold can be set according to the category of the threat intelligence to be detected, and the embodiments of the present invention do not limit it. For example, when the threat intelligence to be detected is IP threat intelligence, the threshold can be set to 0.64, at which the accuracy of verifying preliminary credibility is relatively high.
S105: extract the multi-dimensional credibility features of the preliminarily credible threat intelligence, and build a multi-dimensional credibility feature vector.
In the embodiments of the present invention, the multi-dimensional credibility features may include time dimension credibility features, content dimension credibility features and domain knowledge dimension credibility features.
For example, the time dimension credibility features may include key features of the preliminarily credible threat intelligence such as its latest release time, first appearance time, latest update interval, history update frequency and defense level. The history update frequency is the ratio of the accumulated update intervals of the preliminarily credible threat intelligence within two years to its number of updates.
The domain knowledge dimension features are extracted by parsing the preliminarily credible threat intelligence and counting the following items associated with it: communicating malicious samples, threat IPs, domain names, uniform resource locators (URLs), the number of domain knowledge characters, and the length of the whois (domain name query protocol) record. These six items are used as the domain knowledge dimension features.
The content dimension credibility features may include the authority of the source of the preliminarily credible threat intelligence, the number of verification threat intelligence items, the confidence probability and the verification attitude. The number of verification threat intelligence items is the number of all items in the verification threat intelligence set that corresponds to the preliminarily credible threat intelligence.
The confidence probability is the ratio of the number of verification threat intelligence items whose similarity value with the preliminarily credible threat intelligence is greater than the preset threshold to the number of all verification threat intelligence items. For example, if i verification items have a similarity value with the preliminarily credible threat intelligence greater than the preset threshold and the verification threat intelligence set contains m items in total, the confidence probability is i/m.
The verification attitude is either credible or not credible. When the number of verification threat intelligence items whose similarity value with the preliminarily credible threat intelligence is greater than the preset threshold is greater than or equal to the number of remaining items in the verification threat intelligence set, the verification attitude is credible and is represented by the number 1. When that number is less than the number of remaining items in the verification threat intelligence set, the verification attitude is not credible and is represented by the number 0.
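The consistency check of S103 and S104 and the content-dimension features derived from it (number of verification items, confidence probability i/m, verification attitude), as an added Python example that is not code from the patent. The record fields, the sample data and the `s_time` function are assumptions: the page's formula for the release-time similarity is not shown, so an exponential decay over the gap in days stands in for it, while the weights 0.23 and 0.28 and the threshold 0.64 are the page's values for IP threat intelligence.

```python
import math
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Intel:
    authority: float     # Au(v), taken from the source-authority table (0 .. 1)
    published: datetime  # t(v), release time
    desc: str            # threat description text


def bag_of_words(text, vocab):
    """Count vector over a fixed word index; grammar and word order are ignored."""
    words = text.lower().split()
    return [words.count(w) for w in vocab]


def s_desc(xt, xi):
    """Cosine of the description vectors: Xt.Xi / (|Xt| * |Xi|)."""
    dot = sum(a * b for a, b in zip(xt, xi))
    norm = math.sqrt(sum(a * a for a in xt)) * math.sqrt(sum(b * b for b in xi))
    return dot / norm if norm else 0.0


def s_source(vt, vi):
    """Implemented as the page states it: |Au(vt) - Au(vi)|."""
    return abs(vt.authority - vi.authority)


def s_time(vt, vi, scale_days=30.0):
    """ASSUMPTION: stand-in for the page's S_time formula, which is not shown.
    Returns 1.0 for identical release times and decays with the gap in days."""
    gap_days = abs((vt.published - vi.published).total_seconds()) / 86400.0
    return math.exp(-gap_days / scale_days)


def similarity(vt, vi, vocab, theta1, theta2):
    """S = theta1*S_time + theta2*S_source + (1 - theta1 - theta2)*S_desc."""
    xt, xi = bag_of_words(vt.desc, vocab), bag_of_words(vi.desc, vocab)
    return (theta1 * s_time(vt, vi) + theta2 * s_source(vt, vi)
            + (1 - theta1 - theta2) * s_desc(xt, xi))


def verify(vt, verification_set, theta1=0.23, theta2=0.28, threshold=0.64):
    """Run S103/S104 and derive the content-dimension features of S105."""
    if not verification_set:
        raise ValueError("verification set must not be empty")
    vocab = sorted({w for v in [vt, *verification_set] for w in v.desc.lower().split()})
    scores = [similarity(vt, vi, vocab, theta1, theta2) for vi in verification_set]
    m = len(scores)                           # number of verification items
    i = sum(s > threshold for s in scores)    # items that agree with vt
    return {
        "scores": scores,
        "preliminarily_credible": i > 0,      # any score above the threshold
        "verification_count": m,
        "confidence_probability": i / m,
        "attitude": 1 if i >= m - i else 0,   # 1 = credible, 0 = not credible
    }


# Constructed sample data (documentation-range IPs, invented descriptions).
VERIFICATION_SET = [
    Intel(1.0, datetime(2018, 3, 1), "192.0.2.10 botnet c2 ssh scanning"),
    Intel(0.8, datetime(2018, 2, 27), "192.0.2.10 ssh scanning botnet"),
    Intel(0.6, datetime(2017, 9, 1), "198.51.100.7 phishing kit hosting"),
]
CANDIDATE = Intel(0.6, datetime(2018, 3, 1), "192.0.2.10 botnet c2 ssh scanning")
UNRELATED = Intel(0.2, datetime(2016, 1, 1), "203.0.113.5 spam relay")

if __name__ == "__main__":
    for name, item in (("candidate", CANDIDATE), ("unrelated", UNRELATED)):
        result = verify(item, VERIFICATION_SET)
        print(name, [round(s, 3) for s in result["scores"]], result)
```

Because the source term is an absolute difference, two items from equally authoritative sources contribute nothing through $S_{source}$ and must pass the threshold on release time and description alone.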
In practice, the server side can extract the time dimension, content dimension and domain knowledge dimension credibility features of each preliminarily credible threat intelligence item and apply feature preprocessing to each of the three groups, obtaining a time dimension credibility feature vector, a content dimension credibility feature vector and a domain knowledge dimension credibility feature vector. Feature preprocessing refers to processing such as binarization or data normalization.
S106: input the multi-dimensional credibility feature vector into the deep belief network (DBN) discrimination model, and output a credibility discrimination result for the preliminarily credible threat intelligence.
A DBN discrimination model is a neural network structure learned by training multiple layers of restricted Boltzmann machines (RBMs). Imitating the multi-layer structure of the human brain, the model extracts features from the input data step by step from the bottom layer to the top layer, finally forming features well suited to pattern classification and thereby raising classification accuracy. That is, once the multi-dimensional credibility feature vector is input into the DBN discrimination model, the model can quickly and accurately output the credibility discrimination result for the preliminarily credible threat intelligence.
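How stacked RBMs extract features layer by layer from a credibility feature vector, as an added pure-Python example that is not the patent's implementation. It demonstrates the unsupervised, greedy layer-wise pre-training stage only, using one-step contrastive divergence, which is an assumption here because the page does not name the RBM training rule; the layer sizes, learning rate, epoch count and the eight-bit sample vectors are also assumptions.

```python
import math
import random


def sigmoid(x):
    """Numerically safe logistic function."""
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


class RBM:
    """Restricted Boltzmann machine trained with one-step contrastive divergence."""

    def __init__(self, n_visible, n_hidden, rng):
        self.rng = rng
        self.w = [[rng.gauss(0.0, 0.01) for _ in range(n_hidden)]
                  for _ in range(n_visible)]
        self.b_v = [0.0] * n_visible
        self.b_h = [0.0] * n_hidden

    def hidden_probs(self, v):
        return [sigmoid(b + sum(v[i] * self.w[i][j] for i in range(len(v))))
                for j, b in enumerate(self.b_h)]

    def visible_probs(self, h):
        return [sigmoid(b + sum(h[j] * self.w[i][j] for j in range(len(h))))
                for i, b in enumerate(self.b_v)]

    def cd1_update(self, v0, lr):
        h0 = self.hidden_probs(v0)
        h0_sample = [1.0 if self.rng.random() < p else 0.0 for p in h0]
        v1 = self.visible_probs(h0_sample)   # reconstruction of the input
        h1 = self.hidden_probs(v1)
        for i in range(len(v0)):
            for j in range(len(h0)):
                # positive phase minus negative phase
                self.w[i][j] += lr * (v0[i] * h0[j] - v1[i] * h1[j])
            self.b_v[i] += lr * (v0[i] - v1[i])
        for j in range(len(h0)):
            self.b_h[j] += lr * (h0[j] - h1[j])

    def reconstruction_error(self, data):
        """Mean squared error of the mean-field reconstruction over the data."""
        total = 0.0
        for v in data:
            r = self.visible_probs(self.hidden_probs(v))
            total += sum((a - b) ** 2 for a, b in zip(v, r)) / len(v)
        return total / len(data)


def pretrain_dbn(data, hidden_sizes, epochs=200, lr=0.1, seed=7):
    """Greedy layer-wise pre-training: each RBM learns from the layer below it.
    Returns the RBM stack and, per layer, (error before, error after) training."""
    rng = random.Random(seed)
    rbms, history, layer_input = [], [], data
    for n_hidden in hidden_sizes:
        rbm = RBM(len(layer_input[0]), n_hidden, rng)
        before = rbm.reconstruction_error(layer_input)
        for _ in range(epochs):
            for v in layer_input:
                rbm.cd1_update(v, lr)
        history.append((before, rbm.reconstruction_error(layer_input)))
        rbms.append(rbm)
        layer_input = [rbm.hidden_probs(v) for v in layer_input]  # feed upward
    return rbms, history


def dbn_features(rbms, v):
    """Propagate one feature vector bottom-up through the trained stack."""
    for rbm in rbms:
        v = rbm.hidden_probs(v)
    return v


# Constructed, binarized credibility feature vectors (values are invented).
SAMPLES = [
    [1, 1, 1, 1, 0, 0, 1, 0], [1, 1, 1, 0, 0, 0, 1, 0], [1, 1, 1, 1, 0, 0, 1, 1],
    [0, 0, 1, 0, 1, 1, 1, 0], [0, 1, 1, 0, 1, 1, 1, 0], [0, 0, 1, 0, 1, 0, 1, 0],
]

if __name__ == "__main__":
    stack, hist = pretrain_dbn(SAMPLES, [4, 2])
    print("reconstruction error per layer (before, after):", hist)
    for sample in SAMPLES:
        print(sample, [round(x, 3) for x in dbn_features(stack, sample)])
```

In a full discrimination model the top-level features would feed a supervised output layer during fine-tuning; that stage is outside this example.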
Threat information credibility method of discrimination provided in an embodiment of the present invention based on the credible feature of various dimensions, can pass through Content verification consistency recognizer carrys out the preliminary identification credibility to be detected for threatening information, and from threat information to be detected just Step filters out believable threat information, then according to the credible feature of various dimensions extracted from believable threat information, utilizes structure New DBN discrimination models further judge the credibility of believable threat information.Compared with prior art, the embodiment of the present invention is from multiple Dimension extracts the feature of believable threat information, and using content verification consistency algorithm and DBN discrimination models twice to be detected It threatens information to be judged, improves and judge the accuracy rate to be detected for threatening information.
As a kind of embodiment of the embodiment of the present invention, this method further includes:DBN is differentiated using information sample set is threatened Model is trained, and obtains new DBN discrimination models, wherein it includes multiple credible known threat feelings to threaten information sample set Report.
In practical applications, DBN discrimination models indicate that the credible of preliminary believable threat information differentiates knot in each output After fruit, the credibility of sorted preliminary believable threat information can be all marked, and stored into threat information sample set, Then according to the preset period, DBN discrimination models is trained using updated threat information sample set, obtain new DBN Discrimination model.
Specifically, the threat information sample set is first divided into a training threat information sample set and a test threat information sample set. The training threat information sample set is used to train the DBN discrimination model, and the test threat information sample set is used to test the accuracy of the DBN discrimination model obtained after training. The multi-dimensional credible feature set of the training threat information sample set is extracted, and the multi-dimensional credible feature vector space is obtained through feature preprocessing. The DBN discrimination model is then trained iteratively on the multi-dimensional credible feature vector space until it converges, yielding the new DBN discrimination model. The training process of the DBN discrimination model consists of pre-training and fine-tuning, implemented as follows:
In the pre-training process, the RBM in each layer is trained from the bottom up, layer by layer. First, the multi-dimensional credible feature vector space is used as the input vector of the visible layer of the first-layer RBM, and the weight parameters and biases of the first-layer RBM are trained. Then the output vector of the hidden layer of the first-layer RBM is used as the input vector of the visible layer of the second-layer RBM, and the weight parameters and biases of the second-layer RBM are trained, and so on until the weight parameters and biases of the last-layer RBM have been trained. The output vector of the hidden layer of the last-layer RBM is then used as the input vector of the final back-propagation (BP) network layer. In the fine-tuning process, the BP network is trained by supervised learning: the error between the output vector of the BP network and the input vector of the visible layer of the first-layer RBM is propagated backwards layer by layer to fine-tune the trained weights and biases until the DBN discrimination model converges. The output vector of the BP network is then used as the input vector of the top-level softmax classifier, which performs supervised classification, yielding the new DBN discrimination model. Finally, the accuracy of the new DBN discrimination model is evaluated using the test threat information set.
The convergence of the DBN discrimination model can be judged in two ways. In the first, the DBN discrimination model is considered to have converged, and training is complete, when the error between the output vector of the BP network and the input vector of the visible layer of the first-layer RBM is less than or equal to a preset error value. In the second, the DBN discrimination model is considered to have converged, and training is complete, when the number of training rounds reaches a preset number.
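Added example (not part of the patent text, and not the applicant's implementation): a standard-library Python sketch of the bottom-up, layer-by-layer RBM pre-training described above, with each layer stopping on either of the two rules (error at or below a preset value, or a preset number of training rounds). It covers pre-training only and omits BP fine-tuning and the softmax layer. Assumptions: one-step contrastive divergence as the RBM learning rule, reconstruction error as the per-layer error measure, and the constructed 6-feature binary vectors in `SAMPLES`.

```python
import math
import random


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class RBM:
    """Bernoulli RBM trained with one-step contrastive divergence (assumed rule)."""

    def __init__(self, n_visible, n_hidden, rng):
        self.rng = rng
        self.w = [[rng.gauss(0.0, 0.1) for _ in range(n_hidden)]
                  for _ in range(n_visible)]
        self.b_vis = [0.0] * n_visible
        self.b_hid = [0.0] * n_hidden

    def hidden_probs(self, v):
        return [sigmoid(self.b_hid[j] + sum(v[i] * self.w[i][j] for i in range(len(v))))
                for j in range(len(self.b_hid))]

    def visible_probs(self, h):
        return [sigmoid(self.b_vis[i] + sum(h[j] * self.w[i][j] for j in range(len(h))))
                for i in range(len(self.b_vis))]

    def train_epoch(self, data, lr):
        """One pass over the data; returns the mean squared reconstruction error."""
        total = 0.0
        for v0 in data:
            h0 = self.hidden_probs(v0)
            h0_sample = [1.0 if self.rng.random() < p else 0.0 for p in h0]
            v1 = self.visible_probs(h0_sample)   # reconstruction of the input
            h1 = self.hidden_probs(v1)
            for i in range(len(v0)):
                for j in range(len(h0)):
                    self.w[i][j] += lr * (v0[i] * h0[j] - v1[i] * h1[j])
                self.b_vis[i] += lr * (v0[i] - v1[i])
            for j in range(len(h0)):
                self.b_hid[j] += lr * (h0[j] - h1[j])
            total += sum((a - b) ** 2 for a, b in zip(v0, v1))
        return total / len(data)


def train_rbm(rbm, data, lr, max_epochs, max_error):
    """Stop when error <= max_error, or when max_epochs rounds have run."""
    if max_epochs < 1:
        raise ValueError("max_epochs must be at least 1")
    for epoch in range(1, max_epochs + 1):
        err = rbm.train_epoch(data, lr)
        if err <= max_error:
            return epoch, err, "error_threshold"
    return max_epochs, err, "max_epochs"


def pretrain_dbn(data, hidden_sizes, lr=0.1, max_epochs=50, max_error=0.05, seed=0):
    """Greedy pre-training: each RBM's hidden output feeds the next RBM's visible layer."""
    rng = random.Random(seed)
    layers, log, layer_input = [], [], data
    n_in = len(data[0])
    for n_hidden in hidden_sizes:
        rbm = RBM(n_in, n_hidden, rng)
        log.append(train_rbm(rbm, layer_input, lr, max_epochs, max_error))
        layer_input = [rbm.hidden_probs(v) for v in layer_input]
        layers.append(rbm)
        n_in = n_hidden
    # layer_input now holds the top hidden-layer output, i.e. the classifier input
    return layers, log, layer_input


# Constructed sample: binarized multi-dimensional credible feature vectors
# (the meaning of each of the 6 positions is hypothetical).
SAMPLES = [
    [1, 1, 1, 0, 1, 1], [1, 1, 0, 0, 1, 1], [1, 0, 1, 0, 1, 1], [1, 1, 1, 0, 0, 1],
    [0, 0, 0, 1, 0, 0], [0, 1, 0, 1, 0, 0], [0, 0, 1, 1, 0, 0], [0, 0, 0, 1, 1, 0],
]

if __name__ == "__main__":
    _, training_log, _ = pretrain_dbn(SAMPLES, [4, 3])
    for depth, (epochs, err, reason) in enumerate(training_log, start=1):
        print(f"RBM {depth}: stopped after {epochs} epochs ({reason}), error={err:.4f}")
```

The per-layer log records which rule ended training, which is worth keeping: a layer that always stops on the round count never met the error target.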
The threat information credibility discrimination method based on multi-dimensional credible features provided by the embodiment of the present invention can preliminarily identify the credibility of the threat information to be detected by means of the content verification consistency identification algorithm and preliminarily screen credible threat information out of the threat information to be detected, and then, according to the multi-dimensional credible features extracted from the credible threat information, further judge the credibility of the credible threat information using the constructed new DBN discrimination model. Compared with the prior art, the embodiment of the present invention extracts the features of the credible threat information from multiple dimensions and judges the threat information to be detected twice, once with the content verification consistency algorithm and once with the DBN discrimination model, which improves the accuracy of judging the threat information to be detected.
An embodiment of the present invention provides a threat information credibility discrimination device based on multi-dimensional credible features. As shown in Fig. 2, the device includes:
A first acquisition module 201, configured to obtain the threat information to be detected, where the content of the threat information to be detected includes the information source, the information issuing time and the threat description information.
A second acquisition module 202, configured to obtain the corresponding verification threat information set according to the category of the threat information to be detected, where the verification threat information set contains multiple pieces of credible verification threat information.
A computing module 203, configured to calculate, according to the content verification consistency identification algorithm, the similarity value between the threat information to be detected and the verification threat information.
A determining module 204, configured to compare the similarity value with a preset threshold, and to determine the threat information to be detected whose similarity value is greater than the threshold as preliminarily credible threat information.
An extraction module 205, configured to extract the multi-dimensional credible features of the preliminarily credible threat information and to build the multi-dimensional credible feature vector.
An output module 206, configured to input the multi-dimensional credible feature vector into the deep belief network (DBN) discrimination model and to output the credibility discrimination result for the preliminarily credible threat information.
The threat information credibility discrimination device based on multi-dimensional credible features provided by the embodiment of the present invention can preliminarily identify the credibility of the threat information to be detected by means of the content verification consistency identification algorithm and preliminarily screen credible threat information out of the threat information to be detected, and then, according to the multi-dimensional credible features extracted from the credible threat information, further judge the credibility of the credible threat information using the constructed new DBN discrimination model. Compared with the prior art, the embodiment of the present invention extracts the features of the credible threat information from multiple dimensions and judges the threat information to be detected twice, once with the content verification consistency algorithm and once with the DBN discrimination model, which improves the accuracy of judging the threat information to be detected.
As an implementation of the embodiment of the present invention, the above computing module 203 is specifically configured to calculate the similarity value between the threat information to be detected and the verification threat information using the following formula:
$$S = \theta_1 \cdot S_{time} + \theta_2 \cdot S_{source} + (1 - \theta_1 - \theta_2) \cdot S_{desc}$$
Here, $S$ is the similarity value between the threat information to be detected and the verification threat information, $S_{time}$ is the similarity value of the information issuing time between the threat information to be detected and the verification threat information, $S_{source}$ is the similarity value of the information source between the threat information to be detected and the verification threat information, $S_{desc}$ is the similarity value of the threat description information between the threat information to be detected and the verification threat information, and $\theta_1$, $\theta_2$ are weights set according to the category of the threat information to be detected.
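Added example (not part of the patent text, and not the applicant's implementation): a Python sketch of the weighted similarity S, the threshold screening step, and the 1/0 verification attitude rule described earlier in the description. Assumptions: the three component similarity functions (exponential time decay, exact source match, token Jaccard overlap), comparing the best match in the verification set with the threshold, the weights and threshold used, the weight-range check, the guard for an empty verification set, and all sample records, which are constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Intel:
    source: str          # information source
    published: datetime  # information issuing time
    description: str     # threat description information


def s_time(a, b, half_life_days=7.0):
    """ASSUMPTION: issuing-time similarity halves for every half_life_days of gap."""
    gap_days = abs((a.published - b.published).total_seconds()) / 86400.0
    return 0.5 ** (gap_days / half_life_days)


def s_source(a, b):
    """ASSUMPTION: source similarity is an exact match on the normalized name."""
    return 1.0 if a.source.strip().lower() == b.source.strip().lower() else 0.0


def s_desc(a, b):
    """ASSUMPTION: description similarity is Jaccard overlap of lower-cased tokens."""
    ta = set(a.description.lower().split())
    tb = set(b.description.lower().split())
    union = ta | tb
    return len(ta & tb) / len(union) if union else 0.0


def similarity(a, b, theta1, theta2):
    """S = theta1*S_time + theta2*S_source + (1 - theta1 - theta2)*S_desc."""
    # Added check: weights outside this range would let S leave [0, 1].
    if theta1 < 0 or theta2 < 0 or theta1 + theta2 > 1:
        raise ValueError("weights must be non-negative and sum to at most 1")
    return (theta1 * s_time(a, b) + theta2 * s_source(a, b)
            + (1 - theta1 - theta2) * s_desc(a, b))


def preliminarily_credible(candidate, verification_set, theta1, theta2, threshold):
    """ASSUMPTION: the best match in the verification set is compared with the threshold."""
    return any(similarity(candidate, v, theta1, theta2) > threshold
               for v in verification_set)


def verification_attitude(candidate, verification_set, theta1, theta2, threshold):
    """1 if items above the threshold are at least as many as the remaining items, else 0."""
    if not verification_set:
        # Added guard: with no verification items, 0 >= 0 would otherwise read as credible.
        return 0
    matches = sum(1 for v in verification_set
                  if similarity(candidate, v, theta1, theta2) > threshold)
    remaining = len(verification_set) - matches
    return 1 if matches >= remaining else 0


# Constructed sample records (not real intelligence).
VERIFIED = [
    Intel("cert-a", datetime(2018, 4, 1), "ransomware spreads via smb exploit"),
    Intel("vendor-b", datetime(2018, 4, 1), "ransomware spreads via smb exploit"),
    Intel("vendor-c", datetime(2018, 4, 8), "phishing campaign targets bank customers"),
]
CANDIDATE = Intel("CERT-A", datetime(2018, 4, 1), "Ransomware spreads via SMB exploit")
NOISE = Intel("unknown-forum", datetime(2018, 1, 1), "free gift cards click here")
THETA1, THETA2, THRESHOLD = 0.2, 0.3, 0.6  # hypothetical per-category settings

if __name__ == "__main__":
    for name, item in (("candidate", CANDIDATE), ("noise", NOISE)):
        scores = [round(similarity(item, v, THETA1, THETA2), 3) for v in VERIFIED]
        print(name, scores,
              preliminarily_credible(item, VERIFIED, THETA1, THETA2, THRESHOLD),
              verification_attitude(item, VERIFIED, THETA1, THETA2, THRESHOLD))
```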
As an implementation of the embodiment of the present invention, the device further includes: a training module, configured to train the DBN discrimination model with a threat information sample set to obtain a new DBN discrimination model, where the threat information sample set contains multiple pieces of threat information whose credibility is known.
As an implementation of the embodiment of the present invention, the above training module includes:
A division submodule, configured to divide the threat information sample set into a training threat information sample set and a test threat information sample set;
An extraction submodule, configured to extract the multi-dimensional credible feature set of the training threat information sample set and to build the multi-dimensional credible feature vector space;
A training submodule, configured to train the DBN discrimination model iteratively on the multi-dimensional credible feature vector space until the DBN discrimination model converges, obtaining the new DBN discrimination model;
An evaluation submodule, configured to evaluate the accuracy of the new DBN discrimination model using the test threat information set.
As an implementation of the embodiment of the present invention, the multi-dimensional credible features include time-dimension credible features, content-dimension credible features and domain-knowledge-dimension credible features.
The threat information credibility discrimination device based on multi-dimensional credible features provided by the embodiment of the present invention can preliminarily identify the credibility of the threat information to be detected by means of the content verification consistency identification algorithm and preliminarily screen credible threat information out of the threat information to be detected, and then, according to the multi-dimensional credible features extracted from the credible threat information, further judge the credibility of the credible threat information using the constructed new DBN discrimination model. Compared with the prior art, the embodiment of the present invention extracts the features of the credible threat information from multiple dimensions and judges the threat information to be detected twice, once with the content verification consistency algorithm and once with the DBN discrimination model, which improves the accuracy of judging the threat information to be detected.
The embodiment of the present invention further provides an electronic device which, as shown in Fig. 3, includes a processor 301, a communication interface 302, a memory 303 and a communication bus 304, where the processor 301, the communication interface 302 and the memory 303 communicate with one another through the communication bus 304.
The memory 303 is configured to store a computer program;
The processor 301 is configured to implement the following steps when executing the program stored in the memory 303:
Obtain the threat information to be detected, where the content of the threat information to be detected includes the information source, the information issuing time and the threat description information.
According to the category of the threat information to be detected, obtain the corresponding verification threat information set, where the verification threat information set contains multiple pieces of credible verification threat information.
According to the content verification consistency identification algorithm, calculate the similarity value between the threat information to be detected and the verification threat information.
Compare the similarity value with a preset threshold, and determine the threat information to be detected whose similarity value is greater than the threshold as preliminarily credible threat information.
Extract the multi-dimensional credible features of the preliminarily credible threat information, and build the multi-dimensional credible feature vector.
Input the multi-dimensional credible feature vector into the deep belief network (DBN) discrimination model, and output the credibility discrimination result for the preliminarily credible threat information.
In the embodiment of the present invention, the credibility of the threat information to be detected can be preliminarily identified by means of the content verification consistency identification algorithm, and credible threat information can be preliminarily screened out of the threat information to be detected; then, according to the multi-dimensional credible features extracted from the credible threat information, the credibility of the credible threat information is further judged using the constructed new DBN discrimination model. Compared with the prior art, the embodiment of the present invention extracts the features of the credible threat information from multiple dimensions and judges the threat information to be detected twice, once with the content verification consistency algorithm and once with the DBN discrimination model, which improves the accuracy of judging the threat information to be detected.
The communication bus mentioned for the above electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the above electronic device and other devices.
The memory may include random access memory (Random Access Memory, RAM), and may also include non-volatile memory (Non-Volatile Memory, NVM), for example at least one disk memory. Optionally, the memory may also be at least one storage device located away from the aforementioned processor.
The above processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP) and the like; it may also be a digital signal processor (Digital Signal Processing, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The method provided by the embodiment of the present invention can be applied to an electronic device. Specifically, the electronic device may be a desktop computer, a portable computer, an intelligent mobile terminal, a server, or the like. No limitation is imposed here; any electronic device that can implement the present invention falls within the scope of protection of the present invention.
For the device and electronic device embodiments, since they are substantially similar to the method embodiment, the description is relatively brief; for the relevant parts, refer to the description of the method embodiment.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any other variants are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a related manner; identical or similar parts of the embodiments can be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the system embodiment is substantially similar to the method embodiment, its description is relatively brief; for the relevant parts, refer to the description of the method embodiment.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention is included in the scope of protection of the present invention.

Claims (10)

1. A threat information credibility discrimination method based on multi-dimensional credible features, applied to a server, characterized in that the method comprises:
obtaining threat information to be detected, wherein the content of the threat information to be detected includes an information source, an information issuing time and threat description information;
according to the category of the threat information to be detected, obtaining a corresponding verification threat information set, wherein the verification threat information set contains multiple pieces of credible verification threat information;
according to a content verification consistency identification algorithm, calculating the similarity value between the threat information to be detected and the verification threat information;
comparing the similarity value with a preset threshold, and determining the threat information to be detected whose similarity value is greater than the threshold as preliminarily credible threat information;
extracting the multi-dimensional credible features of the preliminarily credible threat information, and building a multi-dimensional credible feature vector;
inputting the multi-dimensional credible feature vector into a deep belief network (DBN) discrimination model, and outputting the credibility discrimination result for the preliminarily credible threat information.
2. The method according to claim 1, characterized in that the step of calculating, according to the content verification consistency identification algorithm, the similarity value between the threat information to be detected and the verification threat information comprises:
calculating the similarity value between the threat information to be detected and the verification threat information using the following formula:
$$S = \theta_1 \cdot S_{time} + \theta_2 \cdot S_{source} + (1 - \theta_1 - \theta_2) \cdot S_{desc}$$
wherein $S$ is the similarity value between the threat information to be detected and the verification threat information, $S_{time}$ is the similarity value of the information issuing time between the threat information to be detected and the verification threat information, $S_{source}$ is the similarity value of the information source between the threat information to be detected and the verification threat information, $S_{desc}$ is the similarity value of the threat description information between the threat information to be detected and the verification threat information, and $\theta_1$, $\theta_2$ are weights set according to the category of the threat information to be detected.
3. The method according to claim 1, characterized in that the method further comprises:
training the DBN discrimination model with a threat information sample set to obtain a new DBN discrimination model, wherein the threat information sample set contains multiple pieces of threat information whose credibility is known.
4. The method according to claim 3, characterized in that the step of training the DBN discrimination model with the threat information sample set to obtain the new DBN discrimination model comprises:
dividing the threat information sample set into a training threat information sample set and a test threat information sample set;
extracting the multi-dimensional credible feature set of the training threat information sample set, and building a multi-dimensional credible feature vector space;
training the DBN discrimination model iteratively on the multi-dimensional credible feature vector space until the DBN discrimination model converges, obtaining the new DBN discrimination model;
evaluating the accuracy of the new DBN discrimination model using the test threat information set.
5. The method according to claim 1, characterized in that the multi-dimensional credible features include time-dimension credible features, content-dimension credible features and domain-knowledge-dimension credible features.
6. A threat information credibility discrimination device based on multi-dimensional credible features, applied to a server, characterized in that the device comprises:
a first acquisition module, configured to obtain threat information to be detected, wherein the content of the threat information to be detected includes an information source, an information issuing time and threat description information;
a second acquisition module, configured to obtain a corresponding verification threat information set according to the category of the threat information to be detected, wherein the verification threat information set contains multiple pieces of credible verification threat information;
a computing module, configured to calculate, according to a content verification consistency identification algorithm, the similarity value between the threat information to be detected and the verification threat information;
a determining module, configured to compare the similarity value with a preset threshold, and to determine the threat information to be detected whose similarity value is greater than the threshold as preliminarily credible threat information;
an extraction module, configured to extract the multi-dimensional credible features of the preliminarily credible threat information and to build a multi-dimensional credible feature vector;
an output module, configured to input the multi-dimensional credible feature vector into a deep belief network (DBN) discrimination model and to output the credibility discrimination result for the preliminarily credible threat information.
7. The device according to claim 6, characterized in that the computing module is specifically configured to calculate the similarity value between the threat information to be detected and the verification threat information using the following formula:
$$S = \theta_1 \cdot S_{time} + \theta_2 \cdot S_{source} + (1 - \theta_1 - \theta_2) \cdot S_{desc}$$
wherein $S$ is the similarity value between the threat information to be detected and the verification threat information, $S_{time}$ is the similarity value of the information issuing time between the threat information to be detected and the verification threat information, $S_{source}$ is the similarity value of the information source between the threat information to be detected and the verification threat information, $S_{desc}$ is the similarity value of the threat description information between the threat information to be detected and the verification threat information, and $\theta_1$, $\theta_2$ are weights set according to the category of the threat information to be detected.
8. The device according to claim 6, characterized in that the device further comprises:
a training module, configured to train the DBN discrimination model with a threat information sample set to obtain a new DBN discrimination model, wherein the threat information sample set contains multiple pieces of threat information whose credibility is known.
9. The device according to claim 8, characterized in that the training module comprises:
a division submodule, configured to divide the threat information sample set into a training threat information sample set and a test threat information sample set;
an extraction submodule, configured to extract the multi-dimensional credible feature set of the training threat information sample set and to build a multi-dimensional credible feature vector space;
a training submodule, configured to train the DBN discrimination model iteratively on the multi-dimensional credible feature vector space until the DBN discrimination model converges, obtaining the new DBN discrimination model;
an evaluation submodule, configured to evaluate the accuracy of the new DBN discrimination model using the test threat information set.
10. The device according to claim 6, characterized in that the multi-dimensional credible features include time-dimension credible features, content-dimension credible features and domain-knowledge-dimension credible features.
Application number: CN201810353320.3A. Priority date: 2018-04-19. Filing date: 2018-04-19. Title: Threat information credibility method of discrimination and device based on the credible feature of various dimensions. Status: Pending. Publication: CN108600212A (en).

Publications (1)

Publication Number | Publication Date
CN108600212A | 2018-09-28
CN105303179A (en) Fingerprint identification method and fingerprint identification device
CN111818198B (en) Domain name detection method, domain name detection device, equipment and medium
CN110135157A (en) Malware homology analysis method, system, electronic equipment and storage medium
CN107579821B (en) Method for generating password dictionary and computer-readable storage medium
Lin et al. Short-term forecasting of traffic volume: evaluating models based on multiple data sets and data diagnosis measures
CN111181922A (en) Fishing link detection method and system
CN109145544A (en) A kind of human-computer behavior detection system and method
CN109271762A (en) User authen method and device based on sliding block identifying code
Tan et al. LSTM-based anomaly detection for non-linear dynamical system
Nian et al. A deep learning‐based attack on text CAPTCHAs by using object detection techniques
CN112085091A (en) Artificial intelligence-based short text matching method, device, equipment and storage medium
CN114048480A (en) Vulnerability detection method, device, equipment and storage medium
CN109194627A (en) Cheat detection method, device, equipment and medium
CN103853701A (en) Neural-network-based self-learning semantic detection method and system
Ray et al. Prediction and Analysis of Sentiments of Reddit Users towards the Climate Change Crisis
Fanani et al. Two Stages Outlier Removal as Pre-processing Digitizer Data on Fine Motor Skills (FMS) Classification Using Covariance Estimator and Isolation Forest.
Mandelík et al. Application of neural network in order to recognise individuality of course of vehicle and pedestrian body contacts during accidents
Nogales et al. Real-time hand gesture recognition using knn-dtw and leap motion controller
CN108875374A (en) Malice PDF detection method and device based on document node type
Lorsung et al. PICL: Physics Informed Contrastive Learning for Partial Differential Equations

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180928