CN108763031A - Log-based threat intelligence detection method and device - Google Patents

Log-based threat intelligence detection method and device

Info

Publication number
CN108763031A
Authority
CN
China
Prior art keywords
file
types
ioc
target
threat
Prior art date
Legal status
Granted
Application number
CN201810306120.2A
Other languages
Chinese (zh)
Other versions
CN108763031B (en)
Inventor
白敏
高浩浩
李朋举
韩志立
汪列军
Current Assignee
Beijing Qianxin Technology Co Ltd
Original Assignee
Beijing Qianxin Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Qianxin Technology Co Ltd
Priority to CN201810306120.2A
Publication of CN108763031A
Application granted
Publication of CN108763031B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/32 Monitoring with visual or acoustical indication of the functioning of the machine
    • G06F11/324 Display of status information
    • G06F11/327 Alarm or error message display
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Abstract

An embodiment of the invention discloses a log-based threat intelligence detection method and device. The method includes: obtaining log files of different file types, parsing the log files, matching them against different threat indicator (IOC) types, and adding the parsed files of the different IOC types to a detection-alarm queue; obtaining a target parsed file from the detection-alarm queue and determining the corresponding target query mode according to the IOC type of the target parsed file; and, if querying the target parsed file in the target query mode finds threat intelligence, generating threat alarm information, for example for a compromised host or a malicious file. By parsing log files of different file types and querying the target parsed file with the query mode of the corresponding compromise detection, large volumes of data can be processed at the same time, which greatly improves the efficiency of network security detection over massive data.

Description

Log-based threat intelligence detection method and device
Technical field
Embodiments of the present invention relate to the technical field of network security, and in particular to a log-based threat intelligence detection method and device.
Background art
With the rapid development of computer technology and network applications, the volume of network information data keeps growing, and the security of massive data becomes more and more important. The many applications of today's society, such as networks, mobile communications, network video and audio, e-commerce, sensor networks and scientific experiments, tend to generate massive data on the order of millions, hundreds of millions, or even billions or tens of billions of records. Such massive data must be detected to ensure network security and thereby the safe operation of the network.
The prior art mainly uses a conventional log detection mode for a single log type, which can cope with a network whose data volume is small; for a massive-data network, however, the efficiency of this detection mode clearly cannot meet the requirements, so that network operation speed is greatly reduced while the coverage of data security detection remains small.
In the course of implementing the embodiments of the present invention, the inventors found that the detection efficiency of existing methods for network security detection over massive data is too low.
Summary of the invention
Since existing methods have the above problems, the embodiments of the present invention propose a log-based threat intelligence detection method and device.
In a first aspect, an embodiment of the present invention proposes a log-based threat intelligence detection method, including:
obtaining log files of different file types, parsing the log files, matching them against different threat indicator (IOC) types to obtain parsed files, and adding the parsed files to a detection-alarm queue;
obtaining a target parsed file from the detection-alarm queue, and determining the target query mode of the corresponding compromise detection according to the IOC type of the target parsed file;
if querying the target parsed file in the target query mode finds threat intelligence, generating threat alarm information.
Optionally, parsing the log files to obtain parsed files of different threat indicator (IOC) types specifically includes:
parsing the log files, determining the IOC type of each log file in primary-key mode, and detecting malicious domain names, IPs or malicious files in the log files to obtain parsed files of different IOC types.
Optionally, generating threat alarm information if querying the target parsed file in the target query mode finds threat intelligence specifically includes:
performing a batch query on the target parsed file in the target query mode;
if the query finds threat intelligence in the target parsed file, generating threat alarm information.
Optionally, after obtaining log files of different file types, parsing the log files to obtain parsed files of different threat indicator (IOC) types, and adding the parsed files of the different IOC types to the detection-alarm queue, the method further includes:
if the data volume of the parsed files of the different IOC types exceeds a threshold, temporarily storing the parsed files of the different IOC types in a database.
Optionally, before generating threat alarm information if querying the target parsed file in the target query mode finds threat intelligence, the method further includes:
if an exception occurs while querying the target parsed file in the target query mode, saving the value that caused the exception to an exception queue.
Optionally, the method further includes:
determining the corresponding display type according to the type of the threat alarm information, sending the threat alarm information to a display for display according to the display type, generating an alarm log according to the threat alarm information, and storing the threat alarm information and the alarm log.
In a second aspect, an embodiment of the present invention also proposes a log-based threat intelligence detection device, including:
a file parsing module, configured to obtain log files of different file types, parse the log files, match them against different threat indicator (IOC) types to obtain parsed files, and add the parsed files to a detection-alarm queue;
a corresponding query module, configured to obtain a target parsed file from the detection-alarm queue and determine the target query mode of the corresponding compromise detection according to the IOC type of the target parsed file;
a threat alarm module, configured to generate threat alarm information if querying the target parsed file in the target query mode finds threat intelligence.
Optionally, the file parsing module is specifically configured to parse the log files, determine the IOC type of each log file in primary-key mode, and detect malicious domain names, IPs or malicious files in the log files to obtain parsed files of different IOC types.
Optionally, the threat alarm module is specifically configured to:
perform a batch query on the target parsed file in the target query mode;
if the query finds threat intelligence in the target parsed file, generate threat alarm information.
Optionally, the device further includes:
a file temporary storage module, configured to temporarily store the parsed files of the different IOC types in a database if their data volume exceeds a threshold.
Optionally, the device further includes:
an exception saving module, configured to save the value that caused an exception to an exception queue if an exception occurs while querying the target parsed file in the target query mode.
Optionally, the device further includes:
an alarm display module, configured to determine the corresponding display type according to the type of the threat alarm information, send the threat alarm information to a display for display according to the display type, generate an alarm log according to the threat alarm information, and store the threat alarm information and the alarm log.
In a third aspect, an embodiment of the present invention also proposes an electronic device, including:
at least one processor; and
at least one memory communicatively connected to the processor, wherein:
the memory stores program instructions executable by the processor, and the processor calls the program instructions to perform the above method.
In a fourth aspect, an embodiment of the present invention also proposes a non-transitory computer-readable storage medium storing a computer program, the computer program causing a computer to perform the above method.
As can be seen from the above technical solution, the embodiments of the present invention parse log files of different file types and query the target parsed file with the query mode of the corresponding compromise detection, so that large volumes of data can be processed simultaneously, which greatly improves the efficiency of network security detection over massive data.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a log-based threat intelligence detection method provided by one embodiment of the invention;
Fig. 2 is a flow diagram of a compromise detection method provided by one embodiment of the invention;
Fig. 3 is a schematic diagram of the results of a log-based threat intelligence detection method provided by one embodiment of the invention;
Fig. 4 is a schematic diagram of the results of a log-based threat intelligence detection method provided by another embodiment of the invention;
Fig. 5 is a structural diagram of a log-based threat intelligence detection device provided by one embodiment of the invention;
Fig. 6 is a logic diagram of an electronic device provided by one embodiment of the invention.
Detailed description
The specific embodiments of the present invention are further described below with reference to the drawings. The following embodiments are only used to illustrate the technical solution of the present invention more clearly and do not limit its scope of protection.
Fig. 1 shows a flow diagram of the log-based threat intelligence detection method provided by this embodiment, which includes:
S101: obtaining log files of different file types, parsing the log files, matching them against different threat indicator (IOC) types to obtain parsed files, and adding the parsed files to a detection-alarm queue.
The file type of a log file may cover several file modes, such as file mode, logstash mode or API mode; specific file types may include logs such as JSON, Syslog, Netflow, DNS and HTTP traffic, as well as the log records of a SIEM system. Obtaining log files of different file types makes it convenient to aggregate and parse all kinds of logs, so that log formats of different types are compatible and parsed to the greatest possible extent, which facilitates subsequent detection and matching.
The detection-alarm queue is a queue that stores the parsed files of the different IOC types for the subsequent compromise detection.
S102: obtaining a target parsed file from the detection-alarm queue, and determining the target query mode of the corresponding compromise detection according to the IOC type of the target parsed file.
The query modes of compromise detection include cc (command-and-control server) queries, sinkhole queries and dga (DNS domain names generated by a specific algorithm) queries.
S103: if querying the target parsed file in the target query mode finds threat intelligence, generating threat alarm information.
Specifically, as shown in Fig. 2, after data is obtained from the detection-alarm queue, the corresponding database is queried by cc, sinkhole or dga lookup and it is judged whether the query succeeds; if the query succeeds, threat alarm information is generated, otherwise the failed field is saved.
Overall, this embodiment is divided into four parts: log receiving, log parsing, detection and alarm, and log alerting. With these four parts, and unlike common log detection modes, it can receive many types of log format and performs well in processing; through the four major log processing flows it effectively combines threat intelligence to match logs precisely.
By parsing log files of different file types and querying the target parsed file with the query mode of the corresponding compromise detection, this embodiment can process large volumes of data simultaneously, which greatly improves the efficiency of network security detection over massive data.
Further, on the basis of the above method embodiment, parsing the log files in S101 to obtain parsed files of different threat indicator (IOC) types specifically includes:
parsing the log files, determining the IOC type of each log file in primary-key mode, and detecting malicious domain names, IPs or malicious files in the log files to obtain parsed files of different IOC types.
Specifically, all kinds of log formats are detected and processed by two main module engines; through the primary-key mode and the IOCs (Indicators of Compromise, threat indicators) in the threat intelligence, malicious domain names, IPs or malicious files are detected, and detail information is provided for attack tracing. As shown in Figs. 3 and 4, with multiple types of threat intelligence, all kinds of logs in the live network (such as logs, traffic logs and file transfer logs) can be effectively detected and traced.
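The parsing step described above (S101 and its elaboration) amounts to normalising records of several log formats and keying every extracted indicator by its IOC type before it is queued for detection. The Python below is an added example written for this page, not code from the patent or from the assignee's implementation; the sample log lines, the regular expressions, the loopback/link-local filter and the queue entry layout are all constructed assumptions, and the real system's two module engines and primary-key scheme are not reproduced.

```python
import ipaddress
import json
import re
from collections import deque
from urllib.parse import urlparse

SHA1_A = "a" * 40
MD5_B = "b" * 32

# Constructed sample records in three of the formats the description names
# (a JSON record, a Syslog-style proxy line, a DNS query line) plus a line
# with nothing to extract. None of this is real telemetry.
SAMPLE_LOGS = [
    f'{{"src_ip": "10.0.0.5", "domain": "update.bad-cdn.test", "sha1": "{SHA1_A}"}}',
    f"Apr  6 12:00:01 gw1 proxy: client=10.0.0.7 dst=10.9.9.9 url=http://dl.mirror.test/x.bin md5={MD5_B}",
    "2018-04-06T12:00:02 dns query from 10.0.0.9 for rwjx7qkd.dyn.test",
    "Apr  6 12:00:03 gw1 sshd: session opened for user ops",
]

HASH_RE = re.compile(r"\b(?:[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def tokens(raw):
    """Split one raw record into the strings to inspect: a JSON object yields
    its values, anything else is scanned as a single line of text."""
    raw = raw.strip()
    if raw.startswith("{"):
        try:
            rec = json.loads(raw)
        except ValueError:
            rec = None  # malformed JSON: fall back to free-text scanning
        if isinstance(rec, dict):
            return [str(v) for v in rec.values()]
    return [raw]


def classify(token):
    """Yield (ioc_type, value) pairs found in one token. The IOC type is the
    key under which the entry is later queried: sha1/md5 go to file
    reputation, domain/ip go to compromise detection."""
    for h in HASH_RE.findall(token):
        yield ("sha1" if len(h) == 40 else "md5", h.lower())
    for ip in IPV4_RE.findall(token):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # 999.1.2.3 matches the regex but is not an address
        if addr.is_loopback or addr.is_link_local or addr.is_multicast:
            continue  # never worth a reputation lookup
        yield ("ip", str(addr))
    for url in URL_RE.findall(token):
        host = urlparse(url).hostname
        if host and not IPV4_RE.fullmatch(host):
            yield ("domain", host.lower())  # IP hosts were already taken above
    for dom in DOMAIN_RE.findall(URL_RE.sub(" ", token)):
        yield ("domain", dom.lower())  # bare domains outside any URL


def parse_logs(lines, queue=None):
    """Parse mixed-format records, classify each indicator by IOC type and
    push one parsed entry per distinct indicator onto the detection queue.
    Returns (indicators grouped by IOC type, the queue)."""
    queue = deque() if queue is None else queue
    seen = set()
    by_type = {}
    for raw in lines:
        for token in tokens(raw):
            for ioc_type, value in classify(token):
                if (ioc_type, value) in seen:
                    continue  # one lookup per indicator, however often it is logged
                seen.add((ioc_type, value))
                by_type.setdefault(ioc_type, []).append(value)
                queue.append({"ioc_type": ioc_type, "value": value, "source": raw[:80]})
    return by_type, queue


if __name__ == "__main__":
    grouped, q = parse_logs(SAMPLE_LOGS)
    for ioc_type, values in grouped.items():
        print(ioc_type, values)
    print(len(q), "entries queued")
```

Deduplicating on (IOC type, value) before queueing is what keeps the later batch lookups proportional to the number of distinct indicators rather than to the raw log volume; the `source` excerpt is carried along so that an alarm can still be traced back to the record that produced it.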
This embodiment provides an efficient log storage and alarm detection mechanism: by matching against massive intelligence, it can use all kinds of intelligence for precise detection and alarm even with a large log volume and heterogeneous data sources; at the same time, using effective means of log analysis combined with threat intelligence sources, it efficiently discovers abnormal attacks and provides tracing.
Further, on the basis of the above method embodiment, S103 specifically includes:
S1031: performing a batch query on the target parsed file in the target query mode.
S1032: if the query finds threat intelligence in the target parsed file, generating threat alarm information.
Specifically, compromise detection is the core of this embodiment: it matches threat intelligence against the original logs to check for compromised hosts and abnormal-behaviour logs. The detailed process is shown in Fig. 2: first, data is obtained from the detection-alarm queue and batch cc, dga and sinkhole queries are performed respectively (kc mode); then the host, ip, sha1 and MD5 values are obtained from the parsed list and queried against kc or kt in batches of 1000; then the process check_compromise.py is launched, which uses the functions check_cc, check_dga, check_sinkhole and construct_alert_info to assemble the alarm information into a structure that is sent to the corresponding alarm module through a socket.
Compromise detection can efficiently detect malicious domain names, malicious IPs, malicious files and the like; by matching common network logs, traffic logs and behaviour logs against effective IOC intelligence, deliberate threats can be precisely discovered, tracked and traced.
Further, on the basis of the above method embodiment, after S101 the method further includes:
S1012: if the data volume of the parsed files of the different IOC types exceeds a threshold, temporarily storing the parsed files of the different IOC types in a database.
Specifically, different data sources are received and parsed by Logstash, and logs with a large data volume are temporarily stored in a cache queue so that the computer can read and process them from the temporary database. To prevent stored data from occupying too much memory when the log flow is too large, logs can be temporarily stored in the kc library; after the query and the assembly of the alarm fields, the alarm is generated and the queried information is deleted from the kc library.
Further, on the basis of the above method embodiment, before S103 the method further includes:
S1023: if an exception occurs while querying the target parsed file in the target query mode, saving the value that caused the exception to an exception queue.
Specifically, when an abnormal file propagates or appears in the user network, the malicious sample must be found in time, an alarm generated and the details of the malicious sample provided. Data can be obtained from the file reputation detection queue and a batch file reputation query performed (kt mode); this is executed by the key process check_filerepputation.py, which uses the functions check_info and construct_alert_info to assemble the alarm information into a structure that is sent to the corresponding alarm module through a socket. When a query raises an exception, the list of keys that caused the exception is saved; if the queue is empty, the process is allowed to sleep.
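The compromise detection of S1031 and S1032 and the exception queue of S1023 describe one worker: drain the detection queue in batches, choose the lookups from the entry's IOC type, assemble an alarm structure on a hit, and park anything whose lookup raised so that it is neither dropped nor allowed to abort the batch. The Python below is an added example, not the patent's check_compromise.py or check_filerepputation.py; it reuses the function names the description gives (check_cc, check_dga, check_sinkhole, check_info, construct_alert_info), but their bodies, the in-memory dictionaries standing in for the kc and kt stores, the strict key check in `_lookup`, the alarm field names and the sample queue are all constructed here.

```python
from collections import deque

BATCH_SIZE = 1000  # the description queries kc/kt in batches of 1000

# Constructed stand-ins for the kc (compromise) and kt (file reputation)
# stores. Plain dicts here; none of the entries is real intelligence.
CC_DOMAINS = {"update.bad-cdn.test": "constructed-campaign-A"}
CC_IPS = {"10.9.9.9": "constructed-campaign-A"}
SINKHOLE_IPS = {"10.8.8.8": "constructed-sinkhole-operator"}
DGA_DOMAINS = {"rwjx7qkd.dyn.test": "constructed-dga-family"}
FILE_REPUTATION = {"a" * 40: "malicious", "b" * 32: "clean"}


def _lookup(table, key):
    """Key-value lookup with the failure mode a real backend has: a key the
    store cannot accept raises instead of silently returning nothing."""
    if not isinstance(key, str) or not key:
        raise ValueError(f"unusable lookup key: {key!r}")
    return table.get(key)


def check_cc(entry):
    table = CC_DOMAINS if entry["ioc_type"] == "domain" else CC_IPS
    hit = _lookup(table, entry["value"])
    return ("cc", hit) if hit else None


def check_sinkhole(entry):
    hit = _lookup(SINKHOLE_IPS, entry["value"])
    return ("sinkhole", hit) if hit else None


def check_dga(entry):
    hit = _lookup(DGA_DOMAINS, entry["value"])
    return ("dga", hit) if hit else None


def check_info(entry):
    verdict = _lookup(FILE_REPUTATION, entry["value"])
    return ("file_reputation", verdict) if verdict == "malicious" else None


# The target query mode is chosen from the IOC type; the checks for that
# type are tried in order until one hits.
QUERY_MODES = {
    "domain": (check_cc, check_dga),
    "ip": (check_cc, check_sinkhole),
    "sha1": (check_info,),
    "md5": (check_info,),
}


def construct_alert_info(entry, alert_type, detail):
    """Assemble the alarm structure handed to the alarm module."""
    return {
        "alert_type": alert_type,
        "ioc_type": entry["ioc_type"],
        "ioc": entry["value"],
        "detail": detail,
        "source": entry.get("source"),
    }


def batch_query(entries, batch_size=BATCH_SIZE):
    """Run compromise / file-reputation detection over queue entries in
    batches. Returns (alerts, failed): entries whose lookup raised, or whose
    IOC type has no query mode, go to the failed queue for a later retry."""
    entries = list(entries)
    alerts, failed = [], deque()
    for start in range(0, len(entries), batch_size):
        for entry in entries[start:start + batch_size]:
            checks = QUERY_MODES.get(entry.get("ioc_type"))
            if checks is None:
                failed.append({**entry, "error": "no query mode for IOC type"})
                continue
            try:
                for check in checks:
                    result = check(entry)
                    if result:
                        alerts.append(construct_alert_info(entry, *result))
                        break
            except Exception as exc:  # keep the key, keep processing the batch
                failed.append({**entry, "error": repr(exc)})
    return alerts, failed


# Constructed queue contents: two hits per query mode, two clean entries,
# one entry with an unusable key and one with an IOC type nobody handles.
SAMPLE_QUEUE = [
    {"ioc_type": "domain", "value": "update.bad-cdn.test", "source": "json"},
    {"ioc_type": "domain", "value": "rwjx7qkd.dyn.test", "source": "dns"},
    {"ioc_type": "domain", "value": "dl.mirror.test", "source": "proxy"},
    {"ioc_type": "ip", "value": "10.9.9.9", "source": "proxy"},
    {"ioc_type": "ip", "value": "10.8.8.8", "source": "netflow"},
    {"ioc_type": "sha1", "value": "a" * 40, "source": "json"},
    {"ioc_type": "md5", "value": "b" * 32, "source": "proxy"},
    {"ioc_type": "ip", "value": None, "source": "broken-record"},
    {"ioc_type": "url", "value": "http://x.test/", "source": "unknown-type"},
]

if __name__ == "__main__":
    found, parked = batch_query(SAMPLE_QUEUE)
    for alert in found:
        print(alert)
    print(len(parked), "entries parked for retry:", [p["error"] for p in parked])
```

Sending the structure over a socket and sleeping when the queue is empty are left to the caller. The point of the `failed` queue is that a backend error lands there with the offending key and the error text attached, so the keys can be retried once the store is healthy, while the rest of the batch still completes; a `try` around the whole batch would lose every other entry to one bad key.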
Further, on the basis of the above method embodiment, the method further includes:
S104: determining the corresponding display type according to the type of the threat alarm information, sending the threat alarm information to a display for display according to the display type, generating an alarm log according to the threat alarm information, and storing the threat alarm information and the alarm log.
Specifically, the threat alarm information obtained by match detection against threat intelligence is displayed as an alarm at the front end, and the original field log is written to the database. For alarms matched by different intelligence types, the designed alarm field details differ slightly, so that the user can review them conveniently.
Specifically, the process log_parse.py can receive logs through the function recv_log, parse logs through the function parse_log, and write logs to the kc engine for caching through the function write_kc.
This embodiment does not store the original logs for the time being; by receiving a large number of alarm logs, it stores and displays the malicious threat alarms produced by detection as original alarms.
Fig. 5 shows a structural diagram of the log-based threat intelligence detection device provided by this embodiment. The device includes a file parsing module 501, a corresponding query module 502 and a threat alarm module 503, wherein:
the file parsing module 501 is configured to obtain log files of different file types, parse the log files, match them against different threat indicator (IOC) types to obtain parsed files, and add the parsed files to a detection-alarm queue;
the corresponding query module 502 is configured to obtain a target parsed file from the detection-alarm queue and determine the target query mode of the corresponding compromise detection according to the IOC type of the target parsed file;
the threat alarm module 503 is configured to generate threat alarm information if querying the target parsed file in the target query mode finds threat intelligence.
Specifically, the file parsing module 501 obtains log files of different file types, parses them, matches them against different threat indicator (IOC) types to obtain parsed files, and adds the parsed files to the detection-alarm queue; the corresponding query module 502 obtains a target parsed file from the detection-alarm queue and determines the target query mode of the corresponding compromise detection according to the IOC type of the target parsed file; and the threat alarm module 503 generates threat alarm information if querying the target parsed file in the target query mode finds threat intelligence.
By parsing log files of different file types and querying the target parsed file with the query mode of the corresponding compromise detection, this embodiment can process large volumes of data simultaneously, which greatly improves the efficiency of network security detection over massive data.
Further, on the basis of the above device embodiment, the file parsing module 501 is specifically configured to parse the log files, determine the IOC type of each log file in primary-key mode, and detect malicious domain names, IPs or malicious files in the log files to obtain parsed files of different IOC types.
Further, on the basis of the above device embodiment, the threat alarm module 503 is specifically configured to:
perform a batch query on the target parsed file in the target query mode;
if the query finds threat intelligence in the target parsed file, generate threat alarm information.
Further, on the basis of the above device embodiment, the device further includes:
a file temporary storage module, configured to temporarily store the parsed files of the different IOC types in a database if their data volume exceeds a threshold.
Further, on the basis of the above device embodiment, the device further includes:
an exception saving module, configured to save the value that caused an exception to an exception queue if an exception occurs while querying the target parsed file in the target query mode.
Further, on the basis of the above device embodiment, the device further includes:
an alarm display module, configured to determine the corresponding display type according to the type of the threat alarm information, send the threat alarm information to a display for display according to the display type, generate an alarm log according to the threat alarm information, and store the threat alarm information and the alarm log.
The log-based threat intelligence detection device described in this embodiment can be used to execute the above method embodiments; its principle and technical effect are similar and are not described again here.
Referring to Fig. 6, the electronic device includes a processor 601, a memory 602 and a bus 603;
wherein,
the processor 601 and the memory 602 communicate with each other through the bus 603;
the processor 601 is configured to call the program instructions in the memory 602 to execute the method provided by each of the above method embodiments.
This embodiment discloses a computer program product including a computer program stored on a non-transitory computer-readable storage medium; the computer program includes program instructions which, when executed by a computer, enable the computer to execute the method provided by each of the above method embodiments.
This embodiment provides a non-transitory computer-readable storage medium storing computer instructions, the computer instructions causing the computer to execute the method provided by each of the above method embodiments.
The device embodiments described above are merely exemplary: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus the necessary general hardware platform, or of course by hardware. Based on this understanding, the above technical solution, or the part of it that contributes to the prior art, can essentially be embodied in the form of a software product; the computer software product can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment or in certain parts of the embodiments.
It should be noted that the above embodiments are only used to illustrate the technical solution of the present invention, not to limit it. Although the invention has been explained in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (14)

1. A log-based threat intelligence detection method, characterized in that it comprises:
obtaining log files of different file types, parsing the log files, matching them against different threat indicator (IOC) types to obtain parsed files, and adding the parsed files to a detection-alarm queue;
obtaining a target parsed file from the detection-alarm queue, and determining the target query mode of the corresponding compromise detection according to the IOC type of the target parsed file;
if querying the target parsed file in the target query mode finds threat intelligence, generating threat alarm information.
2. The method according to claim 1, characterized in that parsing the log files to obtain parsed files of different threat indicator (IOC) types specifically comprises:
parsing the log files, determining the IOC type of each log file in primary-key mode, and detecting malicious domain names, IPs or malicious files in the log files to obtain parsed files of different IOC types.
3. The method according to claim 1, characterized in that generating threat alarm information if querying the target parsed file in the target query mode finds threat intelligence specifically comprises:
performing a batch query on the target parsed file in the target query mode;
if the query finds threat intelligence in the target parsed file, generating threat alarm information.
4. The method according to claim 1, characterized in that, after obtaining log files of different file types, parsing the log files to obtain parsed files of different threat indicator (IOC) types, and adding the parsed files of the different IOC types to the detection-alarm queue, the method further comprises:
if the data volume of the parsed files of the different IOC types exceeds a threshold, temporarily storing the parsed files of the different IOC types in a database.
5. The method according to claim 1, characterized in that, before generating threat alarm information if querying the target parsed file in the target query mode finds threat intelligence, the method further comprises:
if an exception occurs while querying the target parsed file in the target query mode, saving the value that caused the exception to an exception queue.
6. The method according to any one of claims 1 to 5, characterized in that the method further comprises:
determining the corresponding display type according to the type of the threat alarm information, sending the threat alarm information to a display for display according to the display type, generating an alarm log according to the threat alarm information, and storing the threat alarm information and the alarm log.
7. A log-based threat intelligence detection device, comprising:
a file parsing module, configured to obtain log files of different file types, parse the log files, match different threat indicator (IOC) types, obtain parsed files, and add the parsed files to a detection-alert queue;
a corresponding query module, configured to obtain a target parsed file from the detection-alert queue and to determine, according to the IOC type of the target parsed file, the corresponding compromise-detection target query mode;
a threat alert module, configured to generate threat alert information if the query according to the target query mode finds that threat intelligence is present in the target parsed file.
8. The device according to claim 7, wherein the file parsing module is specifically configured to parse the log files, use the IOC type of each log file as the primary key, and detect malicious domain names, IPs or malicious files in the log files, thereby obtaining parsed files of different IOC types.
9. The device according to claim 7, wherein the threat alert module is specifically configured to:
perform a batch query on the target parsed file according to the target query mode; and
generate threat alert information if the query finds that threat intelligence is present in the target parsed file.
10. The device according to claim 7, further comprising:
a file temporary-storage module, configured to temporarily store the parsed files of the different IOC types in a database if the data volume of the parsed files of the different IOC types exceeds a threshold.
11. The device according to claim 7, further comprising:
an exception preserving module, configured to preserve the value queue in which an exception occurred, if an exception occurs while querying the target parsed file according to the target query mode.
12. The device according to any one of claims 7 to 11, further comprising:
an alert display module, configured to determine a corresponding display type according to the type of the threat alert information, send the threat alert information to a display for presentation according to the display type, generate an alert log according to the threat alert information, and store the threat alert information and the alert log.
13. An electronic device, comprising:
at least one processor; and
at least one memory communicatively connected to the processor, wherein:
the memory stores program instructions executable by the processor, and the processor, by calling the program instructions, is able to execute the method according to any one of claims 1 to 6.
14. A non-transitory computer-readable storage medium, wherein the non-transitory computer-readable storage medium stores a computer program, and the computer program causes a computer to execute the method according to any one of claims 1 to 6.
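The pipeline the claims describe (parse logs of several file types into per-IOC-type parsed files, queue them, choose a compromise-detection query mode by IOC type, batch-query, raise alerts, spill oversize parsed files to storage, preserve any batch whose query raised an exception, and pick a display type per alert type), as an added Python illustration that is not the patent's own implementation. The log formats, intelligence sets, per-type query modes (parent-domain match, exact IP, case-insensitive hash), display names and all sample lines are constructed assumptions.

```python
import re

INTEL = {  # constructed threat-intelligence sets keyed by IOC type (stand-in for the intel store)
    "domain": {"bad.example.net"},
    "ip": {"203.0.113.7"},
    "hash": {"44d88612fea8a8f36de82e1278abb02f"},
}
PARSERS = {  # one parser per log file type (constructed formats); each yields a single IOC type
    "dns":   ("domain", re.compile(r"^\S+ (?P<client>\S+) (?P<value>\S+)$")),
    "proxy": ("ip",     re.compile(r"^(?P<client>\S+) -> (?P<value>[\d.]+):\d+$")),
    "av":    ("hash",   re.compile(r"^(?P<client>\S+) md5=(?P<value>[0-9a-fA-F]{32})$")),
}
QUERY_MODE = {  # compromise-detection query mode chosen by IOC type (assumed modes)
    "domain": lambda v: any(v == d or v.endswith("." + d) for d in INTEL["domain"]),
    "ip":     lambda v: v in INTEL["ip"],                 # exact match
    "hash":   lambda v: v.lower() in INTEL["hash"],       # case-insensitive
}
DISPLAY = {"domain": "dns-panel", "ip": "network-panel", "hash": "endpoint-panel"}
SAMPLE_LOGS = {  # constructed log lines of three file types
    "dns":   ["t1 10.0.0.5 www.example.org", "t2 10.0.0.5 cdn.bad.example.net"],
    "proxy": ["10.0.0.9 -> 198.51.100.2:443", "10.0.0.9 -> 203.0.113.7:8080"],
    "av":    ["host7 md5=44D88612FEA8A8F36DE82E1278ABB02F"],
}

def parse_log(file_type, lines):
    """Parse one log file into a 'parsed file': (ioc_type, records of that single type)."""
    ioc_type, pattern = PARSERS[file_type]
    return ioc_type, [m.groupdict() for m in map(pattern.match, lines) if m]

def enqueue(parsed, queue, spill, threshold):
    """Add a parsed file to the detection queue, or spill it to storage when over the threshold."""
    (spill if len(parsed[1]) > threshold else queue).append(parsed)

def detect(queue, errors):
    """Drain the queue, batch-querying each parsed file with its type's mode; keep failed batches."""
    alerts = []
    while queue:
        ioc_type, records = queue.pop(0)
        try:
            hits = [r for r in records if QUERY_MODE[ioc_type](r["value"])]
        except Exception as exc:
            errors.append((ioc_type, records, repr(exc)))  # preserved instead of dropped
            continue
        alerts.extend({"ioc_type": ioc_type, **r} for r in hits)
    return alerts

def run(files, threshold=1000):
    """files: {file_type: [lines]} -> (alert log entries, preserved error batches, spilled files)."""
    queue, spill, errors = [], [], []
    for file_type, lines in files.items():
        enqueue(parse_log(file_type, lines), queue, spill, threshold)
    log = [(DISPLAY[a["ioc_type"]], f"{a['client']} hit {a['ioc_type']} {a['value']}")
           for a in detect(queue, errors)]
    return log, errors, spill
```

Spilled and preserved batches are returned rather than written anywhere, so a caller can re-queue them once the database or the failing query mode is available again.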

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810306120.2A CN108763031B (en) 2018-04-08 2018-04-08 Log-based threat information detection method and device

Publications (2)

Publication Number Publication Date
CN108763031A (en) 2018-11-06
CN108763031B (en) 2022-05-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: Qianxin Technology Group Co.,Ltd.

Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

GR01 Patent grant