CN108763031B - A log-based threat intelligence detection method and device - Google Patents


Info

Publication number: CN108763031B
Authority: CN (China)
Legal status: Active
Application number: CN201810306120.2A
Other languages: Chinese (zh)
Other versions: CN108763031A (en)
Inventors: 白敏, 高浩浩, 李朋举, 韩志立, 汪列军
Current assignee: Qax Technology Group Inc
Original assignee: Qax Technology Group Inc

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/32 Monitoring with visual or acoustical indication of the functioning of the machine
    • G06F11/324 Display of status information
    • G06F11/327 Alarm or error message display
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures


Abstract

Embodiments of the invention disclose a log-based threat intelligence detection method and device. The method comprises: obtaining log files of different file types, parsing the log files, matching them against different threat indicator (IOC) types, and adding the parsed files of different IOC types to a detection engine queue; obtaining a target parsed file from the detection engine queue and determining the corresponding target query mode according to the IOC type of the target parsed file; and, if threat intelligence is found in the target parsed file by querying in the target query mode, generating threat alert information, such as a compromised host or a malicious file. Because log files of different file types are parsed and the target parsed file is queried in the corresponding compromise detection query mode, large batches of data can be processed simultaneously, greatly improving the efficiency of network security detection over massive data.

Description

A log-based threat intelligence detection method and device

Technical field

Embodiments of the present invention relate to the technical field of network security, and in particular to a log-based threat intelligence detection method and device.

Background

With the rapid development of computer technology and network applications, the volume of network data keeps growing, and the security of this massive data becomes ever more important. Applications such as social networks, mobile communications, network video and audio, e-commerce, sensor networks and scientific experiments routinely generate data sets of tens of millions, hundreds of millions, or even billions and tens of billions of records. To keep the network secure, this massive data must be inspected so that the network can operate safely.

The prior art mainly relies on conventional detection of a single log type, which suffices for networks with small data volumes. For networks carrying massive data, however, the efficiency of that detection method plainly cannot meet the requirements, so network operation slows down substantially while the coverage of data security detection remains small.

While implementing the embodiments of the present invention, the inventors found that the detection efficiency of existing methods for network security detection over massive data is too low.

Summary of the invention

Because the existing methods have the problems described above, embodiments of the present invention provide a log-based threat intelligence detection method and device.

In a first aspect, an embodiment of the present invention provides a log-based threat intelligence detection method, comprising:

obtaining log files of different file types, parsing the log files, matching them against different threat indicator (IOC) types to obtain parsed files, and adding the parsed files to a detection engine queue;

obtaining a target parsed file from the detection engine queue, and determining the corresponding compromise detection query mode according to the IOC type of the target parsed file;

if threat intelligence is found in the target parsed file by querying in the target query mode, generating threat alert information.

Optionally, parsing the log files to obtain parsed files of different threat indicator (IOC) types specifically comprises:

parsing the log files, determining the IOC type of each log file by primary-key matching, and detecting malicious domain names, IP addresses or malicious files in the log files, to obtain parsed files of different IOC types.

Optionally, generating threat alert information if threat intelligence is found in the target parsed file by querying in the target query mode specifically comprises:

performing a batch query on the target parsed file according to the target query mode;

if threat intelligence is found in the target parsed file, generating threat alert information.

Optionally, after obtaining log files of different file types, parsing them to obtain parsed files of different threat indicator (IOC) types, and adding the parsed files of different IOC types to the detection engine queue, the method further comprises:

if the data volume of the parsed files of different IOC types exceeds a threshold, temporarily storing the parsed files of different IOC types in a database.

Optionally, before generating threat alert information if threat intelligence is found in the target parsed file by querying in the target query mode, the method further comprises:

if an exception occurs while querying the target parsed file in the target query mode, saving the queue of values for which the exception occurred.

Optionally, the method further comprises:

determining the corresponding display type according to the type of the threat alert information, sending the threat alert information to a display for presentation according to that display type, generating an alert log from the threat alert information, and storing both the threat alert information and the alert log.

In a second aspect, an embodiment of the present invention further provides a log-based threat intelligence detection device, comprising:

a file parsing module, configured to obtain log files of different file types, parse the log files, match them against different threat indicator (IOC) types to obtain parsed files, and add the parsed files to a detection engine queue;

a corresponding query module, configured to obtain a target parsed file from the detection engine queue and determine the corresponding compromise detection query mode according to the IOC type of the target parsed file;

a threat alert module, configured to generate threat alert information if threat intelligence is found in the target parsed file by querying in the target query mode.

Optionally, the file parsing module is specifically configured to parse the log files, determine the IOC type of each log file by primary-key matching, and detect malicious domain names, IP addresses or malicious files in the log files, to obtain parsed files of different IOC types.

Optionally, the threat alert module is specifically configured to:

perform a batch query on the target parsed file according to the target query mode;

if threat intelligence is found in the target parsed file, generate threat alert information.

Optionally, the device further comprises:

a file staging module, configured to temporarily store the parsed files of different IOC types in a database if their data volume exceeds a threshold.

Optionally, the device further comprises:

an exception saving module, configured to save the queue of values for which an exception occurred if an exception occurs while querying the target parsed file in the target query mode.

Optionally, the device further comprises:

an alert display module, configured to determine the corresponding display type according to the type of the threat alert information, send the threat alert information to a display for presentation according to that display type, generate an alert log from the threat alert information, and store both the threat alert information and the alert log.

In a third aspect, an embodiment of the present invention further provides an electronic device, comprising:

at least one processor; and

at least one memory communicatively connected to the processor, wherein:

the memory stores program instructions executable by the processor, and the processor can execute the method described above by invoking the program instructions.

In a fourth aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium storing a computer program that causes a computer to execute the method described above.

As can be seen from the technical solutions above, by parsing log files of different file types and querying the target parsed file in the corresponding compromise detection query mode, embodiments of the present invention can process large batches of data simultaneously and greatly improve the detection efficiency of network security detection over massive data.

Brief description of the drawings

To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.

FIG. 1 is a schematic flowchart of a log-based threat intelligence detection method provided by an embodiment of the present invention;

FIG. 2 is a schematic flowchart of a compromise detection method provided by an embodiment of the present invention;

FIG. 3 is a schematic diagram of results of a log-based threat intelligence detection method provided by an embodiment of the present invention;

FIG. 4 is a schematic diagram of results of a log-based threat intelligence detection method provided by another embodiment of the present invention;

FIG. 5 is a schematic structural diagram of a log-based threat intelligence detection device provided by an embodiment of the present invention;

FIG. 6 is a logical block diagram of an electronic device provided by an embodiment of the present invention.

Detailed description

The specific embodiments of the present invention are further described below with reference to the drawings. The following embodiments serve only to illustrate the technical solutions of the present invention more clearly and do not limit its scope of protection.

FIG. 1 shows a schematic flowchart of the log-based threat intelligence detection method provided by this embodiment, which comprises:

S101. Obtain log files of different file types, parse the log files, match them against different threat indicator (IOC) types to obtain parsed files, and add the parsed files to a detection engine queue.

Log files may be received in several ways, such as as plain files, through Logstash, or through an API, and the specific file types may include JSON, Syslog, NetFlow, DNS and HTTP log traffic as well as the log records of a SIEM system. Obtaining log files of different file types makes it convenient to aggregate and parse all kinds of logs, gives the widest compatibility with different log formats, and eases subsequent detection and matching.

The detection engine queue is a queue that stores parsed files of different IOC types for subsequent compromise detection.

S102. Obtain a target parsed file from the detection engine queue, and determine the corresponding compromise detection query mode according to the IOC type of the target parsed file.

The compromise detection query modes include the cc (command-and-control server) query, the sinkhole query and the dga (DNS domain names generated by a special algorithm) query.

S103. If threat intelligence is found in the target parsed file by querying in the target query mode, generate threat alert information.

Specifically, as shown in FIG. 2, after data is obtained from the detection engine queue, the corresponding database is queried through cc, sinkhole or dga, and whether the query succeeded is determined; if the query succeeded, threat alert information is generated, otherwise the failed field is saved.

Overall, this embodiment is divided into four parts: a log receiving part, a log parsing part, a detection engine part and a log alerting part. Unlike common log detection approaches, these four parts allow many log formats to be received with excellent processing performance, and the four-stage log processing flow effectively combines threat intelligence for precise log matching.

By parsing log files of different file types and querying the target parsed file in the corresponding compromise detection query mode, this embodiment can process large batches of data simultaneously and greatly improves the detection efficiency of network security detection over massive data.

Further, on the basis of the method embodiment above, parsing the log files in S101 to obtain parsed files of different threat indicator (IOC) types specifically comprises:

parsing the log files, determining the IOC type of each log file by primary-key matching, and detecting malicious domain names, IP addresses or malicious files in the log files, to obtain parsed files of different IOC types.

Specifically, two main module engines detect and process the various log formats; the IOCs (Indicators of Compromise) in the intelligence are matched by primary key to detect malicious domain names, IP addresses or malicious files, and detailed information is provided for attack source tracing. As shown in FIGs. 3 and 4, the many kinds of threat intelligence information can be used effectively to detect and trace activity across the various types of logs on the live network, including traffic logs and file transfer logs.

By matching against massive intelligence, this embodiment provides an efficient log storage and alert detection mechanism that can use all kinds of existing intelligence to detect and alert precisely even with heterogeneous data sources and large log volumes; at the same time, effective log analysis combined with threat intelligence sources efficiently discovers abnormal attacks and provides traceability.
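The parsing and IOC-typing step of S101 (log files in several formats, indicator values classified by type, a per-type queue handed to the detection engine), as an added Python example. This is not the patent's code: the log formats, field names, regular expressions, the DOMAIN_FIELDS rule and the sample lines are all constructed for illustration.

```python
# Added example (not the patent's code): parse log lines of several formats,
# classify the indicator values they carry by IOC type, and place them in a
# per-type queue for the detection engine. Formats, field names and sample
# lines are all constructed for illustration.
import json
import re
from collections import defaultdict, deque
from urllib.parse import urlparse

# Constructed sample input: a JSON record, a syslog-style proxy line, a DNS
# query log line and a file-transfer record.
SAMPLE_LOGS = [
    '{"src_ip": "10.1.2.3", "host": "update.example-bad.test", '
    '"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}',
    'Mar 10 12:00:01 gw1 proxy: client=10.1.2.4 dst=203.0.113.9 '
    'url=http://cdn.example-bad.test/x',
    '2018-04-01T10:00:00Z query 10.1.2.5 A q3k8s9d0f1g2h.example-dga.test',
    'FILE_XFER user=alice name=invoice.pdf md5=d41d8cd98f00b204e9800998ecf8427e',
]

IPV4 = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')
SHA1 = re.compile(r'^[0-9a-f]{40}$', re.I)
MD5 = re.compile(r'^[0-9a-f]{32}$', re.I)
KV = re.compile(r'(\w+)=(\S+)')
DNS = re.compile(r'^\S+ query (\S+) A (\S+)$')
# Only values of these fields are treated as domain candidates, so a file name
# such as "invoice.pdf" in a "name" field is not mistaken for a domain IOC.
DOMAIN_FIELDS = {"host", "domain", "qname", "url", "dst"}


def parse_line(line):
    """Turn one log line into a flat dict of fields, whatever its format."""
    line = line.strip()
    if line.startswith("{"):
        return json.loads(line)                              # JSON record
    m = DNS.match(line)
    if m:
        return {"src_ip": m.group(1), "qname": m.group(2)}  # DNS query log
    return dict(KV.findall(line))                            # key=value style


def classify(field, value):
    """Return (ioc_type, normalised value) for a field, or None if it carries none."""
    if IPV4.match(value):
        return "ip", value
    if SHA1.match(value):
        return "sha1", value.lower()
    if MD5.match(value):
        return "md5", value.lower()
    if field in DOMAIN_FIELDS:
        host = urlparse(value).hostname if "://" in value else value
        if host and "." in host:
            return "domain", host.lower()
    return None


def build_engine_queue(lines):
    """Parse every line and enqueue each IOC, grouped by type, with its raw log."""
    queue = defaultdict(deque)
    for line in lines:
        for field, value in parse_line(line).items():
            hit = classify(field, str(value))
            if hit:
                ioc_type, ioc = hit
                queue[ioc_type].append({"ioc": ioc, "raw": line})
    return queue


if __name__ == "__main__":
    for ioc_type, records in build_engine_queue(SAMPLE_LOGS).items():
        print(ioc_type, [r["ioc"] for r in records])
```

Keeping the raw line alongside each indicator is what later lets an alert carry the original log field for source tracing; restricting domain extraction to named fields is the cheap way to keep file names and hostnames without dots out of the domain queue.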

Further, on the basis of the method embodiment above, S103 specifically comprises:

S1031. Perform a batch query on the target parsed file according to the target query mode.

S1032. If threat intelligence is found in the target parsed file, generate threat alert information.

Specifically, compromise detection is the core part of this embodiment: it matches compromise detection threat intelligence against the original logs to identify compromised hosts and logs of abnormal behaviour. The specific flow is shown in FIG. 2. First, data is obtained from the detection engine queue and batch cc, dga and sinkhole queries are run (the kc mode); then the host, ip, sha1 and MD5 values are taken from the parsed list and queried against kc or kt in batches of 1000; then the process check_compromise.py is started, which assembles the alert information into a structure through the functions check_cc, check_dga, check_sinkhole and construct_alert_info and sends it to the corresponding alert module over a socket.

Compromise detection efficiently detects malicious domain names, malicious IP addresses and malicious files; by matching common network logs, traffic logs and behaviour logs, malicious threats can be pinpointed within valid IOC intelligence and traced to their source.

Further, on the basis of the method embodiment above, after S101 the method further comprises:

S1012. If the data volume of the parsed files of different IOC types exceeds a threshold, temporarily store the parsed files of different IOC types in a database.

Specifically, the different data sources are received and parsed through Logstash, and only logs with a large data volume are held in a buffer queue, so that the computer can read and process them from the temporary database. To prevent data storage from consuming too much memory when log traffic is heavy, logs can be staged in the kc store; once the query and the alert fields have been assembled, the alert is raised and the already-queried information is deleted from the kc store.

Further, on the basis of the method embodiment above, before S103 the method further comprises:

S1023. If an exception occurs while querying the target parsed file in the target query mode, save the queue of values for which the exception occurred.

Specifically, when an abnormal file spreads or appears in the user's network, the malicious sample must be discovered promptly and an alert raised with the details of the sample. Data can be taken from the file reputation detection queue for batch file reputation queries (the kt mode), executed by the key process check_filerepputation.py, which assembles the alert information into a structure through the functions check_info and construct_alert_info and sends it to the corresponding alert module over a socket. When a query raises an exception, the list of keys for which the exception occurred is saved; if the queue is empty, the process sleeps.
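The detection-engine side of S102, S1031/S1032 and S1023 (query mode chosen from the IOC type, keys queried in batches, matches assembled into alert structures, and the keys of a batch whose query raised an exception saved for retry), as an added Python example. It is not the patent's code: the intelligence sets, the record layout, the alert fields, the batch size parameter and the functions query_compromise, query_file_reputation, batched, run_engine and query_unavailable are constructed here; only the name construct_alert_info comes from the page, and its body is assumed.

```python
# Added example (not the patent's code): the detection-engine side. Records
# arrive from a per-type queue; the query mode is chosen from the IOC type,
# keys are queried in batches, matches become alert structures, and the keys
# of any batch whose query raised are kept for retry. Intelligence sets, the
# record layout and the alert fields are constructed for illustration.
import itertools

# Constructed stand-in for the intelligence store: cc / sinkhole / dga sets
# keyed by domain or IP, and a file-reputation table keyed by hash.
INTEL = {
    "cc": {"update.example-bad.test", "203.0.113.9"},
    "sinkhole": {"sink.example-sec.test"},
    "dga": {"q3k8s9d0f1g2h.example-dga.test"},
    "file_reputation": {"d41d8cd98f00b204e9800998ecf8427e": "trojan.generic"},
}

# Query mode selected by IOC type: hosts and IPs go to compromise detection
# (cc / sinkhole / dga), hashes go to file reputation.
QUERY_MODE = {
    "domain": "compromise", "ip": "compromise",
    "sha1": "file_reputation", "md5": "file_reputation",
}


def query_compromise(keys):
    """Batch cc / sinkhole / dga lookup; returns {key: matched_kind}."""
    hits = {}
    for key in keys:
        for kind in ("cc", "sinkhole", "dga"):
            if key in INTEL[kind]:
                hits[key] = kind
                break
    return hits


def query_file_reputation(keys):
    """Batch file-reputation lookup; returns {hash: verdict}."""
    table = INTEL["file_reputation"]
    return {k: table[k] for k in keys if k in table}


def query_unavailable(keys):
    """Simulated backend outage, used to exercise the exception path."""
    raise ConnectionError("intelligence backend unavailable")


QUERIES = {"compromise": query_compromise, "file_reputation": query_file_reputation}


def construct_alert_info(record, ioc_type, verdict):
    """Assemble one alert structure (field layout is assumed, not the patent's)."""
    return {
        "alert_type": "malicious_file" if ioc_type in ("sha1", "md5") else "compromised_host",
        "ioc_type": ioc_type,
        "ioc": record["ioc"],
        "verdict": verdict,
        "raw_log": record["raw"],
    }


def batched(records, size):
    """Yield successive lists of at most `size` records."""
    it = iter(records)
    while True:
        chunk = list(itertools.islice(it, size))
        if not chunk:
            return
        yield chunk


def run_engine(queue, queries=QUERIES, batch_size=1000):
    """Drain the per-type queue; return (alerts, keys whose query failed)."""
    alerts, failed = [], []
    for ioc_type, records in queue.items():
        mode = QUERY_MODE.get(ioc_type)
        if mode is None:
            continue                      # unknown IOC type: nothing to query
        for batch in batched(records, batch_size):
            keys = [r["ioc"] for r in batch]
            try:
                hits = queries[mode](keys)
            except Exception:
                failed.extend(keys)       # backend error: keep keys for retry
                continue
            for record in batch:
                if record["ioc"] in hits:
                    alerts.append(construct_alert_info(record, ioc_type, hits[record["ioc"]]))
    return alerts, failed


# Constructed sample queue, shaped as the parsing stage would hand it over.
SAMPLE_QUEUE = {
    "domain": [
        {"ioc": "update.example-bad.test", "raw": "host=update.example-bad.test"},
        {"ioc": "www.example.test", "raw": "host=www.example.test"},
        {"ioc": "q3k8s9d0f1g2h.example-dga.test", "raw": "qname=q3k8s9d0f1g2h.example-dga.test"},
    ],
    "ip": [
        {"ioc": "203.0.113.9", "raw": "dst=203.0.113.9"},
        {"ioc": "10.1.2.3", "raw": "src_ip=10.1.2.3"},
    ],
    "md5": [{"ioc": "d41d8cd98f00b204e9800998ecf8427e", "raw": "md5=d41d8cd98f00b204e9800998ecf8427e"}],
}

if __name__ == "__main__":
    alerts, failed = run_engine(SAMPLE_QUEUE, batch_size=2)
    for a in alerts:
        print(a["alert_type"], a["ioc"], a["verdict"])
    print("failed keys:", failed)
```

A failed batch is recorded by key rather than silently dropped, so the keys can be re-queued once the backend is back; a match that never happened because the lookup errored should not be read as "clean".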

Further, on the basis of the method embodiment above, the method further comprises:

S104. Determine the corresponding display type according to the type of the threat alert information, send the threat alert information to a display for presentation according to that display type, generate an alert log from the threat alert information, and store both the threat alert information and the alert log.

Specifically, the threat alert information detected by matching against threat intelligence is presented as alerts on the front end, and the original field log is written to the database. The alert fields are designed slightly differently for alerts matched from different intelligence types, for the user's convenience.

Specifically, the process log_parse.py can be run: it receives logs through the function recv_log, parses them through the function parse_log, and writes them into the kc engine and caches them through the function write_kc.

By receiving a large number of alert logs without storing the original logs for the time being, this embodiment can store the malicious threat alerts produced by detection as raw alerts and present them on the interface.

FIG. 5 shows a schematic structural diagram of the log-based threat intelligence detection device provided by this embodiment. The device comprises a file parsing module 501, a corresponding query module 502 and a threat alert module 503, wherein:

the file parsing module 501 is configured to obtain log files of different file types, parse the log files, match them against different threat indicator (IOC) types to obtain parsed files, and add the parsed files to a detection engine queue;

the corresponding query module 502 is configured to obtain a target parsed file from the detection engine queue and determine the corresponding compromise detection query mode according to the IOC type of the target parsed file;

the threat alert module 503 is configured to generate threat alert information if threat intelligence is found in the target parsed file by querying in the target query mode.

Specifically, the file parsing module 501 obtains log files of different file types, parses them, matches them against different threat indicator (IOC) types to obtain parsed files, and adds the parsed files to the detection engine queue; the corresponding query module 502 obtains a target parsed file from the detection engine queue and determines the corresponding compromise detection query mode according to the IOC type of the target parsed file; and the threat alert module 503 generates threat alert information if threat intelligence is found in the target parsed file by querying in the target query mode.

By parsing log files of different file types and querying the target parsed file in the corresponding compromise detection query mode, this embodiment can process large batches of data simultaneously and greatly improves the detection efficiency of network security detection over massive data.

Further, on the basis of the device embodiment above, the file parsing module 501 is specifically configured to parse the log files, determine the IOC type of each log file by primary-key matching, and detect malicious domain names, IP addresses or malicious files in the log files, to obtain parsed files of different IOC types.

Further, on the basis of the device embodiment above, the threat alert module 503 is specifically configured to:

perform a batch query on the target parsed file according to the target query mode;

if threat intelligence is found in the target parsed file, generate threat alert information.

Further, on the basis of the device embodiment above, the device further comprises:

a file staging module, configured to temporarily store the parsed files of different IOC types in a database if their data volume exceeds a threshold.

Further, on the basis of the device embodiment above, the device further comprises:

an exception saving module, configured to save the queue of values for which an exception occurred if an exception occurs while querying the target parsed file in the target query mode.

Further, on the basis of the device embodiment above, the device further comprises:

an alert display module, configured to determine the corresponding display type according to the type of the threat alert information, send the threat alert information to a display for presentation according to that display type, generate an alert log from the threat alert information, and store both the threat alert information and the alert log.

The log-based threat intelligence detection device described in this embodiment can be used to execute the method embodiments above; its principle and technical effect are similar and are not repeated here.

Referring to FIG. 6, the electronic device comprises a processor 601, a memory 602 and a bus 603;

wherein,

the processor 601 and the memory 602 communicate with each other through the bus 603;

the processor 601 is configured to invoke program instructions in the memory 602 to execute the methods provided by the method embodiments above.

This embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium; the computer program comprises program instructions which, when executed by a computer, enable the computer to execute the methods provided by the method embodiments above.

This embodiment provides a non-transitory computer-readable storage medium storing computer instructions that cause a computer to execute the methods provided by the method embodiments above.

The device embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over several network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.

From the description of the embodiments above, those skilled in the art can clearly understand that each embodiment may be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware. Based on this understanding, the technical solutions above, in essence or in the part that contributes to the prior art, may be embodied as a software product stored on a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, comprising several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the embodiments or in parts of them.

应说明的是:以上实施例仅用以说明本发明的技术方案,而非对其限制;尽管参照前述实施例对本发明进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本发明各实施例技术方案的精神和范围。It should be noted that: the above embodiments are only used to illustrate the technical solutions of the present invention, but not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: it can still be used for The technical solutions described in the foregoing embodiments are modified, or some technical features thereof are equivalently replaced; and these modifications or replacements do not make the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (12)

1. A log-based threat intelligence detection method, characterized in that it comprises: obtaining log files of different file types, parsing the log files, matching different threat indicator (IOC) types to obtain parsed files, and adding the parsed files to a detection engine queue; obtaining a target parsed file from the detection engine queue, and determining, according to the IOC type of the target parsed file, the corresponding target query mode for compromise detection, wherein the target query modes for compromise detection include a command-and-control server query, a sinkhole query, and a query for DNS names generated by a special algorithm; and if threat intelligence is found in the target parsed file according to the target query mode, generating threat alarm information; wherein parsing the log files to obtain parsed files of different IOC types specifically comprises: parsing the log files, determining the IOC type of the log files by means of a primary key, and detecting malicious domain names, IPs or malicious files in the log files, so as to obtain parsed files of different IOC types.

2. The method according to claim 1, characterized in that generating threat alarm information if threat intelligence is found in the target parsed file according to the target query mode specifically comprises: performing a batch query on the target parsed file according to the target query mode; and if threat intelligence is found in the target parsed file, generating threat alarm information.

3. The method according to claim 1, characterized in that, after obtaining log files of different file types, parsing the log files to obtain parsed files of different IOC types, and adding the parsed files of different IOC types to the detection engine queue, the method further comprises: if the data volume of the parsed files of different IOC types exceeds a threshold, temporarily storing the parsed files of different IOC types in a database.

4. The method according to claim 1, characterized in that, before generating threat alarm information if threat intelligence is found in the target parsed file according to the target query mode, the method further comprises: if an exception occurs when querying the target parsed file according to the target query mode, saving the queue of values for which the exception occurred.

5. The method according to any one of claims 1 to 4, characterized in that the method further comprises: determining a corresponding display type according to the type of the threat alarm information, sending the threat alarm information to a display for display according to the display type, generating an alarm log according to the threat alarm information, and storing the threat alarm information and the alarm log.

6. A log-based threat intelligence detection device, characterized in that it comprises: a file parsing module, configured to obtain log files of different file types, parse the log files, match different threat indicator (IOC) types to obtain parsed files, and add the parsed files to a detection engine queue; a corresponding query module, configured to obtain a target parsed file from the detection engine queue and determine, according to the IOC type of the target parsed file, the corresponding target query mode for compromise detection, wherein the target query modes for compromise detection include a command-and-control server query, a sinkhole query, and a query for DNS names generated by a special algorithm; and a threat alarm module, configured to generate threat alarm information if threat intelligence is found in the target parsed file according to the target query mode; wherein the file parsing module is specifically configured to parse the log files, determine the IOC type of the log files by means of a primary key, and detect malicious domain names, IPs or malicious files in the log files, so as to obtain parsed files of different IOC types.

7. The device according to claim 6, characterized in that the threat alarm module is specifically configured to: perform a batch query on the target parsed file according to the target query mode; and if threat intelligence is found in the target parsed file, generate threat alarm information.

8. The device according to claim 6, characterized in that the device further comprises: a file staging module, configured to temporarily store the parsed files of different IOC types in a database if the data volume of the parsed files of different IOC types exceeds a threshold.

9. The device according to claim 6, characterized in that the device further comprises: an exception saving module, configured to save the queue of values for which an exception occurred if an exception occurs when querying the target parsed file according to the target query mode.

10. The device according to any one of claims 6 to 9, characterized in that the device further comprises: an alarm display module, configured to determine a corresponding display type according to the type of the threat alarm information, send the threat alarm information to a display for display according to the display type, generate an alarm log according to the threat alarm information, and store the threat alarm information and the alarm log.

11. An electronic device, characterized in that it comprises: at least one processor; and at least one memory communicatively connected to the processor, wherein the memory stores program instructions executable by the processor, and the processor, by calling the program instructions, is able to perform the method according to any one of claims 1 to 5.

12. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores a computer program, and the computer program causes the computer to perform the method according to any one of claims 1 to 5.
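As an added illustration of the pipeline in claims 1 to 5 (and the corresponding modules of claims 6 to 10), and not code from the patent or its assignee: a small Python detection engine that parses constructed "key=value" log records by a per-file-type primary-key field, buckets the values by IOC type, routes each parsed file to a query mode (C2 server, sinkhole or DGA-looking DNS name, file hash), stages overflow in a stand-in database, keeps values whose query raised in an exception queue, and turns hits into typed alerts with an alarm log. The field names, the IOC-type-to-query-mode mapping, the queue threshold and every indicator value are assumptions.

```python
import re
from collections import deque
C2_SERVERS = {"203.0.113.45"}         # constructed threat intel tables (placeholders,
SINKHOLED = {"sinkhole.example.net"}  # not real indicators)
MALICIOUS_HASHES = {"ab" * 32}        # constructed SHA-256
DGA_RE = re.compile(r"^[a-z0-9]{16,}\.(com|net|biz)$")  # crude "looks DGA-generated" check
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
HASH_RE = re.compile(r"^[0-9a-f]{64}$")
PRIMARY_KEY = {"dns": "qname", "firewall": "dst", "edr": "sha256"}  # assumed field names
SAMPLE_LOGS = {  # constructed "k=v" records; a real deployment reads log files
    "dns": ["ts=1 src=10.0.0.5 qname=sinkhole.example.net",
            "ts=2 src=10.0.0.5 qname=x7k2p9q1m4z8b3n6v5c0.biz",
            "ts=3 src=10.0.0.6 qname=www.example.org"],
    "firewall": ["ts=4 src=10.0.0.7 dst=203.0.113.45 dport=443"],
    "edr": ["ts=5 host=ws1 sha256=" + "ab" * 32, "ts=6 host=ws2 sha256=notahash"],
}

def parse_log(lines, file_type):  # claim 1: bucket primary-key values by IOC type
    key, parsed = PRIMARY_KEY[file_type], {}
    for line in lines:
        value = dict(kv.split("=", 1) for kv in line.split())[key]
        ioc = "ip" if IP_RE.match(value) else "domain" if "." in value else "file"
        parsed.setdefault(ioc, []).append(value)
    return [{"ioc_type": t, "values": v} for t, v in parsed.items()]

def file_query(v):  # raises on malformed input so the claim 4 exception path is exercised
    if not HASH_RE.match(v):
        raise ValueError(f"malformed hash: {v}")
    return v in MALICIOUS_HASHES
# Compromise-detection query mode per IOC type; the type-to-mode mapping is assumed.
QUERY_MODE = {"ip": ("c2", lambda v: v in C2_SERVERS),
              "domain": ("sinkhole_dga", lambda v: v in SINKHOLED or bool(DGA_RE.match(v))),
              "file": ("hash", file_query)}

class DetectionEngine:
    def __init__(self, queue_threshold=3):  # assumed queue size limit
        self.threshold, self.engine_queue = queue_threshold, deque()
        self.database, self.exception_queue, self.alert_store = [], [], []

    def enqueue(self, parsed_files):  # claim 3: stage overflow in the database
        for pf in parsed_files:
            (self.database if len(self.engine_queue) >= self.threshold else self.engine_queue).append(pf)

    def detect(self, pf):  # claim 2: batch query; claim 4: keep failing values
        (mode, query), alerts = QUERY_MODE[pf["ioc_type"]], []
        for value in pf["values"]:
            try:
                if query(value):
                    alerts.append({"type": pf["ioc_type"], "value": value, "via": mode})
            except ValueError:
                self.exception_queue.append(value)
        return alerts

    def store_alert(self, alert):  # claim 5: display type from alert type, alarm log, storage
        entry = {"alert": alert, "display": alert["type"] + "-panel",
                 "log": f"ALERT type={alert['type']} value={alert['value']} via={alert['via']}"}
        self.alert_store.append(entry)
        return entry

    def run(self, logs):  # end-to-end: parse, enqueue, drain the queue, store alerts
        for file_type, lines in logs.items():
            self.enqueue(parse_log(lines, file_type))
        drained = [self.engine_queue.popleft() for _ in range(len(self.engine_queue))]
        return [self.store_alert(a) for pf in drained for a in self.detect(pf)]
```

Running `DetectionEngine().run(SAMPLE_LOGS)` yields four stored alerts (sinkholed domain, DGA-looking domain, C2 IP, known-bad hash) while the benign lookup produces none and the malformed hash lands in the exception queue instead of being dropped.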
CN201810306120.2A 2018-04-08 2018-04-08 A log-based threat intelligence detection method and device Active CN108763031B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810306120.2A CN108763031B (en) 2018-04-08 2018-04-08 A log-based threat intelligence detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810306120.2A CN108763031B (en) 2018-04-08 2018-04-08 A log-based threat intelligence detection method and device

Publications (2)

Publication Number Publication Date
CN108763031A CN108763031A (en) 2018-11-06
CN108763031B true CN108763031B (en) 2022-05-24

Family

ID=63981150

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810306120.2A Active CN108763031B (en) 2018-04-08 2018-04-08 A log-based threat intelligence detection method and device

Country Status (1)

Country Link
CN (1) CN108763031B (en)

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450690B (en) * 2018-11-20 2022-01-25 杭州安恒信息技术股份有限公司 Method and device for quickly locking lost host in networking
CN110868379B (en) * 2018-12-19 2021-09-21 北京安天网络安全技术有限公司 Intrusion threat index expanding method and device based on DNS (Domain name System) analysis message and electronic equipment
CN109862003B (en) * 2019-01-24 2022-02-22 深信服科技股份有限公司 Method, device, system and storage medium for generating local threat intelligence library
CN110166421B (en) * 2019-04-01 2022-10-14 平安科技(深圳)有限公司 Intrusion control method and device based on log monitoring and terminal equipment
CN110188247B (en) * 2019-04-26 2021-07-20 奇安信科技集团股份有限公司 Intelligence generating method, apparatus, computer equipment, and computer-readable storage medium
CN110266670A (en) * 2019-06-06 2019-09-20 深圳前海微众银行股份有限公司 Method and device for processing terminal network outreach behavior
CN112214290B (en) * 2019-07-11 2023-04-11 中移(苏州)软件技术有限公司 Log information processing method, edge node, center node and system
CN110362536A (en) * 2019-07-15 2019-10-22 北京工业大学 Log cipher text retrieval method based on alarm association
CN110351280B (en) * 2019-07-15 2022-05-27 杭州安恒信息技术股份有限公司 A method, system, device and readable storage medium for extracting threat intelligence
CN110719291B (en) * 2019-10-16 2022-10-14 杭州安恒信息技术股份有限公司 Network threat identification method and identification system based on threat information
CN111277585B (en) * 2020-01-16 2022-09-30 深信服科技股份有限公司 Threat processing method, device, equipment and readable storage medium
CN113141334A (en) * 2020-01-19 2021-07-20 奇安信科技集团股份有限公司 Data acquisition and analysis method and system based on network attack
CN111404939B (en) * 2020-03-16 2022-08-09 深信服科技股份有限公司 Mail threat detection method, device, equipment and storage medium
CN111414402A (en) * 2020-03-19 2020-07-14 北京神州绿盟信息安全科技股份有限公司 Log threat analysis rule generation method and device
CN111478889B (en) * 2020-03-27 2022-09-02 新浪网技术(中国)有限公司 Alarm method and device
CN111858782A (en) * 2020-07-07 2020-10-30 Oppo(重庆)智能科技有限公司 Database construction method, device, medium and equipment based on information security
CN112769775B (en) * 2020-12-25 2023-05-12 深信服科技股份有限公司 Threat information association analysis method, system, equipment and computer medium
CN112749390A (en) * 2020-12-28 2021-05-04 深信服科技股份有限公司 Virus detection method, device, equipment and computer readable storage medium
CN113691524A (en) * 2021-08-23 2021-11-23 杭州安恒信息技术股份有限公司 Alarm information processing method, system, electronic equipment and storage medium
CN114095217A (en) * 2021-11-06 2022-02-25 北京天融信网络安全技术有限公司 Evidence obtaining and tracing method and system for failing host snapshot
CN114006778B (en) * 2022-01-05 2022-03-25 北京微步在线科技有限公司 Threat information identification method and device, electronic equipment and storage medium
CN116155548B (en) * 2022-12-22 2024-08-23 新浪技术(中国)有限公司 Threat identification method and system
CN115865525B (en) * 2023-02-16 2023-05-26 北京微步在线科技有限公司 Log data processing method, device, electronic equipment and storage medium
CN118282745B (en) * 2024-04-08 2024-09-27 中国人民解放军61660部队 Host intrusion index detection method based on network collaboration mechanism

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103824069A (en) * 2014-03-19 2014-05-28 北京邮电大学 Intrusion detection method based on multi-host-log correlation
CN105933186A (en) * 2016-06-30 2016-09-07 北京奇虎科技有限公司 Security detection method, device and system
CN107196910A (en) * 2017-04-18 2017-09-22 国网山东省电力公司电力科学研究院 Threat early warning monitoring system, method and the deployment framework analyzed based on big data
CN107295021A (en) * 2017-08-16 2017-10-24 深信服科技股份有限公司 The safety detection method and system of a kind of main frame based on centralized management

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10581903B2 (en) * 2016-06-16 2020-03-03 Level 3 Communications, Llc Systems and methods for preventing denial of service attacks utilizing a proxy server
US10366229B2 (en) * 2016-06-20 2019-07-30 Jask Labs Inc. Method for detecting a cyber attack
CN107145779B (en) * 2017-03-16 2020-01-17 北京网康科技有限公司 Method and device for identifying offline malicious software log
CN107819783A (en) * 2017-11-27 2018-03-20 深信服科技股份有限公司 A kind of network security detection method and system based on threat information

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103824069A (en) * 2014-03-19 2014-05-28 北京邮电大学 Intrusion detection method based on multi-host-log correlation
CN105933186A (en) * 2016-06-30 2016-09-07 北京奇虎科技有限公司 Security detection method, device and system
CN107196910A (en) * 2017-04-18 2017-09-22 国网山东省电力公司电力科学研究院 Threat early warning monitoring system, method and the deployment framework analyzed based on big data
CN107295021A (en) * 2017-08-16 2017-10-24 深信服科技股份有限公司 The safety detection method and system of a kind of main frame based on centralized management

Also Published As

Publication number Publication date
CN108763031A (en) 2018-11-06

Similar Documents

Publication Publication Date Title
CN108763031B (en) A log-based threat intelligence detection method and device
US11429625B2 (en) Query engine for remote endpoint information retrieval
CN112100545A (en) Visualization method, apparatus, device and readable storage medium of network assets
CN110210213B (en) Method and device for filtering malicious sample, storage medium and electronic device
CN108337269B (en) A WebShell Detection Method
CN110188538B (en) Method and device for detecting data using sandbox cluster
CN107733902A (en) A kind of monitoring method and device of target data diffusion process
CN110941823B (en) Threat information acquisition method and device
CN112910895B (en) Network attack behavior detection method and device, computer equipment and system
CN115865525B (en) Log data processing method, device, electronic equipment and storage medium
CN111193633B (en) Method and device for detecting abnormal network connection
CN111740868A (en) Alarm data processing method and device and storage medium
CN105959294B (en) A kind of malice domain name discrimination method and device
CN115766258B (en) Multi-stage attack trend prediction method, equipment and storage medium based on causal relationship graph
CN110830500B (en) Network attack tracking method and device, electronic equipment and readable storage medium
CN112579418A (en) Method, device, equipment and computer readable medium for identifying access log
CN108156127B (en) Network attack mode judging device, judging method and computer readable storage medium thereof
CN115811468A (en) Distribution method, device, electronic equipment and storage medium of flow collection strategy
CN114793204A (en) Network asset detection method
CN114461864A (en) An alarm tracing method and device
CN116155519A (en) Threat alert information processing method, threat alert information processing device, computer equipment and storage medium
US11133977B2 (en) Anonymizing action implementation data obtained from incident analysis systems
CN110188537B (en) Data separation storage method and device, storage medium, and electronic device
CN110505238A (en) Processing device and method of message queue based on EDR
CN115001724B (en) Network threat intelligence management method, device, computing equipment and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

CB02 Change of applicant information
GR01 Patent grant
GR01 Patent grant