CN108763031B - Log-based threat information detection method and device - Google Patents

Publication number: CN108763031B
Authority: CN (China)
Prior art keywords: file, threat, files, log, target
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201810306120.2A
Other languages: Chinese (zh)
Other versions: CN108763031A
Inventor
白敏�
高浩浩
李朋举
韩志立
汪列军
Current assignee: Qax Technology Group Inc (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Qax Technology Group Inc

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; error correction; monitoring > G06F11/30 Monitoring > G06F11/32 Monitoring with visual or acoustical indication of the functioning of the machine > G06F11/324 Display of status information > G06F11/327 Alarm or error message display
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures


Abstract

The embodiments of the invention disclose a log-based threat intelligence detection method and device. The method comprises: acquiring log files of different file types, parsing them, matching them against different threat indicator (IOC) types, and adding the parsed files of the different IOC types to a detection engine queue; taking a target parsed file from the detection engine queue and determining the corresponding target query mode from the IOC type of that file; and, if threat intelligence is found in the target parsed file under the target query mode, generating threat alert information, such as a compromised host or a malicious file. Because log files of different file types are parsed and each target parsed file is queried in the corresponding compromise-detection query mode, large batches of data can be processed in parallel, and the efficiency of network security detection over mass data is greatly improved.

Description

Log-based threat information detection method and device
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a method and a device for detecting threat intelligence based on logs.
Background
With the rapid development of computer technology and network applications, the volume of network data keeps growing, and the security of that mass data matters more and more. Applications such as social networks, mobile communication, online video and audio, electronic commerce, sensor networks and scientific experiments routinely generate tens of millions, hundreds of millions or billions of records, and to keep the network secure this mass data has to be inspected.
The prior art mainly relies on detecting a single type of log. That copes with a network carrying little data, but for a network carrying mass data its efficiency clearly cannot meet the requirement: detection slows network operation considerably and covers only a small share of the data.
While implementing the embodiments of the present invention, the inventors found that the detection efficiency of the existing method for network security detection over mass data is too low.
Disclosure of Invention
Because of these problems with the existing method, the embodiments of the invention provide a log-based threat intelligence detection method and device.
In a first aspect, an embodiment of the present invention provides a log-based threat intelligence detection method, including:
acquiring log files of different file types, parsing the log files, matching different threat indicator (IOC) types to obtain parsed files, and adding the parsed files to a detection engine queue;
acquiring a target parsed file from the detection engine queue, and determining the corresponding compromise-detection target query mode from the IOC type of the target parsed file;
and if threat intelligence exists in the target parsed file under the target query mode, generating threat alert information.
Optionally, parsing the log file to obtain parsed files of different threat indicator IOC types includes:
parsing the log file, determining the IOC type of the log file by primary key, and detecting a malicious domain name, IP address or malicious file in the log file, to obtain parsed files of different IOC types.
Optionally, if threat intelligence exists in the target analysis file according to the target query mode, generating threat alarm information, specifically including:
carrying out batch query on the target analysis files according to the target query mode;
and if threat intelligence exists in the target analysis file, generating threat alarm information.
Optionally, acquiring log files of different file types, parsing them to obtain parsed files of different threat indicator IOC types, and adding the parsed files of different IOC types to a detection engine queue further includes:
if the data volume of the parsed files of different IOC types exceeds a threshold, temporarily storing the parsed files of different IOC types in a database.
Optionally, before generating threat alert information when threat intelligence is found in the target parsed file under the target query mode, the method further includes:
if an exception occurs while the target parsed file is queried under the target query mode, saving the values that raised the exception to an exception queue.
Optionally, the method further comprises:
determining a corresponding display type according to the type of the threat alarm information, sending the threat alarm information to a display for displaying according to the display type, generating an alarm log according to the threat alarm information, and storing the threat alarm information and the alarm log.
In a second aspect, an embodiment of the present invention further provides a threat intelligence detection apparatus based on a log, including:
a file parsing module, used to acquire log files of different file types, parse the log files, match different threat indicator IOC types to obtain parsed files, and add the parsed files to a detection engine queue;
a corresponding query module, used to acquire a target parsed file from the detection engine queue and determine the corresponding compromise-detection target query mode from the IOC type of the target parsed file;
and a threat alert module, used to generate threat alert information if threat intelligence exists in the target parsed file under the target query mode.
Optionally, the file parsing module is specifically configured to parse the log file, determine the IOC type of the log file by primary key, and detect a malicious domain name, IP address or malicious file in the log file, obtaining parsed files of different IOC types.
Optionally, the threat alert module is specifically configured to:
carrying out batch query on the target analysis files according to the target query mode;
and if threat intelligence exists in the target analysis file, generating threat alarm information.
Optionally, the apparatus further comprises:
a file temporary storage module, used to temporarily store the parsed files of different IOC types in a database if their data volume exceeds a threshold.
Optionally, the apparatus further comprises:
an exception saving module, used to save the values that raised an exception to an exception queue if an exception occurs while the target parsed file is queried under the target query mode.
Optionally, the apparatus further comprises:
and the alarm display module is used for determining a corresponding display type according to the type of the threat alarm information, sending the threat alarm information to a display for display according to the display type, generating an alarm log according to the threat alarm information, and storing the threat alarm information and the alarm log.
In a third aspect, an embodiment of the present invention further provides an electronic device, including:
at least one processor; and
at least one memory communicatively coupled to the processor, wherein:
the memory stores program instructions executable by the processor, which when called by the processor are capable of performing the above method.
In a fourth aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium storing a computer program, which causes the computer to execute the above method.
According to this technical scheme, log files of different file types are parsed and each target parsed file is queried in the corresponding compromise-detection query mode, so large batches of data can be processed in parallel and the efficiency of network security detection over mass data is greatly improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic flow chart of a threat intelligence detection method based on logs according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of a compromise detection method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the detection results of a log-based threat intelligence detector according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the detection results of a log-based threat intelligence detector according to another embodiment of the present invention;
fig. 5 is a schematic structural diagram of a threat intelligence detection apparatus based on a log according to an embodiment of the present invention;
fig. 6 is a logic block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following further describes embodiments of the present invention with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
Fig. 1 shows a schematic flow chart of a threat intelligence detection method based on a log according to this embodiment, which includes:
S101, acquiring log files of different file types, parsing the log files, matching different threat indicator (IOC) types to obtain parsed files, and adding the parsed files to a detection engine queue.
Log files can arrive in several modes, such as file mode, logstack mode or API mode, and the concrete file types can include traffic logs such as JSON, Syslog, NetFlow, DNS and HTTP, as well as the log records of a SIEM system. Acquiring log files of different file types makes it easy to assemble and parse a wide range of logs, stays compatible with as many log formats as possible, and prepares the data for the later detection and matching.
The detection engine queue stores the parsed files of the different IOC types for the subsequent compromise detection.
S102, acquiring a target parsed file from the detection engine queue, and determining the corresponding compromise-detection target query mode from the IOC type of the target parsed file.
The compromise-detection query modes include CC (command-and-control server) query, sinkhole query and DGA (domain generation algorithm) query.
S103, if threat intelligence exists in the target parsed file under the target query mode, generating threat alert information.
Specifically, as shown in fig. 2, after data is taken from the detection engine queue, the corresponding database is queried in CC, sinkhole or DGA mode and the result is checked: if the query hits, threat alert information is generated; otherwise a failure field is stored.
This embodiment has four parts: log receiving, log parsing, the detection engine and log alerting. Unlike a common log detection scheme, these four parts accept many log formats, perform well, and combine the logs with threat intelligence for precise matching across the four processing stages.
Because log files of different file types are parsed and each target parsed file is queried in the corresponding compromise-detection query mode, large batches of data can be processed in parallel and the efficiency of network security detection over mass data is greatly improved.
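Steps S101 to S103 in working form, as an added example that is not part of the patent or of Qax Technology Group's code: two constructed log formats (JSON events and two syslog shapes) are parsed into records keyed by IOC type, queued, and then looked up by the primary key (IOC type, value) in a constructed threat-intelligence table whose records carry the query mode (cc, sinkhole, dga or file) that owns them; a record only alerts when that mode applies to its IOC type. The field names, the regular expressions, the mode-to-type mapping and every sample line and indicator below are assumptions made for the example.

```python
import json
import re
from collections import deque

# Constructed threat-intelligence store keyed by the primary key (ioc_type, value).
# "source" names the query mode that owns the record: cc, sinkhole, dga or file.
INTEL = {
    ("domain", "cc.bad-example.test"): {"source": "cc", "family": "RAT-X"},
    ("ip", "203.0.113.7"): {"source": "sinkhole", "family": "sinkholed botnet"},
    ("domain", "xk3q9z1vb2.bad-example.test"): {"source": "dga", "family": "DGA-family"},
    ("sha1", "da39a3ee5e6b4b0d3255bfef95601890afd80709"): {"source": "file", "family": "dropper"},
}

# S102: the query modes that apply to each IOC type (assumed mapping).
QUERY_MODES = {"domain": ("cc", "dga"), "ip": ("cc", "sinkhole"),
               "sha1": ("file",), "md5": ("file",)}

# A domain or IP hit marks the source host as compromised; a hash hit marks a malicious file.
ALERT_TYPE = {"domain": "compromised_host", "ip": "compromised_host",
              "sha1": "malicious_file", "md5": "malicious_file"}

# Constructed syslog shapes: a BIND-style query log line and a netfilter-style connection line.
SYSLOG_DNS = re.compile(r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+)")
SYSLOG_CONN = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+)")


def parse_line(fmt, line):
    """S101: turn one raw log line of format `fmt` ("json" or "syslog") into
    IOC records {'ioc_type', 'value', 'host', 'raw'}; unknown formats yield nothing."""
    records = []
    if fmt == "json":
        ev = json.loads(line)
        host = ev.get("src_ip", "")
        for field, ioc_type in (("dst_domain", "domain"), ("dst_ip", "ip"),
                                ("sha1", "sha1"), ("md5", "md5")):
            if ev.get(field):
                records.append({"ioc_type": ioc_type, "value": ev[field].lower(),
                                "host": host, "raw": line})
    elif fmt == "syslog":
        m = SYSLOG_DNS.search(line)
        if m:  # normalise: drop the trailing dot of the DNS name, lower-case it
            records.append({"ioc_type": "domain", "value": m["qname"].rstrip(".").lower(),
                            "host": m["src"], "raw": line})
        m = SYSLOG_CONN.search(line)
        if m:
            records.append({"ioc_type": "ip", "value": m["dst"], "host": m["src"], "raw": line})
    return records


def enqueue(lines, queue=None):
    """S101: parse (fmt, line) pairs and push the records onto the detection engine queue."""
    queue = deque() if queue is None else queue
    for fmt, line in lines:
        queue.extend(parse_line(fmt, line))
    return queue


def query(record):
    """S102/S103: pick the query modes for the record's IOC type and look the primary
    key up in the store. A record is a hit only if its source is one of those modes."""
    modes = QUERY_MODES.get(record["ioc_type"], ())
    hit = INTEL.get((record["ioc_type"], record["value"]))
    return hit if hit and hit["source"] in modes else None


def detect(queue):
    """S103: drain the queue and emit one alert per intelligence hit."""
    alerts = []
    while queue:
        rec = queue.popleft()
        hit = query(rec)
        if hit is not None:
            alerts.append({"alert_type": ALERT_TYPE[rec["ioc_type"]], "query_mode": hit["source"],
                           "ioc_type": rec["ioc_type"], "ioc": rec["value"], "host": rec["host"],
                           "family": hit["family"], "raw": rec["raw"]})
    return alerts


# Constructed sample log lines in two formats (not from any real system).
SAMPLE_LOGS = [
    ("json", '{"src_ip": "10.0.0.5", "dst_domain": "cc.bad-example.test", "method": "GET"}'),
    ("json", '{"src_ip": "10.0.0.9", "dst_domain": "www.example.org"}'),
    ("json", '{"src_ip": "10.0.0.7", "sha1": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"}'),
    ("syslog", "Apr  8 12:00:01 ns1 named[123]: client 10.0.0.12#5353: query: xk3q9z1vb2.bad-example.test. IN A"),
    ("syslog", "Apr  8 12:00:02 fw kernel: IN=eth0 SRC=10.0.0.3 DST=203.0.113.7 PROTO=TCP DPT=443"),
]


def run(lines=SAMPLE_LOGS):
    return detect(enqueue(lines))


if __name__ == "__main__":
    for a in run():
        print(a["alert_type"], a["host"], a["ioc_type"], a["ioc"], "via", a["query_mode"])
```

Running the file prints four alerts: three compromised hosts (a CC, a DGA and a sinkhole hit) and one malicious file; the benign www.example.org lookup produces none. Normalising the value (lower-casing, dropping the trailing dot of a DNS name) before building the key is what makes the primary-key match reliable across log formats, and the mode check in query() keeps, for instance, a file-reputation record from ever firing on a domain lookup.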
Further, on the basis of the above method embodiment, the parsing the log file in S101 to obtain parsed files of different threat indicator IOC types specifically includes:
parsing the log file, determining the IOC type of the log file by primary key, and detecting a malicious domain name, IP address or malicious file in the log file, to obtain parsed files of different IOC types.
Specifically, two main module engines detect and process the various log formats, and the IOC (indicator of compromise) in the intelligence is matched by primary key to detect a malicious domain name, IP address or malicious file and to provide detail for attack tracing. As shown in fig. 3 and 4, the various kinds of threat intelligence can be used to detect and trace the logs of the live network, such as web logs, traffic logs and file transfer logs.
This embodiment provides an efficient log storage and alert detection mechanism that matches against massive intelligence: it can detect and alert accurately with the existing intelligence even with large volumes of logs from heterogeneous data sources, and by combining an effective way of parsing logs with a threat intelligence source it finds anomalous attacks efficiently and supports tracing.
Further, on the basis of the above method embodiment, S103 specifically includes:
S1031, performing batch queries of the target parsed files under the target query mode.
S1032, if threat intelligence exists in the target parsed file, generating threat alert information.
Specifically, compromise detection is the core of this embodiment: it matches the compromise-detection threat intelligence against the raw logs and checks for compromised hosts and anomalous behaviour logs. The process is shown in FIG. 2: first, data is taken from the detection engine queue and batch CC, DGA and sinkhole queries are run (kc mode); then host, ip, sha1 and MD5 values are taken from the parsed list and queried against kc or kt in batches of 1000; then the process check_complement.py is started, whose functions check_cc, check_dga and check_sinkhole perform the checks and constraint_alert_info assembles the alert information into a structure that is sent to the corresponding alert module over a socket.
Malicious domain names, malicious IP addresses and malicious files can be detected efficiently by compromise detection; by matching ordinary web logs, traffic logs and behaviour logs against valid IOC intelligence, malicious threats can be found accurately and traced.
Further, on the basis of the above method embodiment, after S101, the method further includes:
S1012, if the data volume of the parsed files of different IOC types exceeds a threshold, temporarily storing the parsed files of different IOC types in a database.
Specifically, the different data sources are received and parsed through the logstack, and logs with a large data volume are held in a buffer queue so that the computer can read and process them from the temporary database. To keep data storage from occupying too much memory when the log flow is too large, the logs can be held temporarily in the kc library; once the query and the assembly of the alert fields are finished, the alert is generated and the queried entries are deleted from the kc library.
Further, on the basis of the foregoing method embodiment, before S103, the method further includes:
S1023, if an exception occurs while the target parsed file is queried under the target query mode, saving the values that raised the exception to an exception queue.
In particular, when an anomalous file spreads or appears in a user's network, the malicious sample must be discovered and an alert raised in time, with details of the sample. Data is taken from the file reputation detection queue and queried against file reputation in batches (kt mode), executed by the key process check_filepresentation: check_info performs the check and constraint_alert_info assembles the alert information into a structure that is sent to the corresponding alert module over a socket. When a query raises an exception, the keys involved are saved to the exception list; when the queue is empty, the process sleeps.
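The two safeguards from S1012 and S1023, together with the batched querying of S1031, as an added example that is not the patent's or Qax Technology Group's code: a detection engine that parks records in a temporary store once the in-memory queue passes a threshold (the page's kc library is replaced by a dict here), queries the intelligence backend in fixed-size batches (1000 on the page; 3 in the demo so every path runs), and saves the whole batch to an exception queue when the query raises, instead of losing it, with the worker going idle when nothing is queued. The backend, its transient failure, the spill threshold, the record layout and the sample records are all constructed for the example.

```python
from collections import deque

BATCH_SIZE = 1000        # the page queries the store 1000 keys per batch
SPILL_THRESHOLD = 10000  # assumption: queued records beyond this go to the temporary store


class DetectionEngine:
    """Detection engine queue plus the two safeguards: records beyond the threshold
    are parked in a temporary store (S1012), and a batch whose query raises is kept
    in an exception queue for retry instead of being dropped (S1023).
    `lookup(keys)` is any batch query callable returning {key: intel} for the hits."""

    def __init__(self, lookup, batch_size=BATCH_SIZE, spill_threshold=SPILL_THRESHOLD):
        self.lookup = lookup
        self.batch_size = batch_size
        self.spill_threshold = spill_threshold
        self.queue = deque()        # in-memory detection engine queue
        self.temp_store = {}        # stand-in for the temporary database; key -> record
        self.exception_queue = []   # records whose batch query raised
        self.alerts = []

    def ingest(self, records):
        """Append records of the form {'key': (ioc_type, value), 'host': ...};
        once the queue is full, park the rest in the temporary store."""
        for rec in records:
            if len(self.queue) < self.spill_threshold:
                self.queue.append(rec)
            else:
                self.temp_store[rec["key"]] = rec

    def _refill(self):
        # Pull parked records back; a record leaves the temp store once it is queued.
        while self.temp_store and len(self.queue) < self.spill_threshold:
            _, rec = self.temp_store.popitem()
            self.queue.append(rec)

    def step(self):
        """Query one batch. Returns the number of hits, or None when there is nothing
        to do (the page puts the worker process to sleep at that point)."""
        if not self.queue and not self.temp_store:
            return None
        self._refill()
        batch = [self.queue.popleft() for _ in range(min(self.batch_size, len(self.queue)))]
        try:
            hits = self.lookup([rec["key"] for rec in batch])
        except Exception:
            self.exception_queue.extend(batch)   # keep the failed keys for a later retry
            return 0
        for rec in batch:
            intel = hits.get(rec["key"])
            if intel:
                self.alerts.append({"key": rec["key"], "host": rec["host"], **intel})
        return len(hits)

    def retry_exceptions(self):
        """Re-queue everything saved by a failed batch."""
        pending, self.exception_queue = self.exception_queue, []
        self.ingest(pending)


# Constructed intelligence table and a backend whose first batch containing the
# poison key fails, modelling a transient query error.
MALICIOUS = {
    ("domain", "cc.bad-example.test"): {"source": "cc", "family": "RAT-X"},
    ("ip", "203.0.113.7"): {"source": "sinkhole", "family": "sinkholed botnet"},
}
POISON = ("ip", "0.0.0.0")


class ConstructedBackend:
    def __init__(self):
        self.outages_left = 1

    def __call__(self, keys):
        if POISON in keys and self.outages_left:
            self.outages_left -= 1
            raise RuntimeError("backend unavailable")
        return {k: MALICIOUS[k] for k in keys if k in MALICIOUS}


def demo():
    """Small queue and batch so every path is exercised: 9 records, threshold 4, batch 3."""
    eng = DetectionEngine(ConstructedBackend(), batch_size=3, spill_threshold=4)
    records = [{"key": ("domain", f"h{i}.example.org"), "host": "10.0.0.1"} for i in range(6)]
    records += [{"key": ("domain", "cc.bad-example.test"), "host": "10.0.0.5"},
                {"key": POISON, "host": "10.0.0.6"},
                {"key": ("ip", "203.0.113.7"), "host": "10.0.0.3"}]
    eng.ingest(records)
    hits_per_step = []
    while (n := eng.step()) is not None:
        hits_per_step.append(n)
    failed = len(eng.exception_queue)
    eng.retry_exceptions()
    while (n := eng.step()) is not None:
        hits_per_step.append(n)
    return eng, hits_per_step, failed


if __name__ == "__main__":
    engine, steps, failed = demo()
    print("hits per step:", steps, "| records saved after the failed batch:", failed)
    for a in engine.alerts:
        print(a["host"], a["key"], a["source"], a["family"])
```

The demo yields [0, 0, 1, 1] hits per batch: the second batch fails and its three records (one of them a real sinkhole hit) are held in the exception queue rather than discarded; after retry_exceptions() the backend answers and that hit is alerted. Records are removed from the temporary store as they are re-queued, which mirrors the page's point that queried entries are deleted from the kc library to bound memory.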
Further, on the basis of the above embodiment of the method, the method further comprises:
S104, determining the corresponding display type from the type of the threat alert information, sending the threat alert information to the display according to that display type, generating an alert log from the threat alert information, and storing the threat alert information and the alert log.
Specifically, threat alert information detected by matching against threat intelligence is shown on the front end as an alert, and the original field log is written to the database. The alert fields are designed slightly differently for alerts matched against different intelligence types, so that users can review them conveniently.
Specifically, a process log_part.py can be run: it receives the log through the function recv_log, parses it through the function pars_log, writes it to the kc engine through the function write_kc, and caches it.
Because large numbers of logs are received without retaining the raw log for long, this embodiment can store the raw alert and display it in the interface for every malicious threat alert produced by detection.
Fig. 5 shows a schematic structural diagram of a log-based threat intelligence detection apparatus provided in this embodiment, where the apparatus includes: a file parsing module 501, a corresponding query module 502 and a threat warning module 503, wherein:
the file analysis module 501 is configured to obtain log files of different file types, analyze the log files, match different threat indicator IOC types to obtain analysis files, and add the analysis files to a detection engine queue;
the corresponding query module 502 is configured to acquire a target parsed file from the detection engine queue and determine the corresponding compromise-detection target query mode from the IOC type of the target parsed file;
the threat alert module 503 is configured to generate threat alert information if threat intelligence is found in the target parsed file under the target query mode.
Specifically, the file parsing module 501 acquires log files of different file types, parses them, matches different threat indicator IOC types to obtain parsed files, and adds the parsed files to the detection engine queue; the corresponding query module 502 takes a target parsed file from the detection engine queue and determines the corresponding compromise-detection target query mode from its IOC type; the threat alert module 503 generates threat alert information if threat intelligence is found in the target parsed file under the target query mode.
Because log files of different file types are parsed and each target parsed file is queried in the corresponding compromise-detection query mode, large batches of data can be processed in parallel and the efficiency of network security detection over mass data is greatly improved.
Further, on the basis of the above apparatus embodiment, the file parsing module 501 is specifically configured to parse the log file, determine the IOC type of the log file by primary key, and detect a malicious domain name, IP address or malicious file in the log file, obtaining parsed files of different IOC types.
Further, on the basis of the above apparatus embodiment, the threat alert module 503 is specifically configured to:
carrying out batch query on the target analysis files according to the target query mode;
and if threat intelligence exists in the target analysis file, generating threat alarm information.
Further, on the basis of the above embodiment of the apparatus, the apparatus further comprises:
and the file temporary storage module is used for temporarily storing the analysis files of different IOC types into a database if the data volume of the analysis files of different IOC types is greater than a threshold value.
Further, on the basis of the above embodiment of the apparatus, the apparatus further comprises:
an exception saving module, used to save the values that raised an exception to an exception queue if an exception occurs while the target parsed file is queried under the target query mode.
Further, on the basis of the above embodiment of the apparatus, the apparatus further comprises:
and the alarm display module is used for determining a corresponding display type according to the type of the threat alarm information, sending the threat alarm information to a display for display according to the display type, generating an alarm log according to the threat alarm information, and storing the threat alarm information and the alarm log.
The threat intelligence detection apparatus based on log described in this embodiment may be used to implement the above method embodiments, and the principle and technical effect are similar, which are not described herein again.
Referring to fig. 6, the electronic device includes: a processor (processor)601, a memory (memory)602, and a bus 603;
wherein,
the processor 601 and the memory 602 communicate with each other through the bus 603;
the processor 601 is used for calling the program instructions in the memory 602 to execute the methods provided by the above-mentioned method embodiments.
The present embodiments disclose a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the methods provided by the above-described method embodiments.
The present embodiments provide a non-transitory computer-readable storage medium storing computer instructions that cause the computer to perform the methods provided by the method embodiments described above.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
It should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, and not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (12)

1. A threat intelligence detection method based on logs is characterized by comprising the following steps:
acquiring log files of different file types, analyzing the log files, matching different threat indicator IOC types to obtain analyzed files, and adding the analyzed files to a detection engine queue;
acquiring a target parsed file from the detection engine queue, and determining the corresponding compromise-detection target query mode from the IOC type of the target parsed file, wherein the compromise-detection target query modes comprise a command-and-control server query, a sinkhole query and a DGA (domain generation algorithm) query;
if threat intelligence exists in the target analysis file according to the target query mode, threat alarm information is generated;
wherein parsing the log file to obtain parsed files of different threat indicator IOC types specifically comprises:
parsing the log file, determining the IOC type of the log file by primary key, and detecting a malicious domain name, IP address or malicious file in the log file, to obtain parsed files of different IOC types.
2. The method according to claim 1, wherein if it is found that threat intelligence exists in the target analysis file according to the target query method, generating threat alarm information specifically includes:
carrying out batch query on the target analysis files according to the target query mode;
and if threat intelligence exists in the target analysis file, generating threat alarm information.
3. The method of claim 1, wherein the obtaining log files of different file types, parsing the log files to obtain parsed files of different threat indicator IOC types, and adding the parsed files of different IOC types to a detection engine queue further comprises:
if the data volume of the analysis files of different IOC types is larger than a threshold value, the analysis files of different IOC types are temporarily stored in a database.
4. The method according to claim 1, wherein before generating threat alert information if threat intelligence exists in the target resolution file according to the target query manner, the method further comprises:
if an exception occurs while the target parsed file is queried under the target query mode, saving the values that raised the exception to an exception queue.
5. The method according to any one of claims 1-4, further comprising:
and determining a corresponding display type according to the type of the threat alarm information, sending the threat alarm information to a display for displaying according to the display type, generating an alarm log according to the threat alarm information, and storing the threat alarm information and the alarm log.
6. A log-based threat intelligence detection apparatus, comprising:
the file analysis module is used for acquiring log files of different file types, analyzing the log files, matching different threat indicator IOC types to obtain analysis files, and adding the analysis files to a detection engine queue;
a corresponding query module, used to acquire a target parsed file from the detection engine queue and determine the corresponding compromise-detection target query mode from the IOC type of the target parsed file, wherein the compromise-detection target query modes comprise a command-and-control server query, a sinkhole query and a DGA (domain generation algorithm) query;
a threat alert module, used to generate threat alert information if threat intelligence exists in the target parsed file under the target query mode;
wherein the file parsing module is specifically configured to parse the log file, determine the IOC type of the log file by primary key, and detect a malicious domain name, IP address or malicious file in the log file, obtaining parsed files of different IOC types.
7. The apparatus of claim 6, wherein the threat alert module is specifically configured to:
carrying out batch query on the target analysis files according to the target query mode;
and if threat intelligence exists in the target analysis file, generating threat alarm information.
8. The apparatus of claim 6, further comprising:
and the file temporary storage module is used for temporarily storing the analysis files of different IOC types into a database if the data volume of the analysis files of different IOC types is greater than a threshold value.
9. The apparatus of claim 6, further comprising:
and the exception saving module is used for saving the queue entry that raised the exception if an exception occurs when the target analysis file is queried according to the target query mode.
10. The apparatus according to any one of claims 6-9, further comprising:
and the alarm display module is used for determining a corresponding display type according to the type of the threat alarm information, sending the threat alarm information to a display for display according to the display type, generating an alarm log according to the threat alarm information, and storing the threat alarm information and the alarm log.
11. An electronic device, comprising:
at least one processor; and
at least one memory communicatively coupled to the processor, wherein:
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any of claims 1 to 5.
12. A non-transitory computer-readable storage medium storing a computer program that causes a computer to perform the method according to any one of claims 1 to 5.
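The following Python program is an added illustration of the apparatus of claims 6 to 10, not code from the patent or its assignee. It follows the claimed module layout: a file analysis step that picks the IOC type from a key field of each log line, a detection engine queue, a query step that chooses command-and-control, sinkhole or algorithmically generated domain name checks by IOC type and runs them over the whole batch, a threat alarm with a display type, a threshold that spills oversized batches to a temporary store, and an exception queue for entries whose query fails. All log lines, intelligence tables, the threshold, the entropy heuristic standing in for the algorithmic-domain check and the display labels are constructed assumptions.

```python
"""Log-to-threat-intelligence pipeline following the module layout of
claims 6-10. Added illustration, not the patent's own code; every log
line, intelligence table, threshold and display label is constructed."""
import math
import re
from collections import deque

# Constructed stand-ins for the C2, sinkhole and malicious-file lookups.
C2_INTEL = {"203.0.113.7", "evil-update.example"}
SINKHOLE_INTEL = {"sinkholed.example"}
MALICIOUS_FILE_INTEL = {"0123456789abcdef0123456789abcdef"}

# Assumed mapping IOC type -> compromise-detection query modes, and
# query mode -> display type used by the alarm display module (claim 10).
QUERY_MODES = {"domain": ["c2", "sinkhole", "dga"], "ip": ["c2"], "file": ["malicious_file"]}
DISPLAY_TYPE = {"c2": "critical", "sinkhole": "warning", "dga": "warning", "malicious_file": "critical"}

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_log_line(line):
    """File analysis module: choose the IOC type from a key field (the
    claim's 'primary key' manner). Constructed key=value formats:
    DNS (qname), proxy (dst) and endpoint (md5)."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    if "qname" in fields:
        return {"ioc_type": "domain", "value": fields["qname"].lower(), "raw": line}
    if "dst" in fields and IP_RE.match(fields["dst"]):
        return {"ioc_type": "ip", "value": fields["dst"], "raw": line}
    if "md5" in fields and MD5_RE.match(fields["md5"].lower()):
        return {"ioc_type": "file", "value": fields["md5"].lower(), "raw": line}
    raise ValueError("unrecognised log line: %r" % line)


def looks_algorithmic(domain):
    """Assumed heuristic for the 'DNS query generated by a special
    algorithm' mode: a long leftmost label with high character entropy."""
    label = domain.split(".")[0]
    if len(label) < 12:
        return False
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs) > 3.5


def run_query(mode, value):
    """One lookup backend per query mode; unknown modes raise KeyError."""
    if mode == "c2":
        return value in C2_INTEL
    if mode == "sinkhole":
        return value in SINKHOLE_INTEL
    if mode == "dga":
        return looks_algorithmic(value)
    if mode == "malicious_file":
        return value in MALICIOUS_FILE_INTEL
    raise KeyError("no query backend for mode %r" % mode)


class Detector:
    def __init__(self, threshold=100):
        self.threshold = threshold    # assumed batch-size threshold (claim 8)
        self.queue = deque()          # detection engine queue
        self.overflow_db = []         # file temporary storage stand-in
        self.exception_queue = []     # exception saving module stand-in
        self.alarm_log = []           # alarm log kept by the display module

    def analyse_files(self, log_lines):
        """Parse a batch into analysis files; queue them, or spill the
        batch to the database when it exceeds the threshold."""
        records = [parse_log_line(line) for line in log_lines]
        target = self.overflow_db if len(records) > self.threshold else self.queue
        target.extend(records)
        return len(records)

    def detect(self):
        """Query module + threat warning module: drain the queue, group by
        IOC type, batch-run that type's query modes, emit one alarm per hit."""
        batches = {}
        while self.queue:
            record = self.queue.popleft()
            batches.setdefault(record["ioc_type"], []).append(record)
        alarms = []
        for ioc_type, records in batches.items():
            try:
                for mode in QUERY_MODES[ioc_type]:
                    for record in records:
                        if run_query(mode, record["value"]):
                            alarms.append({"ioc_type": ioc_type, "value": record["value"],
                                           "mode": mode, "display": DISPLAY_TYPE[mode],
                                           "raw": record["raw"]})
            except KeyError as exc:
                # Exception saving module: keep the failed entries for replay.
                self.exception_queue.extend({"record": r, "error": str(exc)} for r in records)
        self.alarm_log.extend(alarms)
        return alarms


SAMPLE_LOG = [  # constructed, not real telemetry
    "ts=1523150400 type=dns src=10.0.0.5 qname=evil-update.example",
    "ts=1523150401 type=dns src=10.0.0.5 qname=xk3j9q2mz8vlp4wt.example",
    "ts=1523150402 type=proxy src=10.0.0.5 dst=203.0.113.7 dport=443",
    "ts=1523150403 type=dns src=10.0.0.9 qname=sinkholed.example",
    "ts=1523150404 type=edr host=ws01 md5=0123456789ABCDEF0123456789abcdef",
    "ts=1523150405 type=proxy src=10.0.0.6 dst=198.51.100.20 dport=80",
]
```

Running `Detector().analyse_files(SAMPLE_LOG)` followed by `detect()` yields five alarms for the constructed sample (two C2 hits, one sinkhole hit, one algorithmic-domain hit, one malicious file) and none for the benign proxy line; a `Detector(threshold=2)` sends the same six records to `overflow_db` instead of the queue, and a queued record with an IOC type that has no query mode lands in `exception_queue` rather than aborting the batch.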
CN201810306120.2A 2018-04-08 2018-04-08 Log-based threat information detection method and device Active CN108763031B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810306120.2A CN108763031B (en) 2018-04-08 2018-04-08 Log-based threat information detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810306120.2A CN108763031B (en) 2018-04-08 2018-04-08 Log-based threat information detection method and device

Publications (2)

Publication Number Publication Date
CN108763031A CN108763031A (en) 2018-11-06
CN108763031B true CN108763031B (en) 2022-05-24

Family

ID=63981150

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810306120.2A Active CN108763031B (en) 2018-04-08 2018-04-08 Log-based threat information detection method and device

Country Status (1)

Country Link
CN (1) CN108763031B (en)

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450690B (en) * 2018-11-20 2022-01-25 杭州安恒信息技术股份有限公司 Method and device for quickly locking lost host in networking
CN110868379B (en) * 2018-12-19 2021-09-21 北京安天网络安全技术有限公司 Intrusion threat index expanding method and device based on DNS (Domain name System) analysis message and electronic equipment
CN109862003B (en) * 2019-01-24 2022-02-22 深信服科技股份有限公司 Method, device, system and storage medium for generating local threat intelligence library
CN110166421B (en) * 2019-04-01 2022-10-14 平安科技(深圳)有限公司 Intrusion control method and device based on log monitoring and terminal equipment
CN110188247B (en) * 2019-04-26 2021-07-20 奇安信科技集团股份有限公司 Information generation method, device, computer equipment and computer readable storage medium
CN110266670A (en) * 2019-06-06 2019-09-20 深圳前海微众银行股份有限公司 A kind of processing method and processing device of terminal network external connection behavior
CN112214290B (en) * 2019-07-11 2023-04-11 中移(苏州)软件技术有限公司 Log information processing method, edge node, center node and system
CN110362536A (en) * 2019-07-15 2019-10-22 北京工业大学 Log cipher text retrieval method based on alarm association
CN110351280B (en) * 2019-07-15 2022-05-27 杭州安恒信息技术股份有限公司 Method, system, equipment and readable storage medium for extracting threat information
CN110719291B (en) * 2019-10-16 2022-10-14 杭州安恒信息技术股份有限公司 Network threat identification method and identification system based on threat information
CN111277585B (en) * 2020-01-16 2022-09-30 深信服科技股份有限公司 Threat processing method, device, equipment and readable storage medium
CN113141334A (en) * 2020-01-19 2021-07-20 奇安信科技集团股份有限公司 Data acquisition and analysis method and system based on network attack
CN111404939B (en) * 2020-03-16 2022-08-09 深信服科技股份有限公司 Mail threat detection method, device, equipment and storage medium
CN111414402A (en) * 2020-03-19 2020-07-14 北京神州绿盟信息安全科技股份有限公司 Log threat analysis rule generation method and device
CN111478889B (en) * 2020-03-27 2022-09-02 新浪网技术(中国)有限公司 Alarm method and device
CN111858782A (en) * 2020-07-07 2020-10-30 Oppo(重庆)智能科技有限公司 Database construction method, device, medium and equipment based on information security
CN112769775B (en) * 2020-12-25 2023-05-12 深信服科技股份有限公司 Threat information association analysis method, system, equipment and computer medium
CN112749390A (en) * 2020-12-28 2021-05-04 深信服科技股份有限公司 Virus detection method, device, equipment and computer readable storage medium
CN113691524A (en) * 2021-08-23 2021-11-23 杭州安恒信息技术股份有限公司 Alarm information processing method, system, electronic equipment and storage medium
CN114095217A (en) * 2021-11-06 2022-02-25 北京天融信网络安全技术有限公司 Evidence obtaining and tracing method and system for failing host snapshot
CN114006778B (en) * 2022-01-05 2022-03-25 北京微步在线科技有限公司 Threat information identification method and device, electronic equipment and storage medium
CN116155548B (en) * 2022-12-22 2024-08-23 新浪技术(中国)有限公司 Threat identification method and system
CN115865525B (en) * 2023-02-16 2023-05-26 北京微步在线科技有限公司 Log data processing method, device, electronic equipment and storage medium
CN118282745B (en) * 2024-04-08 2024-09-27 中国人民解放军61660部队 Host intrusion index detection method based on network collaboration mechanism

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103824069A (en) * 2014-03-19 2014-05-28 北京邮电大学 Intrusion detection method based on multi-host-log correlation
CN105933186A (en) * 2016-06-30 2016-09-07 北京奇虎科技有限公司 Security detection method, device and system
CN107196910A (en) * 2017-04-18 2017-09-22 国网山东省电力公司电力科学研究院 Threat early warning monitoring system, method and the deployment framework analyzed based on big data
CN107295021A (en) * 2017-08-16 2017-10-24 深信服科技股份有限公司 The safety detection method and system of a kind of main frame based on centralized management

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10581903B2 (en) * 2016-06-16 2020-03-03 Level 3 Communications, Llc Systems and methods for preventing denial of service attacks utilizing a proxy server
US10366229B2 (en) * 2016-06-20 2019-07-30 Jask Labs Inc. Method for detecting a cyber attack
CN107145779B (en) * 2017-03-16 2020-01-17 北京网康科技有限公司 Method and device for identifying offline malicious software log
CN107819783A (en) * 2017-11-27 2018-03-20 深信服科技股份有限公司 A kind of network security detection method and system based on threat information

Also Published As

Publication number Publication date
CN108763031A (en) 2018-11-06

Similar Documents

Publication Publication Date Title
CN108763031B (en) Log-based threat information detection method and device
CN108092962B (en) Malicious URL detection method and device
CN109951477B (en) Method and device for detecting network attack based on threat intelligence
CN107302586B (en) Webshell detection method and device, computer device and readable storage medium
CN112131577A (en) Vulnerability detection method, device and equipment and computer readable storage medium
CN110188538B (en) Method and device for detecting data by adopting sandbox cluster
CN111193633B (en) Method and device for detecting abnormal network connection
US10262133B1 (en) System and method for contextually analyzing potential cyber security threats
CN110941823B (en) Threat information acquisition method and device
CN114465741B (en) Abnormality detection method, abnormality detection device, computer equipment and storage medium
CN115865525B (en) Log data processing method, device, electronic equipment and storage medium
US9087137B2 (en) Detection of custom parameters in a request URL
CN111740868A (en) Alarm data processing method and device and storage medium
CN110830500B (en) Network attack tracking method and device, electronic equipment and readable storage medium
CN111787030A (en) Network security inspection method, device, equipment and storage medium
CN110955890B (en) Method and device for detecting malicious batch access behaviors and computer storage medium
CN114301659A (en) Network attack early warning method, system, device and storage medium
CN115481166B (en) Data storage method and device, electronic equipment and computer storage medium
CN114826727B (en) Flow data acquisition method, device, computer equipment and storage medium
CN115643044A (en) Data processing method, device, server and storage medium
CN116155519A (en) Threat alert information processing method, threat alert information processing device, computer equipment and storage medium
CN107066538B (en) Data statistics method and device
CN112084504A (en) Virus file processing method and device, electronic equipment and readable storage medium
CN114070819B (en) Malicious domain name detection method, device, electronic device and storage medium
CN113556308B (en) Method, system, equipment and computer storage medium for detecting flow security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

GR01 Patent grant