CN109688105B - Threat alarm information generation method and system - Google Patents


Info

Publication number
CN109688105B
Authority
CN
China
Prior art keywords
threat
information
network
behavior
abnormal behavior
Legal status
Active
Application number
CN201811377198.XA
Other languages
Chinese (zh)
Other versions
CN109688105A (en)
Inventor
李凤华
张玲翠
李莉
周曙光
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The embodiment of the invention provides a threat alarm information generation method and system. The method comprises the following steps: judging whether the obtained target information can represent that the network is threatened or not according to a threat characteristic library, wherein the target information is original acquisition information or abnormal behavior information; and if the target information is judged to represent that the network is threatened, generating threat alarm information according to any one or more of the threat characteristic library, the network context information and the target information, wherein the threat alarm information is normalized and described based on a uniform description format. The embodiment of the invention provides a threat alarm information generation method and system, which identify a threat event by collecting and analyzing original acquisition information and/or abnormal behavior information of multiple systems, multiple users, multiple time and multiple regions, and convert the threat event into a uniform threat alarm format, so that network security is effectively monitored, and effective support is provided for data acquisition, network security monitoring and threat disposal.

Description

Threat alarm information generation method and system
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a threat alarm information generation method and system.
Background
With the continuous and rapid development and wide popularization of communication technology, network technology and information technology, a large-scale heterogeneous internet comprising a world-ground integrated network, an internet of things, a special network, a network where various service systems (such as an electronic credential service system, an electronic commerce system and an electronic government affairs system) are located, and the like is formed. A large number of systems with relevance in the aspects of services, users and the like are borne in a large-scale heterogeneous internet, each system can generate massive original log information and abnormal behavior information, aggregation, correlation and statistical analysis are needed to be carried out, multi-dimensional threat events are identified, a unified threat alarm description format is converted, and support is provided for data acquisition, network security monitoring and threat disposal. In the prior art, correlation analysis is mostly performed on a single system in a single dimension, and multi-system, multi-user, multi-time and multi-region overall analysis and unified description of threat alarm information are lacked.
Disclosure of Invention
Aiming at the technical problems in the prior art, the embodiment of the invention provides a threat alarm information generation method and system.
In a first aspect, an embodiment of the present invention provides a method for generating threat alarm information, including:
judging whether the obtained target information can represent that a network is threatened or not according to a threat characteristic library, wherein the target information is original acquisition information or abnormal behavior information;
and if the target information is judged to represent that the network is threatened, generating threat alarm information according to any one or more of the threat characteristic library, the network context information and the target information, wherein the threat alarm information is normalized and described based on a uniform description format.
In a second aspect, an embodiment of the present invention provides a threat alarm information generating system, including:
the judging module is used for judging whether the acquired target information can represent that a network is threatened or not according to the threat characteristic library, wherein the target information is original acquisition information or abnormal behavior information;
and the threat alarm information generation module is used for generating threat alarm information according to any one or more of the threat characteristic library, the network context information and the target information if the target information is judged to represent that the network is threatened, wherein the threat alarm information is normalized and described based on a uniform description format.
In a third aspect, an embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the steps of the method provided in the first aspect when executing the program.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method as provided in the first aspect.
According to the threat alarm information generation method and system provided by the embodiment of the invention, original acquisition information and/or abnormal behavior information of multiple systems, multiple users, multiple time and multiple regions are gathered and analyzed, a threat event is identified and converted into a uniform threat alarm format, so that network security is effectively monitored, and effective support is provided for data acquisition, network security monitoring and threat disposal.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a flowchart of a threat alarm information generation method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of multidimensional association of abnormal behavior information according to an embodiment of the present invention;
Fig. 3 is a diagram illustrating a unified description format according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a threat alarm information generation system according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a threat alarm information generation system according to another embodiment of the present invention;
Fig. 6 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
For a better understanding of the embodiments of the present invention, the embodiments of the present invention are applied to a target network and the target network and a system and an apparatus therein are described herein.
The target network comprises any one or more of a network where the service system is located, a heaven and earth integrated network, an internet of things and a special network;
the service system includes but is not limited to: the system comprises an electronic certificate service system, an identity authentication service system, a password service system, a social network service system, an e-commerce service system and an e-government service system.
Systems and devices in the target network include, but are not limited to: electronic certificate approval service management system, electronic certificate state management and control system, unified certification service management system, electronic certificate check service system, multi-business electronic certificate collaborative issuing system, mass electronic certificate data storage system, identity authentication system, electronic certificate service portal system, electronic certificate unified management system of cross issuing platform, electronic certificate printing system, mobile intelligent terminal electronic certificate personal application software, PC terminal electronic certificate personal application software, electronic certificate business fusion application system, electronic certificate online/offline auditing support system, road electronic certificate checking system, enterprise electronic certificate management system, electronic certificate secure bearer transmission equipment management system, abnormal behavior information storage system, abnormal behavior information aggregation system, electronic certificate information management system, electronic certificate information aggregation system, electronic certificate management system, abnormal behavior fusion analysis system, security situation analysis system, security event tracing system, emergency linkage handling system, identity authentication management system, access authentication system, massive electronic certificate inquiry and download service system, electronic certificate public verification component, opening business supervision service middleware, approval business supervision service middleware, electronic certificate application fusion middleware, internetwork interconnection security control system, password resource management system, whole network security equipment unified management system, data storage system, office system, file exchange system, supervision system, internet of things topological mapping system, security service demand and resource management system, data storage scheduling management system, internet of things security management and control center management system, equipment discovery and identification system and other systems; and electronic certificate service operation scheduler, high-performance supervision business scheduling equipment, high-performance password operation scheduling controller, electronic certificate high-speed approval service equipment, unified authentication service equipment, identity authentication terminal, electronic signature server, electronic certificate safety bearing transmission equipment, electronic certificate medium card reader and other equipment.
Fig. 1 is a flowchart of a threat alarm information generation method according to an embodiment of the present invention, and as shown in fig. 1, the method includes:
step 101, judging whether the obtained target information can represent that a network is threatened or not according to a threat characteristic library, wherein the target information is original acquisition information or abnormal behavior information.
Specifically, an execution subject of the method provided by the embodiment of the present invention is referred to as an acquisition management center, and the acquisition management center may be located outside the target network or within the target network, but wherever the acquisition management center is located, the acquisition management center has the following functions: judging whether the obtained target information can represent that the network is threatened or not according to a threat characteristic library; and if the target information is judged to represent that the network is threatened, generating threat alarm information according to any one or more of the threat characteristic library, the network context information and the target information, and providing support for network security monitoring.
Further, the target information is original collected information or abnormal behavior information. The original acquisition information refers to unprocessed log information and/or network traffic information; the log information includes but is not limited to: which person, time, place, system, and operation. The network traffic information refers to network communication data and/or its statistics, and the network communication data includes but is not limited to: the header and application layer information of each network protocol. Abnormal behavior information refers to behavior information that deviates from the normal operation of one or more entities and may pose a threat to the network, and includes, but is not limited to: repeated reimbursement, revocation/flushing of credentials, reimbursement of counterfeit bills, issuance of large amounts of credentials for the same enterprise in a short time, issuance of large amounts of credentials at abnormal times, issuance of large amounts of credentials for the same user in a short time, multiple checking of counterfeit bills by the same user/enterprise, multiple trial and authentication failures of the same system, multiple trial and authorization failures of the same electronic credential by the same user, multiple trial and authorization failures of different electronic credentials by the same user, frequent change of state of the same credential, frequent change of electronic credential state by the same user, multiple certificate authentication failures, false system connection, multiple password trials, abnormal satellite terminal access, abnormal use of password resources, illegal file operation, violation, illegal release, illegal storage, illegal medium access, abnormal communication, etc.
The target information can be obtained by any combination of one or more of the following ways: active acquisition and passive reception; the means of active acquisition may include any one or more of: calling an interface, reading a log file, reading a configuration file and reading a state file; the communication mode of passive reception comprises any one or more of the following modes: socket communication, shared memory, message queues, and pipes.
The threat characteristic library stores threat behavior characteristics and/or threat behavior association rules, and whether the obtained target information can represent that the network is threatened or not can be judged according to the threat characteristic library.
Step 102, if the target information is judged to represent that the network is threatened, generating threat alarm information according to any one or more of the threat characteristic library, the network context information and the target information, wherein the threat alarm information is normalized and described based on a uniform description format.
Specifically, the network context information includes any one or more of: the physical address of the communication entity, the logical address of the communication entity, the user identifier, the source IP address, the destination IP address, the source port number, the destination port number, the transport layer protocol and the packet length.
If the acquisition management center judges that the target information can represent that the network is threatened, the network is judged to be threatened. The acquisition management center then generates threat alarm information according to any one or more of the threat feature library, the network context information and the target information, so that this or another acquisition management center can generate corresponding acquisition strategies according to the threat alarm information; the corresponding acquisition agents in the network then acquire the corresponding acquisition items according to those strategies, and the acquisition items are further analyzed and processed to better deal with or dispose of the threat.
It should be noted that the threat alarm information is normalized and described based on a unified description format, where the unified description format includes any one or a combination of more than one of the following: threat type, threat object characteristic, threat object performance characteristic, threat range, threat level, threat start and stop time, attack entity characteristic, attack mode, attack path, information sharing entity and information receiving entity.
According to the method provided by the embodiment of the invention, the original collected information and/or abnormal behavior information of multiple systems, multiple users, multiple time and multiple regions are subjected to aggregation analysis, the threat event is identified and converted into a uniform threat alarm format, so that the network security is effectively monitored, and effective support is provided for data collection, network security monitoring and threat disposal.
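Step 102 combines three inputs (an entry of the threat characteristic library, the network context information and the target information) into one alarm whose fields are those of the uniform description format. The following Python is an added example and not the patent's code: `build_alarm`, `missing_fields`, the `REQUIRED_FIELDS` policy and the convention used for "threat range" are assumptions, and the feature entry, context and log records are constructed. It shows how the start/stop time and attack path are derived from the records rather than copied, and how a generator can report which required fields it could not fill.

```python
"""Normalising a judged threat into the uniform description format (added example)."""
import json
from datetime import datetime

# the fields of the uniform description format named in step 102
UNIFORM_FIELDS = (
    "threat type", "threat object characteristic",
    "threat object performance characteristic", "threat range", "threat level",
    "threat start time", "threat stop time", "attack entity characteristic",
    "attack mode", "attack path", "information sharing entity",
    "information receiving entity",
)
# assumed local policy: fields an alarm must carry before it is shared
REQUIRED_FIELDS = ("threat type", "threat level", "threat start time",
                   "threat stop time", "attack entity characteristic")
SOURCE_KEYS = ("user identifier", "physical address", "logical address",
               "source IP address", "source port number")
DEST_KEYS = ("destination IP address", "destination port number",
             "transport layer protocol")


def build_alarm(feature, context, records, sharing_entity, receiving_entity):
    """feature: threat characteristic library entry (type, level, attack mode);
    context: network context information; records: parsed target information."""
    ordered = sorted(records, key=lambda r: r["operation time"])
    systems = sorted({r["system ID"] for r in ordered})
    alarm = dict.fromkeys(UNIFORM_FIELDS)       # every field present, even if unknown
    alarm.update({
        "threat type": feature["threat type"],
        "threat level": feature["threat level"],
        "attack mode": feature.get("attack mode"),
        # start/stop time span the records that were judged to be the threat
        "threat start time": ordered[0]["operation time"].isoformat(),
        "threat stop time": ordered[-1]["operation time"].isoformat(),
        # the attacking side is described from the source side of the context
        "attack entity characteristic": {k: context.get(k) for k in SOURCE_KEYS},
        # the threatened object: destination side plus the systems touched
        "threat object characteristic": {
            **{k: context.get(k) for k in DEST_KEYS}, "systems": systems},
        # constructed convention for threat range: how many systems are involved
        "threat range": "single system" if len(systems) == 1 else "multiple systems",
        # attack path: the time-ordered sequence of (time, system, operation)
        "attack path": [(r["operation time"].isoformat(), r["system ID"],
                         r["operation behavior"]) for r in ordered],
        "information sharing entity": sharing_entity,
        "information receiving entity": receiving_entity,
    })
    return alarm


def _empty(value):
    """A field counts as unfilled if it is None/empty or a dict holding only Nones."""
    if isinstance(value, dict):
        return all(v is None for v in value.values())
    return value in (None, "", [])


def missing_fields(alarm):
    """Required uniform-format fields the generator could not fill from its inputs."""
    return [f for f in REQUIRED_FIELDS if _empty(alarm.get(f))]


def to_json(alarm):
    """Serialised form handed to the information receiving entity."""
    return json.dumps(alarm, ensure_ascii=False, sort_keys=True)


# constructed inputs (not from the patent)
ISSUING = "multi-service electronic certificate collaborative issuing system"
FEATURE = {"threat type": "bulk voucher opening by one user", "threat level": 3,
           "attack mode": "repeated operation within a short interval"}
CONTEXT = {"user identifier": "user1", "source IP address": "10.0.0.5",
           "source port number": 51234, "destination IP address": "10.0.1.20",
           "destination port number": 443, "transport layer protocol": "TCP"}
RECORDS = [  # deliberately out of time order
    {"operation time": datetime(2018, 10, 1, 8, 2, 0), "system ID": ISSUING, "operation behavior": "opening"},
    {"operation time": datetime(2018, 10, 1, 8, 0, 0), "system ID": ISSUING, "operation behavior": "opening"},
    {"operation time": datetime(2018, 10, 1, 8, 1, 0), "system ID": ISSUING, "operation behavior": "opening"},
]


def demo(context=CONTEXT):
    alarm = build_alarm(FEATURE, context, RECORDS,
                        "acquisition management center A", "acquisition management center B")
    return alarm, missing_fields(alarm)


if __name__ == "__main__":
    alarm, missing = demo()
    print(to_json(alarm))
    print("missing:", missing)
```

Calling `demo(context={})` shows the failure mode: with no network context the attack entity cannot be characterised, and `missing_fields` reports it instead of letting an alarm with an all-None attacker description be shared.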
On the basis of the above embodiments, the embodiment of the present invention explains a process of constructing a threat feature library. Namely, according to the threat characteristic library, determining whether the acquired target information can represent that the network is threatened, wherein the method further comprises the following steps:
obtaining threat behavior characteristics and/or threat behavior association rules to construct a threat characteristic library; wherein:
the threat behavior characteristics comprise any one or more of threat type, threat level, threat behavior occurrence time or time interval threshold, threat behavior occurrence place, threat behavior occurrence entity and threat behavior content;
the threat behavior association rule comprises any one or more of abnormal behavior attribute information, an abnormal behavior attribute value, an abnormal behavior attribute threshold value and an operator.
Specifically, according to functional requirements and/or non-functional requirements, threat behavior characteristics and/or threat behavior association rules are obtained to build a threat characteristic library. The threat behavior characteristics include any combination of one or more of: threat type, threat level, threat behavior occurrence time or time interval threshold, threat behavior occurrence place, threat behavior occurrence entity and threat behavior content; the threat behavior association rules include any combination of one or more of the following: abnormal behavior attribute information, an abnormal behavior attribute value, an abnormal behavior attribute threshold value and an operator.
How to construct the threat behavior characteristics in the threat characteristic library according to the functional requirements and/or non-functional requirements is described below by a specific example.
Threat behavior characteristics include, but are not limited to: threat type, threat level, threat behavior occurrence time or time interval threshold, threat behavior occurrence place, threat behavior occurrence entity and threat behavior content. The threat behavior occurrence location may be identified by a physical address (country, province, city, district, street) or a logical address (network address, such as an IP address or a MAC address).
An example of the threat behavior characteristics is shown in table 1, and table 1 is an example table of the threat behavior characteristics.
TABLE 1 exemplary table of threat behavior characteristics
[Table 1 is an image in the original and is not reproduced here.]
Alternatively, the following threat behaviors may be defined:
(1) the same user opens/checks/reimburses a large number of electronic vouchers within a specified time threshold.
(2) Different users check/reimburse the same electronic certificate within a specified time threshold.
(3) The same user makes offers/pings/reimbursements for the same/different electronic credentials at different locations within a specified time threshold.
Alternatively, the threat behavior is represented in a document in XML format, as follows:
<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="credentials:invoice:threatdefine:SimplePolicy1" Version="1.0" RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
  <Description>
    the same user opens/checks/reimburses a large number of electronic vouchers within a time range of a specified threshold
  </Description>
  <!-- the remainder of the policy document is an image in the original and is not reproduced here -->
</Policy>
A threat behavior association rule is defined according to the functional requirements and/or non-functional requirements of the system.
The threat behavior association rules include any combination of one or more of the following: system abnormal behavior attribute information, an abnormal behavior attribute value, an abnormal behavior attribute threshold value and an operator;
the system abnormal behavior attribute information is atomic attribute information which can be matched with rules, and includes but is not limited to: any one or more of operation time, operation place, user number, operation user name, operation user ID, operation behavior, operation result and system identification;
the abnormal behavior attribute value is a permissible value corresponding to the abnormal behavior attribute identifier; for example, if the abnormal behavior attribute is a system identifier, the abnormal behavior attribute value includes, but is not limited to: any one or more of a multi-service electronic certificate collaborative issuing system and an electronic certificate printing system.
The abnormal behavior attribute threshold value corresponds to the abnormal behavior attribute information, in the rule matching process, the instantiated abnormal behavior attribute information is counted, and if the abnormal behavior attribute threshold value is reached, the abnormal behavior attribute is met;
the operators include, but are not limited to: comparison operators and/or logical operators.
The comparison operator is used for expressing the manner in which the abnormal behavior attribute information is compared with the abnormal behavior attribute value and the abnormal behavior attribute threshold; the comparison result is a logic value, true or false, and the comparison operator includes but is not limited to any one or more of: equal to, larger than, smaller than, larger than or equal to, smaller than or equal to, and not equal to;
the logical operator is used for expressing the relationship between several pieces of abnormal behavior attribute information, and includes but is not limited to: and, or, not.
For example, one threat behavior association rule is expressed as follows:
"number of users" > 1000000
"system ID" = "multi-service electronic certificate collaborative issuing system"
"operation time" < 5 min
Here "number of users", "system ID" and "operation time" are abnormal behavior attribute information; ">", "=" and "<" are comparison operators; "1000000" and "5 min" are abnormal behavior attribute thresholds; and "multi-service electronic certificate collaborative issuing system" is an abnormal behavior attribute value.
The threat behavior association rule provided by the embodiment of the invention at least can achieve the effect of multidimensional association of abnormal behavior information provided by the embodiment of the invention in fig. 2, and single/multiple pieces of original collected information and/or abnormal behavior information with correlation are defined in multiple dimensions such as a system, a user, an abnormal behavior type, time and the like, wherein fig. 2 is a multidimensional association schematic diagram of abnormal behavior information provided by the embodiment of the invention.
On the basis of the above embodiments, the embodiments of the present invention specifically describe how to determine whether the target information can characterize the network as threatening. Since the target information is divided into two types, one type is original collected information, the other type is abnormal behavior information, and the determination modes of different types of target information are different, the determination processes of the two types of target information are specifically explained. First, the determination process of the original collected information is specifically explained:
according to the threat characteristic library, judging whether the acquired target information can represent that the network is threatened, and further comprising the following steps:
and analyzing the original acquisition information to generate an original acquisition information analysis result.
Specifically, the original collected information analysis result includes any combination of one or more of the following: operation time, operation place, operation user, operation behavior, operation times, operation result, entity reporting original acquisition information, entity generating original acquisition information, access entity and network;
the operation site includes: a physical address and/or a logical address;
the entities include any combination of one or more of the following: components, devices, systems, and individuals.
And matching the analysis result of the original acquisition information with the threat behavior association rule, and judging whether the original acquisition information can represent that the network is threatened according to the matching result.
Matching the analysis result of the original acquisition information with the threat behavior association rule, and judging whether the original acquisition information can represent that the network is threatened according to the matching result, further comprising:
instantiating the threat behavior association rule to form an instantiation association rule;
matching the abnormal behavior attribute information in the instantiation association rule with the analysis result of the original acquisition information;
if the matching is successful, judging whether the instantiation association rule meets a first preset condition, and updating an abnormal behavior attribute value corresponding to abnormal behavior attribute information in the instantiation association rule; if the matching fails, establishing a new association rule instance;
if the instantiation association rule meets the first preset condition, state transition is triggered;
and if the state is a threat state after the state is transferred, defining an original event for generating the original acquisition information as a threat event, and judging that the original acquisition information can represent that the network is threatened.
The following is a specific example of how association rules may be used to determine whether the raw collected information may characterize a network threat.
And in the process of matching the log information, successively instantiating the threat behavior association rules in the threat characteristic library.
And matching the abnormal behavior attribute information in the instantiation association rule with the analysis result of the original collected information.
First, an instantiation association rule, for example instantiation association rule 1, indicates that "user ID", "system ID", "operation start time" and "operation type" are abnormal behavior attribute information:
"user ID" = {user1, user2, user3, …, user99}
"system ID" = "multi-service electronic certificate collaborative issuing system"
"operation start time" = "2018-10-01 8:00:00"
"operation type" = "opening tool"
One resolvable form of the original collected information analysis result generated from the log information is atomic attribute information produced by a single user through a single operation at a single time and a single place; for example, user A queries and downloads one electronic ticket whose ID is ID_x from the mass electronic certificate inquiry and download service system at 2:00 in the early morning over the company internal network.
Then, the analysis result of the original collected information is matched with the instantiation association rules one by one; specifically, the fields of the analysis result are matched one by one with the abnormal behavior attribute identifiers in the instantiation association rule. For example, "user A", "2:00 in the early morning", "company internal network", "mass electronic certificate inquiry and download service system", "inquiry and download" and "ID_x" are matched with "user ID", "system ID", "operation start time" and "operation type" in instantiation association rule 1; since the abnormal behavior attribute value of "system ID" in instantiation association rule 1 is not equal to "mass electronic certificate inquiry and download service system" in the analysis result, the matching fails and the other instantiation association rules are matched in turn.
If the match succeeds, the abnormal behavior attribute value corresponding to the abnormal behavior attribute information in the instantiated association rule is updated;
if no match is found, the analysis result is matched against the association rules in the threat feature library, the matched association rule is instantiated, and the abnormal behavior attribute value corresponding to the matched abnormal behavior attribute identifier is set to 1;
optionally, if the log information lacks fields that the association rules in the threat feature library need for detecting a threat, such as the physical location and IP address of a user, those fields are searched for and extracted from the collected network traffic information according to network context information such as the network topology, and the found values are filled into the analysis result fields for further threat determination.
Finally, if the abnormal behavior attribute information in the instantiation association rule is successfully matched with the original acquisition information analysis result, judging whether the instantiation association rule meets a first preset condition;
if the first preset condition is met, triggering state transition;
and if the state is a threat state after the state is transferred, defining the original event of the original acquisition information as a threat event.
The first preset condition includes but is not limited to: all abnormal behavior attribute fields meeting the instantiation association rule, at least one abnormal behavior attribute field meeting the instantiation association rule, and abnormal behavior attribute fields meeting the preset threshold number in the instantiation association rule;
the state transition is to perform state transition in an abnormal behavior state machine, and the state includes but is not limited to: normal state, potentially abnormal state, threat state.
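As an added illustration, not code from the patent, the following Python shows the procedure above: a parsed record is matched field by field against instantiated association rules, the first preset condition is checked, and a satisfied rule advances the abnormal behavior state machine. Rule 1 reproduces the page's instantiated association rule 1; rule 2, the record's field names, the wildcard value and the two-step transition order NORMAL -> POTENTIALLY ABNORMAL -> THREAT are assumptions.

```python
"""Instantiated association-rule matching with the abnormal behaviour state
machine. Added example, not the patent's code; rule 2, the parsed record's
field names, the wildcard and the transition order are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Union

ANY = object()  # assumed wildcard: the attribute matches any observed value


class State(Enum):
    NORMAL = "normal"
    POTENTIALLY_ABNORMAL = "potentially abnormal"
    THREAT = "threat"


# Assumed transition order: each record that satisfies the first preset
# condition advances the rule one step, so two such records reach THREAT.
NEXT_STATE = {
    State.NORMAL: State.POTENTIALLY_ABNORMAL,
    State.POTENTIALLY_ABNORMAL: State.THREAT,
    State.THREAT: State.THREAT,
}


@dataclass
class InstantiatedRule:
    rule_id: str
    # abnormal behaviour attribute identifier -> attribute value:
    # a concrete value, a frozenset of allowed values, or ANY
    attributes: Dict[str, object]
    # first preset condition: "all" fields, "any" field, or an integer count
    condition: Union[str, int] = "all"
    state: State = State.NORMAL


# Instantiated association rule 1 from the page (user set shortened).
RULE_1 = InstantiatedRule("rule 1", {
    "user ID": frozenset({"user1", "user2", "user3", "user99"}),
    "system ID": "multi-service electronic certificate collaborative issuing system",
    "operation start time": "2018-10-01 08:00:00",
    "operation type": "opening tool",
})
# Constructed rule 2: any user, any time, query-and-download on the other system.
RULE_2 = InstantiatedRule("rule 2", {
    "user ID": ANY,
    "system ID": "mass electronic certificate query and download service system",
    "operation start time": ANY,
    "operation type": "query and download",
})
# Parsed record for the page's example event (field names constructed).
PARSED_RECORD = {
    "user ID": "user A",
    "operation start time": "02:00:00",
    "operation place": "company internal network",
    "system ID": "mass electronic certificate query and download service system",
    "operation type": "query and download",
    "object": "ID_x",
}


def match_attributes(rule: InstantiatedRule, parsed: Dict[str, str]) -> Set[str]:
    """Match every attribute identifier of the rule against the parsed record
    field by field; returns the identifiers that matched. A field absent
    from the parsed record never matches."""
    hits: Set[str] = set()
    for attr, expected in rule.attributes.items():
        if attr not in parsed:
            continue
        observed = parsed[attr]
        if expected is ANY:
            hits.add(attr)
        elif isinstance(expected, frozenset):
            if observed in expected:
                hits.add(attr)
        elif observed == expected:
            hits.add(attr)
    return hits


def first_preset_condition(rule: InstantiatedRule, hits: Set[str]) -> bool:
    """'all': every attribute field matched; 'any': at least one;
    an integer: at least that many fields matched."""
    if rule.condition == "all":
        return len(hits) == len(rule.attributes)
    if rule.condition == "any":
        return len(hits) >= 1
    return len(hits) >= int(rule.condition)


def evaluate_record(rules: List[InstantiatedRule], parsed: Dict[str, str]) -> Optional[str]:
    """Match the record against the instantiated rules in turn. A rule whose
    condition holds triggers a state transition; if the new state is THREAT,
    the original event is a threat event and that rule id is returned. On a
    failed match the next rule is tried, as the page describes."""
    for rule in rules:
        hits = match_attributes(rule, parsed)
        if not first_preset_condition(rule, hits):
            continue
        rule.state = NEXT_STATE[rule.state]
        if rule.state is State.THREAT:
            return rule.rule_id
    return None
```

Calling `evaluate_record([RULE_1, RULE_2], PARSED_RECORD)` twice shows rule 1 failing on the system ID while rule 2 moves from normal to potentially abnormal and then to threat.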
On the basis of the above embodiments, the embodiments of the present invention specifically describe how to determine whether the target information can characterize the network as threatening. Since the target information is divided into two types, one type is original collected information, the other type is abnormal behavior information, and the determination modes of different types of target information are different, the determination processes of the two types of target information are specifically explained. In the above embodiment, the determination process of the original collected information has been specifically described, and the embodiment of the present invention specifically describes the determination process of the abnormal behavior information:
according to the threat characteristic library, judging whether the acquired target information can represent that the network is threatened, and further comprising the following steps:
and analyzing the abnormal behavior information to generate an abnormal behavior information analysis result.
The abnormal behavior information analysis result comprises any combination of one or more of the following: the method comprises the following steps of operation time, operation place, operation user, operation behavior, operation times, operation result, entity reporting abnormal behavior information, entity generating abnormal behavior, access entity and network.
The operation time includes but is not limited to: a time point, a time period, a set of time points, and a set of time periods;
the operation sites include, but are not limited to: an operation site and/or a set of operation sites;
the operation users include but are not limited to: an operating user and/or an operating user set;
the operational behaviors include, but are not limited to: an operational behavior and/or a set of operational behaviors;
the operation results include, but are not limited to: an operation result and/or an operation result set;
the entities reporting abnormal behavior information include, but are not limited to: reporting entities of abnormal behavior information and/or reporting entity sets of abnormal behavior information;
the entities that have abnormal behavior include, but are not limited to: entities which have abnormal behaviors and/or entity sets which have abnormal behaviors;
access entities include, but are not limited to: an access entity and/or a set of access entities;
the networks passed through include, but are not limited to: a network passed through and/or a set of networks passed through.
Matching the abnormal behavior information analysis result with the threat behavior characteristics, and judging according to the matching result whether the abnormal behavior information can represent that the network is threatened.
Matching the analysis result of the abnormal behavior information with the threat behavior characteristics, and judging according to the matching result whether the abnormal behavior information can represent that the network is threatened, further comprises:
matching the analysis result of the abnormal behavior information with the threat behavior characteristics; if a first matching condition is met, the abnormal behavior that generated the abnormal behavior information is defined as a threat event, and it is judged that the abnormal behavior information can represent that the network is threatened.
The matching method includes but is not limited to: any one or more of sequential matching, random matching and priority matching;
the first matching condition includes but is not limited to: a full match, at least one match, a number of matches greater than a predetermined threshold.
The following describes, by a specific example, how to determine whether abnormal behavior information can characterize the network as threatened.
Abnormal behavior information 1: user1 requested invoice ID_x 100 times between 10:10 and 10:11 using IP address 194.12.1.100.
The analysis result fields and their contents are as follows:
time period: 10:10-10:11;
place: IP address (194.12.1.100);
operation behavior: query;
operation content: the same invoice number ID_x;
number of times: 100.
These fields are matched one by one against the threat feature list (Table 1) in the threat feature library. For the record with threat behavior feature number 1, the time range 10:10-10:11 satisfies "< 5 min", the IP address (194.12.1.100) satisfies "any place", the operation field "query" matches, the same invoice number ID_x satisfies "any content", and 100 times satisfies the count threshold (">"). Thus all fields hit, indicating that the abnormal behavior is a threat event.
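The worked case above as an added Python example (not code from the patent): the parsed abnormal behavior information 1 is compared field by field against a threat feature list in the shape of Table 1, under the first matching condition and in sequential or priority order. The two feature records, their threat types, threat levels and the count threshold are constructed assumptions.

```python
"""Matching an abnormal behaviour analysis result against the threat feature
list. Added example, not the patent's code; the feature records, their threat
types and levels, and the count threshold are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple, Union

ANY = "*"  # "any place" / "any content" entries of the feature list


@dataclass(frozen=True)
class ThreatFeature:
    number: int
    threat_type: str
    max_interval: timedelta  # the behaviour must span less than this
    place: str               # IP address or ANY
    operation: str
    content: str             # e.g. "same invoice number ID_x" or ANY
    count_threshold: int     # hit when count > threshold
    threat_level: int        # used for priority matching


@dataclass(frozen=True)
class AnalysisResult:
    time_period: Tuple[str, str]  # ("HH:MM", "HH:MM")
    place: str
    operation: str
    content: str
    count: int


# Constructed threat feature list in the shape of the page's Table 1.
THREAT_FEATURES: List[ThreatFeature] = [
    ThreatFeature(1, "traffic anomaly", timedelta(minutes=5), ANY, "query", ANY, 50, 6),
    ThreatFeature(2, "illegal access", timedelta(hours=1), "194.12.1.100", "download", ANY, 0, 8),
]

# Abnormal behaviour information 1 from the page, as a parsed analysis result.
ABNORMAL_BEHAVIOR_1 = AnalysisResult(
    ("10:10", "10:11"), "194.12.1.100", "query", "same invoice number ID_x", 100)


def _span(period: Tuple[str, str]) -> timedelta:
    start, end = (datetime.strptime(t, "%H:%M") for t in period)
    return end - start


def match_fields(feature: ThreatFeature, result: AnalysisResult) -> Dict[str, bool]:
    """One-by-one field comparison; each entry records whether that field hit."""
    return {
        "time": _span(result.time_period) < feature.max_interval,
        "place": feature.place in (ANY, result.place),
        "operation": feature.operation == result.operation,
        "content": feature.content in (ANY, result.content),
        "count": result.count > feature.count_threshold,
    }


def first_matching_condition(hits: Dict[str, bool], condition: Union[str, int]) -> bool:
    """'all' = full match, 'any' = at least one field, int = more hits than the threshold."""
    n = sum(hits.values())
    if condition == "all":
        return n == len(hits)
    if condition == "any":
        return n >= 1
    return n > int(condition)


def judge(result: AnalysisResult, features: List[ThreatFeature] = THREAT_FEATURES,
          condition: Union[str, int] = "all", order: str = "sequential") -> Optional[ThreatFeature]:
    """Match the analysis result against the feature list in sequential or
    priority (highest threat level first) order and return the first feature
    satisfying the condition; a hit makes the behaviour a threat event."""
    if order == "priority":
        ordered = sorted(features, key=lambda f: f.threat_level, reverse=True)
    else:
        ordered = list(features)
    for feature in ordered:
        if first_matching_condition(match_fields(feature, result), condition):
            return feature
    return None
```

With a partial-match threshold, priority and sequential order can select different feature records for the same input, so the matching method chosen changes which threat type the alarm reports.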
On the basis of the foregoing embodiments, generating threat alert information according to any one or more of the threat feature library, network context information, and the target information, further includes:
and judging whether the information of the threat event needs to be supplemented or not according to the threat characteristic library, and supplementing the information of the threat event according to the network context information when the judgment result shows that the information of the threat event needs to be supplemented.
Specifically, firstly, an information item set required for generating threat alarm information is determined according to the threat feature library, then, a difference set is made between the information item set required for generating the threat alarm information and an existing information item set of a threat event, whether information supplementation is required to be carried out on the threat event is judged according to whether the difference set is empty, when the difference set is not empty, information supplementation is required to be carried out on the threat event is judged, the information item required to be supplemented on the threat event information is determined, and then, according to the information item required to be supplemented on the threat event information, marking/extracting is carried out from network context information, and the threat event information is supplemented.
Further, a threat type corresponding to the threat event is searched in a threat characteristic library, and an information item set required for generating threat alarm information is determined according to the threat type. Wherein, the information items required for generating the threat alarm information include but are not limited to: the method comprises the steps of threatening a physical area of an object, threatening a logical area of the object, threatening an IP address of the object, belonging system of the object, attacking a physical address of an entity, attacking a logical address of an entity, attacking a physical attack path from the entity to the object, attacking a logical attack path from the entity to the object, threatening occurrence time, reporting entity of a threatening event and generating entity of the threatening event.
For example, the physical area of the threat object and/or the logical area of the threat object is looked up in the network context information based on the threat object IP address.
And carrying out normalization description on the threat event after information supplement based on the unified description format to generate threat alarm information.
Fig. 3 is a schematic diagram of a unified description format provided in an embodiment of the present invention, and as shown in fig. 3, the unified description format includes any one or a combination of more than one of the following:
threat type, threat object characteristic, threat object performance characteristic, threat range, threat level, threat start and stop time, attack entity characteristic, attack mode, attack path, information sharing entity and information receiving entity.
The fields in the unified description format are interpreted as follows:
threat types refer to types of threat events predefined in a library of threat signatures, including but not limited to: denial of service attack, illegal access, traffic anomaly, FTP Trojan, shock wave worm, vulnerability attack, backdoor attack, domain name hijacking, scanning detection, Trojan/virus and man-in-the-middle attack.
Threat objects refer to a set of objects in a network that are affected by an attack, including but not limited to: a device or device type, an operating system type with a potential threat. Devices or device types include, but are not limited to: satellite, mobile terminal, system server, router, gateway, firewall, IDS, IPS. Operating system types include, but are not limited to: windows, Linux, Android, iOS.
Threat zone refers to the physical and/or logical zone in which the threat object is located.
The threat level refers to the severity of the threat, and may be expressed, for example, as a discrete value, with an integer from 0 to 10, with a larger number indicating a more severe threat.
Threat start-stop time refers to the time of the earliest occurring event associated with a threat and the time at which the threat is expected to be eliminated.
The attacking entity refers to a party initiating an attack, including but not limited to: individuals, groups, and organizations.
Attack entity characteristics refer to the characteristics of attack entities of the same attack type after common-feature extraction, and include but are not limited to: any one or more of a logical area and a physical area.
The attack mode refers to any one or more of malicious software utilized by an attacking entity, an attack tool utilized and a network type passed through.
The network types include, but are not limited to: any one or more of a wired network and a wireless network.
Attack paths include, but are not limited to: physical paths and logical paths. A physical path refers to the devices through which the attacking entity reaches the attacked object and the order in which they are traversed; a logical path refers to the vulnerabilities the attacking entity exploits to achieve the attack goal and the order in which they are exploited, or the operations executed and the order of execution.
Threat object characteristics refer to the attributes that allow a profile of the threat object to be formed.
The characteristics include, but are not limited to, any one or more of a location of the threat object in a geographic area and/or a logical area, a type of service deployed on the threat object, an asset value of the threat object.
A threat object performance characteristic refers to a characterization of a state and/or a change in state of a threat object after an attack, including but not limited to: any one or more of CPU utilization, memory utilization, number of network interface receive packets, available link bandwidth, and TCP connection conditions.
The information sharing entity refers to a party sending abnormal behavior information and/or originally acquired information, and includes but is not limited to: systems, devices, people, and organizations.
The information receiving entity refers to a party receiving the alarm information; the description manner of the information receiving entity includes but is not limited to: information receiving entity type, awareness scope, and security level. The information receiving entity types include, but are not limited to: the system comprises an acquisition agent, a convergence system, an analysis system, a command system and a management system; the description of the knowledge range includes but is not limited to: administrative level, geographic area.
Performing normalization description on the information-supplemented threat event based on the unified description format includes extracting information from the threat event in the following aspects to generate the threat alarm information:
Threat type: the threat type that the threat event matched in the threat feature library.
Threat object: extract the objects on which the abnormal behaviors in the threat event occurred.
Threat range: extract the physical and/or logical range of the threat objects.
Threat level: obtained by analyzing any one or more of the original collected information and/or abnormal behavior information, the threat behavior characteristics, and the threat object asset value information. For example, the threat level is computed from the combination of the threat type in the threat behavior characteristics, the threat occurrence location and the threat object asset value: the wider the threat occurs and the more entities are involved, the higher the threat level; the higher the threat object asset value, the higher the threat level.
Threat start-stop time: extract the earliest operation time point or time period in the threat event as the threat start time, and express it in a uniform time format.
Attack entity: extract the set of operating users of the threat event.
Attack entity characteristics: extract the common characteristics of the attack entities.
Attack mode: extract any one or more of the malware used by the attacking entity, the attack tools used, and the network types passed through in the threat event.
Attack path: extract all physical paths and the precedence relationships between the operating users and the systems in the threat event, and/or the vulnerabilities exploited by the threat event and the order in which they were exploited, and/or the operations executed by the attacking entity in the threat event and the order of the executed operations.
Threat object characteristics: extract the common characteristics of the threat objects, including but not limited to any one or more of the service types, geographic areas and logical areas of the threat objects.
Threat object performance characteristics: extract the common performance characteristics of the threat objects after the threat event occurred, including but not limited to system state changes.
Information sharing entity: extract the system, device, person or organization that sent the threat event.
Information receiving entity: compute the type, awareness scope and security level of the receiving entity according to any one or more of the threat type, severity and threat object type of the threat event, and thereby determine the receiving entity of the alarm information.
Finally, the fields extracted from the threat event form the threat alarm information.
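An added Python example, not code from the patent, covering both the difference-set supplementation step and the normalization into the unified description format described above: a threat event missing its area items is completed from network context keyed by the threat object IP address and then mapped onto the unified fields. The required-item table, the network context entries, the threat level scoring, the receiving entity mapping and the sample event are constructed assumptions.

```python
"""Information supplementation by difference set, then normalization into the
unified description format. Added example, not the patent's code; the
required-item table, network context, scoring, receiving-entity mapping and
sample event are constructed."""
from typing import Dict, Set

# Information items each threat type needs before an alarm can be generated
# (constructed; the patent names the items but not the per-type mapping).
REQUIRED_ITEMS: Dict[str, Set[str]] = {
    "traffic anomaly": {
        "threat object IP address",
        "threat object physical area",
        "threat object logical area",
        "threat occurrence time",
        "threat event reporting entity",
    },
}

# Network context keyed by threat object IP address (constructed), standing in
# for the network configuration and network topology libraries.
NETWORK_CONTEXT: Dict[str, Dict[str, object]] = {
    "10.0.5.20": {
        "physical area": "headquarters data centre, rack 3",
        "logical area": "invoice service segment",
        "asset value": 8,
    },
}

# Sample threat event (constructed) as handed over by the threat judgment module.
THREAT_EVENT: Dict[str, str] = {
    "threat object IP address": "10.0.5.20",
    "threat occurrence time": "2018-11-19T10:10:00",
    "threat event reporting entity": "invoice service log collector",
    "attack entity": "user1",
    "attack entity logical address": "194.12.1.100",
}


def missing_items(threat_type: str, event: Dict[str, str]) -> Set[str]:
    """Difference set: required items minus the items the event already has.
    An empty set means no supplementation is needed."""
    return REQUIRED_ITEMS[threat_type] - set(event)


def supplement(event: Dict[str, str]) -> Dict[str, str]:
    """Fill the missing area items by looking up the threat object IP address
    in the network context; an item that cannot be resolved stays absent."""
    filled = dict(event)
    ctx = NETWORK_CONTEXT.get(event.get("threat object IP address", ""), {})
    for item, ctx_key in (("threat object physical area", "physical area"),
                          ("threat object logical area", "logical area")):
        if item not in filled and ctx_key in ctx:
            filled[item] = str(ctx[ctx_key])
    return filled


def threat_level(base: int, entities_involved: int, asset_value: int) -> int:
    """Assumed scoring on the patent's 0..10 scale: the base level of the
    threat type, +1 per additional entity involved, +1 for a high-value asset."""
    level = base + max(0, entities_involved - 1) + (1 if asset_value >= 7 else 0)
    return max(0, min(10, level))


def receiving_entity(level: int) -> Dict[str, str]:
    """Assumed mapping from severity to the information receiving entity."""
    if level >= 7:
        return {"type": "command system", "awareness scope": "administrative level",
                "security level": "confidential"}
    return {"type": "analysis system", "awareness scope": "geographic area",
            "security level": "internal"}


def to_unified_format(threat_type: str, event: Dict[str, str], base_level: int) -> Dict[str, object]:
    """Generate the alarm: supplement the event when its difference set is not
    empty, then map it onto the unified description fields."""
    if missing_items(threat_type, event):
        event = supplement(event)
    ctx = NETWORK_CONTEXT.get(event["threat object IP address"], {})
    level = threat_level(base_level, 1, int(ctx.get("asset value", 0)))
    return {
        "threat type": threat_type,
        "threat object characteristic": {"ip": event["threat object IP address"],
                                         "asset value": ctx.get("asset value")},
        "threat object performance characteristic": None,  # not carried by this event
        "threat range": {"physical": event.get("threat object physical area"),
                         "logical": event.get("threat object logical area")},
        "threat level": level,
        "threat start-stop time": {"start": event["threat occurrence time"], "end": None},
        "attack entity characteristic": {"logical area": event.get("attack entity logical address")},
        "attack mode": None,
        "attack path": None,
        "information sharing entity": event["threat event reporting entity"],
        "information receiving entity": receiving_entity(level),
    }
```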
Fig. 4 is a schematic structural diagram of a threat alarm information generating system according to an embodiment of the present invention, and as shown in fig. 4, the system includes:
a determining module 401, configured to determine, according to a threat feature library, whether acquired target information can represent that a network is threatened, where the target information is original acquired information or abnormal behavior information; and a threat alarm information generating module 402, configured to generate threat alarm information according to any one or more of the threat feature library, the network context information, and the target information if it is determined that the target information may represent that a network is threatened, where the threat alarm information is described in a normalized manner based on a uniform description format.
The system provided in the embodiment of the present invention specifically executes the flows of the above-mentioned methods, and for details, the contents of the above-mentioned methods are referred to, and are not described herein again. According to the system provided by the embodiment of the invention, the threat event is identified by collecting and analyzing the original collected information and/or abnormal behavior information of multiple systems, multiple users, multiple time and multiple regions, and the original collected information and/or abnormal behavior information is converted into a uniform threat alarm format, so that the network security is effectively monitored, and effective support is provided for data collection, network security monitoring and threat disposal.
Fig. 5 is a schematic structural diagram of a threat alert information generating system according to another embodiment of the present invention, which includes, but is not limited to, the following parts: the system comprises an information acquisition module, a threat judgment module, a threat alarm information packaging module, a threat characteristic library, a network configuration information library and a network topology information library, wherein the network configuration information library and the network topology information library are external information libraries.
The information acquisition module acquires original acquisition information and/or abnormal behavior information and sends the information to the threat judgment module; the threat determination module receives the original acquisition information and/or the abnormal behavior information, inquires threat behavior characteristics and/or threat behavior association rules in a threat characteristic library, analyzes and determines the original acquisition information and/or the abnormal behavior information, and sends a corresponding threat event to the threat alarm information encapsulation module if the threat is determined; the threat alarm information packaging module receives the threat event sent by the threat judgment module, if the threat event needs to be supplemented with information, network context information is searched in a network configuration information base and/or a network topology information base so as to supplement the threat event, and finally, the threat alarm information is uniformly described by using a uniform description format; and the threat characteristic library stores threat behavior characteristics and/or threat behavior association rules and responds to the inquiry of the threat judgment module.
Fig. 6 is a schematic entity structure diagram of an electronic device according to an embodiment of the present invention, and as shown in fig. 6, the electronic device may include: a processor 601, a communications interface 602, a memory 603 and a communication bus 604, wherein the processor 601, the communications interface 602 and the memory 603 communicate with each other through the communication bus 604. The processor 601 may call a computer program stored in the memory 603 and executable on the processor 601 to perform the methods provided by the above embodiments, including for example: judging whether the obtained target information can represent that a network is threatened or not according to a threat characteristic library, wherein the target information is original acquisition information or abnormal behavior information; and if the target information is judged to represent that the network is threatened, generating threat alarm information according to any one or more of the threat characteristic library, the network context information and the target information, wherein the threat alarm information is normalized and described based on a uniform description format.
In addition, the logic instructions in the memory 603 may be implemented in the form of software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or make a contribution to the prior art, or may be implemented in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Embodiments of the present invention further provide a non-transitory computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, performs the method provided in the foregoing embodiments, the method including: judging whether the obtained target information can represent that a network is threatened or not according to a threat characteristic library, wherein the target information is original acquisition information or abnormal behavior information; and if the target information is judged to represent that the network is threatened, generating threat alarm information according to any one or more of the threat characteristic library, the network context information and the target information, wherein the threat alarm information is normalized and described based on a uniform description format.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (9)

1. A threat alarm information generation method is characterized by comprising the following steps:
judging whether the obtained target information can represent that a network is threatened or not according to a threat characteristic library, wherein the target information is original acquisition information or abnormal behavior information;
if the target information is judged to represent that the network is threatened, generating threat alarm information according to any one or more of the threat feature library, the network context information and the target information, wherein the threat alarm information is subjected to normalization description based on a uniform description format;
according to the threat characteristic library, judging whether the acquired target information can represent that the network is threatened, wherein the method also comprises the following steps:
obtaining threat behavior characteristics and/or threat behavior association rules to construct a threat characteristic library; wherein
the threat behavior association rule comprises any one or more of abnormal behavior attribute information, an abnormal behavior attribute value, an abnormal behavior attribute threshold value and an operator;
according to the threat characteristic library, judging whether the acquired target information can represent that the network is threatened, and further comprising the following steps:
analyzing the original collected information to generate an original collected information analysis result;
matching the analysis result of the original acquisition information with the threat behavior association rule, and judging whether the original acquisition information can represent that the network is threatened according to the matching result;
matching the analysis result of the original acquisition information with the threat behavior association rule, and judging whether the original acquisition information can represent that the network is threatened according to the matching result, further comprising:
instantiating the threat behavior association rule to form an instantiation association rule;
matching the abnormal behavior attribute information in the instantiation association rule with the analysis result of the original acquisition information;
if the matching is successful, judging whether the instantiation association rule meets a first preset condition;
if the instantiation association rule meets the first preset condition, state transition is triggered;
and if the state is a threat state after the state is transferred, defining an original event for generating the original acquisition information as a threat event, and judging that the original acquisition information can represent that the network is threatened.
2. The method of claim 1, wherein the threat behavior characteristics include any one or more of a threat type, a threat level, a time of occurrence or a time interval threshold of a threat behavior, a place of occurrence of a threat behavior, an entity of occurrence of a threat behavior, and a content of the threat behavior.
3. The method of claim 1, wherein determining whether the obtained target information can represent a network threat according to a threat feature library, further comprises:
analyzing the abnormal behavior information to generate an abnormal behavior information analysis result;
and matching the abnormal behavior information analysis result with the threat behavior characteristics, and judging whether the abnormal behavior information can represent that the network is threatened according to the matching result.
4. The method of claim 3, wherein the abnormal behavior information parsing result is matched with the threat behavior feature, and whether the abnormal behavior information can characterize that a network is threatened is determined according to the matching result, further comprising:
and matching the analysis result of the abnormal behavior information with the threat behavior characteristics, if a first matching condition is met, defining the abnormal behavior generating the abnormal behavior information as a threat event, and judging that the abnormal behavior information can represent that the network is threatened.
5. The method of claim 1, wherein generating threat alert information based on any one or more of the threat characteristic library, network context information, and the target information, further comprises:
judging whether information supplement needs to be carried out on the threat event or not according to the threat characteristic library, and carrying out information supplement on the threat event according to network context information when the judgment result is that the information supplement needs to be carried out on the threat event;
and carrying out normalization description on the threat event after information supplement based on the unified description format to generate threat alarm information.
6. The method of claim 1, wherein the unified description format comprises: any one or more of a threat type, a threat object signature, a threat object performance signature, a threat range, a threat level, a threat start and end time, an attacker signature, an attack style, an attack path, an information sharer, and an information receiver.
7. A threat alert information generation system, comprising:
the judging module is used for judging whether the acquired target information can represent that a network is threatened or not according to the threat characteristic library, wherein the target information is original acquisition information or abnormal behavior information;
the threat alarm information generation module is used for generating threat alarm information according to any one or more of the threat feature library, the network context information and the target information if the target information is judged to represent that the network is threatened, wherein the threat alarm information is normalized and described based on a uniform description format;
according to the threat characteristic library, judging whether the acquired target information can represent that the network is threatened, wherein the method also comprises the following steps:
the judging module is also used for acquiring threat behavior characteristics and/or threat behavior association rules to construct a threat characteristic library; wherein
the threat behavior association rule comprises any one or more of abnormal behavior attribute information, an abnormal behavior attribute value, an abnormal behavior attribute threshold value and an operator;
according to the threat characteristic library, judging whether the acquired target information can represent that the network is threatened, and further comprising the following steps:
analyzing the original collected information to generate an original collected information analysis result;
matching the analysis result of the original acquisition information with the threat behavior association rule, and judging whether the original acquisition information can represent that the network is threatened according to the matching result;
matching the analysis result of the original acquisition information with the threat behavior association rule, and judging whether the original acquisition information can represent that the network is threatened according to the matching result, further comprising:
instantiating the threat behavior association rule to form an instantiation association rule;
matching the abnormal behavior attribute information in the instantiation association rule with the analysis result of the original acquisition information;
if the matching is successful, judging whether the instantiation association rule meets a first preset condition;
if the instantiation association rule meets the first preset condition, state transition is triggered;
and if the state is a threat state after the state is transferred, defining an original event for generating the original acquisition information as a threat event, and judging that the original acquisition information can represent that the network is threatened.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the method according to any one of claims 1 to 6.
9. A non-transitory computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 6.
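The detection pipeline of claim 7 and the normalized alarm of claim 6, as an added worked example in Python that is not part of the patent or of any implementation by its assignee. It builds a small threat feature library of association rules (attribute, operator, threshold, and the state transition each triggers), analyzes constructed sshd-style log lines standing in for the original collected information, instantiates each rule against the analysis result, checks a first preset condition, runs the state transition, and, when the final state is the threat state, supplements the event from an assumed network context table and emits it in the unified description format. The state names, the two rules and their thresholds, the log lines, the asset inventory, and the sharer/receiver names are all assumptions; the patent fixes none of them.

```python
import re
from dataclasses import dataclass

# Threat feature library: threat behaviour association rules carrying the abnormal-behaviour
# attribute, operator and threshold of claim 7 plus the state transition each triggers.
# Rule contents and state names are assumptions for this example.
@dataclass(frozen=True)
class AssociationRule:
    rule_id: str
    attribute: str      # abnormal behaviour attribute information
    operator: str       # operator
    threshold: int      # abnormal behaviour attribute threshold value
    from_state: str
    to_state: str
    threat_type: str
    threat_level: str

OPERATORS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b,
             "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}
THREAT_FEATURE_LIBRARY = [
    AssociationRule("R1", "failed_logins", ">=", 5, "normal", "suspicious",
                    "ssh_password_guessing", "medium"),
    AssociationRule("R2", "accepted_after_failures", ">=", 1, "suspicious", "threat",
                    "ssh_brute_force_success", "high"),
]

NETWORK_CONTEXT = {"host1": {"zone": "DMZ", "role": "bastion"}}  # assumed asset inventory

# Original collected information: constructed sshd-style log lines (not real data).
RAW_LOGS = """\
2018-11-19T10:00:01 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51234 ssh2
2018-11-19T10:00:02 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51235 ssh2
2018-11-19T10:00:03 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51236 ssh2
2018-11-19T10:00:04 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51237 ssh2
2018-11-19T10:00:05 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51238 ssh2
2018-11-19T10:00:09 host1 sshd[4013]: Accepted password for root from 203.0.113.7 port 51240 ssh2
2018-11-19T10:00:30 host1 sshd[4020]: Failed password for alice from 198.51.100.5 port 40000 ssh2
2018-11-19T10:00:35 host1 sshd[4021]: Accepted password for alice from 198.51.100.5 port 40001 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"password for (?P<user>\S+) from (?P<src>\S+) port \d+")

def analyse_raw(raw: str) -> dict:
    """Analyse the original collected information into per-source attribute values."""
    out = {}
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # lines outside the grammar are ignored
        rec = out.setdefault(m["src"], {"failed_logins": 0, "accepted_after_failures": 0,
                                        "host": m["host"], "first": m["ts"], "last": m["ts"]})
        if m["result"] == "Failed":
            rec["failed_logins"] += 1
        elif rec["failed_logins"] > 0:        # success after earlier failures from this source
            rec["accepted_after_failures"] += 1
        rec["last"] = m["ts"]
    return out

def instantiate(rule: AssociationRule, observed: dict) -> dict:
    """Instantiate a rule by binding its attribute to the observed attribute value."""
    return {"rule": rule, "value": observed.get(rule.attribute)}

def first_preset_condition(inst: dict, state: str) -> bool:
    """Assumed condition: the rule applies to the current state and value <op> threshold holds."""
    rule = inst["rule"]
    return (inst["value"] is not None and rule.from_state == state
            and OPERATORS[rule.operator](inst["value"], rule.threshold))

def judge(analysis: dict, library=THREAT_FEATURE_LIBRARY) -> dict:
    """Match instantiated rules per source and run state transitions -> {src: (state, fired)}."""
    result = {}
    for src, observed in analysis.items():
        state, fired = "normal", []
        for rule in library:
            if first_preset_condition(instantiate(rule, observed), state):
                state = rule.to_state             # state transition triggered
                fired.append(rule)
        result[src] = (state, fired)
    return result

def generate_alarms(raw: str, context=NETWORK_CONTEXT) -> list:
    """Judge, then describe each threat event in the unified description format."""
    analysis, alarms = analyse_raw(raw), []
    for src, (state, fired) in judge(analysis).items():
        if state != "threat":
            continue                              # original event is not a threat event
        obs, last = analysis[src], fired[-1]
        asset = context.get(obs["host"], {})      # information supplement from network context
        alarms.append({
            "threat_type": last.threat_type, "threat_object": obs["host"],
            "threat_range": asset.get("zone", "unknown"), "threat_level": last.threat_level,
            "threat_start": obs["first"], "threat_end": obs["last"], "attacker": src,
            "attack_style": "password guessing over SSH",
            "attack_path": f"{src} -> {obs['host']}:sshd",
            "info_sharer": "ids-sensor-1", "info_receiver": "soc",  # assumed names
        })
    return alarms

if __name__ == "__main__":
    for alarm in generate_alarms(RAW_LOGS):
        print(alarm)
```

Running the script emits one alarm for 203.0.113.7, whose five failures followed by a success walk the state machine normal -> suspicious -> threat; the single failure from 198.51.100.5 matches no rule in the normal state and is never promoted, which is the point of gating each rule on the current state rather than firing on any threshold crossing.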
CN201811377198.XA 2018-11-19 2018-11-19 Threat alarm information generation method and system Active CN109688105B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811377198.XA CN109688105B (en) 2018-11-19 2018-11-19 Threat alarm information generation method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811377198.XA CN109688105B (en) 2018-11-19 2018-11-19 Threat alarm information generation method and system

Publications (2)

Publication Number Publication Date
CN109688105A (en) 2019-04-26
CN109688105B (en) 2020-07-07

Family

ID=66185361

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811377198.XA Active CN109688105B (en) 2018-11-19 2018-11-19 Threat alarm information generation method and system

Country Status (1)

Country Link
CN (1) CN109688105B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112152968B (en) * 2019-06-27 2022-07-22 北京数安鑫云信息技术有限公司 Network threat detection method and device
CN110765391B (en) * 2019-09-16 2022-02-22 华青融天(北京)软件股份有限公司 Security detection method and device, electronic equipment and storage medium
CN110866692A (en) * 2019-11-14 2020-03-06 北京明略软件系统有限公司 Generation method and generation device of early warning information and readable storage medium
CN111224953A (en) * 2019-12-25 2020-06-02 哈尔滨安天科技集团股份有限公司 Method, device and storage medium for discovering threat organization attack based on abnormal point
CN113328976B (en) * 2020-02-28 2022-11-22 华为技术有限公司 Security threat event identification method, device and equipment
CN111931935B (en) * 2020-09-27 2021-01-15 中国人民解放军国防科技大学 Network security knowledge extraction method and device based on One-shot learning
CN112261033A (en) * 2020-10-19 2021-01-22 北京京航计算通讯研究所 Network security protection method based on enterprise intranet
CN113259364B (en) * 2021-05-27 2021-10-22 长扬科技(北京)有限公司 Network event correlation analysis method and device and computer equipment
CN113382015A (en) * 2021-06-24 2021-09-10 北京恒安嘉新安全技术有限公司 Handling method, device, equipment and storage medium of network threat
CN115314304A (en) * 2022-08-10 2022-11-08 重庆电子工程职业学院 Network security event analysis device and method
CN115484151B (en) * 2022-09-23 2023-11-21 北京安天网络安全技术有限公司 Threat detection method, device, equipment and medium based on composite event processing

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101562537A (en) * 2009-05-19 2009-10-21 华中科技大学 Distributed self-optimized intrusion detection alarm associated system
CN105843803A (en) * 2015-01-12 2016-08-10 上海悦程信息技术有限公司 Big data security visualization interaction analysis system and method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104954335A (en) * 2014-03-27 2015-09-30 中国移动通信集团安徽有限公司 Method and system for preventing high-risk network intrusion
CN106209829A (en) * 2016-07-05 2016-12-07 杨林 A kind of network security management system based on warning strategies
CN107623691A (en) * 2017-09-29 2018-01-23 长沙市智为信息技术有限公司 A kind of ddos attack detecting system and method based on reverse transmittance nerve network algorithm

Also Published As

Publication number Publication date
CN109688105A (en) 2019-04-26

Similar Documents

Publication Publication Date Title
CN109688105B (en) Threat alarm information generation method and system
CN109698819B (en) Threat disposal management method and system in network
US10855700B1 (en) Post-intrusion detection of cyber-attacks during lateral movement within networks
CN106663169B (en) System and method for high speed threat intelligence management using unsupervised machine learning and priority algorithms
US11399288B2 (en) Method for HTTP-based access point fingerprint and classification using machine learning
AU2008207926B2 (en) Correlation and analysis of entity attributes
CN111193719A (en) Network intrusion protection system
US11310201B2 (en) Network security system with enhanced traffic analysis based on feedback loop
EP2715975B1 (en) Network asset information management
US8856911B2 (en) Methods, network services, and computer program products for recommending security policies to firewalls
US20120240228A1 (en) Multi-dimensional reputation scoring
US11681804B2 (en) System and method for automatic generation of malware detection traps
Corona et al. Information fusion for computer security: State of the art and open issues
WO2008091984A1 (en) Detecting image spam
EP2740028A2 (en) Asset model import connector
CN113518042B (en) Data processing method, device, equipment and storage medium
WO2021202116A1 (en) Multiple sourced classification
JP5743822B2 (en) Information leakage prevention device and restriction information generation device
KR100977827B1 (en) Apparatus and method detecting connection mailcious web server system
KR100933986B1 (en) Integrated Signature Management and Distribution System and Method for Network Attack
CN114124453A (en) Network security information processing method and device, electronic equipment and storage medium
JP2018516398A (en) Optimizing data detection in communications
Vokorokos et al. Security of distributed intrusion detection system based on multisensor fusion
Affia et al. Securing an MQTT-based Traffic Light Perception System for Autonomous Driving
Hassan Construction of customizable SOA security framework using artificial neural networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant