CN109740344B - Threat information model building method and device, electronic equipment and storage medium - Google Patents


Publication number
CN109740344B
Authority
CN
China
Legal status
Active
Application number
CN201811439436.5A
Other languages
Chinese (zh)
Other versions
CN109740344A (en)
Inventor
汪列军
白敏�
张杨名
Current Assignee
Qianxin Technology Group Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd

Abstract

The invention discloses a threat intelligence model building method applicable to the field of data processing. The method comprises: acquiring attack events in threat intelligence, wherein the threat intelligence comprises a plurality of attack events; preprocessing the attack events to obtain the meta-features of the attack events and the attribute relationships between the meta-features; and establishing a threat intelligence model by taking the meta-features as nodes and the attribute relationships between the meta-features as line segments connecting the nodes. The invention also discloses a threat intelligence model building device, electronic equipment and a storage medium. The visibility of the threat intelligence model is improved.

Description

Threat information model building method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a threat intelligence model building method, a threat intelligence model building device, an electronic device, and a storage medium.
Background
In the face of an increasingly severe network security situation, how to handle network attacks effectively and in time is a core concern of organizations and enterprises. With the development of virtualization and cloud computing technology, large data centers are becoming more and more virtualized, and the network boundary is becoming increasingly blurred. Meanwhile, the advanced persistent threat (Advanced Persistent Threat, APT) attack has become a focus of public attention. An APT attack, also called a "specific target" attack, is a novel kind of attack that is organized, aimed at a specific target and extremely long in duration.
Therefore, how to accurately and clearly describe the attack which has occurred and to analyze the possible threat actions later becomes a security problem to be solved by the current enterprises.
Disclosure of Invention
The invention mainly aims to provide a threat information model building method, a threat information model building device, electronic equipment and a storage medium, and the visibility of the existing threat information model is improved.
To achieve the above object, a first aspect of an embodiment of the present invention provides a threat intelligence model building method, including:
Acquiring attack events in threat information, wherein the threat information comprises a plurality of attack events;
preprocessing the attack event to obtain the meta-feature of the attack event and the attribute relationship between the meta-feature;
and taking the meta-features as nodes, taking attribute relations among the meta-features as line segments for connecting the nodes, and establishing a threat information model.
A second aspect of the embodiment of the present invention provides a threat intelligence model building apparatus, including:
The acquisition module is used for acquiring attack events in threat information, wherein the threat information comprises a plurality of attack events;
the preprocessing module is used for preprocessing the attack event to obtain meta-characteristics of the attack event and attribute relations between the meta-characteristics;
The establishing module is used for taking the meta-features as nodes, taking attribute relations among the meta-features as line segments for connecting the nodes, and establishing a threat information model.
A third aspect of an embodiment of the present invention provides an electronic device, including:
The system comprises a memory, a processor and a computer program stored in the memory and capable of running on the processor, and is characterized in that the processor realizes the threat intelligence model establishment method provided by the first aspect of the embodiment of the invention when executing the program.
A fourth aspect of the embodiment of the present invention provides a computer readable storage medium having stored thereon a computer program, which when executed by a processor, implements the threat intelligence model creation method provided by the first aspect of the embodiment of the present invention.
According to the embodiment of the invention, the threat information model is built by acquiring the attack event in the threat information, preprocessing the attack event to obtain the meta-feature of the attack event and the attribute relationship between the meta-features, taking the meta-feature as a node, and taking the attribute relationship between the meta-features as a line segment connecting the nodes. The visibility of the threat information model can be improved, and the multi-dimensional attribute relationship between the meta-feature of the attack initiating object and the meta-feature can be found.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are necessary for the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention and that other drawings may be obtained from them without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a threat intelligence model creation method according to an embodiment of the invention;
FIG. 2 is a flowchart illustrating a threat intelligence model creation method according to another embodiment of the invention;
FIG. 3 is a schematic diagram of a threat intelligence model provided in another embodiment of the invention;
FIG. 4 is a schematic structural diagram of a threat intelligence model apparatus according to another embodiment of the invention;
FIG. 5 is a hardware configuration diagram of an electronic device.
Detailed Description
In order to make the objects, features and advantages of the present invention more comprehensible, the technical solutions in the embodiments of the present invention will be clearly described in conjunction with the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, fig. 1 is a flowchart of a threat intelligence model establishing method according to an embodiment of the invention. The method may be applied to an electronic device, and the electronic device may include: a mobile phone, tablet (Portable Android Device, PAD), notebook, personal digital assistant (Personal Digital Assistant, PDA), etc. The method comprises the following steps:
S101, acquiring attack events in threat information, wherein the threat information comprises a plurality of attack events;
Threat intelligence refers to evidence-based knowledge about existing or potential threats faced by IT or information assets, including contexts, mechanisms, metrics, inferences, and viable suggestions that can provide decision basis for threat responses, consisting of attack events.
An attack event is an information security event in which an attack group attacks an information system through a network or other technical means, by exploiting a configuration defect, a protocol defect or a program defect of the information system or by using a brute force attack, and causes an abnormality of the information system or a potential hazard to the current operation of the information system.
It can be appreciated that in the embodiment of the present invention, the number of attack events should be multiple to increase the integrity of the threat intelligence model, so as to facilitate the association analysis of subsequent threat intrusion.
S102, preprocessing an attack event to obtain meta-characteristics of the attack event and attribute relations between the meta-characteristics;
A meta-feature is the smallest attribute unit that describes an attack event. By analogy, if a student information record includes the fields name (name), age (age), gender (size), class (class), etc., then its meta-features are name, age, gender and class. In an embodiment of the present invention, an attack event is characterized by a timestamp, a stage (reconnaissance, weaponization, stripping), a result (success, failure, confidentiality compromised, integrity compromised), a direction (unidirectional, bidirectional), a method (spear phishing, denial of service attack), and the external resources required to successfully complete the event activity. Specific examples are an attack initiation object (apt_group), an attack man-in-the-middle (attack_mid), a group alias (group_alias), an attack domain name (attack_domain), a registered mailbox (reg_email), a file name (file_name), a program database file (Program Database File, PDB), a file path (file_path), a mutex (mutex), and the like.
An attribute relationship refers to some action or membership that occurs between two meta-features, such as use (use), access (access), contain (Contain), release (Release), register (Reg), bind (Bind), identify (Is), locate (At), etc.
S103, taking the meta-features as nodes, taking attribute relations among the meta-features as line segments for connecting the nodes, and establishing a threat information model.
Here, a node represents a meta-feature of the attack event, and the line segment connecting two nodes represents the attribute relationship between the two meta-features. For example, the line segment between the node file_hash and the node file_name represents the file name used by the file_hash.
In the embodiment of the invention, the attack event in the threat information is obtained, the attack event is preprocessed, the meta-feature of the attack event and the attribute relationship between the meta-features are obtained, then the meta-features are used as nodes, the attribute relationship between the meta-features is used as a line segment for connecting the nodes, and a threat information model is established. The visibility of the threat information model can be improved, and the multi-dimensional attribute relationship between the meta-feature of the attack initiating object and the meta-feature can be found.
Referring to fig. 2, fig. 2 is a flow chart of a threat intelligence model establishing method according to another embodiment of the invention, the method can be applied to an electronic device, and the method includes the following steps:
S201, acquiring attack events in threat information, wherein the threat information comprises a plurality of attack events;
Threat intelligence consists of a number of attack events. For example, an APT attack group may use a phishing attack to trick targets into downloading a special Rich Text Format (RTF) document attachment via the hypertext transfer protocol (Hypertext Transfer Protocol, HTTP).
S202, preprocessing an attack event to obtain meta-characteristics of the attack event and attribute relations between the meta-characteristics, wherein the meta-characteristics comprise attack initiating objects and threat characteristics;
According to the classification of the nodes, meta-features can be broadly divided into two categories: attack-initiating objects and threat features. The attack initiating object (APT_group) is the attacking entity, that is, the attack group name or the adversary. Threat features include the attack man-in-the-middle (attack_mid), group alias (group_alias), attack domain name (attack_domain), registration mailbox (reg_email), file name (file_name), program database file (Program Database File, PDB), file path (file_path), mutex (mutex), etc.
In a complete attack event, meta-features are interrelated by attribute relationships. For example, if the meta-features are an attack initiation object (apt_group) and a group alias (group_alias), the attribute relationship between the two is alias (alias), which represents the group alias of the attack initiation object in this attack event.
Specifically, USE means that the relationship between two nodes is uses/used by, for example: a certain Campaign uses a certain domain name/IP/URL/MD5, or a certain domain name uses a certain IP as its resolution address.
ACCESS means that the relationship between two nodes is accesses/accessed by, for example: a certain HASH accesses a certain domain name/IP.
CONTAIN means that the relationship between two nodes is contains/contained in, e.g.: a certain HASH contains a certain mutex.
RELEASE means that the relationship between two nodes is releases/released by, for example: one HASH file releases another HASH.
REG represents registration, for example: a certain entity registers a mailbox.
BIND represents a binding, e.g., an IP binds a domain name.
IS represents identifying an event or entity.
AT represents a location, for example, an entity has performed some activity at a certain location.
S203, taking the meta-features as nodes, taking attribute relations among the meta-features as line segments for connecting the nodes, and establishing a threat information model.
Referring to fig. 3, fig. 3 is a schematic diagram of a threat intelligence model provided in another embodiment of the invention. Through this model, the relevant meta-features of an attack organization can be known, and multi-dimensional attribute relationships between the meta-features can be found. As shown in fig. 3, the child nodes may be divided into multiple levels, for example primary child nodes, secondary child nodes, and so on. By way of example, the parent nodes and primary child nodes and their attribute relationships are shown in Table 1:
TABLE 1
Parent node    Primary child node    Attribute relationship
APT_Group      IP                    Attack
APT_Group      Machine ID            Attack
APT_Group      IP                    Use
APT_Group      Domain                Use
APT_Group      Machine ID            Use
APT_Group      Sample Hash           Use
GroupAlias     APT Group             Alias
Illustratively, the primary and secondary child nodes and their attribute relationships are shown in Table 2:
TABLE 2
Primary child node    Secondary child node    Attribute relationship
Attck_domain          registor                reg
Attck_domain          reg_email               reg
Attck_domain          created_date            at
Attck_domain          attck_ip                bind
Attck_domain          file_hash               use
file_hash             pdb                     contain
file_hash             file_name               use
file_hash             file_path               use
file_hash             mutex                   use
In the embodiment of the invention, the attack event in the threat information is obtained, the attack event is preprocessed, the meta-feature of the attack event and the attribute relationship between the meta-features are obtained, then the meta-features are used as nodes, the attribute relationship between the meta-features is used as a line segment for connecting the nodes, and a threat information model is established. The visibility of the threat information model can be improved, and the multi-dimensional attribute relationship between the meta-feature of the attack initiating object and the meta-feature can be found.
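The model described above can be sketched as a labelled directed graph. The following Python is an added example, not code from the patent: the class and function names, the (type, value) node encoding and all sample values are assumptions. It builds the graph from preprocessed events, derives the parent/primary/secondary levels, and lists the meta-features that link separate events.

```python
from collections import defaultdict, deque

# Relationship vocabulary from the description (USE ... AT) plus the two
# extra relationships that appear in Table 1 (Attack, Alias).
RELATIONS = {"use", "access", "contain", "release", "reg", "bind", "is", "at",
             "attack", "alias"}
PARENT_TYPE = "apt_group"  # attack-initiating object = parent node

# Constructed sample data: two preprocessed attack events, each a list of
# (source meta-feature, relationship, target meta-feature) triples.
# A meta-feature is a (type, value) pair; every value here is made up.
EVENTS = {
    "event-1": [
        (("apt_group", "GROUP-A"), "use", ("attack_domain", "update.example.test")),
        (("attack_domain", "update.example.test"), "reg", ("reg_email", "admin@example.test")),
        (("attack_domain", "update.example.test"), "bind", ("attack_ip", "192.0.2.10")),
        (("attack_domain", "update.example.test"), "use", ("file_hash", "hash-0001")),
        (("file_hash", "hash-0001"), "contain", ("pdb", "C:\\build\\loader.pdb")),
        (("file_hash", "hash-0001"), "use", ("mutex", "Global\\mtx_demo")),
    ],
    "event-2": [
        (("apt_group", "GROUP-B"), "use", ("attack_domain", "cdn.example.test")),
        (("attack_domain", "cdn.example.test"), "reg", ("reg_email", "admin@example.test")),
        (("attack_domain", "cdn.example.test"), "use", ("file_hash", "hash-0002")),
        (("file_hash", "hash-0002"), "use", ("mutex", "Global\\mtx_demo")),
    ],
}


class ThreatModel:
    """Meta-features as nodes, attribute relationships as labelled edges."""

    def __init__(self):
        self.out = defaultdict(set)      # node -> {(relationship, child)}
        self.inc = defaultdict(set)      # node -> {(relationship, parent)}
        self.seen_in = defaultdict(set)  # node -> {event ids}

    def add_event(self, event_id, triples):
        for src, rel, dst in triples:
            rel = rel.lower()
            if rel not in RELATIONS:
                # Reject edges outside the agreed vocabulary instead of
                # silently storing relationships nobody can query.
                raise ValueError(f"unknown attribute relationship: {rel!r}")
            self.out[src].add((rel, dst))
            self.inc[dst].add((rel, src))
            self.seen_in[src].add(event_id)
            self.seen_in[dst].add(event_id)

    def levels(self):
        """Breadth-first depth of each node: 0 = parent, 1 = primary child, ..."""
        depth = {n: 0 for n in self.seen_in if n[0] == PARENT_TYPE}
        queue = deque(depth)
        while queue:
            node = queue.popleft()
            for _, child in self.out[node]:
                if child not in depth:
                    depth[child] = depth[node] + 1
                    queue.append(child)
        return depth

    def shared(self):
        """Meta-features seen in more than one event (pivot points)."""
        return {n: sorted(ev) for n, ev in self.seen_in.items() if len(ev) > 1}

    def groups_for(self, node):
        """Walk edges backwards from a meta-feature to its parent nodes."""
        found, stack, visited = set(), [node], {node}
        while stack:
            cur = stack.pop()
            if cur[0] == PARENT_TYPE:
                found.add(cur[1])
            for _, parent in self.inc[cur]:
                if parent not in visited:
                    visited.add(parent)
                    stack.append(parent)
        return sorted(found)


def build_model(events):
    model = ThreatModel()
    for event_id, triples in events.items():
        model.add_event(event_id, triples)
    return model


if __name__ == "__main__":
    m = build_model(EVENTS)
    for node, depth in sorted(m.levels().items(), key=lambda kv: (kv[1], kv[0])):
        print(depth, node)
    for node, events in m.shared().items():
        print("shared:", node, events, "->", m.groups_for(node))
```

In the sample data the registration mailbox and the mutex appear in both events, so walking back from either one reaches both group names, which is the kind of multi-dimensional relationship the model is meant to surface.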
Referring to fig. 4, fig. 4 is a schematic structural diagram of a threat intelligence model apparatus according to another embodiment of the invention, the apparatus may be built in an electronic device, and the apparatus includes:
An acquisition module 301, a preprocessing module 302 and an establishing module 303.
The acquiring module 301 is configured to acquire an attack event in threat information, where the threat information includes a plurality of attack events.
Threat intelligence refers to evidence-based knowledge of existing or potential threats faced by IT or information assets, including contexts, mechanisms, metrics, inference and viable suggestions, that can provide decision basis for threat responses, consisting of attack events.
An attack event is an information security event in which an attack group attacks an information system through a network or other technical means, by exploiting a configuration defect, a protocol defect or a program defect of the information system or by using a brute force attack, and causes an abnormality of the information system or a potential hazard to the current operation of the information system.
The preprocessing module 302 is configured to preprocess the attack event to obtain a meta-feature of the attack event and an attribute relationship between the meta-features.
A meta-feature is the smallest attribute unit that describes an attack event. By analogy, if a student information record includes the fields name (name), age (age), gender (size), class (class), etc., then its meta-features are name, age, gender and class. In an embodiment of the present invention, the meta-features of an attack event can be classified into timestamp, stage (reconnaissance, weaponization, stripping), outcome (success, failure, confidentiality compromised, integrity compromised), direction (unidirectional, bidirectional), method (spear phishing, denial of service attack) and the external resources required to successfully complete the event activity. Specific examples are an attack initiation object (apt_group), an attack man-in-the-middle (attack_mid), a group alias (group_alias), an attack domain name (attack_domain), a registered mailbox (reg_email), a file name (file_name), a program database file (Program Database File, PDB), a file path (file_path), a mutex (mutex), and the like.
An attribute relationship refers to some action or usage relationship that occurs between two meta-features, such as use, access, containment (Contain), release, registration (Reg), binding (Bind), validation (Is), location (At), etc.
The establishing module 303 is configured to establish a threat information model by using meta-features as nodes and attribute relationships between the meta-features as line segments connecting the nodes.
Here, a node represents a meta-feature of the attack event, and the line segment connecting two nodes represents the attribute relationship between the two meta-features. For example, the line segment between the node file_hash and the node file_name indicates the file name file_name used by the file_hash.
In the embodiment of the invention, the attack event in the threat information is obtained, the attack event is preprocessed, the meta-feature of the attack event and the attribute relationship between the meta-features are obtained, then the meta-features are used as nodes, the attribute relationship between the meta-features is used as a line segment for connecting the nodes, and a threat information model is established. The visibility of the threat information model can be improved, and the meta-feature of the attack initiating object and the multidimensional attribute relation between the meta-features can be found.
Referring to fig. 5, fig. 5 shows a hardware configuration diagram of an electronic device.
The electronic device described in the present embodiment includes:
A memory 41, a processor 42, and a computer program stored in the memory 41 and executable on the processor 42. When the processor executes the program, it implements the threat intelligence model creation method described in the foregoing embodiments shown in fig. 1 or fig. 2.
Further, the electronic device further includes:
At least one input device 43; at least one output device 44.
The memory 41, the processor 42, the input device 43 and the output device 44 are connected by a bus 45.
The input device 43 may be a camera, a touch panel, a physical button, a mouse, or the like. The output device 44 may be in particular a display screen.
The memory 41 may be a high-speed random access memory (Random Access Memory, RAM) or a non-volatile memory, such as a disk memory. The memory 41 is used to store a set of executable program code, and the processor 42 is coupled to the memory 41.
Further, the embodiment of the present invention also provides a computer readable storage medium, which may be provided in the terminal in each of the above embodiments, and the computer readable storage medium may be the memory in the embodiment shown in fig. 5. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the threat intelligence model creation method described in the foregoing embodiments shown in fig. 1 or fig. 2. Further, the computer-readable medium may be any medium that can store program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, or an optical disk.
It should be noted that, in each embodiment of the present invention, each functional module may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module. The integrated modules may be implemented in hardware or in software functional modules.
The integrated modules, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on this understanding, the technical solution of the invention, in essence or in the part that contributes over the prior art, may be embodied in whole or in part in the form of a software product.
It should be noted that, for the sake of simplicity of description, the foregoing method embodiments are all expressed as a series of combinations of actions, but it should be understood by those skilled in the art that the present invention is not limited by the order of actions described, as some steps may be performed in other order or simultaneously in accordance with the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily all required for the present invention.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
The foregoing describes a threat information model establishing method, apparatus, electronic device and storage medium provided by the present invention, and those skilled in the art may change the specific implementation and application scope according to the idea of the embodiment of the present invention, so that the content of the present specification should not be construed as limiting the present invention.

Claims (8)

1. A threat intelligence model building method, comprising:
Acquiring attack events in threat information, wherein the threat information comprises a plurality of attack events;
preprocessing the attack event to obtain the meta-feature of the attack event and the attribute relationship between the meta-feature;
taking the meta-features as nodes, taking attribute relations among the meta-features as line segments for connecting the nodes, and establishing a threat information model;
The meta-feature comprises an attack initiating object and a threat feature, wherein the attribute relationship between the meta-features refers to a certain action or membership occurring between the two meta-features, and the threat information model is used for exploring the multi-dimensional attribute relationship between the meta-feature of the attack initiating object and the meta-feature;
The attribute relationship includes at least one of the following relationships: use, access, include, release, register, bind, identify, locate, wherein in the attack event, meta-features are interrelated by attribute relationships.
2. The method of claim 1, wherein the nodes comprise parent nodes and child nodes;
the parent node represents the attack-initiating object and the child node represents the threat feature.
3. The method according to any one of claims 1 to 2, wherein said inputting the meta-characteristics and attribute relationships to a pre-set threat intelligence model comprises:
And taking the attack initiating object as a father node and the threat characteristic as a child node to be input into a preset threat information model.
4. A threat intelligence model building apparatus, comprising:
The acquisition module is used for acquiring attack events in threat information, wherein the threat information comprises a plurality of attack events;
the preprocessing module is used for preprocessing the attack event to obtain meta-characteristics of the attack event and attribute relations between the meta-characteristics;
the building module is used for taking the meta-features as nodes, taking attribute relations among the meta-features as line segments for connecting the nodes, and building a threat information model;
The meta-feature comprises an attack initiating object and a threat feature, wherein the attribute relationship between the meta-features refers to a certain action or membership occurring between the two meta-features, and the threat information model is used for exploring the multi-dimensional attribute relationship between the meta-feature of the attack initiating object and the meta-feature;
The attribute relationship includes at least one of the following relationships: use, access, include, release, register, bind, identify, locate, wherein in the attack event, meta-features are interrelated by attribute relationships.
5. The apparatus of claim 4, wherein the nodes in an input module comprise parent and child nodes;
the parent node represents the attack-initiating object and the child node represents the threat feature.
6. The apparatus according to any one of claims 4 to 5, wherein the input module is specifically configured to input the attack-initiating-object as a parent node and the threat feature as a child node to a preset threat intelligence model.
7. An electronic device, comprising: a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the threat intelligence model creation method of any of claims 1 to 3 when executing the computer program.
8. A computer readable storage medium having stored thereon a computer program, which when executed by a processor, implements the steps of the threat intelligence model creation method of any of claims 1 to 3.
CN201811439436.5A 2018-11-28 2018-11-28 Threat information model building method and device, electronic equipment and storage medium Active CN109740344B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811439436.5A CN109740344B (en) 2018-11-28 2018-11-28 Threat information model building method and device, electronic equipment and storage medium

Publications (2)

Publication Number    Publication Date
CN109740344A          2019-05-10
CN109740344B          2024-04-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
  Address after: 100088 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing
  Applicant after: Qianxin Technology Group Co.,Ltd.
  Address before: 100000 Floor 15, Floor 17, Floor 1, 1701-26, Building No. 10, Jiuxianqiao Road, Chaoyang District, Beijing
  Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.
GR01 Patent grant