CN109784049B - Method, apparatus, system, and medium for threat data processing - Google Patents

Info

Publication number
CN109784049B
Authority
CN
China
Prior art keywords
white list
data
processed
detection
type
Prior art date
Legal status
Active
Application number
CN201811578787.4A
Other languages
Chinese (zh)
Other versions
CN109784049A (en)
Inventor
白敏�
汪列军
韩志立
Current Assignee
Qianxin Technology Group Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Priority date
Filing date
Publication date
Application filed by Qianxin Technology Group Co Ltd
Priority to CN201811578787.4A
Publication of CN109784049A
Application granted
Publication of CN109784049B
Legal status: Active (current)
Anticipated expiration

Abstract

The present disclosure provides a method of threat data processing, the method comprising: acquiring a first white list and a second white list, wherein the first white list comprises registered normal DGA domain names, and the second white list comprises domain names of normal manufacturers; updating the first white list and the second white list, and regularly transmitting the updated first white list and the second white list to the detection platform; and the detection platform performs matching detection on the data to be processed, when the data to be processed is not matched with the first white list and the second white list, if the data to be processed accesses a malicious website, the detection result of the data to be processed is sent to the display terminal, and otherwise, the data to be processed is added into the second white list. The present disclosure also provides a threat data processing apparatus, system, and medium.

Description

Method, apparatus, system, and medium for threat data processing
Technical Field
The present disclosure relates to a method, apparatus, system, and medium for threat data processing.
Background
With the continuous development of communication technology, internet applications are becoming ever more widespread, and at the same time network security is continuously threatened by hacker techniques. At present, various defensive means are available against intrusion; security software such as web shields, antivirus software and security guards can resist intrusion to a certain extent and maintain network security.
However, in the threat intelligence service field and in big-data-based threat detection queries, the domain names and URLs of the messages to be detected are checked against a black list and a white list, and these lists are incomplete. This causes false alarms on the detection platform and reduces the accuracy and efficiency of detection.
Disclosure of Invention
The present disclosure addresses the above problems by providing a method, apparatus, system, and medium for threat data processing. Through an automated data flow, a DGA white list and a top 10w white list are obtained, updated, and transmitted to a detection platform at regular intervals, and the detection platform detects the data to be detected using the updated DGA white list and top 10w white list. This provides accurate threat indicator (IOC) information, reduces the false alarm rate of the detection platform, and improves the threat analysis efficiency of analysts.
One aspect of the present disclosure provides a method of threat data processing, comprising: acquiring a first white list and a second white list, wherein the first white list comprises registered normal DGA domain names, and the second white list comprises domain names of normal manufacturers; updating the first white list and the second white list, and regularly transmitting the updated first white list and the updated second white list to a detection platform; the detection platform carries out matching detection on data to be processed, when the data to be processed is not matched with the first white list and the second white list, if the data to be processed accesses a malicious website, a detection result of the data to be processed is sent to a display terminal, and otherwise, the data to be processed is added into the second white list.
Optionally, the method further comprises: classifying the data to be processed, storing the data to be processed into a database according to a classification result, and establishing an index for the data to be processed.
Optionally, the first white list is a DGA white list, and the second white list is a top 10w white list.
Optionally, the matching detection of the data to be processed by the detection platform includes: carrying out matching detection of the data to be processed against the first white list and the second white list respectively, and discarding the data to be processed if it is in the first white list and/or the second white list.
Optionally, sending the detection result of the data to be processed to the display terminal further includes: performing aggregation and association processing on the detection results, and sending the processed detection results to the display terminal.
Optionally, the display information of the display terminal includes the detection result, malicious family information, and type information.
Optionally, the detection result is one or more threat indicator information.
Another aspect of the present disclosure further provides an electronic device for threat data processing, including: a processor; a memory storing a computer executable program which, when executed by the processor, causes the processor to perform the above-described method of threat data processing.
In another aspect, the present disclosure provides a system for threat data processing, including: an acquisition module, an updating module and a matching detection module, wherein the acquisition module acquires a first white list and a second white list, the first white list comprises registered normal DGA domain names, and the second white list comprises domain names of normal manufacturers; the updating module is used for updating the first white list and the second white list and transmitting the updated first white list and the updated second white list to a detection platform at regular time; and the matching detection module is used for performing matching detection on the data to be processed by the detection platform, and when the data to be processed is not matched with the first white list and the second white list, if the data to be processed accesses a malicious website, sending a detection result of the data to be processed to a display terminal, and if not, adding the data to be processed into the second white list.
Another aspect of the present disclosure also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the above-described method of threat data processing.
Drawings
For a more complete understanding of the present disclosure and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
fig. 1 schematically illustrates a flow chart of a method of threat data processing provided in accordance with an embodiment of the present disclosure.
FIG. 2 schematically illustrates an operational flow diagram of a method of threat data processing provided in accordance with an embodiment of the present disclosure.
Fig. 3 schematically shows a block diagram of an electronic device according to the present disclosure.
FIG. 4 schematically illustrates a block diagram of a system for threat data processing of an embodiment of the present disclosure.
Detailed Description
Other aspects, advantages, and salient features of the disclosure will become apparent to those skilled in the art from the following detailed description, which, taken in conjunction with the annexed drawings, discloses exemplary embodiments of the disclosure.
In the present disclosure, the terms "include" and "comprise," as well as derivatives thereof, mean inclusion without limitation; the term "or" is inclusive, meaning and/or.
In this specification, the various embodiments described below which are used to describe the principles of the present disclosure are by way of illustration only and should not be construed in any way to limit the scope of the disclosure. The following description with reference to the accompanying drawings is provided to assist in a comprehensive understanding of exemplary embodiments of the present disclosure as defined by the claims and their equivalents. The following description includes various specific details to aid understanding, but such details are to be regarded as illustrative only. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Moreover, descriptions of well-known functions and constructions are omitted for clarity and conciseness. Moreover, throughout the drawings, the same reference numerals are used for similar functions and operations.
Fig. 1 schematically illustrates a flow chart of a method of threat data processing provided in accordance with an embodiment of the present disclosure. FIG. 2 schematically illustrates an operational flow diagram of a method of threat data processing provided in accordance with an embodiment of the present disclosure. The method described in fig. 1 is explained in detail with reference to fig. 2, and as shown in fig. 1, the method includes the following operations:
S1, obtaining a first white list and a second white list, wherein the first white list includes registered regular DGA domain names, and the second white list includes domain names of regular vendors.
The first white list is the DGA white list, which contains already registered DGA domains that are actively used. A DGA (domain generation algorithm) uses random characters to generate C&C domain names so as to evade domain name blacklist detection; a blacklist is not effective against a continuously updated DGA.
The second white list is the top 10w white list, which contains the domain names of regular vendors, such as www. "Top 10w" means that the regular-vendor domain names contained in the white list number on the order of 10 ten thousand (100,000), and are the domain names of the first 100,000 regular vendors with the highest access volume.
The common DGA white list and the top 10w-level white list are acquired through an automated data stream, which completes the data-related tasks in a pipelined, automated manner.
S2, updating the first white list and the second white list, and periodically transmitting the updated first white list and second white list to the detection platform.
Between two transmissions, data cleaning and updating are carried out continuously on the first white list and the second white list, finally forming a domain name feature set; the updated first and second white lists are then transmitted at regular intervals to the threat detection platform or another detection platform, so that the lists are refreshed regularly and remain effective.
Data cleaning works as follows: if, for example, a piece of data is in neither the first white list nor the second white list but accesses a normal website, its domain name needs to be added to the first white list or the second white list, so as to optimize both white lists and reduce false alarms in threat indicator information.
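As an added example that is not part of the patent or of Qianxin's implementation, the following Python sketches operations S1 and S2: ranking registered domains by access volume to form the second (top-N) white list, the data-cleaning rule that adds a host that accessed a normal site to the second list, and the periodic snapshot handed to the detection platform. The log format, the two-label registered-domain rule, the class and function names, and the version counter and SHA-256 digest on the snapshot are assumptions; the patent specifies none of them.

```python
import hashlib
import json
from collections import Counter

# Constructed access records ("client_ip host" per line) standing in for the access-volume
# data the top-10w list is ranked from; the patent fixes no log format.
ACCESS_LOG = """\
10.0.0.5 www.example.com
10.0.0.6 cdn.example.com
10.0.0.7 example.com
10.0.0.5 mail.example.org
10.0.0.8 example.org
10.0.0.9 shop.example.net
10.0.0.5 qwzx7k2p.com
""".strip().splitlines()


def registered_domain(host: str) -> str:
    """Fold subdomains onto the registered domain (assumption: last two labels)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def build_top_whitelist(log_lines, n: int) -> list:
    """Rank registered domains by access volume and keep the first n (n=100000 gives 'top 10w')."""
    counts = Counter(registered_domain(line.split()[1]) for line in log_lines)
    return [domain for domain, _ in counts.most_common(n)]


class WhitelistFeed:
    """Holds the first (DGA) and second (top-N) white lists and produces the periodic snapshot."""

    def __init__(self, dga_whitelist, top_whitelist):
        self.dga = set(dga_whitelist)
        self.top = set(top_whitelist)
        self.version = 0

    def clean(self, host: str, accessed_malicious: bool) -> bool:
        """S2 data cleaning: a host in neither list that accessed a normal site is added to
        the second list so it stops raising false alarms. Returns True when it was added."""
        domain = registered_domain(host)
        if accessed_malicious or domain in self.dga or domain in self.top:
            return False
        self.top.add(domain)
        return True

    def snapshot(self) -> dict:
        """Domain feature set sent to the detection platform at each interval. The version
        counter and SHA-256 digest are assumptions so a stale or altered feed can be rejected."""
        self.version += 1
        body = {"version": self.version, "dga": sorted(self.dga), "top": sorted(self.top)}
        body["sha256"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        return body


def verify_snapshot(snap: dict) -> bool:
    """Detection-platform side: recompute the digest over the lists before loading them."""
    body = {k: v for k, v in snap.items() if k != "sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() == snap["sha256"]
```

Folding every observed host onto its registered domain before counting is what keeps a vendor with many subdomains from occupying several of the top-N slots; the digest check on the platform side matters because a white list is a trust input, and a feed that can be silently altered in transit would suppress detections for whatever domains were added.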
S3, the detection platform carries out matching detection on the data to be processed; when the data to be processed matches neither the first white list nor the second white list, if the data to be processed accesses a malicious website, the detection result of the data to be processed is sent to the display terminal, and otherwise the data to be processed is added to the second white list.
Operation S3 includes the following sub-operations:
S31, classifying the data to be processed, storing it into a database according to the classification result, and establishing an index for it.
The data to be processed is classified, the classification types including TPD, IP, DOMAIN, URL, PORT and so on. After classification, the data is stored in a local database that supports high-performance matching queries, and a local index is built to facilitate data lookup.
S32, acquiring the data to be processed from the repository, and judging whether it is of the DGA, CC, TPD or another type.
Specifically, to judge whether a domain name is of TPD type, its secondary domain name is resolved and queried in the database; if a result is returned and its marked type is TPD, the data is of TPD type. The CC type is judged from the ioc_category return value: a return value other than TPD indicates CC type. For the DGA type, if tags['DGA'] is set, the data is of DGA type.
S33, judging whether the data to be processed matches the first white list and/or the second white list; if the data to be processed is in the first white list and/or the second white list, it is discarded and null is returned; otherwise, sub-operation S34 is performed.
S34, when the data to be processed is in neither the first white list nor the second white list, carrying out classified detection according to the type of the data to be processed and recording the detection result.
Specifically, TPD type data has no ioc field and its detection result is returned directly; DGA type data that is in neither the first white list (DGA white list) nor the second white list (top 10w white list) has its detection result returned directly; for CC type data, the ignore_port, ignore_url and ignore_top parameters are consulted: if they are empty, the data is returned directly, otherwise it is returned according to the port and url given in the parameters.
Specifically, ignore_url indicates whether the url is ignored in the query: if true, the url field parsed from the TPD is not matched; otherwise it is matched, the current ioc is returned on a hit, and null is returned on a miss even if several iocs exist in the library. ignore_port indicates whether the port is ignored in the query: if true, the port field parsed from the TPD is not matched; otherwise it is matched, the current ioc is returned on a hit, and null is returned on a miss even if several iocs exist in the library. ignore_top indicates whether the top domain name is ignored in the query: if true, the top domain name is not matched; otherwise it is matched, null is returned on a hit, and the ioc query continues on a miss.
S35, performing aggregation and association processing on the detection results, and sending the processed detection results to the display terminal, where the display information of the display terminal includes the detection results, malicious family information and type information. The detection result comprises one or more pieces of threat indicator information.
Specifically, the detection results are aggregated and then provided, through Broker association, to the display terminal for display, showing the fields in the following table.
Family name | IOC list      | Type        | Info
Apt group   | host/port/uri | domain_port | level 3
The information displayed by the front end of the display terminal can be as shown in the following table.
APT group  | IOC                    | Type
OceanLotus | cdn.mediastatics.net,0 | DOMAIN_PORT
OceanLotus | image.Iastapi.org,0    | DOMAIN_PORT
OceanLotus | 81.95.7.12,47557       | IP_PORT
OceanLotus | 81.95.7.12,587         | IP_PORT
OceanLotus | 91.229.77.192,47557    | IP_PORT
OceanLotus | 89.34.237.142,44818    | IP_PORT
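Sub-operations S31 to S35, as one added Python example that is not code from the patent or from Qianxin: exact white-list matching that discards the data, type determination from the secondary-domain record, the ignore_url / ignore_port / ignore_top handling for CC data, the outer rule that adds an unmatched benign host to the second white list, and aggregation by family into the display rows shown above. The repository layout, the Observation shape, every field name other than ioc_category and tags, the two-label registered-domain rule, and treating a parameter left as None as "not checked" are assumptions; the hosts and addresses in the repository are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed white lists standing in for the S1/S2 feeds (assumption: sets of hosts
# matched exactly in S33; the patent fixes no storage format).
DGA_WHITELIST = {"qwzx7k2p.com"}
TOP10W_WHITELIST = {"example.com", "example.org"}

@dataclass
class Ioc:
    """Repository record. ioc_category and tags are the description's names; the rest are assumed."""
    family: str
    value: str                          # domain or IP
    ioc_category: str                   # "TPD" or a C&C category such as "C2"
    tags: set = field(default_factory=set)
    port: Optional[int] = None
    url: Optional[str] = None

@dataclass
class Observation:
    """Data to be processed: contacted host plus the port and URL path seen (constructed shape)."""
    host: str
    port: Optional[int] = None
    url: Optional[str] = None

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def registered_domain(host: str) -> str:
    """Secondary domain used for the repository query (assumption: last two labels; IPs unchanged)."""
    if is_ip(host):
        return host
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def determine_type(obs: Observation, repo: dict) -> Optional[str]:
    """S32: TPD if the secondary-domain record is marked TPD, DGA if tagged 'DGA', else CC."""
    records = repo.get(registered_domain(obs.host), [])
    if not records:
        return None
    if any(r.ioc_category == "TPD" for r in records):
        return "TPD"
    if any("DGA" in r.tags for r in records):
        return "DGA"
    return "CC"                                   # ioc_category other than TPD

def detect(obs, repo, ignore_url=None, ignore_port=None, ignore_top=None):
    """S33/S34. Returns the IoC to report, or None when the data is discarded or misses."""
    if obs.host in DGA_WHITELIST or obs.host in TOP10W_WHITELIST:
        return None                               # S33: host is white-listed -> discard
    records = repo.get(registered_domain(obs.host), [])
    kind = determine_type(obs, repo)
    if kind in ("TPD", "DGA"):
        return records[0]                         # no ioc filters: return the result directly
    if kind != "CC":
        return None                               # host unknown to the repository
    if ignore_url is None and ignore_port is None and ignore_top is None:
        return records[0]                         # all three parameters empty -> return directly
    if ignore_top is False and registered_domain(obs.host) in TOP10W_WHITELIST:
        return None                               # top-domain hit -> null; a miss keeps querying
    for r in records:
        url_ok = ignore_url is not False or r.url == obs.url
        port_ok = ignore_port is not False or r.port == obs.port
        if url_ok and port_ok:
            return r                              # hit -> the current ioc
    return None                                   # miss -> null even if several iocs exist

def process(obs, repo, **flags):
    """S3 outer rule: report a hit; otherwise the host is treated as normal and joins the second list."""
    hit = detect(obs, repo, **flags)
    if hit is None and obs.host not in DGA_WHITELIST:
        TOP10W_WHITELIST.add(obs.host)
    return hit

def aggregate(hits) -> dict:
    """S35: group hits by family into display rows of ('value,port', type)."""
    rows = {}
    for ioc in hits:
        kind = "IP_PORT" if is_ip(ioc.value) else "DOMAIN_PORT"
        rows.setdefault(ioc.family, []).append((f"{ioc.value},{ioc.port or 0}", kind))
    return rows

# Constructed repository keyed by secondary domain; the family name is the one in the page's table.
REPO = {
    "evil-cc.test": [Ioc("OceanLotus", "cdn.evil-cc.test", "C2", port=443, url="/gate"),
                     Ioc("OceanLotus", "cdn.evil-cc.test", "C2", port=8080, url="/beacon")],
    "203.0.113.9": [Ioc("OceanLotus", "203.0.113.9", "C2", port=47557)],
    "example.org": [Ioc("OceanLotus", "files.example.org", "C2", port=443, url="/dl")],
    "tpd-demo.test": [Ioc("OceanLotus", "tpd-demo.test", "TPD")],
    "kq8zp1rm.test": [Ioc("OceanLotus", "kq8zp1rm.test", "DGA", tags={"DGA"})],
}
```

The three parameters encode a precision trade-off: with ignore_top=False a host under a top-10w registered domain is dropped even though the repository holds a record for it, which suppresses false alarms on shared infrastructure at the cost of missing abuse of it; with ignore_port=False a port mismatch returns null even when other records exist for the same domain, so the platform reports only the IoC that actually fits the observed connection.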
As shown in fig. 3, an electronic device 300 includes a processor 310 and a computer-readable storage medium 320. The electronic device 300 may perform the threat data processing method described above with reference to fig. 1 and 2.
In particular, processor 310 may include, for example, a general purpose microprocessor, an instruction set processor and/or related chip set and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), and/or the like. The processor 310 may also include on-board memory for caching purposes. The processor 310 may be a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure described with reference to fig. 1 and 2.
Computer-readable storage medium 320 may be, for example, any medium that can contain, store, communicate, propagate, or transport the instructions. For example, a readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. Specific examples of the readable storage medium include: magnetic storage devices, such as magnetic tape or Hard Disk Drives (HDDs); optical storage devices, such as compact disks (CD-ROMs); a memory, such as a Random Access Memory (RAM) or a flash memory; and/or wired/wireless communication links.
The computer-readable storage medium 320 may include a computer program 321, which computer program 321 may include code/computer-executable instructions that, when executed by the processor 310, cause the processor 310 to perform a method flow such as described above in connection with fig. 1 and 2, and any variations thereof.
The computer program 321 may be configured with, for example, computer program code comprising computer program modules. For example, in an example embodiment, code in computer program 321 may include one or more program modules, including, for example, module 321A, module 321B, …. It should be noted that the division and number of modules are not fixed, and those skilled in the art may use suitable program modules or program module combinations according to actual situations, which when executed by the processor 310, enable the processor 310 to execute the method flows described above in connection with fig. 1 and 2, for example, and any variations thereof.
According to embodiments of the present disclosure, a computer readable medium may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, optical fiber cable, radio frequency signals, etc., or any suitable combination of the foregoing.
FIG. 4 schematically illustrates a block diagram of a system for threat data processing of an embodiment of the present disclosure.
As shown in fig. 4, the threat data processing system includes an acquisition module 410, an update module 420, and a match detection module 430.
Specifically, the obtaining module 410 is configured to obtain, through an automated data stream, a common DGA white list and a top 10w-level white list.
The updating module 420 is configured to continuously perform data cleaning and updating on the DGA white list and the top 10w-level white list between two transmissions, finally forming a domain name feature set, and to periodically transmit the updated DGA white list and top 10w-level white list to the threat detection platform or another detection platform.
The matching detection module 430 is configured to perform matching detection on the data to be processed through the detection platform; when the data to be processed matches neither the first white list nor the second white list, it sends the detection result of the data to be processed to the display terminal if the data to be processed accesses a malicious website, and otherwise adds the data to be processed to the second white list.
It is understood that the obtaining module 410, the updating module 420, and the match detecting module 430 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the invention, at least one of the obtaining module 410, the updating module 420, and the match detecting module 430 may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in a suitable combination of three implementations of software, hardware, and firmware. Alternatively, at least one of the obtaining module 410, the updating module 420, the match detection module 430 may be at least partially implemented as a computer program module, which, when executed by a computer, may perform the functions of the respective module.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
While the disclosure has been shown and described with reference to certain exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the disclosure as defined by the appended claims and their equivalents. Accordingly, the scope of the present disclosure should not be limited to the above-described embodiments, but should be defined not only by the appended claims, but also by equivalents thereof.

Claims (7)

1. A method of threat data processing, the method comprising:
acquiring a first white list and a second white list, wherein the first white list comprises registered normal DGA domain names, and the second white list comprises domain names of normal manufacturers;
updating the first white list and the second white list, and regularly transmitting the updated first white list and the updated second white list to a detection platform;
the detection platform carries out matching detection on data to be processed, when the data to be processed is not matched with the first white list and the second white list, if the data to be processed accesses a malicious website, a detection result of the data to be processed is sent to a display terminal, and otherwise, the data to be processed is added into the second white list;
respectively matching and detecting the data to be processed with the first white list and the second white list, if the data to be processed is in the first white list and/or the second white list, discarding the data to be processed, otherwise, if the data to be processed is not in the first white list and the second white list, performing classification detection according to different types of data to be processed and recording detection results;
the type of the data to be processed comprises at least one of TPD, DGA or CC, and the method for judging the type of the data to be processed comprises the following steps:
determining whether the data to be processed is of a TPD type or not by analyzing a query result of the secondary domain name in a database; determining whether the data to be processed is of a CC type or not according to the returned value of the ioc type; determining whether the data to be processed is of a DGA type or not according to the label;
wherein, the sending the detection result of the data to be processed to the display terminal further comprises:
carrying out aggregation and association processing on the detection results, and sending the processed detection results to the display terminal;
the display information of the display terminal comprises the detection result, malicious family information and type information.
2. The method of threat data processing according to claim 1, further comprising:
classifying the data to be processed, storing the data to be processed into a database according to a classification result, and establishing an index for the data to be processed.
3. The method of threat data processing of claim 1, wherein the first whitelist is a DGA whitelist and the second whitelist is a top 10w whitelist.
4. The method of threat data processing according to claim 1, wherein the detection result is one or more threat indicator information.
5. An electronic device for threat data processing, comprising:
a processor;
memory storing a computer executable program which, when executed by the processor, causes the processor to perform the method of threat data processing as claimed in claims 1-4.
6. A threat data processing system, the threat data processing system comprising:
an acquisition module, an updating module and a matching detection module, wherein the acquisition module acquires a first white list and a second white list, the first white list comprises registered normal DGA domain names, and the second white list comprises domain names of normal manufacturers;
the updating module is used for updating the first white list and the second white list and transmitting the updated first white list and the updated second white list to a detection platform at regular time;
the matching detection module is used for performing matching detection on data to be processed by the detection platform, and when the data to be processed is not matched with the first white list and the second white list, if the data to be processed accesses a malicious website, a detection result of the data to be processed is sent to a display terminal, otherwise, the data to be processed is added into the second white list; respectively matching and detecting the data to be processed with the first white list and the second white list, if the data to be processed is in the first white list and/or the second white list, discarding the data to be processed, otherwise, if the data to be processed is not in the first white list and the second white list, performing classification detection according to different types of data to be processed and recording detection results;
the type of the data to be processed comprises at least one of TPD, DGA or CC, and the method for judging the type of the data to be processed comprises the following steps:
determining whether the data to be processed is of a TPD type or not by analyzing a query result of the secondary domain name in a database; determining whether the data to be processed is of a CC type or not according to the returned value of the ioc type; determining whether the data to be processed is of a DGA type or not according to the label;
wherein, the sending the detection result of the data to be processed to the display terminal further comprises:
carrying out aggregation and association processing on the detection results, and sending the processed detection results to the display terminal;
the display information of the display terminal comprises the detection result, malicious family information and type information.
7. A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the method of threat data processing according to any one of claims 1 to 4.
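The following is an added example that models the pipeline of claim 6 in Python; it is not code from the patent or its assignee. The white-list contents, the secondary-domain "database", the ioc-type lookup, the labels and the malicious-site table are all constructed sample data, and the helper names are hypothetical.

```python
# Added example (not the patent's code): two-white-list matching detection,
# type classification (TPD / CC / DGA) and aggregation for a display terminal.
from collections import defaultdict

# Constructed sample white lists.
FIRST_WHITE_LIST = {"update-rt3x9.example"}                  # registered normal DGA domains
SECOND_WHITE_LIST = {"cdn.vendor-a.example", "api.vendor-b.example"}  # normal vendor domains

# Constructed stand-ins for the three classification sources named in claim 6.
SECONDARY_DOMAIN_DB = {"typo-vendr.example": "TPD"}          # DB query result for secondary domain
IOC_TYPE = {"beacon.cc-host.example": "CC"}                  # returned value of the ioc type
LABELS = {"xk3q9zp1.example": "DGA"}                         # label attached to the record
MALICIOUS_SITES = {"typo-vendr.example": "FamilyA",          # domain -> malicious family
                   "beacon.cc-host.example": "FamilyB",
                   "xk3q9zp1.example": "FamilyC"}

# Constructed batch of data to be processed (one domain per record).
SAMPLE_DATA = ["update-rt3x9.example", "api.vendor-b.example", "typo-vendr.example",
               "beacon.cc-host.example", "xk3q9zp1.example", "new-benign.example"]

def secondary_domain(domain):
    """Last two labels of the domain, e.g. 'a.b.example' -> 'b.example'."""
    return ".".join(domain.split(".")[-2:])

def classify(domain):
    """Apply the three type checks of claim 6; a record may carry several types."""
    types = set()
    if SECONDARY_DOMAIN_DB.get(secondary_domain(domain)) == "TPD":
        types.add("TPD")
    if IOC_TYPE.get(domain) == "CC":
        types.add("CC")
    if LABELS.get(domain) == "DGA":
        types.add("DGA")
    return types

def process(records, first_wl, second_wl, malicious):
    """Matching detection: discard white-listed records, record results for the rest."""
    results = []
    for d in records:
        if d in first_wl or d in second_wl:
            continue                      # matched a white list: discard
        types = sorted(classify(d))       # classification detection by type
        if d in malicious:                # accesses a malicious website: report it
            results.append({"domain": d, "family": malicious[d], "types": types})
        else:
            second_wl.add(d)              # otherwise learn it into the second white list
    return results

def aggregate(results):
    """Aggregate/associate results by malicious family for the display terminal."""
    view = defaultdict(lambda: {"domains": [], "types": set()})
    for r in results:
        view[r["family"]]["domains"].append(r["domain"])
        view[r["family"]]["types"].update(r["types"])
    return {f: {"domains": v["domains"], "types": sorted(v["types"])} for f, v in view.items()}
```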
CN201811578787.4A 2018-12-21 2018-12-21 Method, apparatus, system, and medium for threat data processing Active CN109784049B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811578787.4A CN109784049B (en) 2018-12-21 2018-12-21 Method, apparatus, system, and medium for threat data processing

Publications (2)

Publication Number Publication Date
CN109784049A CN109784049A (en) 2019-05-21
CN109784049B true CN109784049B (en) 2021-04-09

Family

ID=66497585

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811578787.4A Active CN109784049B (en) 2018-12-21 2018-12-21 Method, apparatus, system, and medium for threat data processing

Country Status (1)

Country Link
CN (1) CN109784049B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111641663B (en) * 2020-07-06 2022-08-12 奇安信科技集团股份有限公司 Safety detection method and device
CN112069505B (en) * 2020-09-15 2021-11-23 北京微步在线科技有限公司 Audit information processing method and electronic equipment

Citations (3)

Publication number Priority date Publication date Assignee Title
CN108092962A (en) * 2017-12-08 2018-05-29 北京奇安信科技有限公司 Malicious URL detection method and device
CN108156174A (en) * 2018-01-15 2018-06-12 深圳市联软科技股份有限公司 Botnet detection method, device, equipment and medium based on C&C domain name analysis
CN108632227A (en) * 2017-03-23 2018-10-09 中国移动通信集团广东有限公司 Malicious domain name detection and processing method and device

Family Cites Families (7)

Publication number Priority date Publication date Assignee Title
CN106055981B (en) * 2016-06-03 2019-08-20 北京奇虎科技有限公司 Threat intelligence generation method and device
CN105897752B (en) * 2016-06-03 2019-08-02 北京奇虎科技有限公司 Security detection method and device for unknown domain names
CN105897751B (en) * 2016-06-03 2019-08-02 北京奇虎科技有限公司 Threat intelligence generation method and device
CN106101104A (en) * 2016-06-15 2016-11-09 国家计算机网络与信息安全管理中心 Malicious domain name detection method and system based on domain name resolution
CN107682323B (en) * 2017-09-20 2020-05-12 东北大学 Industrial control system network access security early warning system and method
CN107645503B (en) * 2017-09-20 2020-01-24 杭州安恒信息技术股份有限公司 Rule-based method for detecting the DGA family to which a malicious domain name belongs
CN108460278B (en) * 2018-02-13 2020-07-14 奇安信科技集团股份有限公司 Threat intelligence processing method and device

Also Published As

Publication number Publication date
CN109784049A (en) 2019-05-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100088 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Applicant after: Qianxin Technology Group Co., Ltd.

Address before: Beijing Chaoyang District Jiuxianqiao Road 10, building 15, floor 17, layer 1701-26, 3

Applicant before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

GR01 Patent grant