CN109862003A - Generation method, device, system and storage medium for a local threat intelligence library - Google Patents

Publication number: CN109862003A
Authority: CN (China)
Prior art keywords: information, intranet, local, security log, bank
Legal status: Granted
Application number: CN201910071066.2A
Other languages: Chinese (zh)
Other versions: CN109862003B (en)
Inventor: 郑磊
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd

Application filed by Sangfor Technologies Co Ltd
Priority to CN201910071066.2A
Publication of CN109862003A
Application granted
Publication of CN109862003B
Legal status: Active
Abstract

The invention discloses a generation method for a local threat intelligence library, comprising the following steps: obtaining a local security log; extracting threat intelligence from the security log by category according to network behavior data; and generating a local threat intelligence library from the threat intelligence. The invention also discloses a generation device, system and storage medium for a local threat intelligence library. The invention can be tailored to the individual user and effectively raises the utilization rate of the intelligence.

Description

Generation method, device, system and storage medium for a local threat intelligence library
Technical field
The present invention relates to the field of computers, and in particular to a generation method, device, system and storage medium for a local threat intelligence library.
Background
Threat intelligence generally refers to the underlying security data related to a threat that is extracted after a known threat has been analysed, such as a sample MD5 (Message-Digest), a malicious URL (Uniform Resource Locator), a malicious domain name, a malicious IP (Internet Protocol address) and other information about known threats.
At present, the threat intelligence used by security products mainly comes from three sources: (1) subscription from open-source organisations; (2) purchase, for a fee, from organisations that specialise in producing threat intelligence (such as ThreatBook (微步在线) or Google VirusTotal); (3) generation from existing automated sample analysis. Security products build the intelligence from these sources into a threat intelligence library inside the product, provide a cloud update service, and thereby export the threat intelligence indirectly to the user. Because this threat intelligence is not tailored to the individual user, most of it does not apply to the user's own environment, so the user's utilization rate of the intelligence is low, which wastes intelligence and system resources as well as the customer's investment.
In summary, existing threat intelligence suffers from problems such as weak applicability to individual users and low intelligence utilization.
The above content is provided only to aid understanding of the technical solution of the present invention and does not constitute an admission that it is prior art.
Summary of the invention
The main purpose of the present invention is to provide a generation method for a local threat intelligence library, aiming to solve the problems of weak applicability to individual users and low intelligence utilization that existing threat intelligence suffers from.
To achieve the above object, the present invention provides a generation method for a local threat intelligence library, comprising the following steps:
obtaining a local security log;
extracting threat intelligence from the security log by category according to network behavior data;
generating a local threat intelligence library from the threat intelligence.
Preferably, the step of extracting threat intelligence from the security log by category according to network behavior data includes: obtaining the network behavior data corresponding to each category of threat intelligence; and extracting each category of threat intelligence from the security log according to the network behavior data.
Preferably, the threat intelligence includes first intelligence describing intranet device information, together with a combination of at least one of three further kinds of intelligence: second intelligence describing requests from the intranet to the extranet, third intelligence describing extranet attack information, and fourth intelligence describing intranet attack information.
Preferably, the step of extracting each category of threat intelligence from the security log according to the network behavior data includes: detecting the security log, extracting the description information of intranet devices from the security log, and recording the description information as the first intelligence; detecting the security log, analysing the requests issued by the intranet to the extranet, extracting the abnormal access information of the intranet, and recording the abnormal access information of the intranet as the second intelligence; and/or detecting the security log, analysing the extranet information accessing the intranet, extracting the abnormal access information of the extranet, and recording the abnormal access information of the extranet as the third intelligence; and/or detecting the security log, analysing the abnormal access information of intranet devices accessing the intranet, and recording that abnormal access information as the fourth intelligence.
Preferably, after the step of detecting the security log, extracting the description information of intranet devices from the security log and recording the description information as the first intelligence, the method further includes: detecting the description information of the intranet devices and extracting the non-conforming description information of intranet devices; and storing the non-conforming description information to generate an electronic health record for each intranet device.
Preferably, the generation method for a local threat intelligence library further includes: when network data of an intranet device is detected, comparing the network data with the threat intelligence in the local threat intelligence library; and updating the security log according to the comparison result.
To achieve the above object, the present invention also provides a generation device for a local threat intelligence library, the device including: an obtaining module for obtaining a local security log; a threat intelligence extraction module for extracting threat intelligence from the security log by category according to network behavior data; and a generation module for generating a local threat intelligence library from the threat intelligence.
To achieve the above object, the present invention also provides a generation system for a local threat intelligence library, the system including: a memory, a processor, and a generation program for a local threat intelligence library that is stored on the memory and can run on the processor; when the generation program for a local threat intelligence library is executed by the processor, it implements the steps of the generation method for a local threat intelligence library described above.
To achieve the above object, the present invention also provides a storage medium on which a generation program for a local threat intelligence library is stored; when the generation program for a local threat intelligence library is executed by a processor, it implements the steps of the generation method for a local threat intelligence library described above.
The generation method, device, system and storage medium for a local threat intelligence library proposed by the embodiments of the present invention obtain a local security log, use network behavior data to extract threat intelligence from the security log by category, and generate a local threat intelligence library from that threat intelligence. Because the extracted threat intelligence is generated locally, it is directly linked to the local network devices and to each network behavior of those devices, so the generated local threat intelligence library is closer to the needs of the local user, is highly applicable to the individual user, and has a high intelligence utilization rate.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of a terminal device in the hardware running environment involved in the embodiments of the present invention;
Fig. 2 is a flow diagram of a first embodiment of the generation method for a local threat intelligence library of the invention;
Fig. 3 is a flow diagram of a second embodiment of the generation method for a local threat intelligence library of the invention;
Fig. 4 is a flow diagram of a fourth embodiment of the generation method for a local threat intelligence library of the invention;
Fig. 5 is a flow diagram of a fifth embodiment of the generation method for a local threat intelligence library of the invention;
Fig. 6 is a flow diagram of a sixth embodiment of the generation method for a local threat intelligence library of the invention;
Fig. 7 is a structural block diagram of the generation device for a local threat intelligence library of the invention.
The realisation of the objects, the functional features and the advantages of the present invention will be further described with reference to the accompanying drawings in conjunction with the embodiments.
Detailed description
It should be understood that the specific embodiments described here are only intended to illustrate the present invention and are not intended to limit it.
The main solution of the embodiments of the present invention is: obtain a local security log; extract threat intelligence from the security log by category according to network behavior data; generate a local threat intelligence library from the threat intelligence.
The embodiments of the present invention provide a generation method, device, system and storage medium for a local threat intelligence library which obtain a local security log, use network behavior data to extract threat intelligence from the security log by category, and generate a local threat intelligence library from that threat intelligence. Because the extracted threat intelligence is generated locally, it is directly linked to the local network devices and to each network behavior of those devices, so the generated local threat intelligence library is closer to the needs of the local user, is highly applicable to the individual user, and has a high intelligence utilization rate.
As shown in Fig. 1, Fig. 1 is a schematic structural diagram of a terminal in the hardware running environment involved in the embodiments of the present invention.
The terminal of the embodiment of the invention may be a PC (Personal Computer), or a mobile terminal device with a display function such as a smartphone, a tablet computer, an e-book reader, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player or a portable computer.
As shown in Fig. 1, the terminal may include: a processor 1001, such as a CPU (Central Processing Unit); a network interface 1004; a user interface 1003; a memory 1005; and a communication bus 1002. The communication bus 1002 implements the connection and communication between these components. The user interface 1003 may include a display (Display) and an input unit (such as a keyboard, Keyboard), and optionally may also include a standard wired interface or wireless interface. Optionally, the network interface 1004 may include a standard wired interface and a wireless interface (such as a WI-FI interface). The memory 1005 may be a high-speed RAM memory (volatile memory) or a stable non-volatile memory (NVM), such as a magnetic disk memory. Optionally, the memory 1005 may also be a storage device independent of the aforementioned processor 1001.
Optionally, the terminal may also include a camera, an RF (Radio Frequency) circuit, sensors, an audio circuit, a WiFi module and so on. The sensors may be optical sensors, motion sensors or other sensors.
Specifically, the optical sensor includes an ambient light sensor or a proximity sensor; the ambient light sensor can adjust the brightness of the display according to the ambient light, and the proximity sensor can turn off the display and/or adjust the backlight when the mobile terminal is close to an object (such as a human ear). The motion sensor includes a gravity acceleration sensor which, as one kind of motion sensor, can detect the magnitude of acceleration in each direction (generally three axes) when the terminal is in motion, and can also be used for applications that identify the posture of the mobile terminal (such as switching between landscape and portrait, sensing control in related games, magnetometer attitude calibration) and vibration-recognition functions (such as pedometers and tapping); of course, the mobile terminal may also be equipped with other sensors such as a gyroscope, barometer, hygrometer or infrared sensor, which are not described further here.
Those skilled in the art will understand that the terminal structure shown in Fig. 1 does not limit the terminal; it may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in Fig. 1, in further embodiments, the memory 1005 of the computer storage medium includes an electrically connected storage unit, a network communication module and a user interface module; the content stored in the storage unit includes, but is not limited to, the generation program for a local threat intelligence library or an operating system. The operating system is used to manage the generation program for a local threat intelligence library, the network communication module and the user interface module.
In the terminal shown in Fig. 1, the network interface 1004 is mainly used to connect to a background server and exchange data with it; the user interface 1003 is mainly used to connect to a client (user side) and exchange data with it; and the processor 1001 may be used to call the generation program for a local threat intelligence library stored in the memory 1005 and perform the following operations:
obtaining a local security log;
extracting threat intelligence from the security log by category according to network behavior data;
generating a local threat intelligence library from the threat intelligence.
Further, the processor 1001 may call the generation program for a local threat intelligence library stored in the memory 1005 and also perform the following operations:
obtaining the network behavior data corresponding to each category of threat intelligence;
extracting each category of threat intelligence from the security log according to the network behavior data.
Further, the threat intelligence includes a combination of at least one of three kinds of intelligence, namely second intelligence describing requests from the intranet to the extranet, third intelligence describing extranet attack information, and fourth intelligence describing intranet attack information, together with first intelligence describing intranet device information.
Further, the processor 1001 may call the generation program for a local threat intelligence library stored in the memory 1005 and also perform the following operations:
detecting the security log, extracting the description information of intranet devices from the security log, and recording the description information as the first intelligence;
detecting the security log, analysing the requests issued by the intranet to the extranet, extracting the abnormal access information of the intranet, and recording the abnormal access information of the intranet as the second intelligence; and/or
detecting the security log, analysing the extranet information accessing the intranet, extracting the abnormal access information of the extranet, and recording the abnormal access information of the extranet as the third intelligence; and/or
detecting the security log, analysing the abnormal access information of intranet devices accessing the intranet, and recording that abnormal access information as the fourth intelligence.
Further, the processor 1001 may call the generation program for a local threat intelligence library stored in the memory 1005 and also perform the following operations:
detecting the description information of the intranet devices and extracting the non-conforming description information of intranet devices;
storing the non-conforming description information to generate an electronic health record for each intranet device.
Further, the processor 1001 may call the generation program for a local threat intelligence library stored in the memory 1005 and also perform the following operations:
when network data of an intranet device is detected, comparing the network data with the threat intelligence in the local threat intelligence library;
updating the security log according to the comparison result.
Referring to Fig. 2, a first embodiment of the present invention provides a generation method for a local threat intelligence library, which includes:
Step S210: obtain a local security log;
The security log includes the information generated when each terminal is switched on or off, runs programs, or reports system errors. This information is stored in the form of a file, which may be, but is not limited to, txt (Text), doc/docx (DOCument), a spreadsheet, a picture and so on. The terminal records this file as the security log.
In this embodiment, the security log may be added manually by the user, or obtained automatically after being generated by a local application. The local application may be a local IDS (Intrusion Detection System), a situational awareness application, or the like.
Intrusion detection systems include real-time intrusion detection and after-the-fact intrusion detection. Real-time intrusion detection is carried out during the network connection: the system judges the user's current operation according to the user's historical behavior model, the expert knowledge stored in the computer and a neural network model; as soon as signs of intrusion are discovered, the intruder's connection to the host is cut, evidence is collected and data recovery is carried out. This detection process runs in a continuous loop. After-the-fact intrusion detection is carried out by network administrators with network security expertise, periodically or irregularly; it is not real-time, so its ability to defend against intrusion is weaker than that of a real-time intrusion detection system.
The situational awareness application can analyse in depth the raw traffic collected in the network and the logs of key devices, analyse and correlate user and entity behavior in combination with intelligence and threat modelling capability, and investigate the logic of attack behavior, so that the system can identify and judge the behavior of legitimate users and malicious attackers, present business, threats and so on visually, solve the problem of security being unknowable, and achieve all-weather, all-round awareness of the network security situation. Situational awareness applications include industrial internet security situational awareness and early-warning platforms, network asset census and risk awareness systems, and so on.
Step S220: extract threat intelligence from the security log by category according to network behavior data;
Network behavior data includes the network access behavior of network devices. Network behavior data can be classified by the path of access. For example, it can be an intranet network device accessing the extranet, an extranet network device accessing the intranet, or mutual access between intranet network devices. The network devices may be PCs, servers, hubs, switches, bridges, routers, gateways, network cards, WAP (Wireless Application Protocol) access points, printers and modems, fibre transceivers, optical cables and so on.
Because a network security fault can take many forms, for example an abnormality of a network device communicating with the intranet, an abnormality occurring when the intranet requests the extranet, an abnormality occurring when the extranet requests the intranet, or an abnormality occurring in mutual access between intranet devices, it is necessary to classify the threat intelligence according to the classification of network security faults so that the threat intelligence can be analysed in a clearly organised way.
The terminal extracts threat intelligence from the security log by category, according to the classification of the network behavior data. Threat intelligence is the underlying security data related to a network security fault, extracted after the fault has been analysed, such as a sample MD5, a malicious URL, a malicious domain name/IP and so on. Specifically, the terminal searches the security log according to the corresponding network behavior data and extracts from the security log the threat intelligence corresponding to that network behavior data.
Step S230: generate a local threat intelligence library from the threat intelligence.
The terminal establishes a local threat intelligence library and stores the threat intelligence in it. The local threat intelligence library may be stored as a file in the memory of the terminal; this file may be, but is not limited to, txt (Text), doc/docx (DOCument), a spreadsheet, a picture and so on. Memory includes, but is not limited to, registers, cache, main memory, external storage devices and so on. Further, the terminal stores the threat intelligence in the local threat intelligence library. The terminal may store the threat intelligence in the local threat intelligence library in chronological order, or in order of the data size of the threat intelligence, from largest to smallest or from smallest to largest.
Preferably, there may be one or more local threat intelligence libraries. For example, threat intelligence of different categories may be stored together in the same local threat intelligence library, or stored one-to-one in multiple local threat intelligence libraries (that is, each category of threat intelligence is stored in its own local threat intelligence library, and the number of threat intelligence categories equals the number of local threat intelligence libraries), or a combination of several categories of threat intelligence may be stored in one local threat intelligence library. In other embodiments, other applications on the terminal may also obtain the stored threat intelligence from the local threat intelligence library for their own use.
The generation method for a local threat intelligence library provided in this embodiment obtains a local security log, uses network behavior data to extract threat intelligence from the security log by category, and generates a local threat intelligence library from that threat intelligence. Because the extracted threat intelligence is generated locally, it is directly linked to the local network devices and to each network behavior of those devices, so the generated local threat intelligence library is closer to the needs of the local user, is highly applicable to the individual user, and has a high intelligence utilization rate.
Referring to Fig. 3, a second embodiment of the present invention provides a generation method for a local threat intelligence library; based on the first embodiment, step S220 includes:
Step S310: obtain the network behavior data corresponding to each category of threat intelligence;
The terminal obtains the network behavior data by category. The network behavior data includes the port information of network device access. In this embodiment, the network behavior data is classified by the path of access. For example, it may be the data generated by an intranet network device accessing the extranet, the data generated by an extranet network device accessing the intranet, or the data generated by mutual access between intranet network devices.
Step S320: extract each category of threat intelligence from the security log according to the network behavior data.
The terminal extracts the corresponding threat intelligence from the security log according to each category of network behavior data. Specifically, the terminal extracts the threat intelligence corresponding to each category of network behavior data according to the port information accessed by the network device. Network devices include intranet devices and extranet devices: an intranet device is a network device communicating with the intranet, and an extranet device is a network device communicating with the extranet. Specifically, the terminal parses the security log and extracts the corresponding threat intelligence according to the port information of the network device access.
A third embodiment of the present invention provides a generation method for a local threat intelligence library; based on the second embodiment, the threat intelligence includes first intelligence describing intranet device information, and second intelligence describing requests from the intranet to the extranet and/or third intelligence describing extranet attack information and/or fourth intelligence describing intranet attack information.
In this embodiment, the threat intelligence is divided according to the network behavior data into first intelligence, and second intelligence and/or third intelligence and/or fourth intelligence. The first intelligence describes intranet device information; intranet devices include, but are not limited to, network devices such as servers and terminals. Intranet device information includes, but is not limited to, the IP and description information of intranet devices; that is, the first intelligence includes the IP of an intranet device and the description information of the intranet device. The second intelligence describes requests from the intranet to the extranet; in this embodiment, the second intelligence includes, but is not limited to, the IP of the intranet device that makes the request to the extranet, the IP of the extranet device, the DNS and URL requested by the intranet device, the request data of the intranet device's request to the extranet device, and the response data with which the extranet device answers the request. The third intelligence describes extranet attack information; specifically, it describes attack information of extranet devices against intranet devices, and in this embodiment may include the extranet IP of the extranet device, the IP of the intranet device, the attack request data of the extranet device's attack requests against intranet devices, and the response data with which the intranet device answers the request.
The generation method for a local threat intelligence library provided in this embodiment, by classifying the threat intelligence, can analyse the local network security state in a more orderly and clearer way, letting the user see more clearly where the network security problems lie, so that network security can be maintained in a targeted manner with corresponding measures.
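As an added example, not code from the patent or from the assignee, the following Python script walks through steps S210 to S230 on a constructed security log, sorts what it extracts into the first to fourth intelligence described above, derives the per-device health records from non-conforming description information, and implements the comparison step in which newly observed network data is checked against the local library. The log format, the field names, and the use of RFC 1918 ranges to decide what counts as intranet are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample security log for this example (not from the patent).
# "asset" lines carry intranet device descriptions; "conn" lines are network
# events that a local IDS has already labelled with a verdict.
SAMPLE_LOG = """\
2024-01-01T08:00:01 asset ip=10.0.0.5 name=fileserver desc="SMB file share"
2024-01-01T08:00:02 asset ip=10.0.0.7 name=ws-07 desc="staff PC" defect="missing patches"
2024-01-01T08:01:10 conn src=10.0.0.7 dst=203.0.113.10 dport=80 url=http://203.0.113.10/u.php md5=0123456789abcdef0123456789abcdef verdict=malicious
2024-01-01T08:01:11 conn src=10.0.0.7 dst=198.51.100.2 dport=53 domain=xk3j9dq2lm.example verdict=dga
2024-01-01T08:02:00 conn src=10.0.0.5 dst=198.51.100.9 dport=443 domain=example.org verdict=clean
2024-01-01T08:03:00 conn src=203.0.113.77 dst=10.0.0.5 dport=445 sig=smb-exploit verdict=attack
2024-01-01T08:03:05 conn src=10.0.0.7 dst=10.0.0.5 dport=445 sig=lateral-move verdict=attack
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed intranet address ranges (RFC 1918); a real deployment would configure its own.
INTRANET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one log line into timestamp, event type and its key=value fields."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(parts[2])}
    fields["ts"], fields["type"] = parts[0], parts[1]
    return fields


def is_intranet(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTRANET)


def direction(src, dst):
    """Classify a network behaviour by its access path, as the patent does."""
    s, d = is_intranet(src), is_intranet(dst)
    if s and not d:
        return "intranet_to_extranet"
    if not s and d:
        return "extranet_to_intranet"
    return "intranet_to_intranet" if s and d else "extranet_to_extranet"


def build_local_library(log_text):
    """Steps S210-S230: read the local security log, extract threat intelligence
    per network-behaviour category and assemble the local library:
      first  - intranet device descriptions (keyed by IP)
      second - abnormal intranet->extranet requests (malicious IP/domain/URL, sample MD5)
      third  - extranet attacks on intranet devices
      fourth - intranet-on-intranet attacks
    """
    lib = {"first": {}, "second": [], "third": [], "fourth": []}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["type"] == "asset":
            lib["first"][ev["ip"]] = {k: ev[k] for k in ("name", "desc", "defect") if k in ev}
            continue
        if ev["type"] != "conn" or ev.get("verdict") == "clean":
            continue  # only abnormal access becomes threat intelligence
        ioc = {k: ev[k] for k in ("src", "dst", "domain", "url", "md5", "sig", "verdict") if k in ev}
        bucket = {"intranet_to_extranet": "second", "extranet_to_intranet": "third",
                  "intranet_to_intranet": "fourth"}.get(direction(ev["src"], ev["dst"]))
        if bucket:
            lib[bucket].append(ioc)
    return lib


def device_health_records(lib):
    """Per-device record built from the non-conforming description information
    (the patent's optional step after recording the first intelligence)."""
    return {ip: d["defect"] for ip, d in lib["first"].items() if "defect" in d}


def match_network_data(lib, src, dst, domain=None, url=None, md5=None):
    """Compare newly observed network data with the local library; returns the
    (category, indicator) pairs that hit, so the caller can update the security log."""
    hits = []
    for cat in ("second", "third", "fourth"):
        for ioc in lib[cat]:
            hit = (domain is not None and ioc.get("domain") == domain) or \
                  (url is not None and ioc.get("url") == url) or \
                  (md5 is not None and ioc.get("md5") == md5)
            if cat == "second":
                hit = hit or ioc["dst"] == dst      # known malicious extranet destination
            elif cat == "third":
                hit = hit or ioc["src"] == src      # known attacking extranet source
            else:
                hit = hit or (ioc["src"], ioc["dst"]) == (src, dst)  # known lateral pair
            if hit:
                hits.append((cat, ioc))
    return hits


if __name__ == "__main__":
    library = build_local_library(SAMPLE_LOG)
    for cat, entries in library.items():
        print(cat, entries)
    print("health records:", device_health_records(library))
    print("hits:", match_network_data(library, "10.0.0.9", "203.0.113.10"))
```

The clean connection is deliberately dropped so that only abnormal access ends up in the library; how a deployment decides "abnormal" (the IDS verdict here, DGA, UA or sandbox analysis in the patent) is the part that varies per site.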
Referring to Fig. 4, fourth embodiment of the invention provides a kind of local generation method for threatening information bank, is implemented based on third Example, step S220 include:
Step S410 detects security log, and the description information of Intranet equipment is extracted from security log, description information is remembered Record is the first information;
Terminal detects security log, extracts the Intranet device IP in security log, is extracted according to Intranet device IP corresponding The description information is recorded as the first information by the description information of Intranet equipment.Wherein, the description information of Intranet equipment includes Intranet The information such as IP, title, storage address and the function description of equipment.First information, which includes that Intranet equipment is all in security log, to be retouched State information.
Step S420: detect the security log, analyse the requests the intranet issues to the extranet, extract the abnormal access information of the intranet, and record the abnormal access information of the intranet as the second intelligence; and/or
The terminal detects the security log and, from the access ports of the intranet devices recorded in the security log, obtains the requests the intranet issues to the extranet. Specifically, the terminal analyses the request data that intranet devices send to extranet devices, extracts the abnormal access information of the intranet from the security log according to that request data, and records it as the second intelligence. In this embodiment the terminal detects the security log with techniques such as DGA (Domain Generation Algorithm) detection and DNS tunnel detection and extracts the extranet device IPs or extranet domain names requested by the intranet; it analyses the security log with UA (User-Agent) analysis and extracts the malicious URLs accessed by intranet device IPs. The UA identifies the browser; its information includes the hardware platform, system software, application software and the user's personal preference settings. Analysing the security log with UA analysis yields the browser access data, from which the malicious URLs accessed by intranet device IPs are extracted. The terminal also detects the security log with sandbox detection and extracts the DNS names and URLs requested when a malicious file executes. The malicious URLs accessed by intranet device IPs and the DNS names and URLs requested by executing malicious files are the second intelligence. A sandbox is a way of running an application in a restricted security environment; its purpose is to limit the code access permissions granted to the application. For example, a control downloaded into the IE (Internet Explorer) browser runs with the Internet permission set, while an application residing on a LAN share runs on the terminal with the LAN permission set. The terminal can use the sandbox to run some of the untrusted applications downloaded to the terminal. The terminal detects the security log with sandbox detection and extracts the DNS names and URLs corresponding to the untrusted files; the untrusted files are malicious files.
Step S430: detect the security log, analyse the extranet information accessing the intranet, extract the abnormal access information of the extranet, and record the abnormal access information of the extranet as the third intelligence; and/or
The terminal detects the security log and, from the access port information of the extranet devices in the security log, obtains the requests the extranet issues to the intranet. Further, the terminal analyses the requests the extranet issues to the intranet; specifically, it analyses the requests extranet devices send to intranet devices, extracts the abnormal access information of the extranet from the security log according to the request data, and records the abnormal access information of the extranet as the third intelligence. In this embodiment the terminal also applies the DGA detection, DNS tunnel detection, UA analysis and sandbox detection described for step S420 to the security log, extracting the extranet device IPs or domain names requested by the intranet, the malicious URLs accessed by intranet device IPs and the DNS names and URLs requested by executing malicious files, which are the second intelligence. According to the IPs and file MD5 values of the network devices in the security log, the terminal detects the security log, analyses the extranet information accessing the intranet, extracts the abnormal access information of the extranet and records it as the third intelligence. Abnormal access information includes, but is not limited to, access error messages, access at an abnormal frequency and access with offensive characteristics. Specifically, the terminal detects the security log with techniques such as a WAF (Web Application Firewall) and an IPS (Intrusion Prevention System) and extracts the extranet device IPs that launched attacks against the intranet; the extranet device may be an extranet server, an extranet terminal or similar. Specifically, the terminal detects the security log with an antivirus engine and extracts the hash values corresponding to malicious files. The terminal records the extranet device IPs that attacked the intranet and the hash values of the malicious files as the third intelligence.
Step S440: detect the security log, analyse the abnormal access information of the intranet devices accessing the intranet, and record the abnormal access information as the fourth intelligence.
The terminal detects the security log and, from the access port information of the intranet devices in the security log, obtains the requests intranet devices issue to one another. Specifically, the terminal analyses the requests between intranet devices, extracts the abnormal access information of the intranet from the security log according to the request data, and records the abnormal access information of the intranet as the fourth intelligence. The request data includes the identification information and IP of the network device issuing the request, the identification information and IP of the destination network device, and the command information of the request. In this embodiment the terminal analyses the access information between intranet devices according to the IPs in the security log, extracts the abnormal access information from it and records that abnormal access information as the fourth intelligence. Specifically, the terminal detects the security log with techniques such as WAF and IPS, extracts the IPs of the intranet devices that attacked or scanned the intranet, and records those intranet device IPs as the fourth intelligence.
The terminal can store the categories of threat intelligence in multiple corresponding local threat intelligence libraries, for example by establishing four local libraries and storing the first, second, third and fourth intelligence in them respectively. The terminal can also store all categories of threat intelligence together in a single local threat intelligence library, or store combinations of categories in multiple local libraries, for example the first and second intelligence in one local library and the third and fourth intelligence in another.
With the local threat intelligence library generation method of this embodiment, the terminal uses the first intelligence describing intranet device information, the second intelligence describing intranet requests to the extranet, and/or the third intelligence describing extranet attack information and/or the fourth intelligence describing intranet attack information to obtain the intranet device information and the threat intelligence for detecting intranet access to the extranet, extranet access to the intranet and intranet access to the intranet. The threat intelligence is thus explicitly classified, so that the user can detect the different networks more clearly and completely, which improves the efficiency of network security detection using the local threat intelligence library.
Referring to Fig. 5, the fifth embodiment of the invention provides a local threat intelligence library generation method which, based on the fourth embodiment, further comprises after step S410:
Step S510: detect the description information of the intranet devices and extract the abnormal description information of the intranet devices;
The terminal detects the description information of the intranet devices and extracts the abnormal description information from all of the intranet device description information. Specifically, the terminal detects the description information of the intranet devices, judges whether the network behaviour data of the corresponding intranet device is abnormal, and extracts the abnormal description information of the intranet devices whose network behaviour data is abnormal. For example, if an intranet device IP initiates DNS requests and is subject to attacks flagged by the WAF, the terminal extracts that intranet device IP together with the information describing the device's history of compromise, vulnerabilities and similar conditions. The intranet device IP and the information describing each intranet device's history of compromise and vulnerabilities constitute the abnormal description information.
Step S520: store the abnormal description information to generate an electronic health record (a per-device case history) for each intranet device.
Specifically, the terminal stores the abnormal description information and generates the electronic health record of the first intelligence. The electronic health record contains all of the abnormal description information of each intranet device over its history. The terminal can classify and record the abnormal description information by intranet device IP. In this embodiment the terminal stores the electronic health record in the local threat intelligence library that holds the first intelligence.
In one embodiment, after step S520 the method further comprises: outputting the electronic health record.
The terminal can output the electronic health record to a display screen for the user to read.
With the local threat intelligence library generation method of this embodiment, generating the electronic health record lets the user obtain the historical abnormal description information of the intranet devices and grasp their historical risk situation more clearly and directly, so that operations such as situational awareness can be performed using the electronic health record, which strengthens local network security.
Referring to Fig. 6, the sixth embodiment of the invention provides a local threat intelligence library generation method which, based on the first embodiment, further comprises:
Step S610: when network data of an intranet device is detected, compare the network data with the threat intelligence in the local threat intelligence library;
Step S620: update the security log according to the comparison result.
The network data of the intranet device is the data to be tested; it is generated by the network behaviour of the local network devices. The terminal can perform network security detection on the network data according to the local threat intelligence library and obtain the security state of the network data. Specifically, the terminal compares the network data with the threat intelligence in the local library and obtains the security state of the network data: it judges whether the network data contains any threat intelligence held in the local library and, if so, updates the security log, the updated security log including a description of the abnormal state of the network data. In short, the security state of the network data is either abnormal or normal; when the terminal determines that the network data contains threat intelligence from the local library, it sets the security state of the current network data to abnormal and updates the security log.
With the local threat intelligence library generation method of this embodiment, comparing the network data with the local threat intelligence library and updating the security log lets the terminal detect the network security state of the local network devices and record it in the security log for the user to obtain.
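As an added example that is not part of the patent text, the following Python builds the four local threat intelligence libraries of the fourth embodiment from constructed security-log entries classified by the direction of the behaviour they record (intranet to extranet, extranet to intranet, intranet to intranet), derives the per-device electronic health record of the fifth embodiment, and screens new network data against the library to update the security log as in the sixth embodiment. The intranet range, the log format and every indicator in it are constructed assumptions, not values from the patent.

```python
import hashlib
import ipaddress
from collections import defaultdict

# Assumption made for this example: the intranet is a single private range.
INTRANET = ipaddress.ip_network("10.0.0.0/8")

# Constructed hash standing in for a malicious file's MD5 (not a real IoC).
SAMPLE_MD5 = hashlib.md5(b"constructed sample, not a real file").hexdigest()


def is_intranet(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTRANET


# Constructed security-log entries (not real data). Each one records a network
# behaviour: who talked to whom, which detector flagged it and what it found.
SECURITY_LOG = [
    {"src": "10.0.1.5", "dst": "198.51.100.9", "detector": "dga",
     "indicator": "qx7z1b.example", "note": "DGA-like domain"},
    {"src": "10.0.1.5", "dst": "198.51.100.9", "detector": "ua",
     "indicator": "http://198.51.100.9/dl/x.bin", "note": "malicious URL"},
    {"src": "192.0.2.44", "dst": "10.0.2.10", "detector": "waf",
     "indicator": "192.0.2.44", "note": "SQL injection attempt"},
    {"src": "192.0.2.44", "dst": "10.0.2.10", "detector": "av",
     "indicator": SAMPLE_MD5, "note": "malicious file"},
    {"src": "10.0.3.7", "dst": "10.0.2.10", "detector": "ips",
     "indicator": "10.0.3.7", "note": "port scan"},
    {"src": "10.0.1.5", "dst": "10.0.2.10", "detector": "none",
     "indicator": "", "note": "normal access"},
]

# Constructed intranet device descriptions (the first intelligence).
DEVICE_DESCRIPTIONS = {
    "10.0.1.5": "workstation", "10.0.2.10": "web server", "10.0.3.7": "workstation",
}


def classify(entry: dict):
    """Class 2, 3 or 4 from the direction of a flagged behaviour, else None."""
    if entry["detector"] == "none":
        return None
    src_in, dst_in = is_intranet(entry["src"]), is_intranet(entry["dst"])
    if src_in and not dst_in:
        return 2  # intranet -> extranet request (step S420)
    if not src_in and dst_in:
        return 3  # extranet -> intranet attack (step S430)
    if src_in and dst_in:
        return 4  # intranet -> intranet attack or scan (step S440)
    return None  # extranet -> extranet is outside the local scope


def build_library(log: list, descriptions: dict) -> dict:
    """Four local libraries, one per intelligence category (fourth embodiment)."""
    library = {1: dict(descriptions), 2: set(), 3: set(), 4: set()}
    for e in log:
        cls = classify(e)
        if cls == 2:    # extranet IP plus the domain/URL the intranet reached
            library[2].update({e["dst"], e["indicator"]})
        elif cls == 3:  # attacking extranet IP plus the malicious file hash
            library[3].update({e["src"], e["indicator"]})
        elif cls == 4:  # intranet IP that attacked or scanned the intranet
            library[4].add(e["src"])
    return library


def electronic_record(log: list) -> dict:
    """Per intranet device, its history of abnormal entries (fifth embodiment)."""
    record = defaultdict(list)
    for e in log:
        if classify(e) is None:
            continue
        for ip in (e["src"], e["dst"]):
            if is_intranet(ip):
                record[ip].append(e["note"])
    return dict(record)


def screen(network_data: dict, library: dict, log: list):
    """Compare new network data with the library and, on a match, append an
    abnormal-state entry to the security log (sixth embodiment)."""
    known = library[2] | library[3] | library[4]
    fields = (network_data["src"], network_data["dst"], network_data.get("indicator", ""))
    hits = sorted(v for v in fields if v and v in known)
    state = "abnormal" if hits else "normal"
    if hits:
        log.append({"src": network_data["src"], "dst": network_data["dst"],
                    "detector": "local-library", "indicator": ",".join(hits),
                    "note": "abnormal: matched local threat intelligence"})
    return state, hits


if __name__ == "__main__":
    lib = build_library(SECURITY_LOG, DEVICE_DESCRIPTIONS)
    log = list(SECURITY_LOG)
    print(screen({"src": "10.0.9.9", "dst": "198.51.100.9"}, lib, log))
    print(electronic_record(log))
```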
Referring to Fig. 7, an embodiment of the invention also proposes a local threat intelligence library generating apparatus, comprising:
an obtaining module 710 for obtaining the local security log;
a threat intelligence extraction module 720 for extracting threat intelligence from the security log by classification according to network behaviour data;
a generation module 730 for generating the local threat intelligence library according to the threat intelligence.
Further, the threat intelligence extraction module 720 is also used to obtain the network behaviour data corresponding to each category of threat intelligence and to extract each category of threat intelligence from the security log according to that network behaviour data.
Further, the threat intelligence comprises a combination of at least one of three kinds of intelligence, namely second intelligence describing intranet requests to the extranet, third intelligence describing extranet attack information and fourth intelligence describing intranet attack information, together with first intelligence describing intranet device information.
Further, the threat intelligence extraction module 720 is also used to: detect the security log, extract the description information of the intranet devices from the security log and record the description information as the first intelligence; detect the security log, analyse the requests the intranet issues to the extranet, extract the abnormal access information of the intranet and record it as the second intelligence; and/or detect the security log, analyse the extranet information accessing the intranet, extract the abnormal access information of the extranet and record it as the third intelligence; and/or detect the security log, analyse the abnormal access information of the intranet devices accessing the intranet and record that abnormal access information as the fourth intelligence.
Further, the threat intelligence extraction module 720 is also used to detect the description information of the intranet devices, extract the abnormal description information of the intranet devices, and store the abnormal description information to generate the electronic health record of each intranet device.
Further, the local threat intelligence library generating apparatus also comprises a local threat intelligence library application module which, when network data of an intranet device is detected, compares the network data with the threat intelligence in the local threat intelligence library and updates the security log according to the comparison result.
An embodiment of the invention also proposes a local threat intelligence library generation system comprising a memory, a processor, and a local threat intelligence library generation program stored in the memory and runnable on the processor; when the program is executed by the processor it performs the following operations: obtaining the security log; extracting threat intelligence from the security log by classification according to network behaviour data; and generating the local threat intelligence library according to the threat intelligence. Preferably, the security log is stored locally.
Further, when the local threat intelligence library generation program is executed by the processor it also obtains the network behaviour data corresponding to each category of threat intelligence and extracts each category of threat intelligence from the security log according to that network behaviour data.
Further, the threat intelligence comprises a combination of at least one of three kinds of intelligence, namely second intelligence describing intranet requests to the extranet, third intelligence describing extranet attack information and fourth intelligence describing intranet attack information, together with first intelligence describing intranet device information.
Further, when the local threat intelligence library generation program is executed by the processor it also: detects the security log, extracts the description information of the intranet devices from the security log and records the description information as the first intelligence; detects the security log, analyses the requests the intranet issues to the extranet, extracts the abnormal access information of the intranet and records it as the second intelligence; and/or detects the security log, analyses the extranet information accessing the intranet, extracts the abnormal access information of the extranet and records it as the third intelligence; and/or detects the security log, analyses the abnormal access information of the intranet devices accessing the intranet and records that abnormal access information as the fourth intelligence.
Further, when the local threat intelligence library generation program is executed by the processor it also detects the description information of the intranet devices, extracts the abnormal description information of the intranet devices, and stores the abnormal description information to generate the electronic health record of each intranet device.
Further, when the local threat intelligence library generation program is executed by the processor it also, when network data of an intranet device is detected, compares the network data with the threat intelligence in the local threat intelligence library and updates the security log according to the comparison result.
An embodiment of the invention also proposes a storage medium on which a local threat intelligence library generation program is stored; when the program is executed by a processor it performs the following operations: obtaining the local security log; extracting threat intelligence from the security log by classification according to network behaviour data; and generating the local threat intelligence library according to the threat intelligence.
Further, when the local threat intelligence library generation program is executed by the processor it also obtains the network behaviour data corresponding to each category of threat intelligence and extracts each category of threat intelligence from the security log according to that network behaviour data.
Further, the threat intelligence comprises a combination of at least one of three kinds of intelligence, namely second intelligence describing intranet requests to the extranet, third intelligence describing extranet attack information and fourth intelligence describing intranet attack information, together with first intelligence describing intranet device information.
Further, when the local threat intelligence library generation program is executed by the processor it also: detects the security log, extracts the description information of the intranet devices from the security log and records the description information as the first intelligence; detects the security log, analyses the requests the intranet issues to the extranet, extracts the abnormal access information of the intranet and records it as the second intelligence; and/or detects the security log, analyses the extranet information accessing the intranet, extracts the abnormal access information of the extranet and records it as the third intelligence; and/or detects the security log, analyses the abnormal access information of the intranet devices accessing the intranet and records that abnormal access information as the fourth intelligence.
Further, when the local threat intelligence library generation program is executed by the processor it also detects the description information of the intranet devices, extracts the abnormal description information of the intranet devices, and stores the abnormal description information to generate the electronic health record of each intranet device.
Further, when the local threat intelligence library generation program is executed by the processor it also, when network data of an intranet device is detected, compares the network data with the threat intelligence in the local threat intelligence library and updates the security log according to the comparison result.
It should be noted that in this document the terms "include" and "comprise", and any other variants of them, are intended to cover non-exclusive inclusion, so that a process, method, article or system comprising a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or system. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or system that includes that element.
The serial numbers of the above embodiments of the invention are for description only and do not represent the relative merits of the embodiments.
From the above description of the embodiments, those skilled in the art can clearly understand that the methods of the embodiments can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the preferred implementation. On that understanding, the technical solution of the invention, or the part of it that contributes over the prior art, can be embodied as a software product stored on a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc) and including instructions that cause a terminal device (which may be a mobile phone, computer, server, air conditioner, network device or the like) to perform the methods described in the embodiments of the invention.
The above are only preferred embodiments of the invention and are not intended to limit its scope; every equivalent structure or equivalent process transformation made using the specification and drawings of the invention, whether applied directly or indirectly in other related technical fields, is included within the scope of the invention.

Claims (10)

1. A local threat intelligence library generation method, characterised in that the method comprises the following steps:
obtaining a local security log;
extracting threat intelligence from the security log by classification according to network behaviour data;
generating a local threat intelligence library according to the threat intelligence.
2. The local threat intelligence library generation method of claim 1, characterised in that the step of extracting threat intelligence from the security log by classification according to network behaviour data comprises:
obtaining the network behaviour data corresponding to each category of threat intelligence;
extracting each category of threat intelligence from the security log according to the network behaviour data.
3. The local threat intelligence library generation method of claim 2, characterised in that the threat intelligence comprises: a combination of at least one of three kinds of intelligence, namely second intelligence describing intranet requests to the extranet, third intelligence describing extranet attack information and fourth intelligence describing intranet attack information, together with first intelligence describing intranet device information.
4. The local threat intelligence library generation method of claim 3, characterised in that the step of extracting each category of threat intelligence from the security log according to the network behaviour data comprises:
detecting the security log, extracting the description information of intranet devices from the security log, and recording the description information as the first intelligence;
detecting the security log, analysing the requests the intranet issues to the extranet, extracting the abnormal access information of the intranet, and recording the abnormal access information of the intranet as the second intelligence; and/or
detecting the security log, analysing the extranet information accessing the intranet, extracting the abnormal access information of the extranet, and recording the abnormal access information of the extranet as the third intelligence; and/or
detecting the security log, analysing the abnormal access information of the intranet devices accessing the intranet, and recording the abnormal access information as the fourth intelligence.
5. The local threat intelligence library generation method of claim 4, characterised in that after the step of detecting the security log, extracting the description information of intranet devices from the security log and recording the description information as the first intelligence, the method further comprises:
detecting the description information of the intranet devices and extracting the abnormal description information of the intranet devices;
storing the abnormal description information to generate an electronic health record for each intranet device.
6. The local threat intelligence library generation method of claim 1, characterised in that the local threat intelligence library generation method further comprises:
when network data generated by the network behaviour of an intranet device is detected, comparing the network data with the threat intelligence in the local threat intelligence library;
updating the security log according to the comparison result.
7. A local threat intelligence library generating apparatus, characterised in that the apparatus comprises:
an obtaining module for obtaining a local security log;
a threat intelligence extraction module for extracting threat intelligence from the security log by classification according to network behaviour data;
a generation module for generating a local threat intelligence library according to the threat intelligence.
8. The local threat intelligence library generating apparatus of claim 7, characterised in that the threat intelligence extraction module is also used to obtain the network behaviour data corresponding to each category of threat intelligence and to extract each category of threat intelligence from the security log according to the network behaviour data.
9. A local threat intelligence library generation system, characterised in that the system comprises a memory and a processor, the memory storing a local threat intelligence library generation program which, when executed by the processor, implements the steps of the local threat intelligence library generation method of any one of claims 1 to 6.
10. A storage medium, characterised in that a local threat intelligence library generation program is stored on the storage medium and, when executed by a processor, implements the steps of the local threat intelligence library generation method of any one of claims 1 to 6.
CN201910071066.2A 2019-01-24 2019-01-24 Method, device, system and storage medium for generating local threat intelligence library Active CN109862003B (en)

Publications (2)

Publication Number Publication Date
CN109862003A true CN109862003A (en) 2019-06-07
CN109862003B CN109862003B (en) 2022-02-22

Family

ID=66896069

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910071066.2A Active CN109862003B (en) 2019-01-24 2019-01-24 Method, device, system and storage medium for generating local threat intelligence library

Country Status (1)

Country Link
CN (1) CN109862003B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111641611A (en) * 2020-05-20 2020-09-08 深信服科技股份有限公司 Data processing method, device and system and computer storage medium
CN111858782A (en) * 2020-07-07 2020-10-30 Oppo(重庆)智能科技有限公司 Database construction method, device, medium and equipment based on information security
CN112434894A (en) * 2019-08-23 2021-03-02 上海哔哩哔哩科技有限公司 Real-time risk control method, computer equipment and readable storage medium
CN112749390A (en) * 2020-12-28 2021-05-04 深信服科技股份有限公司 Virus detection method, device, equipment and computer readable storage medium
CN113098852A (en) * 2021-03-25 2021-07-09 绿盟科技集团股份有限公司 Log processing method and device
CN113300997A (en) * 2020-02-21 2021-08-24 中国电信股份有限公司 Multi-dimensional network equipment evaluation method and device and computer readable storage medium
CN113627698A (en) * 2020-05-07 2021-11-09 中国电信股份有限公司 Threat information processing method, device and storage medium
CN113992436A (en) * 2021-12-27 2022-01-28 北京微步在线科技有限公司 Local information generating method, device, equipment and storage medium
CN114531253A (en) * 2020-10-30 2022-05-24 深信服科技股份有限公司 Threat information generation method, equipment, system and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103888459A (en) * 2014-03-25 2014-06-25 深信服网络科技(深圳)有限公司 Method and device for detecting intranet intrusion of network
CN105721457A (en) * 2016-01-30 2016-06-29 耿童童 Network security defense system and network security defense method based on dynamic transformation
CN106055981A (en) * 2016-06-03 2016-10-26 北京奇虎科技有限公司 Method and device for generating threat intelligence
US9641544B1 (en) * 2015-09-18 2017-05-02 Palo Alto Networks, Inc. Automated insider threat prevention
CN107046543A (en) * 2017-04-26 2017-08-15 国家电网公司 A kind of threat intelligence analysis system traced to the source towards attack
CN107579995A (en) * 2017-09-30 2018-01-12 北京奇虎科技有限公司 The network protection method and device of onboard system
CN107819783A (en) * 2017-11-27 2018-03-20 深信服科技股份有限公司 A kind of network security detection method and system based on threat information
CN108763031A (en) * 2018-04-08 2018-11-06 北京奇安信科技有限公司 A kind of threat information detection method and device based on daily record
CN108965346A (en) * 2018-10-10 2018-12-07 上海工程技术大学 One kind is fallen Host Detection method
US10178119B1 (en) * 2016-03-30 2019-01-08 Amazon Technologies, Inc. Correlating threat information across multiple levels of distributed computing systems

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103888459A (en) * 2014-03-25 2014-06-25 深信服网络科技(深圳)有限公司 Method and device for detecting intranet intrusion of network
US9641544B1 (en) * 2015-09-18 2017-05-02 Palo Alto Networks, Inc. Automated insider threat prevention
CN105721457A (en) * 2016-01-30 2016-06-29 耿童童 Network security defense system and network security defense method based on dynamic transformation
US10178119B1 (en) * 2016-03-30 2019-01-08 Amazon Technologies, Inc. Correlating threat information across multiple levels of distributed computing systems
CN106055981A (en) * 2016-06-03 2016-10-26 北京奇虎科技有限公司 Method and device for generating threat intelligence
CN107046543A (en) * 2017-04-26 2017-08-15 国家电网公司 A kind of threat intelligence analysis system traced to the source towards attack
CN107579995A (en) * 2017-09-30 2018-01-12 北京奇虎科技有限公司 The network protection method and device of onboard system
CN107819783A (en) * 2017-11-27 2018-03-20 深信服科技股份有限公司 A kind of network security detection method and system based on threat information
CN108763031A (en) * 2018-04-08 2018-11-06 北京奇安信科技有限公司 A kind of threat information detection method and device based on daily record
CN108965346A (en) * 2018-10-10 2018-12-07 上海工程技术大学 One kind is fallen Host Detection method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李超,周瑛: "大数据环境下的威胁情报分析", 《情报杂志》 *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112434894A (en) * 2019-08-23 2021-03-02 Shanghai Bilibili Technology Co., Ltd. Real-time risk control method, computer equipment and readable storage medium
CN113300997A (en) * 2020-02-21 2021-08-24 China Telecom Co., Ltd. Multi-dimensional network equipment evaluation method and device and computer readable storage medium
CN113627698A (en) * 2020-05-07 2021-11-09 China Telecom Co., Ltd. Threat intelligence processing method, device and storage medium
CN111641611A (en) * 2020-05-20 2020-09-08 Sangfor Technologies Co., Ltd. Data processing method, device and system and computer storage medium
CN111858782A (en) * 2020-07-07 2020-10-30 OPPO (Chongqing) Intelligent Technology Co., Ltd. Database construction method, device, medium and equipment based on information security
CN114531253A (en) * 2020-10-30 2022-05-24 Sangfor Technologies Co., Ltd. Threat intelligence generation method, equipment, system and storage medium
CN112749390A (en) * 2020-12-28 2021-05-04 Sangfor Technologies Co., Ltd. Virus detection method, device, equipment and computer readable storage medium
CN113098852A (en) * 2021-03-25 2021-07-09 NSFOCUS Technologies Group Co., Ltd. Log processing method and device
CN113098852B (en) * 2021-03-25 2022-11-22 NSFOCUS Technologies Group Co., Ltd. Log processing method and device
CN113992436A (en) * 2021-12-27 2022-01-28 Beijing ThreatBook Technology Co., Ltd. Local intelligence generation method, device, equipment and storage medium
CN113992436B (en) * 2021-12-27 2022-03-01 Beijing ThreatBook Technology Co., Ltd. Local intelligence generation method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN109862003B (en) 2022-02-22

Similar Documents

Publication Publication Date Title
CN109862003A (en) Local generation method, device, system and the storage medium for threatening information bank
CN102088379B (en) Detecting method and device of client honeypot webpage malicious code based on sandboxing technology
EP3800856B1 (en) A cyber security appliance for a cloud infrastructure
EP3716110B1 (en) Computer-security event clustering and violation detection
Gassais et al. Multi-level host-based intrusion detection system for Internet of things
EP3716111B1 (en) Computer-security violation detection using coordinate vectors
CN103593609B (en) Trustworthy behavior recognition method and device
Nguyen et al. A heuristics approach to mine behavioural data logs in mobile malware detection system
CN105678193B (en) Anti-tampering processing method and apparatus
Sahar et al. Deep learning approach-based network intrusion detection system for fog-assisted IoT
US20210157909A1 (en) Sample data generation apparatus, sample data generation method, and computer readable medium
Anumol Use of machine learning algorithms with SIEM for attack prediction
US20230362142A1 (en) Network action classification and analysis using widely distributed and selectively attributed sensor nodes and cloud-based processing
CN115001934A (en) Industrial control safety risk analysis system and method
US20240056475A1 (en) Techniques for detecting living-off-the-land binary attacks
CN108595957A (en) Browser homepage tampering detection method, device and storage medium
Ravi et al. A robust intrusion detection system using machine learning techniques for MANET
Kabanda Performance of machine learning and other artificial intelligence paradigms in cybersecurity
Sallay et al. Intrusion detection alert management for high‐speed networks: current researches and applications
Shahin et al. Implementation of a novel fully convolutional network approach to detect and classify cyber-attacks on IoT devices in smart manufacturing systems
Chauhan et al. Comparative analysis and research issues in classification techniques for intrusion detection
CN111181756B (en) Domain name security judgment method, device, equipment and medium
Mukesh et al. Real-time framework for malware detection using machine learning technique
Molcer et al. Machine learning based network intrusion detection system for internet of things cybersecurity
Nguyen et al. Towards an attention-based threat detection system for IoT networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant