CN110177114A - Method, device and computer-readable storage medium for identifying network security threat indicators - Google Patents
- Publication number: CN110177114A
- Application number: CN201910493265.2A
- Authority: CN (China)
- Prior art keywords: network security, layer, security threats, network, network intelligence
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06N3/045: Physics; Computing; computing arrangements based on specific computational models; computing arrangements based on biological models; neural networks; architecture, e.g. interconnection topology; combinations of networks
- G06N3/049: Physics; Computing; computing arrangements based on specific computational models; computing arrangements based on biological models; neural networks; architecture, e.g. interconnection topology; temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs
- G06N3/08: Physics; Computing; computing arrangements based on specific computational models; computing arrangements based on biological models; neural networks; learning methods
- H04L63/1416: Electricity; electric communication technique; transmission of digital information; network architectures or network communication protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
- H04L63/1433: Electricity; electric communication technique; transmission of digital information; network architectures or network communication protocols for network security; detecting or protecting against malicious traffic; vulnerability analysis
- H04L63/145: Electricity; electric communication technique; transmission of digital information; network architectures or network communication protocols for network security; countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
Abstract
Disclosed is a method for identifying network security threat indicators, comprising: obtaining network intelligence; and, for at least two kinds of network security threat indicators, identifying the network intelligence to obtain identification results for the at least two kinds of network security threat indicators, wherein the at least two kinds of network security threat indicators are divided in advance into at least two groups, different identification methods are adapted in advance to the at least two groups respectively, and the different identification methods include an identification method based on a machine learning model. Also disclosed are a network security threat indicator identification device and a computer-readable storage medium.
Description
Technical field
This application relates to network security, and more particularly to a method, device and apparatus for identifying network security threat indicators, and a computer-readable storage medium.
Background technique
Threat intelligence, according to Gartner's definition, is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging threat or hazard to assets; it can be used to inform decisions regarding the response of the asset owner to that threat or hazard. Most of what the industry calls threat intelligence can be regarded as threat intelligence in the narrow sense, whose main content is the indicators used to identify and detect network security threats (Indicators of Compromise, IOC), such as file hashes, IP addresses and domain names; such threat intelligence is referred to herein as network security threat intelligence. Network intelligence refers to network security threat intelligence together with non-network-security-threat intelligence: it may contain only network security threat intelligence, only non-network-security-threat intelligence, or both. Extracting network security threat intelligence from network intelligence that may contain both kinds at once is time-consuming and laborious work. In addition, network security threat intelligence contains threat information that is analyzed in order to identify network security threat indicators (Indicators of Compromise, IOC), for example to build a threat intelligence database for subsequent use. Network security threat intelligence is broadly divided into two classes according to its source: internal network security threat intelligence and external network security threat intelligence. Internal network security threat intelligence is mostly collected and processed by analyzing a system's internal data, while external network security threat intelligence mainly comes from shared or paid network security threat intelligence provided by enterprises and/or communities. Given the closed and specialized nature of internal network security threat intelligence, it is generally not used when verifying network security threat indicators. In the network security field, external network security threat intelligence plays a very important role in overall network security awareness, but its volume is huge; identifying it item by item by manual means is time-consuming and laborious, and may produce false negatives and false positives.
Summary of the invention
Embodiments of the present invention provide a method, device and apparatus for identifying network security threat indicators, and a computer-readable storage medium, which at least partially solve the problems mentioned above.
According to a first aspect of the invention, a method for identifying network security threat indicators is provided, comprising: obtaining network intelligence; and, for at least two kinds of network security threat indicators, identifying the network intelligence to obtain identification results for the at least two kinds of network security threat indicators, wherein the at least two kinds of network security threat indicators are divided in advance into at least two groups, different identification methods are adapted in advance to the at least two groups respectively, and wherein the different identification methods include an identification method based on a machine learning model.
According to one embodiment, before the identifying, the method further comprises: classifying the network intelligence into network security threat intelligence or non-network-security-threat intelligence using a preconfigured machine learning classification model; and filtering the non-network-security-threat intelligence out of the network intelligence.
According to one embodiment, the preconfigured machine learning classification model comprises an embedding layer, a convolutional layer, a max pooling layer and a fully connected layer, and the classifying further comprises: obtaining the text of the network intelligence and inputting it to the embedding layer to encode it into a distributed representation; inputting the distributed representation to the convolutional layer to extract features of the text of the network intelligence; inputting the extracted features to the max pooling layer to extract the maximum value corresponding to each feature, and concatenating the maximum values corresponding to the features as the output of the max pooling layer; and inputting the output of the max pooling layer to the fully connected layer, the classification result being obtained from the output of the fully connected layer.
According to one embodiment, after the classifying and the filtering out, the method further comprises: judging, using a preconfigured machine learning judgment model, whether network intelligence classified as network security threat intelligence is valid network security threat intelligence; and filtering the invalid network security threat intelligence out of the network intelligence.
According to one embodiment, the machine learning judgment model comprises an embedding layer and a random forest layer, and the judging comprises: inputting the text of the network intelligence classified as network security threat intelligence to the embedding layer to encode it into a distributed representation; and inputting the distributed representation to the random forest layer, and judging from the output of the random forest layer whether the network intelligence classified as network security threat intelligence is valid network security threat intelligence.
According to one embodiment, the different identification methods further include: a dictionary-based identification method, in which the words in the network intelligence are matched against the words in a pre-established dictionary and the matched words are taken as the identification result; and a rule-based identification method, in which the text of the network intelligence is parsed using preset rules and the content satisfying the rules is taken as the identification result.
According to one embodiment, the method further comprises: displaying the identification result; and, upon receiving a correction instruction for the identification result, correcting the identification result.
According to one embodiment, displaying the identification result comprises displaying the identification result through a web page.
According to one embodiment, a first group of the at least two groups includes network security threat indicators of the following types: affected region and platform; and the identifying comprises: for a network security threat indicator of any type in the first group, identifying the network intelligence using the dictionary-based identification method, in which the words in the network intelligence are matched against the words in a pre-established dictionary and the matched words are taken as the identification result.
According to one embodiment, a second group of the at least two groups includes network security threat indicators of the following types: program database (PDB) file, registry, service and startup item; and the identifying comprises: for a network security threat indicator of any type in the second group, identifying the network intelligence using the rule-based identification method, in which the network intelligence is parsed using preset rules and the content satisfying the rules is taken as the identification result.
According to one embodiment, a third group of the at least two groups includes network security threat indicators of the following types: Trojan family, threat organization, threat target, threat technique, exploited vulnerability, file hash, IP address, domain name, file information, URL (Uniform Resource Locator), mutex and mailbox; and the identifying comprises: for a network security threat indicator of any type in the third group, identifying the network intelligence using the identification method based on a machine learning model.
According to one embodiment, the method further comprises: statistically analyzing the identification results to obtain correlations between the types of network security threat indicators; and/or outputting a network security threat warning to a user based on the identification results.
According to one embodiment, obtaining the network intelligence comprises crawling external sources with a web crawler to obtain the network intelligence.
According to one embodiment, the method further comprises: where the identification result was obtained using the identification method based on a machine learning model, further training the machine learning model using the corrected identification result; and/or where the identification result was obtained using the dictionary-based identification method, updating the dictionary using the corrected identification result, the dictionary-based identification method being one in which the words in the network intelligence are matched against the words in a pre-established dictionary and the matched words are taken as the identification result.
According to one embodiment, the machine learning model comprises a first embedding layer, a second embedding layer, a first-layer bidirectional long short-term memory (LSTM) layer, a second-layer bidirectional LSTM layer, a feed-forward neural network layer and an optimization layer; and identifying the network intelligence using the machine learning model comprises: inputting the next-level elements of the words of the network intelligence to the first embedding layer to encode them into distributed representations of the next-level elements; inputting the distributed representations of the next-level elements to the first-layer bidirectional LSTM layer to obtain the output of the first-layer bidirectional LSTM layer; inputting the words of the network intelligence to the second embedding layer to encode them into distributed representations of the words; concatenating the output of the first-layer bidirectional LSTM layer with the distributed representations of the words and inputting the result to the second-layer bidirectional LSTM layer to obtain the output of the second-layer bidirectional LSTM layer; inputting the output of the second-layer bidirectional LSTM layer to the feed-forward neural network layer having one hidden layer to obtain, for each word, the probability of each network security threat indicator; and inputting the probabilities to the optimization layer, whose output is the network security threat indicators in the network intelligence.
According to a second aspect of the invention, a device for identifying network security threat indicators is provided, comprising: an acquirer configured to obtain network intelligence; and an identifier configured to identify the network intelligence for at least two kinds of network security threat indicators, to obtain identification results for the at least two kinds of network security threat indicators, wherein the at least two kinds of network security threat indicators are divided in advance into at least two groups, different identification methods are adapted in advance to the at least two groups respectively, and wherein the different identification methods include an identification method based on a machine learning model.
According to a third aspect of the invention, an apparatus for identifying network security threat indicators is provided, comprising: a processor; and a memory configured to store computer-executable instructions which, when executed by the processor, cause the processor to perform the method of the first aspect or of any embodiment thereof.
According to a fourth aspect of the invention, a computer-readable storage medium is provided, characterized in that instructions are stored in the computer-readable storage medium which, when run on a computer, cause the computer to perform the method of the first aspect or of any embodiment thereof.
According to the above embodiments, automated identification of network security threat indicators avoids the time and effort of manual identification. Because the at least two types of network security threat indicators to be identified are grouped according to identification method, and each group is identified with its corresponding method (the method based on a machine learning model, the dictionary-based method or the rule-based method), the characteristics of the different types of network security threat indicators can be exploited to identify them advantageously, avoiding the limitations of any single identification method. For example, a rule-based identification method is ineffective for some types of network security threat indicators (such as attacking organizations) and cannot identify them, whereas the identification method based on a machine learning model can identify them effectively, which to some extent resolves false negatives and false positives. For example, through interaction with a WEB page, the machine learning model can continually receive feedback results from the front end, so that the machine learning model is continually trained and optimized and its identification accuracy continually improves; the dictionary can likewise be continually updated, which also to some extent resolves false negatives and false positives. In addition, the machine learning model used can recognize contextual features, and can therefore distinguish non-malicious network security threat indicators that appear in a report, which again to some extent resolves false negatives and false positives. In an embodiment, the network intelligence is classified using a preconfigured machine learning classification model into network security threat intelligence and non-network-security-threat intelligence, and the non-network-security-threat intelligence is removed, which further frees manpower, eliminates manual screening, and allows flexible application to various intelligence sources. In a further embodiment, a preconfigured machine learning judgment model is used to judge whether network intelligence classified as network security threat intelligence is valid network security threat intelligence, and invalid network security threat intelligence is further removed from the network intelligence, which can further help improve identification efficiency.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some examples of the present application, and those of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 illustrates a flow chart of a network security threat indicator identification method according to an embodiment of the present invention.
Fig. 2 illustrates an example structure of a machine learning model according to an embodiment of the present invention.
Fig. 3 illustrates an example structure and processing of a machine learning classification model according to an embodiment of the present invention.
Fig. 4 illustrates an example structure and processing of a machine learning judgment model according to an embodiment of the present invention.
Fig. 5 illustrates an example output of a machine learning model according to an embodiment of the present invention.
Fig. 6a illustrates a display interface for identification results according to an embodiment of the present invention.
Fig. 6b illustrates another display interface for identification results according to an embodiment of the present invention.
Fig. 7 illustrates a block diagram of a device for identifying network security threat indicators according to an embodiment of the present invention.
Fig. 8 illustrates a schematic diagram of a hardware implementation environment according to an embodiment of the present invention.
Specific embodiments
To make the purposes, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the drawings.
Network security threat intelligence referred to herein means intelligence that contains threat information and is used for identifying network security threat indicators (IOC). Network intelligence referred to herein means network security threat intelligence together with non-network-security-threat intelligence; it may contain only network security threat intelligence, only non-network-security-threat intelligence, or both. A network security threat indicator referred to herein means evidence data that marks potentially malicious activity in a system or network.
Fig. 1 illustrates a flow chart of a network security threat indicator identification method according to an embodiment of the present invention. It should be noted that the order of the following description does not represent the execution order of the steps themselves; the steps may be executed successively or simultaneously in any reasonable order, unless the execution of a later step must be premised on an earlier step. The network security threat indicator identification method according to an embodiment of the present invention starts from step 101, obtaining network intelligence. In one example, the network intelligence is obtained by crawling external network security threat intelligence sources with a web crawler. The external network security threat intelligence source is generally selected from network threat intelligence sharing platforms, for example the network intelligence shared on the website www.freebuf.com. Of course, in another example, the network intelligence may also be mixed with non-network-security-threat intelligence.
Then, in step 106, for at least two kinds of network security threat indicators, the network intelligence is identified using the identification methods adapted in advance, to obtain identification results for the at least two kinds of network security threat indicators. The at least two kinds of network security threat indicators are divided in advance into at least two groups, and different identification methods are adapted in advance to the at least two groups respectively. In one example, network security threat indicators of 18 types were chosen, namely: Trojan family, threat organization, threat target, affected region, threat technique, vulnerability, platform, file hash, IP address, domain name, file information, uniform resource locator, program database (PDB) file, mutex, registry, service, startup item and mailbox.
Trojan families are, for example, Trickbot, jasperloader, artradownloader, bulehero, etc. Threat organizations are, for example, APT10, Manlinghua (蔓灵花), muddywater and other organizations that initiate threats. Threat targets are, for example, financial departments, government agencies, educational institutions and other targets of threats. Affected region refers to the geographic range affected by a threat. Threat technique, as the name suggests, is the means used by a threat, for example distributed denial of service (DDoS: Distributed Denial of Service), in which the attacker, by means of client/server technology, joins multiple computers together as an attack platform and launches a DDoS attack against one or more targets, thereby multiplying the power of the denial-of-service attack. Threat techniques also include vulnerability exploitation, decoy files, malicious e-mail, Windows PowerShell (a command-line shell program and scripting environment), phishing (Phishing), etc. Phishing refers to a fraudster disguising themselves as a trusted brand such as an online bank, online retailer or credit card company and carrying out online fraud with deceptive e-mails and forged web sites; the victims often give away their own private data, such as credit card numbers, bank card accounts and ID card numbers. Vulnerability refers to the vulnerability exploited, for example the vulnerabilities with CVE (Common Vulnerabilities & Exposures, public vulnerabilities and exposures) identifiers CVE-2017-8464, CVE-2019-2725, CVE-2017-12615, CVE-2017-10271, CVE-2017-5638, CNVD-2018-24942, etc. Platform refers to the platform targeted by the threat, such as windows, linux, Mac OS, etc. A file hash (i.e. hash), also called a file signature, changes if even a single bit of the file changes, so it can be used to distinguish different files; the most commonly used file hash algorithms are MD5 and SHA-1, and 12 file hashes are listed at the lower right of Fig. 6b.
IP addresses are, for example, 65.182.100.42, 81.88.24.211, 103.219.22.63, etc. Domain names are, for example: breed.wanttobea.com, zzi.aircargox.com, nono.littlebodiesbigsouls.com, tribunaledinapoli.recsinc.com, tribunaledinapoli.prepperpillbox.com, tribunaledinapoli.lowellunderwood.com, tribunaledinapoli.rntman.com, etc. File information is, for example, kernel.dll, winserv.exe, rundll32.exe, rtegre.exe, Wprgxyeqd79.exe, etc. Uniform resource locators (URL) are, for example: http://planasolutions.com/wordpress/wp-content/nq3sqe-x875-tt/, http://mattheweidem.com/ikn0owm-g991-syvw/, http://irose.com/lpo7qje-wg556-pnv/, etc. Program database (PDB, Program Data Base) files are, for example: C:\Users\CN_ide\Desktop\TSSL_v3.2.7_BypassSymantec_20180528\TClient\Release\FakeRun.pdb, D:\Soft\DevelopedCode_Last\yty2.0\Release\C++\Setup.pdb, C:\users\803\documents\visualstudio2010\Projects\helpdll\Release\Helpdll.pdb, etc. A mutex is, for example, {531511FA-190D-5D85-8A4A-279F2F592CC7}, etc. Registry entries are, for example: Software\Microsoft\Office\12.0\Word\Resiliency\DisabledItems, Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems, Software\Microsoft\Office\11.0\Word\Resiliency\DocumentRecovery, Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems, etc. Startup items are, for example, Memory optimizer.lnk, SLVjiAEwaK.url, SMTPLoader.lnk, etc. Services are, for example, ndisproxy-mn, Wmmvsvc, SCardPrv, etc. Mailboxes are, for example: ijuqodisunovib98@o2.pl, sayanwalsworth96@protonmail.com, abbschevis@protonmail.com, cottleakela@protonmail.com, aperywsqaroci@o2.pl, asuxidoruraep1999@o2.pl, couwetizotofo@o2.pl, Dharmaparrack@protonmail.co, etc.
In one example, the network security threat indicators of the above 18 types are divided into three groups, each group being adapted in advance to one identification method, the identification methods adapted to the three groups being different from one another. The first group includes affected region and platform; the second group includes PDB file, registry, service and startup item; and the third group includes the rest, namely Trojan family, threat organization, threat target, threat technique, vulnerability, file hash, IP address, domain name, file information, uniform resource locator, mutex and mailbox. The basis for the grouping is precisely the identification method: for the first group, in step 1061, the network intelligence is identified using the dictionary-based identification method; for the second group, in step 1062, the network intelligence is identified using the rule-based identification method; and for the third group, in step 1063, the network intelligence is identified using the identification method based on a machine learning model.
The dictionary-based identification method directly matches all the words in the full text of the network intelligence against the words in a pre-established dictionary. The dictionaries include a platform dictionary and an affected-region dictionary, which can be obtained from public network security threat indicator data sources or, of course, established or modified manually. These two types are suited to identification by dictionary because platforms and affected regions are relatively stable and can be enumerated. The platform dictionary includes, for example, "Linux", "Windows", etc.; the affected-region dictionary includes, for example, "China", "US", "Japan", etc. (and of course a dictionary may also include the corresponding Chinese, or the languages of other countries). Whatever matches is identified as the corresponding network security threat indicator, such as a platform or an affected region.
The rule-based identification method parses the full text of the network intelligence using predefined rules (such as a rule for identifying PDB files, a rule for identifying registry entries, a rule for identifying services and a rule for identifying startup items), and takes the content satisfying the rules as the identification result, for example PDB files, registry entries, services or startup items. The rules for these types are relatively fixed and do not change unless they are maintained regularly. For example, the rule for identifying PDB files can be expressed with a regular expression as follows:
r'\b([A-Za-z0-9-_\.]+\.(pdb))\b'
Here r'' introduces a raw string literal. The expression ends with .pdb, and before .pdb there may be one or more of upper- and lower-case letters, digits and the symbols listed; \b denotes a word boundary. This regular expression is common to many programming environments, although minor modification may be needed for certain specific environments.
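As an added illustration, not code from the patent, the following Python implements the first two groups of the scheme described above: dictionary matching for platform and affected region (step 1061) and rule-based extraction (step 1062) using the patent's own PDB regular expression. The path-aware PDB variant, the registry rule and the sample report are my own assumptions, built from the page's example values; running it also shows a caveat worth knowing, namely that the page's expression, anchored by \b with no backslash in its character class, returns only the file name rather than the full PDB path.

```python
import re
from typing import Dict, List

# Group 1: dictionary-based identification (platform, affected region).
# Entries are the page's own examples; in practice the dictionaries are built
# from public IOC sources or maintained by hand and updated from corrections.
DICTIONARIES: Dict[str, List[str]] = {
    "platform": ["Linux", "Windows", "Mac OS"],
    "affected_region": ["China", "US", "Japan"],
}

# Group 2: rule-based identification. PDB_RULE_FROM_PAGE is the regular
# expression given in the patent text. Because it starts at a word boundary
# and its character class has no backslash, it yields only the file name.
PDB_RULE_FROM_PAGE = re.compile(r'\b([A-Za-z0-9-_\.]+\.(pdb))\b')

# Assumed (not from the page): a path-aware variant that keeps the drive
# letter and directories, and a rule for registry keys under Software\...
PDB_RULE_FULL_PATH = re.compile(
    r'(?:[A-Za-z]:)?(?:\\[^\\\s:*?"<>|]+)+\.pdb\b', re.IGNORECASE)
REGISTRY_RULE = re.compile(
    r'\bSoftware(?:\\[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*)+')


def identify_by_dictionary(text: str,
                           dictionaries: Dict[str, List[str]] = DICTIONARIES
                           ) -> Dict[str, List[str]]:
    """Match each dictionary word against the text as a whole word; every
    hit is an indicator of that dictionary's type (step 1061)."""
    found: Dict[str, List[str]] = {}
    for ioc_type, words in dictionaries.items():
        hits = [w for w in words
                if re.search(r'\b' + re.escape(w) + r'\b', text, re.IGNORECASE)]
        if hits:
            found[ioc_type] = hits
    return found


def identify_by_rules(text: str) -> Dict[str, List[str]]:
    """Parse the text with the preset rules and return the content that
    satisfies them (step 1062)."""
    found: Dict[str, List[str]] = {}
    pdb_names = [m.group(1) for m in PDB_RULE_FROM_PAGE.finditer(text)]
    pdb_paths = PDB_RULE_FULL_PATH.findall(text)
    registry_keys = REGISTRY_RULE.findall(text)
    if pdb_names:
        found["pdb_file"] = pdb_names      # what the page's rule yields
    if pdb_paths:
        found["pdb_path"] = pdb_paths      # what the assumed variant yields
    if registry_keys:
        found["registry"] = registry_keys
    return found


def identify_report(text: str) -> Dict[str, List[str]]:
    """Run the group-1 and group-2 identifiers over one piece of network
    intelligence. Group 3 (the machine learning model) is not part of
    this example."""
    result = identify_by_dictionary(text)
    result.update(identify_by_rules(text))
    return result


# Constructed sample report; the indicator values are the page's own examples.
SAMPLE_REPORT = r"""Constructed sample: the loader targets Windows hosts at financial
institutions in Japan. The dropper was built with debug path
C:\Users\CN_ide\Desktop\TSSL_v3.2.7_BypassSymantec_20180528\TClient\Release\FakeRun.pdb
and a second build left D:\Soft\DevelopedCode_Last\yty2.0\Release\C++\Setup.pdb.
Persistence uses Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems
on the victim machine."""

if __name__ == "__main__":
    for ioc_type, values in identify_report(SAMPLE_REPORT).items():
        print(f"{ioc_type}: {values}")
```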
The machine learning model in the identification method based on a machine learning model can use a variety of different structures. Fig. 2 illustrates an example structure of the machine learning model according to an embodiment of the present invention. The machine learning model includes a first embedding layer, a second embedding layer, a first bidirectional long short-term memory layer, a second bidirectional long short-term memory layer, a feedforward neural network layer and an optimization layer. Each bidirectional long short-term memory layer is composed of recurrent neural network (RNN, Recurrent Neural Network) elements of the long short-term memory (LSTM) type. Identifying the network intelligence with the machine learning model includes the following operations. The lower-level elements of the words of the network intelligence are input into the first embedding layer and encoded into a distributed representation of the lower-level elements; the distributed representation of the lower-level elements is input into the first bidirectional LSTM layer to obtain the output of the first bidirectional LSTM layer; the words of the network intelligence are input into the second embedding layer to be encoded into a distributed representation of the words; the output of the first bidirectional LSTM layer and the distributed representation of the words are concatenated and input into the second bidirectional LSTM layer to obtain the output of the second bidirectional LSTM layer; the output of the second bidirectional LSTM layer is input into the feedforward neural network layer with one hidden layer to obtain, for each word, the probability of each network security threat indicator; and the probabilities are input into the optimization layer, whose output is the network security threat indicators in the network intelligence.
Referring to Fig. 2, the input X_ij is a lower-level element of the word X_i (where i = 1, ..., n and j = 1, ..., the number of characters in the token X_i), such as a morpheme (a prefix or suffix) or a root; the word X_i comes from the network intelligence to be identified. V_C is the mapping from a lower-level element of a word to its distributed representation (word vector), which serves here as the first embedding layer; X_ij is input into the first bidirectional LSTM layer after being mapped by V_C. V_T is the mapping from the word X_i (where i = 1, ..., n) to its distributed representation (i.e. word vector), referred to here as the second embedding layer. The output of the first bidirectional LSTM layer is concatenated with the output of mapping the word X_i by V_T to obtain e_i (where i = 1, ..., n), which is the input to the second bidirectional LSTM layer; the output d_i (where i = 1, ..., n) of the second bidirectional LSTM layer is then obtained and passed through the feedforward neural network with one hidden layer to obtain the probability vector a_i (where i = 1, ..., n); the t-th element of a_n is the probability that the n-th word carries the t-th IOC. With a_i as input, the output y_i (where i = 1, ..., n) is obtained, that is, the network security threat indicator identified in the word, for example the IOC with the highest probability in a_i.
In one example, the training dataset is derived from the text of 200 manually labeled APT (Advanced Persistent Threat) reports. After pre-processing (such as special character replacement, segmentation, etc.), the training dataset is input into the machine learning model shown in Fig. 2 for training; once training is complete the model can be used to identify network security threat indicators. In tests, the F1 score of the network security threat indicators identified by the machine learning model is about 0.9 (the F1 score is a statistical measure of the accuracy of a binary classification model which combines the precision and recall of the model; it can be regarded as a kind of weighted average of precision and recall, with a maximum of 1 and a minimum of 0).
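The forward pass described above, written out in plain Python as an added example (this is not the patent's code and the weights are seeded random values, not the model trained on the 200 reports). It follows the data flow of Fig. 2: V_C maps each lower-level element of X_i into the first BiLSTM, the word-level summary of that layer is concatenated with V_T(X_i) to give e_i, the second BiLSTM yields d_i, and a one-hidden-layer feedforward network produces a_i. Assumptions: characters stand in for the morphemes or roots the description names; the optimization layer is reduced to taking the IOC with the highest probability, which the description gives as one option; the tag set reuses the B-IP, B-DOMAIN and B-FILEHASH labels of Fig. 5 plus an assumed "O" for no indicator.

```python
import math
import random

# Tag set: B-IP / B-DOMAIN / B-FILEHASH are the labels shown in Fig. 5; "O" (no IoC) is assumed.
IOC_TAGS = ["O", "B-IP", "B-DOMAIN", "B-FILEHASH"]
CHAR_DIM, WORD_DIM, HID = 4, 4, 3      # toy sizes so the block runs instantly

def _vec(n, rng):
    return [rng.uniform(-0.5, 0.5) for _ in range(n)]

def _mat(rows, cols, rng):
    return [_vec(cols, rng) for _ in range(rows)]

def _matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]

def _sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

class LSTM:
    """One-directional LSTM: gates i, f, o, g are computed from [x; h_prev]."""
    def __init__(self, in_dim, hid, rng):
        self.hid = hid
        self.W = _mat(4 * hid, in_dim + hid, rng)
        self.b = _vec(4 * hid, rng)

    def run(self, xs):
        h, c, outs = [0.0] * self.hid, [0.0] * self.hid, []
        for x in xs:
            z = [p + q for p, q in zip(_matvec(self.W, x + h), self.b)]
            i, f, o, g = (z[k * self.hid:(k + 1) * self.hid] for k in range(4))
            c = [_sigmoid(fk) * ck + _sigmoid(ik) * math.tanh(gk)
                 for fk, ck, ik, gk in zip(f, c, i, g)]
            h = [_sigmoid(ok) * math.tanh(ck) for ok, ck in zip(o, c)]
            outs.append(h)
        return outs

def bilstm(fwd, bwd, xs):
    """Bidirectional layer: forward states concatenated with the re-aligned backward states."""
    f_out = fwd.run(xs)
    b_out = bwd.run(xs[::-1])[::-1]
    return [f + b for f, b in zip(f_out, b_out)]

class IocTagger:
    def __init__(self, seed=0):
        rng = random.Random(seed)
        self.rng = rng
        self.V_C = {}   # first embedding layer: lower-level element (here a character) -> vector
        self.V_T = {}   # second embedding layer: word -> vector
        self.lstm1 = (LSTM(CHAR_DIM, HID, rng), LSTM(CHAR_DIM, HID, rng))
        self.lstm2 = (LSTM(2 * HID + WORD_DIM, HID, rng), LSTM(2 * HID + WORD_DIM, HID, rng))
        self.W_h, self.b_h = _mat(HID, 2 * HID, rng), _vec(HID, rng)                  # hidden layer
        self.W_o, self.b_o = _mat(len(IOC_TAGS), HID, rng), _vec(len(IOC_TAGS), rng)  # output layer

    def _embed(self, table, key, dim):
        # untrained lookup: unseen keys get a fresh random vector
        if key not in table:
            table[key] = _vec(dim, self.rng)
        return table[key]

    def forward(self, words):
        e = []
        for w in words:
            # X_ij: the characters of X_i as lower-level elements, mapped by V_C into the first BiLSTM
            h1 = bilstm(*self.lstm1, [self._embed(self.V_C, ch, CHAR_DIM) for ch in w])
            word_from_chars = h1[-1][:HID] + h1[0][HID:]   # final forward and final backward state
            e.append(word_from_chars + self._embed(self.V_T, w, WORD_DIM))   # e_i
        d = bilstm(*self.lstm2, e)                                            # d_i
        result = []
        for w, d_i in zip(words, d):
            hidden = [math.tanh(p + q) for p, q in zip(_matvec(self.W_h, d_i), self.b_h)]
            logits = [p + q for p, q in zip(_matvec(self.W_o, hidden), self.b_o)]
            m = max(logits)
            exps = [math.exp(l - m) for l in logits]
            a_i = [x / sum(exps) for x in exps]        # probability of each IOC tag for this word
            y_i = IOC_TAGS[a_i.index(max(a_i))]        # optimization layer reduced to argmax
            result.append((w, y_i, a_i))
        return result

if __name__ == "__main__":
    for word, tag, probs in IocTagger(seed=1).forward(["beacon", "198.51.100.23", "example-c2.invalid"]):
        print(f"{word:24} {tag:12} {[round(p, 3) for p in probs]}")
```

With untrained weights the tags are arbitrary; what the block fixes is the shape of the computation, in particular that the character-level layer runs once per word and only its two end states reach e_i, while the word-level layer sees the whole sentence and therefore the context that the description relies on to separate malicious from non-malicious mentions.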
It should be noted that although the various identification methods may involve matching or inputting text, this does not mean that the network intelligence must be in text form; it may also be in any other form, such as images or audio, which can for example be converted into text before being matched or input.
The identification method based on a machine learning model is more flexible and suited to a variety of targets. For types of network security threat indicators that neither the rule-based nor the dictionary-based identification method can identify well, or that would require great effort to maintain a dictionary or rules for, the identification method based on a machine learning model is more suitable.
The inventors have recognized the different characteristics of the different types of network security threat indicators and how well each suits identification based on a dictionary, on rules or on a machine learning model. By adopting the grouped adaptation described above, network security threat indicators can be identified more efficiently and accurately than with a single identification method that ignores the different characteristics of the different types, or with a blind application of multiple identification methods.
Optionally, after step 101 and before steps 1061-1063, in step 102, considering that the acquired network intelligence may contain intelligence unrelated to network security threats, a preconfigured machine learning classification model is used to classify the network intelligence obtained in step 101 into network security threat intelligence or non-network-security-threat intelligence, and in step 103 the non-network-security-threat intelligence is filtered out of the network intelligence. This further saves manpower, since no manual screening is needed, so the method can be flexibly applied to various intelligence sources. An example of the preconfigured machine learning classification model and its processing is shown in Fig. 3. In Fig. 3, the preconfigured machine learning classification model 300 includes an embedding layer 301, a convolutional layer 302, a max-pooling layer 303 and a fully connected layer 304. The classification includes: first obtaining the text of the network intelligence and inputting it into the embedding layer 301, where it is encoded into a distributed representation; then inputting the distributed representation into the convolutional layer 302 to extract features of the text of the network intelligence; then inputting the features into the max-pooling layer 303 to extract the maximum value corresponding to each feature, and concatenating the extracted maximum values as the output of the max-pooling layer; and finally inputting the output of the max-pooling layer into the fully connected layer 304, so that the classification result is obtained from the output of the fully connected layer. The machine learning classification model can be trained, for example, on the titles and keywords of 10,000 pieces of network security threat intelligence and 10,000 pieces of non-network-security-threat intelligence.
Optionally, after step 103 and before steps 1061-1063, in step 104, a preconfigured machine learning judgment model is used to judge whether network intelligence classified as network security threat intelligence is valid network security threat intelligence. For example, the same word may have different meanings in different contexts, so that it is sometimes a network security threat indicator and sometimes not; in the latter case the intelligence is invalid network security threat intelligence. With such a judgment, the invalid network security threat intelligence can be filtered out of the network intelligence in step 105. An example of the preconfigured machine learning judgment model and its processing is shown in Fig. 4. In Fig. 4, the machine learning judgment model 400 includes an embedding layer 401 and a random forest layer 402. The judgment includes: first inputting the text of the network intelligence classified as network security threat intelligence into the embedding layer 401, where it is encoded into a distributed representation, and then inputting the distributed representation into the random forest layer 402, so that whether the network intelligence classified as network security threat intelligence is valid network security threat intelligence is judged from the output of the random forest layer. These steps can further help to improve recognition efficiency. The machine learning judgment model can be trained on 2000 manually labeled pieces of network security threat intelligence, of which 800 are valid network security threat intelligence and 1200 are invalid network security threat intelligence.
It should be noted that the text of the network intelligence obtained here may be in various languages. In one example, it can be separated by language and processed with a machine learning classification model, a machine learning judgment model and a machine learning model for identifying IOCs that have each been trained for the corresponding language.
As can be seen from the above embodiments, the identification methods, whether based on a dictionary, on rules or on a machine learning model, are automated methods of identifying network security threat indicators that avoid the time and effort of manual identification. Since the at least two types of network security threat indicators to be identified are grouped according to identification method, and are identified with the identification method based on a machine learning model, the identification method based on a dictionary and the rule-based identification method that correspond to the different groups, the identification can exploit the characteristics of the different types of network security threat indicators and avoid the limitations of using a single identification method. For example, the rule-based identification method is ineffective for some types of network security threat indicators (such as attack organizations) and cannot identify them effectively, whereas the identification method based on a machine learning model can identify them effectively, which solves the problem of missed and false reports to a certain extent. The machine learning model used can recognize contextual features, so it can distinguish non-malicious network security threat indicators that appear in reports, which also solves the problem of missed and false reports to a certain extent. In an embodiment, a preconfigured machine learning classification model is used to classify the network intelligence into network security threat intelligence and non-network-security-threat intelligence and to remove the non-network-security-threat intelligence, which further saves manpower, needs no manual screening and can be flexibly applied to various intelligence sources. In a further embodiment, a preconfigured machine learning judgment model is used to judge whether the network intelligence classified as network security threat intelligence is valid network security threat intelligence, and the invalid network security threat intelligence is further removed from the network intelligence, which can further help to improve recognition efficiency.
Fig. 5 illustrates an example output of the machine learning model according to an embodiment of the present invention. The model shown in Fig. 2, trained as described above, is used to identify network intelligence obtained for example from www.freebuf.com, producing the output shown in Fig. 5, in which the first column is the word in the network intelligence, such as 194.70.136, and the last column is the network security threat indicator it was identified as, such as B-IP, which denotes an IP address, B-DOMAIN, which denotes a domain name, and B-FILEHASH, which denotes a file hash.
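The per-word tags of Fig. 5 are evaluated with the F1 score quoted earlier (about 0.9 on the test set). The following added example (not the patent's code) turns tag sequences of the Fig. 5 kind back into indicator spans and computes precision, recall and F1 against manual labels, which is how a defender checks an extractor before trusting its output. Assumptions: the standard BIO scheme, where an I- tag continues the span opened by a B- tag (Fig. 5 shows only B- tags); the tokens, labels and the model's mistaken output are constructed.

```python
from collections import Counter

def spans_from_tags(tokens, tags):
    """Turn per-word tags into (type, text) indicator spans.
    Assumes the BIO scheme: B-<type> opens a span, I-<type> continues it, O is outside.
    Fig. 5 of the description shows only B- tags; the I- handling is an assumption."""
    spans, cur_type, cur_toks = [], None, []

    def flush():
        nonlocal cur_type, cur_toks
        if cur_type is not None:
            spans.append((cur_type, " ".join(cur_toks)))
        cur_type, cur_toks = None, []

    for tok, tag in zip(tokens, tags):
        if tag.startswith("B-"):
            flush()
            cur_type, cur_toks = tag[2:], [tok]
        elif tag.startswith("I-") and cur_type == tag[2:]:
            cur_toks.append(tok)
        else:
            flush()
    flush()
    return spans

def precision_recall_f1(predicted, gold):
    """Span-level scores. F1 = 2PR/(P+R) is the harmonic mean of precision and recall:
    1.0 when every span is right, 0.0 when none is."""
    pred, gld = Counter(predicted), Counter(gold)
    tp = sum((pred & gld).values())          # spans present in both (multiset intersection)
    p = tp / sum(pred.values()) if pred else 0.0
    r = tp / sum(gld.values()) if gld else 0.0
    f1 = 2 * p * r / (p + r) if p + r else 0.0
    return p, r, f1

# Constructed tokenised sentence with manual labels (TEST-NET-2 address, .invalid domain,
# SHA-256 of the empty string); none of this is from the patent.
TOKENS = ["Beacon", "to", "198.51.100.23", "and", "example-c2.invalid", "with",
          "hash", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"]
GOLD = ["O", "O", "B-IP", "O", "B-DOMAIN", "O", "O", "B-FILEHASH"]
# constructed model output that misses the domain
PRED = ["O", "O", "B-IP", "O", "O", "O", "O", "B-FILEHASH"]

def evaluate(tokens=TOKENS, gold=GOLD, pred=PRED):
    return precision_recall_f1(spans_from_tags(tokens, pred), spans_from_tags(tokens, gold))

if __name__ == "__main__":
    p, r, f1 = evaluate()
    print(f"precision={p:.2f} recall={r:.2f} f1={f1:.2f}")
```

Scoring on spans rather than on individual tags matters for this task: a multi-token domain or hash that is only half tagged counts as a miss, which is what an analyst consuming the indicators would experience.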
Optionally, in step 107, the recognition results of the at least two types of network security threat indicators are displayed. The display can be through a web page. Fig. 6a illustrates a display interface for recognition results according to an embodiment of the present invention, showing several items related to the identified network intelligence. The first column, GUID, is the unique identifier of the obtained network intelligence; the second column is its title; the third column is the marking status of the network intelligence; the fourth column is the operator; the fifth column is the time at which the network intelligence was crawled; and the sixth column is the time of manual verification.
Fig. 6b illustrates another display interface for recognition results according to an embodiment of the present invention. It shows an operation interface in which manual verification and modification can be carried out. The right side lists the network security threat indicators to be marked; before manual verification, the recognition results of step 106 can be loaded into the corresponding network security threat indicators on the right side, and clicking on a network security threat indicator shows or hides the loaded recognition results, which can be manually added, deleted, searched and modified. The left side has a large text box that presents the original text of the network intelligence, in which selected text can be displayed.
Optional step 108 is discussed below: the computer corrects the recognition result when it receives a correction instruction for the recognition result, for example an instruction received from a user through the user interface. For example, when a word needs to be marked as a certain network security threat indicator, the word is selected manually, the "Mark" button above is clicked, and the type of network security threat indicator to be marked is then selected in the menu that appears. Of course, marks can also be modified or deleted manually in a similar way by means of other menus or buttons; such marking, modification or deletion is reflected in the corresponding field on the right side. After manual marking is finished, the "Save changes" button is clicked. In one example, saving is not only local; the result can also be submitted to a server for saving. This completes the correction of the recognition result of step 106. The interface shown in Fig. 6b also has the following buttons: a "Reset" button, which discards all manual marks and modifications and restores the automatic recognition result of step 106; and a "Delete all marks" button, which deletes all marks in the current network intelligence, including automatic marks and manual marks. Of course, there can also be other buttons that assist in manually adding, deleting, searching and modifying the computer's recognition results.
The correction results obtained in step 108 can be fed back to the computer to optimize its identification, in particular the identification based on a machine learning model and the identification based on a dictionary. Therefore, optionally, in step 109, where the recognition result was obtained with the identification method based on a machine learning model, the machine learning model is further trained with the results corrected in step 108; and/or, where the recognition result was obtained with the identification method based on a dictionary, the dictionary is updated with the results corrected in step 108.
Through interaction with, for example, a WEB page, the machine learning model can continuously receive feedback results from the front end, so that the machine learning model is continuously trained and optimized and its identification accuracy keeps improving; the dictionary can likewise be continuously updated, which also solves the problem of missed and false reports to a certain extent.
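The dictionary-based method described at the start of this section and the step-109 dictionary update, together in one added example (not the patent's code): a matcher over per-type dictionaries such as the affected-region dictionary with "China", "US" and "Japan", and a feedback routine that turns a reviewer's correction from step 108 into a new dictionary alias so the next run matches it. Assumptions: the dictionary contents beyond the three region names, the platform entries, the correction and the sample sentence are all constructed; the choice of word boundaries for Latin aliases and plain substring matching for Chinese ones is the practical detail the description's bilingual dictionaries imply.

```python
import re
import copy

# Constructed dictionaries. The description names the categories (platform, affected region)
# and the entries "China", "US", "Japan" with Chinese equivalents; the rest is illustrative.
DICTIONARIES = {
    "affected_region": {
        "China": ["China", "中国"],
        "US": ["US", "United States", "美国"],
        "Japan": ["Japan", "日本"],
    },
    "platform": {
        "Windows": ["Windows"],
        "Linux": ["Linux"],
    },
}

def _alias_pattern(alias):
    # Latin aliases get word boundaries so "US" does not fire inside "USA" or "USAGE";
    # CJK text has no word separators, so Chinese aliases are plain substring matches.
    if alias.isascii():
        return re.compile(r'\b' + re.escape(alias) + r'\b')
    return re.compile(re.escape(alias))

def identify_by_dictionary(text, dictionaries=DICTIONARIES):
    """Return sorted, de-duplicated (indicator type, canonical value, matched text) hits."""
    hits = set()
    for ioc_type, entries in dictionaries.items():
        for canonical, aliases in entries.items():
            for alias in aliases:
                for m in _alias_pattern(alias).finditer(text):
                    hits.add((ioc_type, canonical, m.group(0)))
    return sorted(hits)

def update_dictionary(dictionaries, corrections):
    """Step-109 style feedback: each correction is (type, canonical, surface text) confirmed
    by a reviewer in step 108; unknown surface forms become new aliases. Returns the count added."""
    added = 0
    for ioc_type, canonical, surface in corrections:
        aliases = dictionaries.setdefault(ioc_type, {}).setdefault(canonical, [])
        if surface not in aliases:
            aliases.append(surface)
            added += 1
    return added

# Constructed report sentence, not from the patent.
SAMPLE_TEXT = "The campaign hit Windows hosts in China, the USA and 日本 during 2019."

def demo():
    dicts = copy.deepcopy(DICTIONARIES)
    before = identify_by_dictionary(SAMPLE_TEXT, dicts)
    # the reviewer marks "USA" as the affected region US; the correction is fed back to the dictionary
    update_dictionary(dicts, [("affected_region", "US", "USA")])
    after = identify_by_dictionary(SAMPLE_TEXT, dicts)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before feedback:", before)
    print("after feedback: ", after)
```

The first run misses "USA" because the "US" alias is boundary-anchored; after the reviewer's correction is folded into the dictionary the same sentence yields the US region as well, which is the update loop step 109 describes for dictionary-identified indicators.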
Whether it is the recognition result identified by the computer in step 106 or the correction result obtained in step 108, it can serve as a basis for outputting network security threat alerts to users, and can also be used for further analysis, such as statistical analysis of the correlations between types of network security threat indicators. For example, for a given attack organization: which attack methods it commonly uses, which targets it attacks, which malicious IP addresses and domain names it uses, what the MD5 file hashes are, what the mailbox of the domain registrant is, and so on. This information can be associated so as to facilitate other applications, for example identifying associated IOCs faster on the basis of the associated information. Therefore, optionally, in step 110, the recognition results are analyzed to obtain the correlations between the types of network security threat indicators. And optionally, in step 111, network security threat alerts are output to users on the basis of the recognition results.
The process can be executed periodically for continuous optimization. For example, newly added network intelligence is crawled daily (step 101); optionally after classification, judgment and filtering (steps 102-105), automatic identification is carried out (step 106); manual verification is received through steps 107 and 108; and the corrected results are used to optimize the identification method (step 109). Repeating this cycle helps to continuously improve the reliability of the automatic identification and keep pace with the times.
Fig. 7 illustrates a block diagram of a network security threat indicator identification device according to an embodiment of the present invention. The device includes an acquirer 701 and an identifier 702. The acquirer 701 is configured to obtain network intelligence; in one example, the acquirer 701 crawls external network security threat intelligence sources by crawler technology to obtain the network intelligence. The external network security threat intelligence source is generally selected from cyber threat intelligence sharing platforms, for example the network intelligence shared on the website www.freebuf.com. Of course, in another example, the network intelligence may also be mixed with non-network-security-threat intelligence. The identifier 702 is configured to identify the network intelligence for at least two network security threat indicators, so as to obtain recognition results for the at least two network security threat indicators. The at least two network security threat indicators are divided into at least two groups in advance, and different identification methods are adapted in advance to the at least two groups respectively. For the at least two types of network security threat indicators, the example of their grouping and the example of the correspondingly adapted identification methods (the identification method based on a dictionary, the rule-based identification method and the identification method based on a machine learning algorithm), reference may be made to the corresponding description of step 106 above, which is not repeated here. In Fig. 7, the identification method based on a dictionary is implemented by the dictionary identifier 7021, the rule-based identification method by the rule identifier 7022, and the identification method based on a machine learning model by the machine learning model identifier 7023.
Optionally, the network security threat indicator identification device may further include a human-machine interface 703, which in turn includes an input unit 7031 and an output unit 7032. The output unit 7032 displays the recognition results of the at least two types of network security threat indicators; the input unit 7031 corrects the recognition results in response to a received correction instruction for the recognition results. The correction results can be fed back to the identifier 702 to optimize its identification, especially the machine learning model identifier 7023 and the dictionary identifier 7021. For the manner of optimization, refer to the description of step 109 above, which is not repeated here.
Optionally, the network security threat indicator identification device may further include a classifier 704 and a first filter 705. The classifier 704 is configured, before the network intelligence is identified, to classify the network intelligence into network security threat intelligence or non-network-security-threat intelligence using a preconfigured machine learning classification model, after which the first filter 705 filters the non-network-security-threat intelligence out of the network intelligence. For further explanation of the classifier, refer to the description of step 102 above.
Optionally, the network security threat indicator identification device may further include a judging device 706 and a second filter 707. The judging device 706 is configured, after the classification and the filtering, to judge, using a preconfigured machine learning judgment model, whether the network intelligence classified as network security threat intelligence is valid network security threat intelligence; the second filter 707 then filters the invalid network security threat intelligence out of the network intelligence. For further explanation of the judging device 706, refer to the description of step 104 above.
Fig. 8 illustrates a schematic diagram of a hardware implementation environment according to an embodiment of the present invention. Referring to Fig. 8, in an embodiment of the present invention, the network security threat indicator identification apparatus 800 includes a processor 804, which includes hardware elements 810. The processor 804 may include, for example, one or more processors such as one or more digital signal processors (DSPs), general purpose microprocessors, application specific integrated circuits (ASICs), field programmable logic arrays (FPGAs) or other equivalent integrated or discrete logic circuits. As used herein, the term "processor" may refer to any of the foregoing structures or any other structure suitable for implementing the techniques described herein. In addition, in some aspects, the functionality described herein may be provided in dedicated hardware and/or software modules configured for identifying network security threat indicators, or incorporated in combined hardware and/or software modules. Also, the techniques may be fully implemented in one or more circuits or logic elements. The methods of the present disclosure may be implemented in a variety of components, modules or units, but need not be implemented by different hardware units. Rather, as described above, the various components, modules or units may be combined, or provided by a set of interoperable hardware units (including one or more processors as described above) together with suitable software and/or firmware.
In one or more examples, the technical solutions described above in connection with Figs. 1-7 may be implemented in hardware, software, firmware or any combination thereof. If implemented in software, the functions may be stored on, or transmitted over, a computer-readable medium 806 as one or more instructions or code and executed by a hardware-based processor. The computer-readable medium 806 may include a computer-readable storage medium corresponding to a tangible medium such as a data storage medium, or a communication medium including any medium that facilitates transfer of a computer program from one place to another, for example according to a communication protocol. In this manner, the computer-readable medium 806 may generally correspond to (1) a tangible computer-readable storage medium that is non-transitory, or (2) a communication medium such as a signal or carrier wave. A data storage medium may be any available medium that can be accessed by one or more computers or one or more processors to retrieve instructions, code and/or data structures for implementing the techniques described in this disclosure. A computer program product may include the computer-readable medium 806.
By way of example and not limitation, such computer-readable storage media may include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, flash memory, or any other memory 812 that can be used to store desired program code in the form of instructions or data structures and that can be read by a computer. Also, any connection is properly termed a computer-readable medium 806. For example, if instructions are transmitted from a website, server or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL) or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL or wireless technologies such as infrared, radio and microwave are included in the definition of medium. It should be understood, however, that computer-readable storage media and data storage media do not include connections, carrier waves, signals or other transient media, but are instead directed to non-transient, tangible storage media. As used herein, disk and disc include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media 806.
The network security threat indicator identification apparatus 800 may also include an I/O interface for transmitting data and other functionality 814. The network security threat indicator identification apparatus 800 may be included in different devices, such as a mobile phone, smartphone, tablet, laptop computer, desktop computer, game console, vehicle-mounted device, household appliances such as a TV or media player, and any device that can be networked or otherwise receive information; illustrated here are a computer 816, a mobile device 818 and other devices 820. Each of these configurations includes devices that may have generally different constructions and capabilities, and so the network security threat indicator identification apparatus 800 may be configured according to one or more of the different device classes. Furthermore, the techniques of the present invention may also be implemented in whole or in part on a "cloud" 822 by using a distributed system, for example through the platform 824 described below.
The cloud 822 includes and/or represents a platform 824 for resources 826. The platform 824 abstracts the underlying functionality of the hardware (e.g. servers) and software resources of the cloud 822. The resources 826 may include applications and/or data that can be used while computer processing is executed on servers remote from the computing device 802. The resources 826 may also include services provided over the Internet and/or through a subscriber network such as a cellular or Wi-Fi network.
The platform 824 may abstract resources and functions to connect the computing device 802 with other computing devices. The platform 824 may also serve to abstract the scaling of resources so as to provide a level of scale corresponding to the demand encountered for the resources 826 implemented via the platform 824. Accordingly, in an interconnected-device embodiment, the implementation of the functionality described herein may be distributed throughout the system. For example, the functionality may be implemented partly on the computing device 802 and partly through the platform 824 that abstracts the functionality of the cloud 822.
According to the above embodiments, the automated identification of network security threat indicators avoids the time and effort of manual identification. Since the multiple types of network security threat indicators to be identified are grouped according to identification method, and are identified with the identification method based on a machine learning model, the identification method based on a dictionary and the rule-based identification method that correspond to the different groups, the identification can exploit the characteristics of the different types of network security threat indicators and avoid the limitations of using a single identification method. For example, the rule-based identification method is ineffective for some types of network security threat indicators (such as attack organizations) and cannot identify them effectively, whereas the identification method based on a machine learning model can identify them effectively, which solves the problem of missed and false reports to a certain extent. For example, through interaction with a WEB page, the machine learning model can continuously receive feedback results from the front end, so that the machine learning model is continuously trained and optimized and its identification accuracy keeps improving; the dictionary can likewise be continuously updated, which also solves the problem of missed and false reports to a certain extent. In addition, the machine learning model used can recognize contextual features, so it can distinguish non-malicious network security threat indicators that appear in reports, which again solves the problem of missed and false reports to a certain extent.
It should be understood that the terms "first", "second" and the like in the present disclosure do not indicate importance or the order of steps, but serve only to distinguish. Where method steps are not specifically illustrated or have no precedence constraint (that is, the execution of one step need not be premised on the execution result of another step), the order in which the method steps are described does not represent their order of execution, and the described method steps can be executed in any possible and reasonable order.
Other embodiments of the application will readily occur to those skilled in the art from consideration of the specification and practice of the invention disclosed here. This application is intended to cover any variations, uses or adaptations of the application that follow its general principles and include such departures from the present disclosure as come within common knowledge or customary practice in the art. The specification and examples are to be considered as illustrative only, with the true scope and spirit of the application being indicated by the claims.
It should be understood that the application is not limited to the precise structure that has been described above and illustrated in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the application is limited only by the appended claims.
Claims (15)
1. a kind of network security threats index recognition methods, comprising:
Obtain network information service;And
For at least two network security threats indexs, the network information service is known using the identification method being adapted in advance
Not, to obtain the recognition result of at least two network security threats index,
Wherein, at least two network security threats index is divided at least two groups in advance, for described at least two
Group is adapted to respectively different identification methods in advance, and
Wherein, the different identification method includes the identification method based on machine learning model.
2. The method of claim 1, further comprising, before identifying the network intelligence:
classifying the network intelligence, using a preconfigured machine learning classification model, into network security threat intelligence or non-network-security-threat intelligence; and
filtering out the non-network-security-threat intelligence from the network intelligence.
3. The method of claim 2,
wherein the preconfigured machine learning classification model comprises an embedding layer, a convolutional layer, a max pooling layer and a fully connected layer, and
wherein the classifying further comprises:
obtaining the text of the network intelligence and inputting it into the embedding layer, to encode it as a distributed representation;
inputting the distributed representation into the convolutional layer, to extract features of the text of the network intelligence;
inputting the features into the max pooling layer, to extract the maximum value corresponding to each feature, and concatenating the extracted maximum values as the output of the max pooling layer;
inputting the output of the max pooling layer into the fully connected layer, and obtaining the classification result from the output of the fully connected layer.
4. The method of claim 2, further comprising, after the classifying and the filtering out:
judging, using a preconfigured machine learning judgment model, whether the network intelligence classified as network security threat intelligence is valid network security threat intelligence; and
filtering out the invalid network security threat intelligence from the network intelligence; wherein the machine learning judgment model comprises an embedding layer and a random forest layer, and
wherein the judging comprises:
inputting the text of the network intelligence classified as network security threat intelligence into the embedding layer, to encode it as a distributed representation; and
inputting the distributed representation into the random forest layer, and judging from the output of the random forest layer whether the network intelligence classified as network security threat intelligence is valid network security threat intelligence.
5. The method of any one of claims 1-4, wherein the different identification methods further include:
a dictionary-based identification method, in which words in the network intelligence are matched against the words of a pre-established dictionary and the matched words are taken as the identification result; and
a rule-based identification method, in which the text of the network intelligence is parsed using pre-set rules and the content satisfying the rules is taken as the identification result.
6. The method of any one of claims 1-4, further comprising:
displaying the identification result on a web page; and
correcting the identification result when a correction instruction for the identification result is received.
7. The method of any one of claims 1-4,
wherein a first group of the at least two groups includes network security threat indicators of the following types: affected region and platform, and
wherein identifying the network security threat indicators comprises: for any type in the first group, identifying the network intelligence using a dictionary-based identification method, in which words in the network intelligence are matched against the words of a pre-established dictionary and the matched words are taken as the identification result.
8. The method of any one of claims 1-4,
wherein a second group of the at least two groups includes network security threat indicators of the following types: program basic data, file, registry, service and startup item, and
wherein identifying the network security threat indicators comprises: for any type in the second group, identifying the network intelligence using a rule-based identification method, in which the network intelligence is parsed using pre-set rules and the content satisfying the rules is taken as the identification result.
9. The method of any one of claims 1-4,
wherein a third group of the at least two groups includes network security threat indicators of the following types: Trojan family, threat organization, threat target, threat technique, vulnerability exploitation, file hash, IP address, domain name, file information, URL (Uniform Resource Locator), mutex and email address, and
wherein identifying the network security threat indicators comprises: for any type in the third group, identifying the network intelligence using the identification method based on a machine learning model.
10. The method of any one of claims 1-4, further comprising:
statistically analyzing the identification results, to obtain associations between the types of network security threat indicators; and/or
outputting a network security threat warning based on the identification results.
11. The method of claim 6, further comprising:
where the identification result was obtained using the identification method based on a machine learning model, further training the machine learning model using the corrected identification result; and/or
where the identification result was obtained using the dictionary-based identification method, updating the dictionary using the corrected identification result, wherein the dictionary-based identification method matches words in the network intelligence against the words of a pre-established dictionary and takes the matched words as the identification result.
12. The method of any one of claims 1-4, wherein the machine learning model comprises a first embedding layer, a second embedding layer, a first bidirectional long short-term memory layer, a second bidirectional long short-term memory layer, a feedforward neural network layer and an optimization layer; and
wherein identifying the network intelligence using the machine learning model comprises:
inputting the lower-level elements of the words of the network intelligence into the first embedding layer, to encode them as distributed representations of the lower-level elements;
inputting the distributed representations of the lower-level elements into the first bidirectional long short-term memory layer, to obtain the output of the first bidirectional long short-term memory layer;
inputting the words of the network intelligence into the second embedding layer, to encode them as distributed representations of the words;
concatenating the output of the first bidirectional long short-term memory layer with the distributed representations of the words and inputting the result into the second bidirectional long short-term memory layer, to obtain the output of the second bidirectional long short-term memory layer;
inputting the output of the second bidirectional long short-term memory layer into the feedforward neural network layer, which has one hidden layer, to obtain for each word the probability of each network security threat indicator; and
inputting the probabilities into the optimization layer, whose output is the network security threat indicators in the network intelligence.
13. A network security threat indicator identification apparatus, comprising:
a getter, configured to obtain network intelligence; and
an identifier, configured to identify the network intelligence for at least two network security threat indicators, to obtain identification results for the at least two network security threat indicators,
wherein the at least two network security threat indicators are divided in advance into at least two groups, and a different identification method is adapted in advance to each of the at least two groups, and
wherein the different identification methods include an identification method based on a machine learning model.
14. A network security threat indicator identification device, comprising:
a processor; and
a memory configured to store computer-executable instructions which, when executed by the processor, cause the processor to implement the method of any one of claims 1-12.
15. A computer readable storage medium, characterized in that instructions are stored in the computer readable storage medium which, when run on a computer, cause the computer to implement the method of any one of claims 1-12.
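The grouping that claims 1, 5, 7, 8 and 11 describe, as an added example that is not the patent's own code: the dictionary-based method serves the first group (affected region, platform), the rule-based method serves the second group (file, registry, service, startup item), and an analyst's correction of a dictionary-based result is written back into the dictionary. The type names, dictionary entries, regular expressions and sample report text are all constructed for the example.

```python
"""Added example (not the patent's code): identify indicators group by group,
using the dictionary-based method for group 1 (affected region, platform) and
the rule-based method for group 2 (file, registry, service, startup item), and
feed analyst corrections back into the dictionary as claim 11 describes.
Dictionary entries, regexes, type names and sample text are all constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Match:
    indicator_type: str
    value: str
    method: str  # "dictionary", "rule" or "corrected"


# Group 1: dictionary-based. Constructed and deliberately small.
DICTIONARY = {
    "platform": {"windows", "linux", "android", "macos"},
    "region": {"china", "japan", "europe", "united states"},
}

# Group 2: rule-based. Constructed regexes; a capture group, when present,
# narrows the reported value to the interesting part (e.g. the Run entry name).
RULES = {
    "registry": re.compile(r"\bHK(?:LM|CU|CR|U|CC|EY_[A-Z_]+)\\[^\s\"';,]+", re.I),
    "file": re.compile(r"\b[\w\-]+\.(?:exe|dll|sys|bat|ps1|vbs|js)\b", re.I),
    "startup_item": re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\s\"';,]+)", re.I),
    "service": re.compile(r"\bservice\s+(?:named|called)\s+\"?([\w\-]+)", re.I),
}

# Which identification method is adapted to which group (claims 1, 7, 8).
GROUPS = {"dictionary": ["platform", "region"],
          "rule": ["registry", "file", "startup_item", "service"]}


def identify_by_dictionary(text, types, dictionary=DICTIONARY):
    """Match whole words of the text against the dictionary of each type."""
    low = text.lower()
    return [Match(t, word, "dictionary")
            for t in types for word in sorted(dictionary[t])
            if re.search(r"\b" + re.escape(word) + r"\b", low)]


def identify_by_rule(text, types, rules=RULES):
    """Parse the text with each type's rule; the matching content is the result."""
    found = []
    for t in types:
        for m in rules[t].finditer(text):
            found.append(Match(t, m.group(1) if m.groups() else m.group(0), "rule"))
    return found


def identify(text):
    """Run every group with the method adapted to it and merge the results."""
    return (identify_by_dictionary(text, GROUPS["dictionary"])
            + identify_by_rule(text, GROUPS["rule"]))


def correct(results, correction, dictionary=DICTIONARY):
    """Apply an analyst correction ("add" | "remove", type, value) to the results.
    For a dictionary-based type, an added value also updates the dictionary, so
    the next run finds it without retraining anything (claim 11)."""
    action, itype, value = correction
    if action == "add":
        if itype in dictionary:
            value = value.lower()
            dictionary[itype].add(value)
        return results + [Match(itype, value, "corrected")]
    if action == "remove":
        return [r for r in results if (r.indicator_type, r.value) != (itype, value)]
    raise ValueError(f"unknown correction action: {action}")


# Constructed sample report text; every value in it is fictional.
SAMPLE_TEXT = (r"The Windows variant drops svchost32.exe and persists via "
               r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater; "
               r"a service named UpdSvc is registered. Victims were observed "
               r"in Japan and Europe.")

if __name__ == "__main__":
    for m in identify(SAMPLE_TEXT):
        print(f"{m.indicator_type:13} {m.method:10} {m.value}")
```

The rules are written to miss rather than over-match: each regex anchors on a structural marker (a hive prefix, a file extension, the Run key) instead of bare words, which keeps the rule-based group's false-positive rate low enough that its results can be trusted without the model-based filtering the other claims describe.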
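Claim 12 ends with an "optimization layer" that turns the per-word indicator probabilities from the feedforward layer into the indicators themselves, but the patent does not say what that layer computes. The example below is added here and is not the patent's code; it assumes the usual choice for such a layer, a CRF-style Viterbi decode over BIO tags with hard transition constraints, and contrasts it with plain per-word argmax. The indicator types, tokens and probability table are constructed to look like model output.

```python
"""Added example (not the patent's code): decode per-word indicator probabilities
into indicator spans. Assumes the "optimization layer" of claim 12 is a
constrained Viterbi decode over BIO tags (the patent does not name it).
Labels, tokens and the probability table are constructed."""
import math

TYPES = ["ip_address", "domain_name", "file_hash"]          # assumed indicator types
LABELS = ["O"] + [f"{p}-{t}" for t in TYPES for p in ("B", "I")]
FLOOR = 1e-12  # probability floor so log() never sees zero


def allowed(prev, cur):
    """BIO constraint: an I-x tag may only follow B-x or I-x of the same type."""
    if cur == "O" or cur.startswith("B-"):
        return True
    return prev != "O" and prev[2:] == cur[2:]


def viterbi(emissions, labels=LABELS):
    """emissions[i][label] = probability of `label` for word i.
    Returns the highest-scoring label path that obeys the BIO constraints."""
    n, neg = len(emissions), float("-inf")
    score = [dict.fromkeys(labels, neg) for _ in range(n)]
    back = [dict() for _ in range(n)]
    for lab in labels:
        if allowed("O", lab):                     # a sequence cannot open with I-
            score[0][lab] = math.log(max(emissions[0][lab], FLOOR))
    for i in range(1, n):
        for cur in labels:
            prev = max((p for p in labels if score[i - 1][p] > neg and allowed(p, cur)),
                       key=lambda p: score[i - 1][p], default=None)
            if prev is not None:
                score[i][cur] = score[i - 1][prev] + math.log(max(emissions[i][cur], FLOOR))
                back[i][cur] = prev
    path = [max(labels, key=lambda lab: score[n - 1][lab])]
    for i in range(n - 1, 0, -1):
        path.append(back[i][path[-1]])
    return path[::-1]


def greedy(emissions, labels=LABELS):
    """Baseline: per-word argmax that ignores label transitions."""
    return [max(labels, key=lambda lab: e[lab]) for e in emissions]


def spans(tokens, path):
    """Collapse a BIO path into (type, value) pairs; stray I- tags are dropped."""
    out, cur = [], None
    for tok, lab in zip(tokens, path):
        if lab.startswith("B-"):
            if cur:
                out.append(cur)
            cur = [lab[2:], [tok]]
        elif lab.startswith("I-") and cur and cur[0] == lab[2:]:
            cur[1].append(tok)
        else:
            if cur:
                out.append(cur)
            cur = None
    if cur:
        out.append(cur)
    return [(t, "".join(toks)) for t, toks in out]


def soft(main, p, alt=None, q=0.0, labels=LABELS):
    """Constructed emission row: `main` gets p, `alt` gets q, the rest share the remainder."""
    rest = [lab for lab in labels if lab not in (main, alt)]
    row = dict.fromkeys(rest, (1.0 - p - q) / len(rest))
    row[main] = p
    if alt:
        row[alt] = q
    return row


# Constructed tokens (the tokenizer split the IP and the domain on dots) and a
# constructed probability table. Word 5 is the interesting one: the model slightly
# prefers O there, which cuts the IP in two under greedy decoding but not under
# the constrained decode, because I-ip_address cannot follow O.
TOKENS = ["Beacons", "to", "203", ".", "0", ".", "113", ".", "5",
          "via", "evil-example", ".", "test"]
EMISSIONS = [soft("O", 0.95), soft("O", 0.95),
             soft("B-ip_address", 0.8), soft("I-ip_address", 0.6), soft("I-ip_address", 0.7),
             soft("O", 0.55, "I-ip_address", 0.45),
             soft("I-ip_address", 0.9), soft("I-ip_address", 0.7), soft("I-ip_address", 0.8),
             soft("O", 0.9),
             soft("B-domain_name", 0.85), soft("I-domain_name", 0.7), soft("I-domain_name", 0.8)]


def decode_sample():
    """Return (constrained, greedy) indicator spans for the constructed sample."""
    return spans(TOKENS, viterbi(EMISSIONS)), spans(TOKENS, greedy(EMISSIONS))


if __name__ == "__main__":
    constrained, plain = decode_sample()
    print("constrained:", constrained)
    print("greedy:     ", plain)
```

The point of the decode is visible at word 5: the constrained path keeps the whole IP address together because an I- tag after an O is impossible, whereas the greedy path emits a truncated indicator and silently drops the rest. A truncated indicator is worse than none in a threat feed, since it will never match the real artefact but still consumes analyst attention, which is why a transition-aware decode is the usual choice for this layer.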
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910493265.2A CN110177114B (en) | 2019-06-06 | 2019-06-06 | Network security threat indicator identification method, equipment, device and computer readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110177114A true CN110177114A (en) | 2019-08-27 |
CN110177114B CN110177114B (en) | 2021-07-13 |
Family
ID=67697183
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910493265.2A Active CN110177114B (en) | 2019-06-06 | 2019-06-06 | Network security threat indicator identification method, equipment, device and computer readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110177114B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107391684A (en) * | 2017-07-24 | 2017-11-24 | 深信服科技股份有限公司 | A kind of method and system for threatening information generation |
CN107391598A (en) * | 2017-06-30 | 2017-11-24 | 北京航空航天大学 | One kind threatens information automatic generation method and system |
US10250621B1 (en) * | 2016-11-17 | 2019-04-02 | EMC IP Holding Company LLC | Automatic extraction of indicators of compromise from multiple data sources accessible over a network |
Application events: 2019-06-06, CN application CN201910493265.2A, patent CN110177114B, status active.
Non-Patent Citations (1)
Title |
---|
徐文韬: "面向威胁情报的攻击指示器自动生成", 《通信技术》 * |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110730164A (en) * | 2019-09-18 | 2020-01-24 | 平安科技(深圳)有限公司 | Safety early warning method, related equipment and computer readable storage medium |
CN110730164B (en) * | 2019-09-18 | 2022-09-16 | 平安科技(深圳)有限公司 | Safety early warning method, related equipment and computer readable storage medium |
CN111447215A (en) * | 2020-03-25 | 2020-07-24 | 深信服科技股份有限公司 | Data detection method, device and storage medium |
CN111581355A (en) * | 2020-05-13 | 2020-08-25 | 杭州安恒信息技术股份有限公司 | Method, device and computer storage medium for detecting subject of threat intelligence |
CN112019519A (en) * | 2020-08-06 | 2020-12-01 | 杭州安恒信息技术股份有限公司 | Method and device for detecting threat degree of network security information and electronic device |
CN112087451A (en) * | 2020-09-09 | 2020-12-15 | 杭州安恒信息技术股份有限公司 | Network security protection method, device, equipment and readable storage medium |
CN112995204B (en) * | 2021-04-09 | 2022-07-08 | 厦门市美亚柏科信息股份有限公司 | Method, device, equipment and storage medium for safely reading Protonmail encrypted mail |
CN112995204A (en) * | 2021-04-09 | 2021-06-18 | 厦门市美亚柏科信息股份有限公司 | Method, device, equipment and storage medium for safely reading Protonmail encrypted mail |
CN113282759A (en) * | 2021-04-23 | 2021-08-20 | 国网辽宁省电力有限公司电力科学研究院 | Network security knowledge graph generation method based on threat information |
CN113282759B (en) * | 2021-04-23 | 2024-02-20 | 国网辽宁省电力有限公司电力科学研究院 | Threat information-based network security knowledge graph generation method |
CN113472788A (en) * | 2021-06-30 | 2021-10-01 | 深信服科技股份有限公司 | Threat awareness method, system, equipment and computer readable storage medium |
CN113472788B (en) * | 2021-06-30 | 2023-09-08 | 深信服科技股份有限公司 | Threat perception method, threat perception system, threat perception equipment and computer-readable storage medium |
CN114513336A (en) * | 2022-01-18 | 2022-05-17 | 国家广播电视总局广播电视规划院 | Network security platform construction method based on threat intelligence and intelligent identification algorithm |
Also Published As
Publication number | Publication date |
---|---|
CN110177114B (en) | 2021-07-13 |
Similar Documents
Publication | Title |
---|---|
CN110177114A (en) | The recognition methods of network security threats index, unit and computer readable storage medium |
Ho et al. | Detecting and characterizing lateral phishing at scale |
Kintis et al. | Hiding in plain sight: A longitudinal study of combosquatting abuse |
CN109510815B (en) | Multi-level phishing website detection method and system based on supervised learning |
CN103559235B (en) | A kind of online social networks malicious web pages detection recognition methods |
US9846780B2 (en) | Automated vulnerability intelligence generation and application |
US20180191754A1 (en) | Suspicious message processing and incident response |
CA2840992C (en) | Syntactical fingerprinting |
CN112131882A (en) | Multi-source heterogeneous network security knowledge graph construction method and device |
CN108092962A (en) | A kind of malice URL detection method and device |
Vasek et al. | Hacking is not random: a case-control study of webserver-compromise risk |
Wardman et al. | High-performance content-based phishing attack detection |
CN111104579A (en) | Identification method and device for public network assets and storage medium |
CN109104421B (en) | Website content tampering detection method, device, equipment and readable storage medium |
CN109074454A (en) | Malware is grouped automatically based on artefact |
CN104158828B (en) | The method and system of suspicious fishing webpage are identified based on cloud content rule base |
Manyumwa et al. | Towards fighting cybercrime: Malicious url attack type detection using multiclass classification |
Sánchez-Paniagua et al. | Phishing websites detection using a novel multipurpose dataset and web technologies features |
Priya et al. | Detection of phishing websites using C4. 5 data mining algorithm |
Acharya et al. | Detecting malware, malicious URLs and virus using machine learning and signature matching |
Pejić-Bach et al. | A Bibliometric Analysis of Phishing in the Big Data Era: High Focus on Algorithms and Low Focus on People |
CN115001763B (en) | Phishing website attack detection method and device, electronic equipment and storage medium |
US20230112092A1 (en) | Detecting visual similarity between dns fully qualified domain names |
Wardman et al. | New tackle to catch a phisher |
KR101893029B1 (en) | Method and Apparatus for Classifying Vulnerability Information Based on Machine Learning |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |