CN110177114A - The recognition methods of network security threats index, unit and computer readable storage medium - Google Patents

The recognition methods of network security threats index, unit and computer readable storage medium Download PDF

Info

Publication number
CN110177114A
CN110177114A CN201910493265.2A CN201910493265A CN110177114A CN 110177114 A CN110177114 A CN 110177114A CN 201910493265 A CN201910493265 A CN 201910493265A CN 110177114 A CN110177114 A CN 110177114A
Authority
CN
China
Prior art keywords
network security
layer
security threats
network
information service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910493265.2A
Other languages
Chinese (zh)
Other versions
CN110177114B (en
Inventor
郭豪
洪春华
梁玉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201910493265.2A priority Critical patent/CN110177114B/en
Publication of CN110177114A publication Critical patent/CN110177114A/en
Application granted granted Critical
Publication of CN110177114B publication Critical patent/CN110177114B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Computing arrangements based on biological models using neural network models
    • G06N3/04Architectures, e.g. interconnection topology
    • G06N3/0454Architectures, e.g. interconnection topology using a combination of multiple neural nets
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Computing arrangements based on biological models using neural network models
    • G06N3/04Architectures, e.g. interconnection topology
    • G06N3/049Temporal neural nets, e.g. delay elements, oscillating neurons, pulsed inputs
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Computing arrangements based on biological models using neural network models
    • G06N3/08Learning methods
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

Disclose a kind of network security threats index recognition methods, comprising: obtain network information service;And it is directed at least two network security threats indexs, the network information service is identified, to obtain the recognition result of at least two network security threats index, wherein, the at least two network security threats index is divided at least two groups in advance, it is adapted to respectively different identification methods in advance for described at least two groups, and wherein, the different identification method includes the identification method based on machine learning model.Also disclose a kind of network security threats index identification unit and computer readable storage medium.

Description

The recognition methods of network security threats index, unit and computer-readable storage Medium
Technical field
This application involves network security, more particularly, to the recognition methods of network security threats index, unit with And computer readable storage medium.
Background technique
Threaten information, be certain evidential knowledge according to the definition of Gartner, including context, mechanism, mark, Meaning and the suggestion being able to carry out, it is related that these knowledge and assets face existing or in the air threat or harm, can use Informational support is provided to the response or processing decision that threaten or endanger in assets relative subject.Most of described threat feelings in the industry Report may be considered the threat information of narrow sense, main contents be for identification with detection network security threats index (Indicators of Compromise, IOC), such as file Hash, IP address, domain name, herein by such threat information Referred to as network security threats information.Network information service refers to network security threats information and non-network security threat information, may be only With network security threats information, or may only have non-network security threat information, or possible the two has.From may be simultaneously It is one that network security threats information is extracted in network information service with network security threats information and non-network security threat information The time-consuming and laborious work of part.In addition, including threat information in network security threats information, for analyzing to identify network security prestige It coerces index (Indicators of Compromise, IOC), threatens information bank etc. for subsequent use for example to be formed.Network Security threat information is broadly divided into two major classes according to source: internal network security threatens information and external network security threat feelings Report.It is mostly to be collected, handled by analysis system internal data that internal network security, which threatens information, external network security threat Information is derived mainly from shared or payment the network security threats information that enterprise and/or community provide.In view of internal network security The closure and particularity of information are threatened, internal network security is not used when verifying network security threats index generally and threatens feelings Report.In network safety filed, to full-mesh network, perception plays a very important role external network security threat information safely, but outer Portion's network security threats information data amount is huge, is difficult to identify one by one by artificial mode, time-consuming and laborious and there may be leakages Report, wrong report.
Summary of the invention
The embodiment provides the recognition methods of network security threats index, unit and computer-readable Storage medium at least is partially solved problem mentioned above.
According to the first aspect of the invention, a kind of network security threats index recognition methods is provided, comprising: obtain network feelings Report;And at least two network security threats indexs are directed to, the network information service is identified, to obtain described at least two The recognition result of network security threats index, wherein at least two network security threats index is divided at least in advance Two groups are adapted to respectively different identification methods for described at least two groups in advance, and wherein, the different identification side Formula includes the identification method based on machine learning model.
According to one embodiment, further comprise in the identification foregoing description method: utilizing preconfigured engineering Disaggregated model is practised, the network information service is categorized into network security threats information or non-network security threat information;And it filters out Non-network security threat information in the network information service.
According to one embodiment, wherein the preconfigured machine learning classification model include embeding layer, convolutional layer, Maximum pond layer and full articulamentum, and wherein, the classification further comprises: obtaining the text of the network information service and input The embeding layer is encoded to distributed expression;By the distributed expression input convolutional layer, to extract the network feelings The feature of the text of report;The feature input maximum pond layer will be extracted with extracting the corresponding maximum value of each feature The corresponding maximum value splicing of each feature, the output as the maximum pond layer;The output of the maximum pond layer is defeated Enter the full articulamentum, the output based on the full articulamentum obtains the result of the classification.
According to one embodiment, the method, the classification and it is described filter out after further comprise: using matching in advance The machine learning judgment models set, judgement are classified as whether the network information service of the network security threats information is effective network Security threat information;And filter out the non-effective network security threats information in the network information service.
According to one embodiment, wherein the machine learning judgment models include embeding layer and random forest layer, and its In, the judgement includes: that would be classified as the text input of the network information service of the network security threats information to the embeding layer, To be encoded to distributed indicate;And the distributed expression is input to random forest layer, according to described random gloomy The output judgement of woods layer is classified as whether the network information service of the network security threats information is effective network security threats feelings Report.
According to one embodiment, wherein the different identification method further include: the identification method based on dictionary, wherein Word in the network information service is matched with the word in the dictionary pre-established, it will matched word conduct identification knot Fruit;It is incited somebody to action with rule-based identification method wherein being parsed using pre-set rule to the text of the network information service Meet the content of the rule as recognition result.
According to one embodiment, the method further includes: show the recognition result;And it is receiving for institute In the case where the corrigendum instruction for stating recognition result, the recognition result is corrected.
According to one embodiment, wherein the display recognition result includes: to show the identification by web page As a result.
According to one embodiment, wherein first group in described at least two groups include following type network security prestige It coerces index: influencing area and platform, and the wherein net identify include: for any class in described first group Network security threat index identifies the network information service using the identification method based on dictionary, wherein the knowledge based on dictionary Other mode is to match the word in the network information service with the word in the dictionary pre-established, will matched word conduct Recognition result.
According to one embodiment, wherein second group in described at least two groups include following type network security prestige Coerce index: basic data file, registration table, service and the startup item of program, and wherein it is described carry out identification include: for institute The network security threats index for stating any class in second group, using rule-based identification method to the network information service into Row identification, wherein rule-based identification method is to be parsed using pre-set rule to the network information service, will accord with The content of the rule is closed as recognition result.
According to one embodiment, wherein the third group in described at least two groups includes the network security prestige of following type Coerce index: wooden horse family threatens tissue, threat object, threatens gimmick, loophole use, file Hash, IP address, domain name, file Information, URL(Uniform Resource Locator), mutual exclusion lock and mailbox, and wherein it is described carry out identification include: in the third group Any kind of network security threats index knows the network information service using the identification method based on machine learning model Not.
According to one embodiment, the method further includes: the recognition result is statisticallyd analyze, to obtain the network Relevance between the type of security threat index;And/or it is based on the recognition result, it is alert to export network security threats to user It accuses.
According to one embodiment, wherein the acquisition network information service include: by crawler technology crawl outside source with Obtain network information service.
According to one embodiment, the method further includes: it is using based on machine learning mould in the recognition result In the case that the identification method of type identifies, the machine learning model is carried out using the recognition result corrected further Training;And/or it in the case where the recognition result is identified using identification method based on dictionary, utilizes and is corrected Recognition result is updated dictionary, wherein the identification method based on dictionary be by the network information service word with pre-establish Dictionary in word matched, will matched word as recognition result.
According to one embodiment, wherein the machine learning model includes the first embeding layer, the second embeding layer, first layer The two-way long short-term memory layer of two-way long short-term memory layer, the second layer, Feedforward Neural Networks network layers and optimization layer;And it wherein, utilizes It includes: to input the next stage element of the word of the network information service that the machine learning model, which carries out identification to the network information service, First embeding layer is indicated with being encoded to the distribution of the next stage element;By the distributed table of the next stage element Show the input two-way long short-term memory layer of first layer, obtains the output of the two-way long short-term memory layer of the first layer;It will be described The word of network information service inputs second embeding layer, and to be encoded to, the distribution of predicate is indicated;By the two-way length of the first layer The output of short-term memory layer inputs the two-way long short-term memory layer of the second layer after indicating splicing with the distributed of institute's predicate, obtains The output of the two-way long short-term memory layer of the second layer;The output of the two-way long short-term memory layer of the second layer is input to one The Feedforward Neural Networks network layers of hidden layer obtain the probability in word with each network security threats index;And by the probability The optimization layer is inputted, obtained output is the network security threats index in the network information service.
According to the second aspect of the invention, a kind of network security threats index identification equipment is provided, comprising: getter, It is configured to obtain network information service;And identifier, it is configured at least two network security threats indexs, to described Network information service is identified, to obtain the recognition result of at least two network security threats index, wherein described at least two Kind network security threats index is divided at least two groups in advance, is adapted in advance for described at least two groups respectively different Identification method, and wherein, the different identification method includes the identification method based on machine learning model.
According to the third aspect of the invention we, a kind of network security threats index identification device is provided, comprising: processor; And memory, it is configured to be stored with computer executable instructions on it, described instruction is worked as to be executed in the processor When, so that the method that the processor realizes above-mentioned first aspect and its any embodiment.
According to the fourth aspect of the invention, a kind of computer readable storage medium is provided, which is characterized in that the calculating Instruction is stored in machine readable storage medium storing program for executing, when described instruction is run on computers, so that computer realization is above-mentioned The method of first aspect and its any embodiment.
Manual identified is avoided using the identification method of automated network security threat mark according to above-described embodiment Take time and effort.Since we carry out the network security threats mark at least two types that needs identify according to identification method Grouping, by the identification method based on machine learning model corresponding with different grouping, the identification method based on dictionary and is based on The identification method of rule identifies, as such, the characteristics of different types of network security threats index can be utilized and advantageously into Row identification, avoids the limitation using single identification method, for example, rule-based identification method is to some species of network Security threat index (such as attack tissue) be it is invalid, can not effectively identify, and instead based on the knowledge of machine learning model Other mode can then efficiently identify, and solve the problems, such as to fail to report to a certain extent and report by mistake.For example, by the friendship with WEB page Mutually, machine learning model can constantly receive front end feedback as a result, to constantly training, optimize the machine learning model, To be continuously improved, dictionary also can constantly be updated for the identification accuracy of machine learning model, this is also to a certain extent It solves the problems, such as to fail to report and report by mistake.In addition, the machine learning model used can identify the feature of context, so as to distinguish report The non-malicious network security threats index occurred in announcement, this solves the problems, such as to fail to report and report by mistake to a certain extent again.In reality It applies in example, using preconfigured machine learning classification model, the network information service is classified, to be divided into network security prestige Side of body information and non-network security threat information simultaneously remove non-network security threat information, can further liberate manpower, are not necessarily to people Work screening, so as to be flexibly applied to various information sources.In a further embodiment, preconfigured engineering is utilized Judgment models are practised, judgement is classified as whether the network information service of the network security threats information is effective network security threats feelings Report, and the non-effective network security threats information in the network information service is further removed, it can further help to improve knowledge Other efficiency.
Detailed description of the invention
To describe the technical solutions in the embodiments of the present invention more clearly, make required in being described below to embodiment Attached drawing is briefly described, it should be apparent that, the drawings in the following description are only some examples of the present application, for For those of ordinary skill in the art, without creative efforts, it can also be obtained according to these attached drawings other Attached drawing.
Fig. 1 illustrates the flow charts of network security threats index recognition methods according to an embodiment of the present invention.
Fig. 2 illustrates a topology example of machine learning model according to an embodiment of the present invention.
Fig. 3 illustrates a structure and processing example for machine learning classification model according to an embodiment of the present invention.
Fig. 4 illustrates a structure and processing example for machine learning judgment models according to an embodiment of the present invention.
Fig. 5 illustrates an output example of machine learning model according to an embodiment of the present invention.
Fig. 6 a illustrates a display interface of recognition result according to an embodiment of the present invention.
Fig. 6 b illustrates another display interface of recognition result according to an embodiment of the present invention.
Fig. 7 illustrates the block diagram of the equipment according to an embodiment of the present invention for the identification of network security threats index.
Fig. 8 illustrates hardware implementation environment schematic diagram according to an embodiment of the present invention.
Specific embodiment
To keep the purposes, technical schemes and advantages of the application clearer, below in conjunction with attached drawing to the application embodiment party Formula is described in further detail.
Network security threats information referred to herein refers to comprising threat information, for identifying to identify network security Threaten the information of index (IOC).Herein referred network information service refers to network security threats information and non-network security threat feelings Report, may only have network security threats information, or may only have non-network security threat information, or possible the two has. Network security threats index referred to herein refers to the proof data of potential rogue activity in mark system or network.
Fig. 1 illustrates the flow charts of network security threats index recognition methods according to an embodiment of the present invention.It may be noted that with What the sequencing of lower description did not represent step itself executes sequence, these steps can with any reasonable sequence successively or Person is performed simultaneously, except non-post must be premised on previous step on the execution of step.Network security according to an embodiment of the present invention Index recognition methods is threatened to start from step 101.Wherein, crawler skill can be passed through in one example by obtaining network information service Art crawls external network security threat information source to obtain network information service.The external network security threat information source is generally selected from net Network threatens intelligence sharing platform, the network information service shared on e.g. website www.freebuf.com.Certainly, show at another In example, which may also be doped with non-network security threat information.
Then in step 106, at least two network security threats indexs, using the identification method being adapted in advance to institute It states network information service to be identified, to obtain the recognition result of at least two network security threats index.Wherein, it is described at least Two kinds of network security threats indexs are divided at least two groups in advance, are adapted in advance for described at least two groups respectively different Identification method have chosen the network security threats index of 18 types in one example, be respectively: wooden horse family, threaten Tissue, threat object influence area, threaten gimmick, loophole, platform, file Hash, IP address, domain name, the file information, the whole world Resource localizer, the basic data file of program, mutual exclusion lock, registration table, service, startup item and mailbox.Wooden horse family is for example Trickbot, jasperloader, artradownloader, bulehero etc..Threaten tissue for example have APT10, it is climing spirit flower, The tissue that the initiations such as muddywater threaten.Threat object for example has the mesh of the threats such as financial department, government organs, educational institution Mark.It influences area and refers to the geographic range for threatening and influencing.Gimmick is threatened as the term suggests threatening used means, such as Distributed denial of service (DDoS:Distributed Denial of Service), attacker is by means of client/server skill Art, multiple computers are joined together as Attack Platform, start ddos attack to one or more targets, to exponentially mention The power of high Denial of Service attack.It threatens gimmick there are also vulnerability exploit, inveigle file, malious email, Windows A kind of command-line shell program of PowerShell(and script environment), phishing (Phishing) etc..Wherein phishing is Refer to that swindler oneself will usually disguise oneself as the believable brand such as the Internet bank, online retailer and credit card company, utilizes deception The Email of property and the Web site of forgery carry out network fraud, and lamb often reveals the private data of oneself, Such as credit number, bank card account, identification card number content.Loophole refers to utilized loophole, such as CVE(Common Vulnerabilities & Exposures, public loophole and exposure) number be CVE-2017-8464, CVE-2019-2725, The loophole of CVE-2017-12615, CVE-2017-10271, CVE-2017-5638, CNVD-2018-24942 etc..Platform refers to prestige Coerce the platform being directed to, such as windows, linux, Mac OS etc..File Hash (i.e. Hash) is called file signature, in file which Be afraid of that a bit is changed, file Hash will be different, therefore can be used for distinguishing different files, and more commonly used file is breathed out Uncommon algorithm has MD5 and SHA-1, and lower section lists 12 file Hash on the right of Fig. 6 b.IP address such as 65.182.100.42, 81.88.24.211,103.219.22.63 etc..Domain name is for example:
breed.wanttobea.com、
zzi.aircargox.com、
nono.littlebodiesbigsouls.com、
tribunaledinapoli.recsinc.com、
tribunaledinapoli.prepperpillbox.com、
tribunaledinapoli.lowellunderwood.com、
Tribunaledinapoli.rntman.com etc..
The file information such as kernel.dll, winserv.exe, rundll32.exe, rtegre.exe, Wprgxyeqd79.exe etc..URL(Uniform Resource Locator) (URL) is for example:
http://planasolutions.com/wordpress/wp-content/nq3sqe-x875-tt/、
http://mattheweidem.com/ikn0owm-g991-syvw/、
Http:// irose.com/lpo7qje-wg556-pnv/ etc..
The basic data file (PDB, Program Data Base) of program is for example:
C:\Users\CN_ide\Desktop\TSSL_v3.2.7_BypassSymantec_20180528\TClient\ Release\FakeRun.pdb、
D:\Soft\DevelopedCode_Last\yty2.0\Release\C++\Setup.pdb、
C:\users\803\documents\visualstudio2010\Projects\helpdll\Release\ Helpdll.pdb etc..Mutual exclusion lock such as { 531511FA-190D-5D85-8A4A-279F2F592CC7 } etc..Registration table is for example:
Software\Microsoft\Office\12.0\Word\Resiliency\DisabledItems、
Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems、
Software\Microsoft\Office\11.0\Word\Resiliency\DocumentRecovery、
Software Microsoft Office 11.0 Word Resiliency DisabledItems etc..Startup item is for example Memory optimizer.lnk, SLVjiAEwaK.url, SMTPLoader.lnk etc..Service such as ndisproxy-mn, Wmmvsvc, SCardPrv etc..Mailbox is for example: ijuqodisunovib98@o2.pl, sayanwalsworth96@ protonmail.com、abbschevis@protonmail.com、cottleakela@protonmail.com、 aperywsqaroci@o2.pl、asuxidoruraep1999@o2.pl、couwetizotofo@o2.pl、 Dharmaparrack@protonmail.co etc..
In one example, the network security threats index of above-mentioned 18 types has been partitioned into three groups, and each group pre- It is first adapted to a kind of identification method, the identification method being adapted in advance for three groups is different.Wherein include influence for first group Area and platform, second group includes basic data file, registration table, service and startup item, and third group includes remaining, i.e. wooden horse Family threatens tissue, threat object, threatens gimmick, loophole, file Hash, IP address, domain name, the file information, global resources fixed Position device, mutual exclusion lock and mailbox.The foundation of division group is exactly identification method, for above-mentioned first group, in step 1061, using being based on The identification method of dictionary identifies that, for above-mentioned second group, in step 1062, utilization is rule-based to the network information service Identification method identifies the network information service, for above-mentioned third group, in step 1063, using based on machine learning model Identification method the network information service is identified.
Identification method based on dictionary is directly to the word in all words in network information service full text and the dictionary pre-established It is matched, dictionary includes the dictionary of platform and the dictionary for influencing area, can pass through disclosed network security threats index Data source and obtain, naturally it is also possible to it is artificial to establish or modification.For the two types, due to platform and area is influenced relatively Stablize, can enumerate, is suitble to be identified by the way of dictionary.The dictionary of platform for example including " Linux ", " Windows " etc., The dictionary in area is influenced for example including " China ", " US ", " Japan " etc., and certain dictionary also may include corresponding Chinese or it The language of its country).What can be matched is identified as corresponding network security information index, such as platform or influence ground Area.
Rule-based identification method using pre-defined rule (such as identification basic data file rule, identification registration table Rule, the rule of identification service and the rule for identifying startup item) to being parsed in the full text of network information service, will meet described The content of rule is as recognition result, such as basic data file, registration table, service or startup item, the regular ratio of these types It is relatively fixed, it is changed without being regularly maintained.Such as the rule of identification basic data file can be expressed for example with regular expression are as follows:
r'\b([A-Za-z0-9-_\.]+\.(pdb))\b'
Wherein r'' use ' ' native character string is drawn, which is ended up with .pdb, can be upper and lower case letter and institute before .pdb The symbol enumerated any one or it is more than one, b indicate boundary.The regular expression is common to a variety of programmed environments, or Lesser modification may be needed for certain specific environments.
Machine learning model in identification method based on machine learning model can use a variety of different structures.Fig. 2 Illustrate a topology example of machine learning model according to an embodiment of the present invention.The machine learning model includes first embedding Enter the two-way long short-term memory layer of layer, the second embeding layer, first layer, the two-way long short-term memory layer of the second layer, Feedforward Neural Networks network layers And optimization layer.Each two-way long short-term memory layer of layer by type be long short-term memory (LSTM) Recognition with Recurrent Neural Network (RNN, Recurrent Neural Network) element composition.The network information service is identified using the machine learning model Including once operating.The next stage element of the word of the network information service is inputted into first embeding layer, be encoded to it is described under The distributed of level element indicates;Distributed by the next stage element indicates to input the two-way long short-term memory of first layer Layer, obtains the output of the two-way long short-term memory layer of the first layer;The word of the network information service is inputted into second embeding layer, To be encoded to, the distribution of predicate is indicated;By the output and the distribution of institute's predicate of the two-way long short-term memory layer of the first layer The two-way long short-term memory layer of the second layer is inputted after indicating splicing, obtains the output of the two-way long short-term memory layer of the second layer;It will The two-way long short-term memory layer of the second layer is input to the Feedforward Neural Networks network layers with a hidden layer, obtains in word Probability with each network security threats index;And the probability is inputted into the optimization layer, obtained output is described Network security threats index in network information service.Referring to fig. 2, X is inputtedijIt is word Xi(wherein i=1 ..., n, j=1 ..., symbol Number XiIn number of characters) in next stage element, such as morpheme (prefix or suffix), root, word XiFrom network feelings to be identified Report, Vc is that the next stage element of word indicates the mapping of (term vector) to its distribution, in this as the first embeding layer, XijBy Vc The two-way long short-term memory layer of first layer is inputted after mapping.VTIt is word Xi(wherein i=1 ..., n, j=1 ..., symbol XiIn Number of characters) arrive its distributed mapping for indicating (i.e. term vector), hereon referred to as the second embeding layer.The two-way long short-term memory of first layer The output of layer and word XiBy VTMapping after output splicing obtain ei(wherein i=1 ... ..., n), as the two-way length of the second layer When remember layer input, then obtain the output d of the two-way long short-term memory layer of the second layeri(wherein i=1 ... ..., n), by tool There is the feedforward neural network of a hidden layer, obtains probability vector ai(wherein i=1 ... ..., n), anT-th of element be n-th Word has the probability of t-th of IOC.With aiTo input, and then obtain output yi(wherein i=1 ... ..., n), that is, in the word identified Network security threats index, such as in aiIn with maximum probability IOC.In one example, training dataset derives from The text of 200 APT (Advanced Persistent Threats, the advanced duration threaten) report manually marked.It will instruction White silk data set is inputted in machine learning model shown in Fig. 2 after pretreatment (such as spcial character replacement, segmentation etc.) and is carried out Training can be used to the identification of network security threats index after the completion of training.After tested, the net of machine learning model identification (F1 score is a kind of index for being used to measure two disaggregated model accuracy in statistics to the F1 score of network security threat index. It has combined the accuracy rate and recall rate of disaggregated model.F1 score can be regarded as one kind of model accuracy rate and recall rate Weighted average, its maximum value is 1, and minimum value is 0) 0.9 or so.
It should be noted that a variety of different identification methods may relate to the matching or input of text, it is not meant to network information service It must be the form of text, be also possible to the forms such as other any forms, such as picture, audio, they can for example turn Chemical conversion text is matched or is inputted.
The more flexible identification suitable for various targets of identification method based on machine learning model, for rule-based and The network security threats index type that the identification method of dictionary cannot all identify well, or great effort is needed to go to tie up Protect dictionary or rule, it is more suitable with the identification method based on machine learning model.
Present inventors have realized that the different characteristics of different types of network security threats index and with it is word-based The adaptability of the identification method in library, rule or machine learning model, thus by the way of above-mentioned packet adaption, compared to ignoring The single identification method of the different characteristics of different types of network security threats index or the blindly identification method of multiplicity, can More efficiently and accurately carry out the identification of network security threats index.
Optionally, after step 101, before step 1061-1063, also in a step 102, it is contemplated that the network of acquisition There are non-network security threat information in information, using preconfigured machine learning classification model, the net that step 101 is obtained Network classification of information filters out the network at network security threats information or non-network security threat information, and in step 103 Non-network security threat information in information.Manpower can be further liberated in this way, artificial screening is not necessarily to, so as to flexibly fit For various information sources.Preconfigured machine learning classification model and processing example are for example as shown in Figure 3.In Fig. 3, in advance The machine learning classification model 300 first configured includes embeding layer 301, convolutional layer 302, maximum pond layer 303 and full articulamentum 304.The classification includes: to obtain the text of the network information service first and input the embeding layer 301, is encoded to point Cloth indicates, then by the distributed expression input convolutional layer 302, to extract the feature of the text of the network information service, and Afterwards by the feature input maximum pond layer 303, to extract the corresponding maximum value of each feature, and by each spy of extraction Corresponding maximum value splicing is levied, the output as the maximum pond layer.The output of the maximum pond layer is finally inputted into institute State full articulamentum 304, so that it may which the output based on the full articulamentum obtains the result of the classification.The machine learning classification Model can use such as title and keyword of 10,000 network security threats information and 10,000 non-network security threat information It is trained.
Optionally, after step 103, before step 1061-1063, also at step 104, preconfigured machine is utilized Device judgment of learning model, judgement are classified as whether the network information service of the network security threats information is effective network security prestige Information is coerced, such as there are such case, a same word has different meanings, so that it is net sometimes under different context Network security threat index and be not sometimes, that is, it is non-effective network security threats information.By such judgement, just The non-effective network security threats information in the network information service can be filtered out in step 105.Preconfigured engineering Practise judgment models and processing example for example, as shown in figure 4.In Fig. 4, the machine learning judgment models 400 include embeding layer 401 and random forest layer 402.The judgement includes: firstly, would be classified as the network information service of the network security threats information Text input is encoded to distributed expression to the embeding layer 401, is then input to the distributed expression random Forest layer 402 is classified as the network information service of the network security threats information with the output judgement according to the random forest layer It whether is effective network security threats information.By these steps, can further help to improve recognition efficiency.The machine Judgment of learning model can be trained using the 2000 network security threats information manually marked, wherein 800 are effective Network security threats information, 1200 are invalid network security threats information.
It should be noted that the text of the network information service obtained herein can be various language, it in one example, can be to it Distinguished according to language, with corresponding different language train come machine learning classification model, machine learning judge mould The machine learning model of type and for identification IOC handle them.
According to above-described embodiment as it can be seen that identification method whether based on dictionary, rule or machine learning model, is The identification method of automated network security threat mark, avoids taking time and effort for manual identified.Since we are to needing to know The network security threats mark of other at least two type is grouped according to identification method, passes through base corresponding with different grouping Identification method in machine learning model, the identification method based on dictionary and rule-based identification method identify, as such, energy It is enough advantageously identified, is avoided using single identification method using the characteristics of different types of network security threats mark Limitation, for example, rule-based identification method is to some species of network security threats mark (such as attack tissue) Invalid, it can not effectively identify, and instead the identification method based on machine learning model can then efficiently identify, certain journey It solves the problems, such as to fail to report and report by mistake on degree.The machine learning model of use can identify the feature of context, so as to distinguish report The non-malicious network security threats index occurred in announcement, this solves the problems, such as to fail to report and report by mistake to a certain extent.Implementing In example, using preconfigured machine learning classification model, the network information service is classified, to be divided into network security threats Information and non-network security threat information simultaneously remove non-network security threat information, can further liberate manpower, without artificial Screening, so as to be flexibly applied to various information sources.In a further embodiment, preconfigured machine learning is utilized Judgment models, judgement are classified as whether the network information service of the network security threats information is effective network security threats feelings Report, and the non-effective network security threats information in the network information service is further removed, it can further help to improve knowledge Other efficiency.
Fig. 5 illustrates an output example of machine learning model according to an embodiment of the present invention.It is trained using above-mentioned Model shown in Fig. 2 the network information service for example obtained from www.freebuf.com is identified, obtain shown in fig. 5 Output, wherein first is classified as the word in network information service, such as 194.70.136, last column is be identified as network security prestige Index, such as B-IP are coerced, that is, refers to IP address, B-DOMAIN refers to domain name, and B-FILEHASH refers to file Hash.
Optionally, in step 107, the recognition result of the network security threats index of at least two type is shown.Institute Stating display can be shown by web page.Fig. 6 a illustrates a display of recognition result according to an embodiment of the present invention Interface, it illustrates multiple items related with the network information service identified.Wherein first row GUID is the network information service obtained Unique identification, secondary series are its titles, and third column are the mark states to the network information service, and the 4th column are operators, the 5th column It is that the network information service crawls the time;6th column are the artificial verification time.
Fig. 6 b illustrates another display interface of recognition result according to an embodiment of the present invention.It illustrates be able to carry out It is artificial to verify and the operation interface of modification, it, can will before artificial verify wherein right side is the network security threats index that need to be marked The recognition result of step 106 is loaded into the corresponding network security threats index in right side, by referring in corresponding network security threat Click is put on, the recognition result that can be loaded with show or hide can increase recognition result manually, delete, search And modification.There is a big text box in left side, wherein the original text of network information service is presented, wherein selectable text can be shown.
Optional step 108, feelings of the computer in the corrigendum instruction for the recognition result received are discussed below Under condition, such as instruction received from user by user interface, the recognition result is corrected.For example, when needing some It when composer of ci poetry's work is labeled as a certain network security threats index, needs manually to choose the word, then clicks " mark " button above, Then the type for the network security threats index to be marked is selected in the menu then shown.It is, of course, also possible to similar Mode is modified or is deleted in a manual manner by means of other menus or button, such mark, modification or delete can be It is embodied in the respective field of right side.After artificial mark finishes, " saving modification " button is clicked.In one example, the preservation is not It only local saves, can also be submitted to server preservation.This completes the corrigendums of the recognition result to step 106.Fig. 6 b Shown in there are also with lower button in interface: " resetting " button is abandoned all artificial marks and modification, is reset in step 106 Automatic recognition result;" deleting all marks " button, i.e. all marks in deletion current network information, including automatically mark Note and artificial mark.Certainly can also have other buttons assist the recognition result to computer to be increased manually, delete, It searches and modifies.
The result for the corrigendum that step 108 obtains can feed back computer, be optimized with identifying to it, be based particularly on The identification of machine learning model and identification based on dictionary.It therefore optionally, is to utilize in the recognition result in step 109 In the case that identification method based on machine learning model identifies, using the result corrected in step 108 to described Machine learning model is further trained;It and/or in the recognition result is identified using the identification method based on dictionary In the case where out, dictionary is updated using the result corrected in step 108.
By the interaction with such as WEB page, machine learning model can constantly receive front end feedback as a result, to It constantly trains, optimize the machine learning model, to be continuously improved, dictionary can also obtain the identification accuracy of machine learning model Continuous to update, this also solves the problems, such as to fail to report and report by mistake to a certain extent.
Whether the knot for the corrigendum that the recognition result identified by computer or step 108 that step 106 obtains obtain Fruit can be used as basis to export network security threats warning to user, be also used as further analyzing, such as network peace The statistical analysis of relevance between the full type for threatening index, such as some attack tissue, it commonly uses any attacking ways, attack Which what object of attack, what malicious IP addresses used, domain name as the md5 of file Hash be, domain registrar whom's What etc. mailbox be, these information associations can be got up, and facilitates other application, such as more based on these associated information The identification of associated IOC is realized fastly.Therefore optionally, in step 110, recognition result is analyzed, to obtain the network security Threaten the relevance between the type of index.And optionally, in step 111, it is based on the recognition result, exports network to user Security threat warning.
The process can be periodically executed, to continue to optimize.For example, newly-increased network information service (step 101) is crawled daily, it can After processing of the selection of land by classifying, judging and filtering out (step 102-105), automatic identification (step 106) is carried out, step is passed through Rapid 107 and 108 receive it is artificial verify, the optimization (step 109) of the result of corrigendum mode for identification so recycles, favorably In the reliability that automatic identification is continuously improved, grow with each passing hour.
Fig. 7 illustrates the block diagram of network security threats index identification equipment according to an embodiment of the present invention.The equipment includes Getter 701 and identifier 702.Wherein getter 701 is configured to obtain network information service, in one example, getter 701 External network security threat information source is crawled by crawler technology to obtain network information service.The external network security threat information source It is generally selected from Cyberthreat intelligence sharing platform, the network information service shared on e.g. website www.freebuf.com.Certainly, In another example, which may also be doped with non-network security threat information.Identifier 702 is configured to be directed to At least two network security threats indexs, identify the network information service, to obtain at least two network securitys prestige Coerce the recognition result of index.Wherein, at least two network security threats index is divided at least two groups in advance, for Described at least two groups are adapted to respectively different identification methods in advance.The network security threats index of above-mentioned at least two type and Its example being grouped, and example --- the identification method, rule-based knowledge based on dictionary of the corresponding identification method being adapted to Other mode and the identification method based on machine learning algorithm, can be referring specifically to the corresponding description in previous step 106, herein It repeats no more.The identification method based on dictionary is realized with dictionary identifier 7021 respectively in Fig. 7, with the realization of regular identifier 7022 Rule-based identification method realizes the identification method based on machine learning model with machine learning model identifier 7023.
Optionally, network security threats index identification equipment can also include man-machine interface 703, wherein further comprising defeated Enter unit 7031 and output unit 7032, output unit 7032 shows the identification of the network security threats index of at least two types As a result;Input unit 7032 is indicated in response to the corrigendum for the recognition result received, is carried out to the recognition result Corrigendum.The result of corrigendum can feed back identifier 702, be optimized with identifying to it, and especially machine learning model identifies Device 7023 and dictionary identifier 7021.The mode of optimization refers to the description of previous step 109, and details are not described herein.
Optionally, network security threats index identification equipment can also include classifier 704 and the first stripper 705, divide Class device 704 is configured for before identifying to the network information service: preconfigured machine learning classification model is utilized, The network information service is categorized into network security threats information or non-network security threat information, then by the first stripper 705 Filter out the non-network security threat information in the network information service.Further explanation about classifier may refer to previous step 102 description.
Optionally, network security threats index identification equipment can also include determining device 706 and the second stripper 707, sentence Disconnected device 706 is configured for after the classification with described filter out: utilizing preconfigured machine learning judgment models, judgement Whether the network information service for being classified as the network security threats information is effective network security threats information;And it filters out described Non-effective network security threats information in network information service.Further explanation about determining device 706 may refer to walk above Rapid 104 description.
Fig. 8 illustrates hardware implementation environment schematic diagram according to an embodiment of the present invention.Referring to Fig. 8, in implementation of the invention In mode, network security threats index identification device 800 includes processor 804, including hardware elements 810.Processor 804 It can for example including one or more digital signal processors (DSP), general purpose microprocessor, specific integrated circuit (ASIC), scene The one or more processors such as programmed logic array (PLA) (FPGA) or other equivalent integrated or discrete logic.As made herein Term " processor " can refer to above structure or be adapted for carrying out in any other structures of technology described herein Any one.In addition, in certain aspects, functionalities described herein, which may be provided in, is configured for use in network security threats index In the specialized hardware and/or software module of identification, or it is incorporated in knockdown hardware and/or software module.Also, can by institute The technology of stating is fully implemented in one or more circuits or logic element.Method in the disclosure can be in various assemblies, module Or it is realized in unit, but be not necessarily required to realize by different hardware unit.But as described above, various assemblies, module or Unit can be combined or be combined by the set of interoperability hardware cell (comprising one or more processors as described above) suitable soft Part and/or firmware provide.
In one or more examples, technical solution described in above combination Fig. 1-Fig. 7 can be with hardware, software, firmware Or any combination thereof implement.If implemented in software, then function can be used as one or more instructions or code is stored in meter It transmits on calculation machine readable medium or via computer-readable medium 806, and is executed by hardware based processor.It is computer-readable Medium 806 may include the computer readable storage medium corresponding to the tangible medium such as data storage medium, or comprising promoting Computer program is for example transmitted to the communication media of any medium at another place according to communication protocol from one.By this method, it counts Calculation machine readable medium 806 may generally correspond to the tangible computer readable storage medium of (1) non-transitory, or (2) such as signal Or the communication medias such as carrier wave.Data storage medium can be that can be read by one or more computers or one or more processors To retrieve for implementing the instruction of technology described in the disclosure, any usable medium of code and/or data structure.Computer Program product may include computer-readable medium 806.
For example it and not limits, such computer readable storage medium may include RAM, ROM, EEPROM, CD_ROM The memories such as other CDs, magnetic disk storage or other magnetic storages, flash memory or can be used to instruct or data Any other memory 812 that the form of structure stores wanted program code and can be read by computer.Moreover, will properly appoint What connection is referred to as computer-readable medium 806.For example, if ordered using coaxial cable, fiber optic cables, twisted pair, number Family line (DSL) or the wireless technology such as infrared ray, radio and microwave refer to from the transmission of website, server or other remote sources It enables, then coaxial cable, fiber optic cables, twisted pair, DSL or the wireless technology such as infrared ray, radio and microwave are contained in Jie In the definition of matter.It is to be appreciated, however, that computer readable storage medium and data storage medium do not include connection, carrier wave, signal or Other transient mediums, but it is directed to non-instantaneous tangible media.As used herein, disk and CD include compact disk (CD), laser-optical disk, optical compact disks, digital versatile disc (DVD), floppy disc and Blu-ray Disc, wherein disk is usually with magnetic Property mode regenerates data, and usage of CD -ROM laser regenerates data optically.Combination of the above should also be included in computer can In the range of reading medium 806.
Network security threats index identification device 800 can also include the I/O interface and other function for being used for transmission data Energy 814.Network security threats index identification device 800 may include in different devices, such as mobile phone, intelligence electricity Words, plate, laptop computer, desktop computer, game console, mobile unit, such as TV, player etc household electric have a high regard for What can network or receive in other ways the device of information, and here is illustrated computer 816, mobile device 818 and other dresses Set 820.Each of these configurations include the equipment that can have general different construction and ability, and therefore can basis One or more Configuration network security threat index identification devices 800 in distinct device classification.Furthermore technology of the invention is also It can entirely or partly be realized on " cloud " 822 by using distributed system, such as by platform 824 as described below.
Cloud 822 includes and/or representative is used for the platform 824 of resource 826.The hardware of 824 abstract cloud 822 of platform is (for example, clothes Be engaged in device) and software resource bottom function.Resource 826 may include executing calculating on far from the server for calculating equipment 802 The application and/or data that can be used when machine processing.Resource 826 can also include by internet and/or passing through such as honeycomb Or the service that the subscriber network of Wi-Fi network provides.
Platform 824 can be connect with abstract resource and function with that will calculate equipment 802 with other calculating equipment.Platform 824 is also It can be used for the classification of abstract resource to provide the corresponding water of the demand for the resource 826 realized via platform 824 encountered Flat classification.Therefore, in interconnection equipment embodiment, the realization of functions described herein can be distributed in whole system.Example Such as, function can be realized partly on calculating equipment 802 and through the platform 824 of the function of abstract cloud 822.
Manual identified is avoided using the identification method of automated network security threat mark according to above-described embodiment Take time and effort.Since we divide the network security threats mark for multiple types that needs identify according to identification method Group, by the identification method based on machine learning model corresponding with different grouping, the identification method based on dictionary and based on rule Identification method then identifies, as such, can advantageously carry out using the characteristics of different types of network security threats index Identification avoids the limitation using single identification method, for example, rule-based identification method pacifies some species of network Threat index (such as attack tissue) is invalid entirely, can not effectively be identified, and instead based on the identification of machine learning model Mode can then efficiently identify, and solve the problems, such as to fail to report to a certain extent and report by mistake.For example, by the friendship with WEB page Mutually, machine learning model can constantly receive front end feedback as a result, to constantly training, optimize the machine learning model, To be continuously improved, dictionary also can constantly be updated for the identification accuracy of machine learning model, this is also to a certain extent It solves the problems, such as to fail to report and report by mistake.In addition, the machine learning model used can identify the feature of context, so as to distinguish report The non-malicious network security threats index occurred in announcement, this solves the problems, such as to fail to report and report by mistake to a certain extent again.
It is to be appreciated that the statements such as " first " that occurs in the disclosure, " second " do not represent the elder generation of instruction importance or step Afterwards, it is only for distinguishing.Method and step is being not particularly illustrated or (execution of i.e. one step need to be with another without precedence constraint Premised on the implementing result of one step) in the case where, the execution that the description of method and step does not represent them successively is successive, is retouched The method and step stated can be executed with possible, reasonable sequence.
Those skilled in the art after considering the specification and implementing the invention disclosed here, will readily occur to its of the application Its embodiment.This application is intended to cover any variations, uses, or adaptations of the application, these modifications, purposes or Person's adaptive change follows the general principle of the application and including the undocumented common knowledge in the art of the application Or conventional techniques.The description and examples are only to be considered as illustrative, and the true scope and spirit of the application are wanted by right It asks and points out.
It should be understood that the application is not limited to the precise structure that has been described above and shown in the drawings, and And various modifications and changes may be made without departing from the scope thereof.Scope of the present application is only limited by the accompanying claims.

Claims (15)

1. a kind of network security threats index recognition methods, comprising:
Obtain network information service;And
For at least two network security threats indexs, the network information service is known using the identification method being adapted in advance Not, to obtain the recognition result of at least two network security threats index,
Wherein, at least two network security threats index is divided at least two groups in advance, for described at least two Group is adapted to respectively different identification methods in advance, and
Wherein, the different identification method includes the identification method based on machine learning model.
2. the method as described in claim 1 further comprises before identifying to the network information service:
Using preconfigured machine learning classification model, the network information service is categorized into network security threats information or non-net Network security threat information;And
Filter out the non-network security threat information in the network information service.
3. method according to claim 2,
Wherein, the preconfigured machine learning classification model includes embeding layer, convolutional layer, maximum pond layer and full connection Layer, and
Wherein, the classification further comprises:
It obtains the text of the network information service and inputs the embeding layer, be encoded to distributed expression;
By the distributed expression input convolutional layer, to extract the feature of the text of the network information service;
By the feature input maximum pond layer, to extract the corresponding maximum value of each feature, by each feature of extraction Corresponding maximum value splicing, the output as the maximum pond layer;
The output of the maximum pond layer is inputted into the full articulamentum, the output based on the full articulamentum obtains the classification Result.
4. method according to claim 2 further comprises after the classification and described filter out:
Using preconfigured machine learning judgment models, the network information service that judgement is classified as the network security threats information is No is effective network security threats information;And
Filter out the non-effective network security threats information in the network information service;Wherein, the machine learning judgment models packet Embeding layer and random forest layer are included, and
Wherein, it is described judgement include:
The text input of the network information service of the network security threats information be would be classified as to the embeding layer, be encoded to Distribution indicates;And
The distributed expression is input to random forest layer, it is described to be classified as according to the output of random forest layer judgement Whether the network information service of network security threats information is effective network security threats information.
5. such as method of any of claims 1-4, wherein the different identification method further include:
Identification method based on dictionary, wherein by the word progress in the word in the network information service and the dictionary pre-established Match, will matched word as recognition result;With
Rule-based identification method, wherein the text of the network information service is parsed using pre-set rule, it will Meet the content of the rule as recognition result.
6. further comprising such as method of any of claims 1-4:
The recognition result is shown by web page;And
In the case where receiving the corrigendum instruction for the recognition result, the recognition result is corrected.
7. such as method of any of claims 1-4,
Wherein, first group in described at least two groups includes the network security threats index of following type: influencing area peace Platform, and
The wherein network security threats index identify include: for any class in described first group, utilizes base The network information service is identified in the identification method of dictionary, wherein the identification method based on dictionary is by the network information service In word matched with the word in the dictionary pre-established, will matched word as recognition result.
8. such as method of any of claims 1-4,
Wherein, second group in described at least two groups includes the network security threats index of following type: the basic number of program According to file, registration table, service and startup item, and
The wherein network security threats index identify include: for any class in described second group, utilizes base The network information service is identified in the identification method of rule, wherein rule-based identification method is using pre-set Rule parses the network information service, will meet the content of the rule as recognition result.
9. such as method of any of claims 1-4,
Wherein, the third group in described at least two groups includes the network security threats index of following type: wooden horse family threatens Tissue, threat object, threaten gimmick, loophole use, file Hash, IP address, domain name, the file information, URL(Uniform Resource Locator), Mutual exclusion lock and mailbox, and
The wherein network security threats index identify include: for any class in the third group, utilizes base The network information service is identified in the identification method of machine learning model.
10. further comprising such as method of any of claims 1-4:
The recognition result is statisticallyd analyze, to obtain the relevance between the type of the network security threats index;And/or
Based on the recognition result, network security threats warning is exported.
11. method as claimed in claim 6, further comprising:
In the case where the recognition result is identified using the identification method based on machine learning model, using being corrected Recognition result the machine learning model is further trained;And/or
In the case where the recognition result is identified using the identification method based on dictionary, corrected identification knot is utilized Fruit is updated dictionary, wherein the identification method based on dictionary is by the word in the network information service and the dictionary pre-established In word matched, will matched word as recognition result.
12. such as method of any of claims 1-4, wherein the machine learning model includes the first embeding layer, the The two-way long short-term memory layer of two embeding layers, first layer, the two-way long short-term memory layer of the second layer, Feedforward Neural Networks network layers and optimization Layer;And
Wherein, carrying out identification to the network information service using the machine learning model includes:
The next stage element of the word of the network information service is inputted into first embeding layer, to be encoded to the next stage element Distribution indicates;
Distributed by the next stage element indicates the input two-way long short-term memory layer of first layer, obtains the first layer The output of two-way long short-term memory layer;
The word of the network information service is inputted into second embeding layer, the distribution of predicate indicates to be encoded to;
It indicates the output of the two-way long short-term memory layer of the first layer and the distributed of institute's predicate to input described second after splicing The two-way long short-term memory layer of layer, obtains the output of the two-way long short-term memory layer of the second layer;
The two-way long short-term memory layer of the second layer is input to the Feedforward Neural Networks network layers with a hidden layer, is obtained Into word with the probability of each network security threats index;And
The probability is inputted into the optimization layer, obtained output is the network security threats index in the network information service.
13. a kind of network security threats index identifies equipment, comprising:
Getter is configured to obtain network information service;And
Identifier is configured to identify the network information service at least two network security threats indexs, to obtain To the recognition result of at least two network security threats index,
Wherein, at least two network security threats index is divided at least two groups in advance, for described at least two Group is adapted to respectively different identification methods in advance, and
Wherein, the different identification method includes the identification method based on machine learning model.
14. a kind of network security threats index identification device, comprising:
Processor;And
Memory is configured as being stored with computer executable instructions on it, and described instruction is worked as to be held in the processor When row, so that the processor realizes such as method of any of claims 1-12.
15. a kind of computer readable storage medium, which is characterized in that instruction is stored in the computer readable storage medium, When described instruction is run on computers, so that the computer realizes such as side of any of claims 1-12 Method.
CN201910493265.2A 2019-06-06 2019-06-06 Network security threat indicator identification method, equipment, device and computer readable storage medium Active CN110177114B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910493265.2A CN110177114B (en) 2019-06-06 2019-06-06 Network security threat indicator identification method, equipment, device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910493265.2A CN110177114B (en) 2019-06-06 2019-06-06 Network security threat indicator identification method, equipment, device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN110177114A true CN110177114A (en) 2019-08-27
CN110177114B CN110177114B (en) 2021-07-13

Family

ID=67697183

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910493265.2A Active CN110177114B (en) 2019-06-06 2019-06-06 Network security threat indicator identification method, equipment, device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN110177114B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110730164A (en) * 2019-09-18 2020-01-24 平安科技(深圳)有限公司 Safety early warning method, related equipment and computer readable storage medium
CN111447215A (en) * 2020-03-25 2020-07-24 深信服科技股份有限公司 Data detection method, device and storage medium
CN112019519A (en) * 2020-08-06 2020-12-01 杭州安恒信息技术股份有限公司 Method and device for detecting threat degree of network security information and electronic device
CN112087451A (en) * 2020-09-09 2020-12-15 杭州安恒信息技术股份有限公司 Network security protection method, device, equipment and readable storage medium
CN112995204A (en) * 2021-04-09 2021-06-18 厦门市美亚柏科信息股份有限公司 Method, device, equipment and storage medium for safely reading Protonmail encrypted mail
CN113472788A (en) * 2021-06-30 2021-10-01 深信服科技股份有限公司 Threat awareness method, system, equipment and computer readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107391684A (en) * 2017-07-24 2017-11-24 深信服科技股份有限公司 A kind of method and system for threatening information generation
CN107391598A (en) * 2017-06-30 2017-11-24 北京航空航天大学 One kind threatens information automatic generation method and system
US10250621B1 (en) * 2016-11-17 2019-04-02 EMC IP Holding Company LLC Automatic extraction of indicators of compromise from multiple data sources accessible over a network

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10250621B1 (en) * 2016-11-17 2019-04-02 EMC IP Holding Company LLC Automatic extraction of indicators of compromise from multiple data sources accessible over a network
CN107391598A (en) * 2017-06-30 2017-11-24 北京航空航天大学 One kind threatens information automatic generation method and system
CN107391684A (en) * 2017-07-24 2017-11-24 深信服科技股份有限公司 A kind of method and system for threatening information generation

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
徐文韬: "面向威胁情报的攻击指示器自动生成", 《通信技术》 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110730164A (en) * 2019-09-18 2020-01-24 平安科技(深圳)有限公司 Safety early warning method, related equipment and computer readable storage medium
CN110730164B (en) * 2019-09-18 2022-09-16 平安科技(深圳)有限公司 Safety early warning method, related equipment and computer readable storage medium
CN111447215A (en) * 2020-03-25 2020-07-24 深信服科技股份有限公司 Data detection method, device and storage medium
CN112019519A (en) * 2020-08-06 2020-12-01 杭州安恒信息技术股份有限公司 Method and device for detecting threat degree of network security information and electronic device
CN112087451A (en) * 2020-09-09 2020-12-15 杭州安恒信息技术股份有限公司 Network security protection method, device, equipment and readable storage medium
CN112995204A (en) * 2021-04-09 2021-06-18 厦门市美亚柏科信息股份有限公司 Method, device, equipment and storage medium for safely reading Protonmail encrypted mail
CN112995204B (en) * 2021-04-09 2022-07-08 厦门市美亚柏科信息股份有限公司 Method, device, equipment and storage medium for safely reading Protonmail encrypted mail
CN113472788A (en) * 2021-06-30 2021-10-01 深信服科技股份有限公司 Threat awareness method, system, equipment and computer readable storage medium

Also Published As

Publication number Publication date
CN110177114B (en) 2021-07-13

Similar Documents

Publication Publication Date Title
CN110177114A (en) The recognition methods of network security threats index, unit and computer readable storage medium
US10375093B1 (en) Suspicious message report processing and threat response
Kintis et al. Hiding in plain sight: A longitudinal study of combosquatting abuse
US10162970B2 (en) Automated intelligence graph construction and countermeasure deployment
CN103559235B (en) A kind of online social networks malicious web pages detection recognition methods
Ho et al. Detecting and characterizing lateral phishing at scale
CN109510815B (en) Multi-level phishing website detection method and system based on supervised learning
CA2840992C (en) Syntactical fingerprinting
CN108092962A (en) A kind of malice URL detection method and device
Patil et al. Malicious URLs detection using decision tree classifiers and majority voting technique
Jiang et al. A deep learning based online malicious URL and DNS detection scheme
Vasek et al. Hacking is not random: a case-control study of webserver-compromise risk
Wardman et al. High-performance content-based phishing attack detection
CN104158828B (en) The method and system of suspicious fishing webpage are identified based on cloud content rule base
CN112131882A (en) Multi-source heterogeneous network security knowledge graph construction method and device
CN109104421B (en) Website content tampering detection method, device, equipment and readable storage medium
CN109074454A (en) Malware is grouped automatically based on artefact
CN111104579A (en) Identification method and device for public network assets and storage medium
Adewole et al. Hybrid rule-based model for phishing URLs detection
McCalley et al. Analysis of back-doored phishing kits
Manyumwa et al. Towards Fighting Cybercrime: Malicious URL Attack Type Detection using Multiclass Classification
Priya et al. Detection of phishing websites using C4. 5 data mining algorithm
Chen et al. Ai@ ntiphish—machine learning mechanisms for cyber-phishing attack
He et al. Malicious domain detection via domain relationship and graph models
EP3699796A1 (en) Message report processing and threat prioritization

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant