CN110198303A - Generation method and device, storage medium and electronic device for threat intelligence - Google Patents
- Publication number: CN110198303A (application number CN201910345207.5A)
- Authority: CN (China)
- Prior art keywords: information, sample, common feature, malice, group
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F18/23213: Non-hierarchical clustering techniques using statistics or function optimisation (e.g. modelling of probability density functions) with a fixed number of clusters, e.g. K-means clustering (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F18/00 Pattern recognition > G06F18/20 Analysing > G06F18/23 Clustering techniques > G06F18/232 Non-hierarchical techniques > G06F18/2321)
- H04L63/1416: Event detection, e.g. attack signature detection (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 for detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic)
- H04L2463/146: Tracing the source of attacks (H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00)
Abstract
The present invention provides a generation method and device, storage medium and electronic device for threat intelligence. The method comprises: collecting a plurality of malicious samples from a business system; performing homology analysis on the plurality of malicious samples to determine the common feature of each group of malicious samples; and generating threat intelligence for advanced persistent threat (APT) attacks according to the common feature. The invention solves the technical problem in the related art that the production of threat intelligence for APT attacks is inefficient.
Description
Technical field
The present invention relates to the field of network security, and in particular to a generation method and device, storage medium and electronic device for threat intelligence.
Background art
A network attack is an attack launched against electronic equipment by a hacker, a virus, a Trojan or the like, and causes heavy losses to users through theft of files and the like.
When tracking an advanced persistent threat (APT) group, context correlation analysis is mainly performed on attacks such as malicious files and phishing e-mails propagating on the Internet. Attackers use malicious programs to intrude into and control network and information systems in order to steal sensitive data and damage the system and network environment, so the detection rate for malicious samples propagating in enterprise networks and the capability for batch analysis urgently need to be improved.
In the related art, in the field of computer security, network attacks are currently becoming more specialized and more targeted. Faced with such attacks, an overall understanding of the attack is often lacking, and defences against it are fought in isolation without forming a sound defence system. For example, APT attacks or the "Stuxnet" virus are purposeful and targeted, and are aggressive only toward a specific industry or certain target systems. At present there is no scheme that can obtain threat intelligence in advance when such an attack occurs on a small scale and then issue early warnings and defend on a wide scale, so the defence against network attacks lags behind.
No effective solution to the above problem in the related art has yet been found.
Summary of the invention
Embodiments of the present invention provide a generation method and device, storage medium and electronic device for threat intelligence.
According to one embodiment of the present invention, a generation method for threat intelligence is provided, comprising: collecting a plurality of malicious samples from a business system; performing homology analysis on the plurality of malicious samples to determine the common feature of each group of malicious samples; and generating threat intelligence for advanced persistent threat (APT) attacks according to the common feature.
Optionally, performing homology analysis on the plurality of malicious samples to determine the common feature of each group of malicious samples comprises: classifying the known samples among the plurality of malicious samples and clustering the unknown samples among the plurality of malicious samples; labelling each group of samples after classification or clustering, and recording the behavior information of each group of samples; and determining identical behavior information as the common feature of each group of malicious samples.
Optionally, clustering the unknown samples among the plurality of malicious samples comprises: partitioning the unknown samples according to their object attributes using a K-means clustering algorithm, wherein the object attributes comprise: hash value, compile time, feature strings, file type, import table hash (imphash) and export list, wherein the feature strings comprise at least one of: program database (PDB) file, domain name, IP address and uniform resource locator (URL), and the export list comprises the file list for a compressed file and the structure information list for a non-portable-executable (non-PE) file; and calculating the distance between the object attribute values of each unknown sample and each cluster center, and assigning each unknown sample to the nearest cluster center, wherein each cluster center is one group.
Optionally, determining identical behavior information as the common feature of each group of malicious samples comprises: performing a reverse lookup of an IP address from the Message-Digest Algorithm 5 (MD5) value in the behavior information; and determining the executing entity of each class of behavior executed on that IP address as one attack source of the APT attack.
Optionally, generating the threat intelligence for APT attacks according to the common feature comprises: determining the context information of the common feature according to preset correlation rules; identifying at least one of the following according to the context information: APT organization identity, indicator of compromise (IOC) information, and tactics, techniques and procedures (TTP) information; and generating the threat intelligence related to the common feature according to that information.
Optionally, after generating the threat intelligence for advanced persistent threat (APT) attacks according to the common feature, the method further comprises: marking the IP information of the malicious samples; and, after associating the IP information with the threat intelligence, adding it to a threat intelligence library.
According to another embodiment of the present invention, a generating device for threat intelligence is provided, comprising: a collection module for collecting a plurality of malicious samples from a business system; an analysis module for performing homology analysis on the plurality of malicious samples to determine the common feature of each group of malicious samples; and a generation module for generating threat intelligence for advanced persistent threat (APT) attacks according to the common feature.
Optionally, the analysis module comprises: a grouping unit for classifying the known samples among the plurality of malicious samples and clustering the unknown samples among the plurality of malicious samples; a recording unit for labelling each group of samples after classification or clustering and recording the behavior information of each group of samples; and a determination unit for determining identical behavior information as the common feature of each group of malicious samples.
Optionally, the grouping unit comprises: a partitioning subunit for partitioning the unknown samples according to their object attributes using a K-means clustering algorithm, wherein the object attributes comprise: hash value, compile time, feature strings, file type, import table hash (imphash) and export list, wherein the feature strings comprise at least one of: program database (PDB) file, domain name, IP address and uniform resource locator (URL), and the export list comprises the file list for a compressed file and the structure information list for a non-portable-executable (non-PE) file; and an assignment subunit for calculating the distance between the object attribute values of each unknown sample and each cluster center and assigning each unknown sample to the nearest cluster center, wherein each cluster center is one group.
Optionally, the determination unit comprises: a lookup subunit for performing a reverse lookup of an IP address from the Message-Digest Algorithm 5 (MD5) value in the behavior information; and a determination subunit for determining the executing entity of each class of behavior executed on that IP address as one attack source of the APT attack.
Optionally, the generation module comprises: a determination unit for determining the context information of the common feature according to preset correlation rules; an identification unit for identifying at least one of the following according to the context information: APT organization identity, indicator of compromise (IOC) information, and tactics, techniques and procedures (TTP) information; and a generation unit for generating the threat intelligence related to the common feature according to that information.
Optionally, the device further comprises: a marking module for marking the IP information of the malicious samples after the generation module has generated the threat intelligence for APT attacks according to the common feature; and an adding module for adding the IP information to a threat intelligence library after associating it with the threat intelligence.
According to yet another embodiment of the present invention, a storage medium is also provided, in which a computer program is stored, wherein the computer program is arranged to execute, when run, the steps of any one of the above method embodiments.
According to yet another embodiment of the present invention, an electronic device is also provided, comprising a memory and a processor, wherein a computer program is stored in the memory and the processor is arranged to run the computer program so as to execute the steps of any one of the above method embodiments.
Through the present invention, a plurality of malicious samples are collected from a business system, homology analysis is then performed on the plurality of malicious samples to determine the common feature of each group of malicious samples, and finally threat intelligence for advanced persistent threat (APT) attacks is generated according to the common feature, which solves the technical problem in the related art that the production of threat intelligence for APT attacks is inefficient. This improves the ability to discover unknown IOCs, greatly improves the ability of operations analysts to analyze, trace and attribute malicious samples, and is of great help to security personnel in tracking the identity information of APT attackers.
Description of the drawings
The drawings described herein are used to provide a further understanding of the present invention and constitute part of this application; the illustrative embodiments of the present invention and their description are used to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a hardware block diagram of a server for generating threat intelligence according to an embodiment of the present invention;
Fig. 2 is a flow chart of a generation method for threat intelligence according to an embodiment of the present invention;
Fig. 3 is the complete business logic diagram of an embodiment of the present invention;
Fig. 4 is the business flow diagram of an embodiment of the present invention;
Fig. 5 is a structural block diagram of a generating device for threat intelligence according to an embodiment of the present invention.
Specific embodiments
In order to enable those skilled in the art to better understand the solution of the present application, the technical solution in the embodiments of the present application will be described clearly and completely below in conjunction with the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in the present application without creative effort shall fall within the scope of protection of the present application. It should be noted that, in the absence of conflict, the embodiments of the present application and the features in those embodiments can be combined with each other.
It should be noted that the terms "first", "second" and the like in the description, claims and drawings of the present application are used to distinguish similar objects and are not used to describe a particular order or sequence. It should be understood that data so used are interchangeable under appropriate circumstances, so that the embodiments described herein can be implemented in an order other than those illustrated or described herein. In addition, the terms "comprising" and "having" and any variations thereof are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to those steps or units expressly listed, but may include other steps or units not expressly listed or inherent to that process, method, product or device.
Embodiment 1
The method embodiment provided in Embodiment 1 of the present application can be executed in a server or a similar computing device. Taking execution on a server as an example, Fig. 1 is a hardware block diagram of a server for generating threat intelligence according to an embodiment of the present invention. As shown in Fig. 1, the server 10 may comprise one or more processors 102 (only one is shown in Fig. 1; the processor 102 may include, but is not limited to, a processing device such as a microcontroller unit (MCU) or a programmable logic device (FPGA)) and a memory 104 for storing data; optionally, the server may further comprise a transmission device 106 for communication functions and an input/output device 108. Those skilled in the art will understand that the structure shown in Fig. 1 is only illustrative and does not limit the structure of the server. For example, the server 10 may include more or fewer components than shown in Fig. 1, or have a configuration different from that shown in Fig. 1.
The memory 104 can be used to store computer programs, for example the software programs and modules of application software, such as the computer program corresponding to the generation method for threat intelligence in an embodiment of the present invention; the processor 102 executes various functional applications and data processing by running the computer program stored in the memory 104, thereby realizing the above method. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, and such remote memory may be connected to the server 10 over a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The transmission device 106 is used to receive or send data over a network. Specific examples of the network may include a wireless network provided by the communication provider of the server 10. In one example, the transmission device 106 includes a network interface controller (NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 106 can be a radio frequency (RF) module, which is used to communicate with the Internet wirelessly.
A generation method for threat intelligence is provided in this embodiment. Fig. 2 is a flow chart of a generation method for threat intelligence according to an embodiment of the present invention; as shown in Fig. 2, the process comprises the following steps:
Step S202: collecting a plurality of malicious samples from a business system.
The malicious samples of this embodiment are hardware, software and code that exploit vulnerabilities and security defects in a network or hardware entity to attack the hardware, software, programs, files, data and the like in a network system.
After a malicious sample is obtained, the file type of the malicious sample or the type of device running the malicious sample is also detected. The file type includes public files and private files: when the malicious sample is a public file it is sent to a public cloud server, and when the malicious sample is a private file it is sent to a private cloud server or a local server. Likewise, when the device type is a device in a designated environment (such as the equipment of a unit with strong confidentiality requirements, e.g. a government body or a financial institution), the malicious sample is sent to a private cloud server or a local server, and when the device type is a device in a general environment, the malicious sample is sent to a public cloud server.
Step S204: performing homology analysis on the plurality of malicious samples to determine the common feature of each group of malicious samples.
Step S206: generating threat intelligence for advanced persistent threat (APT) attacks according to the common feature. The threat intelligence for APT attacks in this embodiment includes APT organization information, member identity information and information such as the means, scope, time and targets of the APT attack.
Through the above steps, a plurality of malicious samples are collected from a business system, homology analysis is then performed on them to determine the common feature of each group of malicious samples, and finally threat intelligence for APT attacks is generated according to the common feature, which solves the technical problem in the related art that the production of threat intelligence for APT attacks is inefficient. This improves the ability to discover unknown IOCs, greatly improves the ability of operations analysts to analyze, trace and attribute malicious samples, and is of great help to security personnel in tracking the identity information of APT attackers.
In an implementation of this embodiment, performing homology analysis on the plurality of malicious samples to determine the common feature of each group of malicious samples comprises:
S11: classifying the known samples among the plurality of malicious samples, and clustering the unknown samples among the plurality of malicious samples.
Optionally, clustering the unknown samples among the plurality of malicious samples comprises: partitioning the unknown samples according to their object attributes using a K-means clustering algorithm, wherein the object attributes comprise: hash value, compile time, feature strings, file type, import table hash (imphash) and export list, wherein the feature strings comprise at least one of: program database (PDB) file, domain name, IP address and uniform resource locator (URL), and the export list comprises the file list for a compressed file and the structure information list for a non-portable-executable (non-PE) file; and calculating the distance between the object attribute values of each unknown sample and each cluster center, and assigning each unknown sample to the nearest cluster center, wherein each cluster center is one group.
S12: labelling each group of samples after classification or clustering, and recording the behavior information of each group of samples.
Through homology analysis of the malicious samples, the samples are classified and clustered, the unknown samples are labelled, the behavior information of each sample is recorded, and the grouping information obtained by classification and clustering is displayed and stored. Homologous samples may belong to an APT, or may belong to a dual structure of a certain APT plus the cybercrime ("black industry") ecosystem.
The classification and clustering of this embodiment is a machine learning process: a classification and clustering algorithm from machine learning, such as the K-means algorithm, classifies the samples automatically, partitioning them by the attributes of the object, for example the following classes of information: 1. hash; 2. compile time; 3. feature strings: PDB, domain name, IP, URL; 4. file type; 5. imphash; 6. export list (the file list for a compressed file, the structure information list for a non-PE file); 7. detection label; 8. known attack source label. After the above information has been classified and clustered and the algorithm has grouped it automatically, the common features of the file information are found. Because a running sample carries many system-related "DNA" attributes of its own, these need to be excluded, otherwise grouping accuracy suffers. Newly discovered information data can be put through secondary production to generate new threat intelligence, i.e. IOC information.
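As an added illustration of S11 and S12 (not code from the patent), the following Python groups constructed sample metadata by K-means over the object attributes listed above, first drops the near-universal "system DNA" attributes, and then reports each group's common feature. The samples, the 0.9 noise threshold, the farthest-first seeding and the scaling of compile time are all assumptions of this example.

```python
"""Homology analysis of unknown malicious samples: K-means over the object
attributes the patent lists (compile time, feature strings, file type, imphash,
export list), then the per-group common feature.  Added example, not the
patent's code; all sample metadata below is constructed."""
from collections import Counter

# Constructed sample metadata (documentation-range addresses, .example domains).
# "md5" only serves as the sample id here.  "domain:ntp.example" is placed in
# every sample to stand in for the system-related "DNA" noise the patent says
# must be excluded before grouping.
SAMPLES = [
    {"md5": "a1", "compile_time": 1514764800, "file_type": "PE", "imphash": "imp-A",
     "strings": {"pdb:C:\\work\\loader\\x.pdb", "domain:update-check.example",
                 "domain:ntp.example"}, "exports": ["Run", "Init"]},
    {"md5": "a2", "compile_time": 1515000000, "file_type": "PE", "imphash": "imp-A",
     "strings": {"pdb:C:\\work\\loader\\y.pdb", "domain:update-check.example",
                 "domain:ntp.example"}, "exports": ["Run", "Init"]},
    {"md5": "b1", "compile_time": 1546300800, "file_type": "PE", "imphash": "imp-B",
     "strings": {"url:http://cdn-static.example/p", "ip:203.0.113.9",
                 "domain:ntp.example"}, "exports": ["DllMain"]},
    {"md5": "b2", "compile_time": 1546400000, "file_type": "PE", "imphash": "imp-B",
     "strings": {"url:http://cdn-static.example/q", "ip:203.0.113.9",
                 "domain:ntp.example"}, "exports": ["DllMain"]},
    {"md5": "c1", "compile_time": 1577836800, "file_type": "ZIP", "imphash": "",
     "strings": {"domain:mail-relay.example", "domain:ntp.example"},
     "exports": ["doc.lnk", "loader.dll"]},  # archive: export list = file list
]
# Assumed threshold (not from the patent): an attribute present in this share
# of all samples or more is treated as system noise and dropped.
SYSTEM_ATTR_RATIO = 0.9


def sample_tokens(s):
    """Categorical object attributes of one sample as a set of tagged tokens."""
    toks = {f"type:{s['file_type']}"} | set(s["strings"])
    if s["imphash"]:
        toks.add(f"imphash:{s['imphash']}")
    toks |= {f"export:{e}" for e in s["exports"]}
    return toks


def build_vocabulary(samples, system_ratio=SYSTEM_ATTR_RATIO):
    """Attributes kept for clustering, after dropping the near-universal ones."""
    df = Counter()
    for s in samples:
        df.update(sample_tokens(s))
    return sorted(t for t, n in df.items() if n < system_ratio * len(samples))


def vectorize(samples, vocab):
    """One-hot attribute indicators plus compile time scaled into [0, 1]."""
    times = [s["compile_time"] for s in samples]
    lo, span = min(times), (max(times) - min(times)) or 1
    index = {t: i for i, t in enumerate(vocab)}
    vectors = []
    for s in samples:
        v = [0.0] * (len(vocab) + 1)
        for t in sample_tokens(s):
            if t in index:
                v[index[t]] = 1.0
        v[-1] = (s["compile_time"] - lo) / span
        vectors.append(v)
    return vectors


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(vectors, k, max_iter=50):
    """Deterministic farthest-first seeding, then Lloyd's assign/update loop:
    every sample goes to the nearest cluster center, each center is one group."""
    centers = [vectors[0]]
    while len(centers) < k:
        far = max(range(len(vectors)),
                  key=lambda i: min(sq_dist(vectors[i], c) for c in centers))
        centers.append(vectors[far])
    labels = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda j: sq_dist(v, centers[j])) for v in vectors]
        if new == labels:
            break
        labels = new
        for j in range(k):
            members = [v for v, l in zip(vectors, labels) if l == j]
            if members:
                centers[j] = [sum(col) / len(members) for col in zip(*members)]
    return labels


def homology_groups(samples, k):
    """Cluster the samples and report, per group, the attributes shared by
    every member: the patent's 'common feature' of that group."""
    vocab = build_vocabulary(samples)
    labels = kmeans(vectorize(samples, vocab), k)
    keep, groups = set(vocab), {}
    for s, l in zip(samples, labels):
        groups.setdefault(l, []).append(s)
    result = []
    for members in groups.values():
        common = set.intersection(*(sample_tokens(m) & keep for m in members))
        result.append({"members": sorted(m["md5"] for m in members),
                       "common_feature": sorted(common)})
    return sorted(result, key=lambda g: g["members"])
```

With k=3 the constructed set splits into the two PE families and the lone archive, and the shared imphash, contacted infrastructure and export names of each family surface as its common feature while the universal NTP domain does not.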
S13: determining identical behavior information as the common feature of each group of malicious samples.
Optionally, determining identical behavior information as the common feature of each group of malicious samples comprises: performing a reverse lookup of an IP address from the Message-Digest Algorithm 5 (MD5) value in the behavior information; and determining the executing entity of each class of behavior executed on that IP address as one attack source of the APT attack.
Information association is done on the basis of a graph database, and data with common features are marked. For example, if an IP is found by reverse lookup from an MD5, then the MD5 of each class of behavior on that IP may be judged to be one attack source.
In an implementation of this embodiment, generating the threat intelligence for APT attacks according to the common feature comprises: determining the context information of the common feature according to preset correlation rules; identifying at least one of the following according to the context information: APT organization identity, indicator of compromise (IOC) information, and tactics, techniques and procedures (TTP) information; and generating the threat intelligence related to the common feature according to that information.
Optionally, after generating the threat intelligence for advanced persistent threat (APT) attacks according to the common feature, the method further comprises: marking the IP information of the malicious samples; and, after associating the IP information with the threat intelligence, adding it to a threat intelligence library.
By detecting the malicious sample files, the associated features in them are found and IP addresses are located from the sample information; at the same time, incident response is carried out with manual intervention, and after the various file samples and IP information have been marked, the intelligence undergoes secondary production and is stored, being added to the threat intelligence library.
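The MD5-to-IP reverse lookup, the attack-source determination (S13) and the IOC/TTP context step above, as an added example rather than the patent's code: an in-memory adjacency map stands in for the graph database, and the behavior records, group features, correlation rules and APT identity placeholder are all constructed.

```python
"""Association of homology groups with attack sources and generation of the
threat-intelligence record (the patent's S13 plus the IOC/TTP context step).
Added example, not the patent's code: an in-memory adjacency map stands in for
its graph database, and every record, rule and name below is constructed."""
from collections import defaultdict

# Constructed output of the homology step: sample -> group, group -> common feature.
SAMPLE_GROUP = {"a1": "G1", "a2": "G1", "b1": "G2"}
GROUP_COMMON = {
    "G1": ["imphash:imp-A", "domain:update-check.example", "export:Run"],
    "G2": ["imphash:imp-B", "ip:203.0.113.9", "export:DllMain"],
}
# Constructed dynamic-sandbox behavior records: sample MD5 (used as id),
# behavior class, executing entity (process) and the IP the behavior talked to.
BEHAVIORS = [
    {"md5": "a1", "cls": "c2_beacon", "subject": "svchost-lookalike.exe", "ip": "198.51.100.7"},
    {"md5": "a2", "cls": "c2_beacon", "subject": "svchost-lookalike.exe", "ip": "198.51.100.7"},
    {"md5": "a1", "cls": "run_key_persist", "subject": "svchost-lookalike.exe", "ip": "198.51.100.7"},
    {"md5": "b1", "cls": "stage2_download", "subject": "installer.exe", "ip": "203.0.113.9"},
]
# Assumed preset correlation rules: a common feature implies an APT organization
# identity (placeholder name); a behavior class implies a TTP label.
APT_RULES = {"imphash:imp-A": "APT-ORG-PLACEHOLDER-1"}
TTP_RULES = {"c2_beacon": "command-and-control", "run_key_persist": "persistence",
             "stage2_download": "execution/staging"}


def build_graph(behaviors):
    """Adjacency in both directions: MD5 -> IPs contacted, IP -> MD5s seen on it."""
    sample_to_ip, ip_to_sample = defaultdict(set), defaultdict(set)
    for b in behaviors:
        sample_to_ip[b["md5"]].add(b["ip"])
        ip_to_sample[b["ip"]].add(b["md5"])
    return {"sample_to_ip": sample_to_ip, "ip_to_sample": ip_to_sample}


def reverse_lookup_ip(graph, md5):
    """The patent's reverse lookup of IP addresses from an MD5 value."""
    return sorted(graph["sample_to_ip"].get(md5, ()))


def attack_sources(behaviors, ip):
    """Each class of behavior executed against `ip` with its executing entities;
    the patent treats each such entity as one attack source of the APT attack."""
    by_cls = defaultdict(set)
    for b in behaviors:
        if b["ip"] == ip:
            by_cls[b["cls"]].add(b["subject"])
    return {c: sorted(s) for c, s in by_cls.items()}


def generate_threat_intel(graph, behaviors, ip):
    """Context from the common features of every group that touched `ip`, then
    APT identity, IOCs and TTPs derived from it by the preset rules."""
    md5s = sorted(graph["ip_to_sample"].get(ip, ()))
    groups = sorted({SAMPLE_GROUP[m] for m in md5s if m in SAMPLE_GROUP})
    context = sorted({f for g in groups for f in GROUP_COMMON[g]})
    sources = attack_sources(behaviors, ip)
    return {
        "ip": ip,
        "groups": groups,
        "context": context,
        "apt_identity": sorted({APT_RULES[f] for f in context if f in APT_RULES}),
        "attack_sources": sources,
        "ttp": sorted({TTP_RULES[c] for c in sources if c in TTP_RULES}),
        "ioc": {"md5": md5s, "ip": [ip],
                "domain": sorted(f[7:] for f in context if f.startswith("domain:"))},
    }


def add_to_library(library, record):
    """Mark the IP and store the record under it: the threat intelligence library."""
    library[record["ip"]] = dict(record, ip_marked=True)
    return library
```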
The APT analysis method based on malicious samples of this embodiment relates to the field of computer information security. Overall, it provides a way of extracting malicious information from a large number of files and of extracting and maintaining the IOC (indicators of compromise, also called capture indicators or intrusion indicators) and TTP (tactics, techniques and procedures) information of the related APT organization (for example, by extracting the features of the IOC indication information for each query, marking it and extracting its metadata, while also extracting the related APT organization information and associated context information and recording related information such as tactics and techniques). At the same time, metadata extraction and management is performed on e-mail samples and malicious file samples, and sample identification and result display for malicious samples and malicious e-mail information are provided. The IP and attack process information of the affected user are also recorded, the attack activity and context information are recorded in a data storage platform, and correlation analysis is performed on the interaction between file samples. By this method, attack analysis and operations against APT groups are carried out on malicious samples, the attack source is discovered and kept track of, and the device greatly improves the efficiency of sample analysis and operations.
A complete implementation of this embodiment comprises the following functional modules, in order of sequence: a network collector, a static sandbox, a dynamic sandbox, a high-adversarial sandbox cluster, an intelligence matching module and an incident response module.
Network collector: sample input is connected in an automated way; for example, mail attachments and original documents are delivered in batches automatically and uploaded to the sandbox interface;
Static sandbox: static detection is first performed on the sample file by the static sandbox, matching static rules for malicious files. Information is obtained by extracting file metadata, including file name, file type, file-type matching degree, file size, MD5 (Message-Digest Algorithm 5), SHA-1 (Secure Hash Algorithm 1), SHA-256, SHA-512, SSDeep and the like. At the same time, files are detected and screened by the static engine rules of OWL (Ontology Web Language);
Dynamic sandbox: simulates dynamic execution, analyzes host behavior and obtains network behavior and screenshots during execution, while capturing network traffic and the sample;
High-adversarial sandbox cluster: stores massive data and the information of each detection result, including file-type data; all historical data related to sandbox results and file-type data are stored in the cluster;
Intelligence matching module: matches the results of the sandbox detection module against IOCs and, after associating context, obtains family information and the malicious domain names accessed together with their historical resolution addresses, so that the family information of the malicious sample can be located more accurately and correlation analysis with the APT group can be performed. For example, by querying a malicious sample in the sandbox and associating threat intelligence and WHOIS historical information (WHOIS is a transport protocol used to query information such as the IP and owner of a domain name), all information related to the file can be given;
Incident response module: counts and handles the results of the current analysis samples, provides case management and incident correlation, and performs secondary production of intelligence under real-time updating of each engine and detection rule.
Fig. 3 is the complete service logic diagram of the embodiment of the invention and Fig. 4 is its business flow chart, comprising:
Traffic collection process: responsible for automatically collecting the gathered samples and delivering them in batch, mainly by a traffic collector and a sample collector;
Sandbox detection process: divided into a static detection sandbox and a dynamic detection sandbox. Through the high-adversarial sandbox cluster, a static OWL filtering and extraction engine performs semantic analysis and screening of the text, where the static OWL rules detect and extract text data based on semantics and file metadata; the OWL engine can identify the file type and extract the corresponding metadata for each file type, for example how many sections a PE (Portable Executable) file has, whether it is signed and what the signature is, and what its PDB (Program Database) path name is, and then delivers the sample to the corresponding static and dynamic sandboxes;
Data storage and response process: responsible for storing the sandbox's APT family information associations and cases in the database, and producing new intelligence.
Optionally, the executing subject of the above steps may be a cloud server or local server connected to one or more clients, and the client may be a mobile terminal, PC, etc., but is not limited to these.
From the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments may be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc) and including instructions that cause a terminal device (which may be a mobile phone, computer, server or network device, etc.) to execute the method described in each embodiment of the present invention.
Embodiment 2
This embodiment also provides a device for generating threat intelligence, which may be a server and is used to implement the above embodiments and preferred embodiments; descriptions already given are not repeated. As used below, the term "module" may implement a combination of software and/or hardware with a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementation in hardware or in a combination of software and hardware is also possible and contemplated.
Fig. 5 is a structural block diagram of a device for generating threat intelligence according to an embodiment of the present invention, which can be applied in a server. As shown in Fig. 5, the device includes an acquisition module 50, an analysis module 52 and a generation module 54, wherein:
the acquisition module 50 is used to acquire multiple malicious samples from a business system;
the analysis module 52 is used to perform homology analysis on the multiple malicious samples and determine the common features of each group of malicious samples;
the generation module 54 is used to generate threat intelligence on Advanced Persistent Threat (APT) attacks according to the common features.
Optionally, the analysis module includes: a grouping unit, used to classify the known samples among the multiple malicious samples and to cluster the unknown samples among them; a recording unit, used to label each group of samples after classification or clustering and to record the behavioural information of each group; and a determination unit, used to determine identical behavioural information as the common feature of each group of malicious samples.
Optionally, the grouping unit includes: a partitioning sub-unit, used to partition the unknown samples according to their object attributes using the K-means clustering algorithm, wherein the object attributes include: hash value, compile time, feature strings, file type, import-table hash (imphash) and derivative list, wherein the feature strings include at least one of: Program Database (PDB) file, domain name, IP address and Uniform Resource Locator (URL), and the derivative list includes: for compressed files, the file list; for PE-class (Portable Executable) non-portable executables, the structural information list; and an assignment sub-unit, used to calculate the distance between each unknown sample's object attribute values and each cluster centre and to assign each unknown sample to the nearest cluster centre, wherein each cluster centre is one group.
Optionally, the determination unit includes: a lookup sub-unit, used to reverse-look up IP addresses by the MD5 value in the behavioural information; and a determination sub-unit, used to determine the executing subject of each class of behaviour executed at the IP address as an attack source of the APT attack.
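The grouping and determination units described above, worked through end to end: unknown samples are encoded from the object attributes the application names, partitioned by K-means with nearest-centre assignment, labelled per group, and each group's shared sandbox behaviour is taken as its common feature. This is an added example, not code from the application; the sample records, the token encoding of attributes and the farthest-point centroid initialisation are constructed assumptions for illustration.

```python
import math
from collections import defaultdict
from typing import Dict, List, Set

Sample = Dict[str, object]

# Constructed records carrying the object attributes named in the application
# (compile time, file type, imphash, feature strings, derivative/export list)
# plus the behaviour recorded for each sample by the dynamic sandbox.
SAMPLES: List[Sample] = [
    {"sha256": "sample-a1", "compile_time": 1546300800, "file_type": "PE",
     "imphash": "imp-aaaa", "exports": {"DllMain", "Run"},
     "strings": {"pdb:c:\\dev\\loader.pdb", "dom:c2-a.example"},
     "behaviour": {"dns:c2-a.example", "reg:HKCU\\Run\\svc", "file:drop1.tmp"}},
    {"sha256": "sample-a2", "compile_time": 1548979200, "file_type": "PE",
     "imphash": "imp-aaaa", "exports": {"DllMain", "Run", "Stop"},
     "strings": {"pdb:c:\\dev\\loader.pdb", "dom:c2-a.example", "url:http://c2-a.example/x"},
     "behaviour": {"dns:c2-a.example", "reg:HKCU\\Run\\svc", "file:drop2.tmp"}},
    {"sha256": "sample-b1", "compile_time": 1483228800, "file_type": "PE",
     "imphash": "imp-bbbb", "exports": {"ServiceMain"},
     "strings": {"ip:198.51.100.7"},
     "behaviour": {"tcp:198.51.100.7:443", "proc:schtasks", "mutex:Global\\x1"}},
    {"sha256": "sample-b2", "compile_time": 1485907200, "file_type": "PE",
     "imphash": "imp-bbbb", "exports": {"ServiceMain", "Install"},
     "strings": {"ip:198.51.100.7", "pdb:d:\\svc\\agent.pdb"},
     "behaviour": {"tcp:198.51.100.7:443", "proc:schtasks", "mutex:Global\\x2"}},
]

def tokens(s: Sample) -> Set[str]:
    """Categorical attributes become binary bag-of-feature tokens."""
    return ({"type:" + s["file_type"], "imphash:" + s["imphash"]}
            | {"str:" + x for x in s["strings"]}
            | {"exp:" + x for x in s["exports"]})

def vectorize(samples: List[Sample]) -> List[List[float]]:
    """One binary column per token, plus compile time min-max scaled to [0, 1]."""
    vocab = sorted(set().union(*(tokens(s) for s in samples)))
    times = [s["compile_time"] for s in samples]
    lo, span = min(times), (max(times) - min(times)) or 1
    vecs = []
    for s in samples:
        present = tokens(s)
        vec = [1.0 if tok in present else 0.0 for tok in vocab]
        vec.append((s["compile_time"] - lo) / span)
        vecs.append(vec)
    return vecs

def dist(a: List[float], b: List[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def mean(vs: List[List[float]]) -> List[float]:
    return [sum(col) / len(vs) for col in zip(*vs)]

def kmeans(vecs: List[List[float]], k: int, iters: int = 50) -> List[int]:
    """Assign each vector to the nearest of k centres; deterministic
    farthest-point initialisation (an assumption, not from the application)."""
    centroids = [vecs[0][:]]
    while len(centroids) < k:
        far = max(range(len(vecs)),
                  key=lambda i: min(dist(vecs[i], c) for c in centroids))
        centroids.append(vecs[far][:])
    assign: List[int] = []
    for _ in range(iters):
        assign = [min(range(k), key=lambda j: dist(v, centroids[j])) for v in vecs]
        new = []
        for j in range(k):
            members = [v for v, a in zip(vecs, assign) if a == j]
            new.append(mean(members) if members else centroids[j])
        if new == centroids:  # converged: no centre moved
            break
        centroids = new
    return assign

def group_and_label(samples: List[Sample], k: int) -> Dict[str, List[Sample]]:
    """Cluster unknown samples and label every resulting group."""
    groups: Dict[str, List[Sample]] = defaultdict(list)
    for s, a in zip(samples, kmeans(vectorize(samples), k)):
        groups[f"group-{a}"].append(s)
    return dict(groups)

def common_features(groups: Dict[str, List[Sample]]) -> Dict[str, Set[str]]:
    """Behaviour present in every member of a group is the group's common feature."""
    return {label: set.intersection(*(s["behaviour"] for s in members))
            for label, members in groups.items()}

if __name__ == "__main__":
    print(common_features(group_and_label(SAMPLES, 2)))
```

The per-sample artefacts (dropped file names, mutex names) fall out of the intersection, leaving only the behaviour shared across the group, which is what the application feeds into intelligence generation.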
Optionally, the generation module includes: a determination unit, used to determine the context information of the common feature according to default correlation rules; an identification unit, used to identify at least one of the following from the context information: APT organisation identity, Indicator of Compromise (IOC) information and Tactics, Techniques and Procedures (TTP) information; and a generation unit, used to generate threat intelligence related to the common feature according to that information.
Optionally, the device further includes: a marking module, used to mark the IP information of the malicious samples after the generation module has generated the APT threat intelligence according to the common features; and an adding module, used to associate the IP information with the threat intelligence and add it to the threat intelligence bank.
It should be noted that the above modules may be implemented in software or hardware; for the latter, this may be achieved in, but is not limited to, the following ways: the above modules are all located in the same processor; or the above modules are located in different processors in any combination.
Embodiment 3
Embodiments of the present invention also provide a storage medium in which a computer program is stored, wherein the computer program is arranged to execute the steps of any of the above method embodiments when run.
Optionally, in this embodiment, the above storage medium may be arranged to store a computer program for executing the following steps:
S1, acquiring multiple malicious samples from a business system;
S2, performing homology analysis on the multiple malicious samples to determine the common features of each group of malicious samples;
S3, generating threat intelligence on APT attacks according to the common features.
Optionally, in this embodiment, the above storage medium may include but is not limited to: USB flash disk, Read-Only Memory (ROM), Random Access Memory (RAM), removable hard disk, magnetic disk, optical disc and other media that can store a computer program.
Embodiments of the present invention also provide an electronic device including a memory and a processor, wherein a computer program is stored in the memory and the processor is arranged to run the computer program to execute the steps of any of the above method embodiments.
Optionally, the above electronic device may further include a transmission device and an input/output device, wherein the transmission device and the input/output device are both connected to the above processor.
Optionally, in this embodiment, the above processor may be arranged to execute the following steps by means of the computer program:
S1, acquiring multiple malicious samples from a business system;
S2, performing homology analysis on the multiple malicious samples to determine the common features of each group of malicious samples;
S3, generating threat intelligence on APT attacks according to the common features.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the above embodiments and optional implementations; they are not repeated here.
The serial numbers of the above embodiments of the present application are for description only and do not represent the merits of the embodiments.
In the above embodiments of the present application, the description of each embodiment has its own emphasis; for a part not detailed in one embodiment, reference may be made to the related descriptions of other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content may be realised in other ways. The device embodiments described above are merely exemplary; for example, the division into units is only one logical functional division, and there may be another division in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of the application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the application, or the part of it that contributes over the prior art, or all or part of that technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, server or network device, etc.) to execute all or part of the steps of the method of each embodiment of the application. The aforementioned storage medium includes: USB flash disk, Read-Only Memory (ROM), Random Access Memory (RAM), removable hard disk, magnetic disk, optical disc and other media that can store program code.
The above are only preferred embodiments of the application. It should be noted that, for those of ordinary skill in the art, several improvements and modifications may be made without departing from the principles of the application, and these improvements and modifications should also be regarded as within the protection scope of the application.
Claims (10)
1. A method for generating threat intelligence, characterised by comprising:
acquiring multiple malicious samples from a business system;
performing homology analysis on the multiple malicious samples to determine the common features of each group of malicious samples;
generating threat intelligence on Advanced Persistent Threat (APT) attacks according to the common features.
2. The method according to claim 1, wherein performing homology analysis on the multiple malicious samples to determine the common features of each group of malicious samples comprises:
classifying the known samples among the multiple malicious samples, and clustering the unknown samples among the multiple malicious samples;
labelling each group of samples after classification or clustering, and recording the behavioural information of each group of samples;
determining identical behavioural information as the common feature of each group of malicious samples.
3. The method according to claim 2, wherein clustering the unknown samples among the multiple malicious samples comprises:
partitioning the unknown samples according to their object attributes using the K-means clustering algorithm, wherein the object attributes include: hash value, compile time, feature strings, file type, import-table hash (imphash) and derivative list, wherein the feature strings include at least one of: Program Database (PDB) file, domain name, IP address and Uniform Resource Locator (URL), and the derivative list includes: for compressed files, the file list; for PE-class (Portable Executable) non-portable executables, the structural information list;
calculating the distance between the object attribute values of each unknown sample and each cluster centre, and assigning each unknown sample to the nearest cluster centre, wherein each cluster centre is one group.
4. The method according to claim 2, wherein determining identical behavioural information as the common feature of each group of malicious samples comprises:
reverse-looking up IP addresses by the Message-Digest Algorithm 5 (MD5) value in the behavioural information;
determining the executing subject of each class of behaviour executed at the IP address as an attack source of the APT attack.
5. The method according to claim 1, wherein generating threat intelligence on APT attacks according to the common features comprises:
determining the context information of the common feature according to default correlation rules;
identifying at least one of the following according to the context information: APT organisation identity, Indicator of Compromise (IOC) information, Tactics, Techniques and Procedures (TTP) information;
generating threat intelligence related to the common feature according to that information.
6. The method according to claim 1, wherein, after generating threat intelligence on APT attacks according to the common features, the method further comprises:
marking the IP information of the malicious samples;
associating the IP information with the threat intelligence and adding it to the threat intelligence bank.
7. A device for generating threat intelligence, characterised by comprising:
an acquisition module, used to acquire multiple malicious samples from a business system;
an analysis module, used to perform homology analysis on the multiple malicious samples and determine the common features of each group of malicious samples;
a generation module, used to generate threat intelligence on APT attacks according to the common features.
8. The device according to claim 7, wherein the analysis module comprises:
a grouping unit, used to classify the known samples among the multiple malicious samples and to cluster the unknown samples among the multiple malicious samples;
a recording unit, used to label each group of samples after classification or clustering and to record the behavioural information of each group of samples;
a determination unit, used to determine identical behavioural information as the common feature of each group of malicious samples.
9. A storage medium, characterised in that a computer program is stored in the storage medium, wherein the computer program is arranged to perform the method of any one of claims 1 to 6 when run.
10. An electronic device comprising a memory and a processor, characterised in that a computer program is stored in the memory, and the processor is arranged to run the computer program to perform the method of any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910345207.5A CN110198303A (en) | 2019-04-26 | 2019-04-26 | Threaten the generation method and device, storage medium, electronic device of information |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110198303A true CN110198303A (en) | 2019-09-03 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110198303A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 100032 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing; Applicant after: QAX Technology Group Inc.; Address before: 100032 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing; Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd. |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190903 |