CN110489611B - Intelligent clue analysis method and system - Google Patents
Description
Technical field
The present invention relates to the technical field of cyberspace security, and in particular to an intelligent clue analysis method and system.
Background
As China's level of informatization keeps rising, crimes involving the computer and information domain are becoming more frequent and their impact on people is growing. With large volumes of alert data, it is hard to find common features manually in a short time, and hard to detect and investigate cases quickly.
Existing collection tools such as APT and SOC platforms can already gather large volumes of alert data, and some analysis models already exist, such as DGA analysis, WEBSHELL analysis and targeted WEB attack detection analysis. Using the rules of these models, the alert data is aggregated into associated attack relationships (referred to here as preliminary clues). These preliminary clues, however, are too scattered to be applied directly to a case; manual analysis is still needed to verify whether they belong to the same case.
In the prior art, large-scale data comparison and analysis is done manually, which is time-consuming and labour-intensive, and the search cycle is relatively long. During that time the attacker may strike again, causing financial loss or inconvenience to others.
Summary of the invention
The purpose of the present invention is to provide an intelligent clue analysis method and system that increase the richness of clues, greatly reduce the manpower and time required, and thereby lower the difficulty of investigating and analysing clues.
The present invention provides an intelligent clue analysis method, which includes: extracting, from an alert library, alert data provided by a third-party platform; extracting at least one preset rule from a rule library; matching the alert data against the at least one preset rule to obtain target alert data; processing the target alert data to obtain a preliminary clue; judging, based on a preset clue matching rule, whether a case corresponding to the preliminary clue exists in a preset case library; if it exists, checking the case status of that case; and if the case status is "in progress", expanding the preliminary clue into the case clue library of that case to obtain the updated case clue of the case.
Further, the method also includes: if no such case exists, generating a case corresponding to the preliminary clue in the preset case library and expanding the preliminary clue, as a case clue, into the case clue library of that case; or, if the case status is "solved" or "abandoned", generating a case corresponding to the preliminary clue in the preset case library and expanding the preliminary clue, as a case clue, into the case clue library of that case.
Further, the preliminary clue consists of at least one attack chain, where each attack chain is determined by at least one item of target alert data.
Further, the third-party platform includes one or more of SOC, APT and G01.
The present invention provides an intelligent clue analysis system, which includes a first extraction module, a second extraction module, a preliminary clue module and a case clue module. The first extraction module is configured to extract, from the alert library, the alert data provided by the third-party platform; the second extraction module is configured to extract at least one preset rule from the rule library; the preliminary clue module is connected to the first extraction module and the second extraction module respectively, and is configured to match the alert data against the at least one preset rule to obtain target alert data, and to process the target alert data to obtain a preliminary clue; the case clue module is configured to judge, based on the preset clue matching rule, whether a case corresponding to the preliminary clue exists in the preset case library, to check the case status of that case if it exists, and, if the case status is "in progress", to expand the preliminary clue into the case clue library of that case to obtain the updated case clue of the case.
Further, the preset rules include fixed rules and custom rules, and the rule library includes a fixed rule library and a custom rule library; the fixed rule library stores the fixed rules and the custom rule library stores the custom rules.
Further, the fixed rules include one or more of: DGA analysis, WEBSHELL analysis, C&C remote call-back analysis, targeted WEB attack detection analysis, SMB remote overflow attack events, one-line WEB backdoor brute-forcing, SSH brute-forcing, RDP brute-forcing and FTP brute-forcing.
Further, a custom rule includes one or more of the following fields: rule name, effective start and end time, device type, threat type, data source, usage scenario, attack source configuration and attack target configuration.
Further, the attack source configuration includes one or more of: attack source, whether to match against threat intelligence, whether to apply feature similarity judgement, attack threshold and attack feature.
Further, the attack target configuration includes one or more of: attack target, whether to match against threat intelligence, attack target domain name, attack count threshold and attack target industry.
The intelligent clue analysis method and system provided by the present invention include: extracting, from an alert library, alert data provided by a third-party platform; extracting at least one preset rule from a rule library; matching the alert data against the at least one preset rule to obtain target alert data; processing the target alert data to obtain a preliminary clue; judging, based on a preset clue matching rule, whether a case corresponding to the preliminary clue exists in a preset case library; if it exists, checking the case status of that case; and if the case status is "in progress", expanding the preliminary clue into the case clue library of that case to obtain the updated case clue of the case. The target alert data, preliminary clues and case clues of the present invention increase the richness of clues: existing alert data is analysed into preliminary clues, and the preliminary clues are then automatically converted into higher-level, usable case clues, which greatly reduces the manpower and time required and thereby lowers the difficulty of investigating and analysing clues.
Brief description of the drawings
To illustrate the specific embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art could derive other drawings from them without creative effort.
Fig. 1 is a flowchart of an intelligent clue analysis method provided by an embodiment of the present invention;
Fig. 2 is a preliminary clue diagram provided by an embodiment of the present invention;
Fig. 3 is a case clue diagram provided by an embodiment of the present invention;
Fig. 4 is a flowchart of another intelligent clue analysis method provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an intelligent clue analysis system provided by an embodiment of the present invention.
Reference numerals:
11: first extraction module; 12: second extraction module; 13: preliminary clue module; 14: case clue module.
Detailed description
The technical solutions of the present invention are described clearly and completely below in conjunction with the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In the prior art, large-scale data comparison and analysis is done manually, which is time-consuming and labour-intensive, and the search cycle is relatively long. During that time the attacker may strike again, causing financial loss or inconvenience to others. Based on this, the intelligent clue analysis method and system provided by the embodiments of the present invention increase the richness of clues through target alert data, preliminary clues and case clues: existing alert data is analysed into preliminary clues, and the preliminary clues are then automatically converted into higher-level, usable case clues, which greatly reduces the manpower and time required and thereby lowers the difficulty of investigating and analysing clues.
To aid understanding of this embodiment, the intelligent clue analysis method disclosed in the embodiment of the present invention is first described in detail.
Embodiment 1:
Referring to Fig. 1, an embodiment of the present invention provides an intelligent clue analysis method that includes the following steps:
Step S101: extract, from the alert library, the alert data provided by the third-party platform.
In this embodiment, the third-party platform includes one or more of SOC, APT and G01. APT refers to advanced persistent threats, which are by nature targeted attacks. An APT uses advanced techniques to mount a long-term, sustained network attack on its target; compared with other forms of attack it is more sophisticated, mainly in that before launching the attack the attacker first gathers precise information about the target's business processes and target systems. The alert data provided by the third-party platform may correspond to different cases; for example, alerts 1 to 10 correspond to case A, alerts 11 to 15 to case B and alerts 16 to 100 to case C.
Step S102: extract at least one preset rule from the rule library.
In this embodiment, the preset rules include fixed rules and custom rules. The fixed rules include, but are not limited to: DGA analysis, WEBSHELL analysis, C&C remote call-back analysis, targeted WEB attack detection analysis, SMB remote overflow attack events, one-line WEB backdoor brute-forcing, SSH brute-forcing, RDP brute-forcing and FTP brute-forcing. Custom rules can be added by the user; a custom rule has multiple fields, including but not limited to: rule name, effective start and end time, device type, threat type, data source, usage scenario, attack source configuration and attack target configuration.
Step S103: match the alert data against at least one preset rule to obtain target alert data.
In this embodiment, the alert data consists of target alert data that matches a preset rule and invalid alert data that is unrelated to any preset rule. Note that target alert data is the successfully matched data, that is, the valid alert data. In this embodiment, alert data matching at least one preset rule may be screened manually, or the matching may be performed by third-party service software or a platform with Python-based analysis; this is not described further here.
Step S104: process the target alert data to obtain preliminary clues.
The processing in this embodiment includes cluster analysis: after cluster analysis, the target alert data is automatically converted into the preliminary clues of a case. Cluster analysis here means classifying the target alert data into groups so that the preliminary clues become concrete and the preliminary clues associated with the same case are obtained; the number of preliminary clues may be 0. Referring to Fig. 2, this embodiment provides a preliminary clue diagram corresponding to the preliminary clues. The diagram shows 3 attack targets and 1 attack source; the information between the attack source and any one attack target is one attack chain, and an attack chain consists of multiple items of alert data. A preliminary clue therefore consists of at least one attack chain, each of which is determined by at least one item of target alert data. The target alert data on a given attack chain shares the same or similar features.
Step S105: judge, based on the preset clue matching rule, whether a case corresponding to the preliminary clue exists in the preset case library.
In this embodiment, the preset clue matching rules include but are not limited to: the IP addresses of a unit's assets, website information and unit information. The cases in the preset case library are created by the clue analysis method of this embodiment; see steps S107 and S109 for details. The preset case library may be an empty set: when the clue analysis method of this embodiment runs for the first time, no case has ever been opened, so the preset case library contains no cases. As the steps of this embodiment are executed in sequence, cases are opened continually, so the preset case library may also contain many cases; this embodiment places no limit on the number of cases it can store. In addition, the cases in the preset case library may be displayed on a client so that the relevant personnel can process them, including but not limited to: changing the case status, deleting a case and grading a case by severity.
Step S106: if such a case exists, check its case status.
In this embodiment, every case in the preset case library has its own case status, which includes but is not limited to "in progress", "solved" and "abandoned". "In progress" is also referred to as "case opened".
Step S108: if the case status is "in progress", expand the preliminary clue into the case clue library of the case to obtain the updated case clue of the case.
In this embodiment, a preliminary clue is associated with a case when they share the IP address of the same unit's assets; the case clues already present in the case clue library of that case and the preliminary clue together form the updated case clue. In practice, the IP address of the attack target and the IP address of the attack source are matched to confirm whether preliminary clues belong to the same case, and the attacks on websites of the same unit within the same case are combined into a case clue. A case clue takes a company or department as its unit; each website under the same unit may involve multiple preliminary clues, and one preliminary clue may involve multiple websites. Referring to Fig. 3, a case clue corresponds to a case clue diagram; compared with a preliminary clue, a case clue is more realistic and effective.
The intelligent clue analysis method provided by the embodiment of the present invention includes: extracting, from the alert library, the alert data provided by the third-party platform; extracting at least one preset rule from the rule library; matching the alert data against at least one preset rule to obtain target alert data; processing the target alert data to obtain preliminary clues; judging, based on the preset clue matching rule, whether a case corresponding to the preliminary clue exists in the preset case library; if it exists, checking the case status of that case; and if the case status is "in progress", expanding the preliminary clue into the case clue library of the case to obtain the updated case clue of the case. The target alert data, preliminary clues and case clues of this embodiment increase the richness of clues: existing alert data is analysed into preliminary clues, and the preliminary clues are then automatically converted into higher-level, usable case clues, which greatly reduces the manpower and time required and thereby lowers the difficulty of investigating and analysing clues.
In this embodiment, referring to Fig. 4, the method further includes the following steps:
Step S107: if no such case exists, generate a case corresponding to the preliminary clue in the preset case library, and expand the preliminary clue, as a case clue, into the case clue library of that case.
In this embodiment, if the case corresponding to the preliminary clue does not exist in the preset case library, a case corresponding to the preliminary clue is automatically generated in the preset case library as a newly added case. The preliminary clue can also be displayed on the client as the case clue of that case, so that the relevant personnel can decide whether to open the case and confirm its case status.
Step S109: if the case status is "solved" or "abandoned", generate a case corresponding to the preliminary clue in the preset case library, and expand the preliminary clue, as a case clue, into the case clue library of that case.
In this embodiment, every case has a case status; whether a case exists, and its status if it does, together determine what is done with a preliminary clue that matches the case. For example, if the case exists and its status is "in progress" (case opened), the preliminary clue is automatically expanded into the existing case clues of that case to form a new case clue, which is displayed on the client so that the relevant personnel can re-confirm the case status. If the case exists but its status is "solved" or "abandoned", the preliminary clue is of no use to that case; a new case can be generated automatically and displayed on the client so that the relevant personnel can confirm whether the new case should be opened and what its status is.
For example, multiple FTP alerts may match the FTP brute-force rule and generate a preliminary FTP brute-force clue; the preset clue matching rule then produces an FTP brute-force attack case clue for a particular website. That website belongs to a particular unit. If the unit already has an FTP brute-force case clue for that website or another of its websites, the preliminary FTP brute-force clue is automatically expanded into the unit's brute-force case clue and displayed on the client so that the relevant personnel can confirm whether the event is genuine and whether to open a case.
During expansion, if the preliminary clues involved in a case's existing case clue already contain 5 attack chains and a further attack related to the case occurs, the newly occurring attack chain is turned into a preliminary clue and finally added to the existing case clue rather than creating a new case clue. In other words, as long as the case is not closed, the case clue keeps accumulating attack chains, which makes it more accurate. Real-time expansion greatly improves the timeliness and effectiveness of case clues and lowers the difficulty of investigating and analysing them.
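The full pipeline of steps S101 to S109, as an added Python example that is not part of the patent: constructed alerts are matched against an FTP brute-force rule that carries an attack count threshold, clustered into attack chains per source and target to form a preliminary clue, and then matched to a case by the unit that owns the target asset's IP address, expanding an in-progress case or creating a new one when none exists or the existing case is solved or abandoned. Every alert value, rule name, threshold and the asset-to-unit mapping is constructed for illustration.

```python
"""Alert -> preliminary clue -> case clue pipeline (added example, not the
patent's code). All data below is constructed; IPs are documentation ranges."""
from collections import defaultdict
from dataclasses import dataclass, field

# S101: alert data as a third-party platform (SOC/APT) might export it (constructed).
ALERTS = [
    {"id": 1, "src": "203.0.113.5", "dst": "198.51.100.10", "type": "ftp_login_fail"},
    {"id": 2, "src": "203.0.113.5", "dst": "198.51.100.10", "type": "ftp_login_fail"},
    {"id": 3, "src": "203.0.113.5", "dst": "198.51.100.10", "type": "ftp_login_fail"},
    {"id": 4, "src": "203.0.113.5", "dst": "198.51.100.11", "type": "ftp_login_fail"},
    {"id": 5, "src": "203.0.113.5", "dst": "198.51.100.11", "type": "ftp_login_fail"},
    {"id": 6, "src": "203.0.113.5", "dst": "198.51.100.11", "type": "ftp_login_fail"},
    {"id": 7, "src": "192.0.2.77", "dst": "198.51.100.10", "type": "ftp_login_fail"},
    {"id": 8, "src": "192.0.2.9", "dst": "198.51.100.20", "type": "dns_query"},
]

# S102: a preset rule using the custom-rule fields the patent lists (threat type,
# attack count threshold). The threshold value is constructed.
RULES = [{"name": "FTP brute force", "threat_type": "ftp_login_fail", "threshold": 3}]

# S105: clue matching rule, here "IP address of a unit's assets" -> unit (constructed).
ASSET_UNIT = {"198.51.100.10": "Unit A", "198.51.100.11": "Unit A", "198.51.100.20": "Unit B"}


@dataclass
class Case:
    unit: str
    status: str = "in_progress"            # in_progress | solved | abandoned
    clues: list = field(default_factory=list)  # accumulated attack chains


def match_rules(alerts, rules):
    """S103: keep only alerts that satisfy a preset rule (target alert data).
    A (src, dst, type) group matches when it reaches the rule's threshold."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src"], a["dst"], a["type"])].append(a)
    target = []
    for rule in rules:
        for (_, _, typ), group in groups.items():
            if typ == rule["threat_type"] and len(group) >= rule["threshold"]:
                target.extend({**a, "rule": rule["name"]} for a in group)
    return target


def build_preliminary_clues(target_alerts):
    """S104: cluster target alerts into attack chains (one per source -> target
    pair) and group the chains of one attack source into a preliminary clue."""
    chains = defaultdict(list)
    for a in target_alerts:
        chains[(a["src"], a["dst"], a["rule"])].append(a["id"])
    by_source = defaultdict(list)
    for (src, dst, rule), ids in chains.items():
        by_source[src].append({"src": src, "dst": dst, "rule": rule, "alerts": ids})
    return [{"src": src, "chains": c} for src, c in by_source.items()]


def expand_to_cases(clues, cases, asset_unit):
    """S105-S109: match a clue to a case through the unit owning the target asset.
    An in-progress case absorbs the chains (S108); if no case exists (S107) or
    the only cases are solved/abandoned (S109), a new case is created."""
    for clue in clues:
        by_unit = defaultdict(list)
        for chain in clue["chains"]:
            by_unit[asset_unit.get(chain["dst"], "unknown unit")].append(chain)
        for unit, unit_chains in by_unit.items():
            open_case = next(
                (c for c in cases if c.unit == unit and c.status == "in_progress"), None)
            if open_case is None:
                open_case = Case(unit=unit)
                cases.append(open_case)
            open_case.clues.extend(unit_chains)
    return cases


def run(alerts=None, rules=None, cases=None):
    """Run the whole pipeline against an existing case library (default: empty)."""
    alerts = ALERTS if alerts is None else alerts
    rules = RULES if rules is None else rules
    cases = [] if cases is None else cases
    clues = build_preliminary_clues(match_rules(alerts, rules))
    return expand_to_cases(clues, cases, ASSET_UNIT)


if __name__ == "__main__":
    for case in run():
        print(case.unit, case.status, [(c["src"], c["dst"], c["alerts"]) for c in case.clues])
```

Alert 7 stays below the threshold and alert 8 matches no rule, so both are discarded as invalid alert data; the six FTP alerts form one preliminary clue with two attack chains that land in a single Unit A case.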
本发明实施例可以提高线索的准确性和丰富性,更快速的得出线索,减少人力投入,减少分析时间。因此,本发明实施例可以帮助单位、网站尽早知晓攻击,避免损失或帮助警方侦查调查案件。The embodiments of the present invention can improve the accuracy and richness of clues, obtain clues more quickly, reduce manpower input, and reduce analysis time. Therefore, the embodiment of the present invention can help units and websites know the attack as early as possible, avoid losses or help the police to investigate cases.
实施例二:Embodiment two:
参照图5,本发明实施例提供一种智能的线索分析系统,其中,包括:第一提取模块11、第二提取模块12、初步线索模块13和案件线索模块14;Referring to Fig. 5, an embodiment of the present invention provides an intelligent clue analysis system, which includes: a first extraction module 11, a second extraction module 12, a preliminary clue module 13 and a
第一提取模块11,用于从告警库中提取第三方平台提供的告警数据;The first extraction module 11 is used to extract the alarm data provided by the third-party platform from the alarm library;
第二提取模块12,用于从规则库中提取至少一条预设规则;The second extraction module 12 is used to extract at least one preset rule from the rule base;
初步线索模块13与第一提取模块11、第二提取模块12分别建立连接,用于将告警数据与至少一条预设规则进行匹配,得到目标告警数据;还用于对目标告警数据进行处理,得到初步线索;The preliminary clue module 13 establishes connections with the first extraction module 11 and the second extraction module 12 respectively, and is used to match the alarm data with at least one preset rule to obtain the target alarm data; it is also used to process the target alarm data to obtain preliminary leads;
案件线索模块14,用于基于预设线索匹配规则判断预设案件库中是否存在与初步线索对应的案件;若存在,则查看案件的案件状态;若案件状态为进行中,则将初步线索扩线至案件的案件线索库中,得到案件更新的案件线索。The
在本发明实施例中,本实施例提供的智能的线索分析系统在获取APT等告警数据的基础上,匹配规则库中的各种预设规则,最终分析出各种案件线索。本实施例自动将多个目标告警数据聚合分析为初步线索,再由初步线索构成一个案件的案件线索,便于侦查工作。In the embodiment of the present invention, the intelligent clue analysis system provided by this embodiment matches various preset rules in the rule base on the basis of obtaining alarm data such as APT, and finally analyzes various case clues. In this embodiment, multiple target alarm data are automatically aggregated and analyzed into preliminary clues, and then a case clue of a case is formed from the preliminary clues, which is convenient for investigation work.
本发明提供的一种智能的线索分析系统,包括:第一提取模块11、第二提取模块12、初步线索模块13和案件线索模块14;第一提取模块11,用于从告警库中提取第三方平台提供的告警数据;第二提取模块12,用于从规则库中提取至少一条预设规则;初步线索模块13与第一提取模块11、第二提取模块12分别建立连接,用于将告警数据与至少一条预设规则进行匹配,得到目标告警数据;还用于对目标告警数据进行处理,得到初步线索;案件线索模块14,用于基于预设线索匹配规则判断预设案件库中是否存在与初步线索对应的案件;若存在,则查看案件的案件状态;若案件状态为进行中,则将初步线索扩线至案件的案件线索库中,得到案件更新的案件线索。本发明实施例中的目标告警数据、初步线索和案件线索提高了线索的丰富性,将已有的告警数据分析成初步线索,再将初步线索自动转为高级可用的案件线索,极大解决了人力与时间问题,从而降低了侦查调查分析线索的难度。A kind of intelligent clue analysis system provided by the present invention comprises: a first extraction module 11, a second extraction module 12, a preliminary clue module 13 and a
Further, the intelligent clue analysis system also includes:
a first generation module which, if no such case exists, generates a case corresponding to the preliminary clue in the preset case library and extends the preliminary clue, as a case clue, into the case clue library of that case;
or,
a second generation module which, if the case status is "solved" or "abandoned", generates a case corresponding to the preliminary clue in the preset case library and extends the preliminary clue, as a case clue, into the case clue library of that case.
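The three branches of the case clue module and the two generation modules described above, written out as an added Python example (not code from the patent). The preset clue matching rule is an assumption here: a clue is matched to a case keyed on the same attack source, and an in-progress case is preferred over a solved or abandoned one with the same key; case ids, field names and the sample clues are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Case states named on the page: in progress, solved, abandoned.
IN_PROGRESS, SOLVED, ABANDONED = "in_progress", "solved", "abandoned"


@dataclass
class PreliminaryClue:
    rule: str            # preset rule that produced the clue, e.g. "SSH brute force"
    attack_source: str   # assumed matching key (constructed field, not from the patent)
    target: str


@dataclass
class Case:
    case_id: str
    key: str             # the attack source this case was opened for
    status: str
    clues: List[PreliminaryClue] = field(default_factory=list)


def find_case(case_db: List[Case], clue: PreliminaryClue) -> Optional[Case]:
    """Assumed preset clue matching rule: same attack source. Prefer an in-progress
    case so a clue is not routed to an already solved/abandoned case by accident."""
    candidates = [c for c in case_db if c.key == clue.attack_source]
    for c in candidates:
        if c.status == IN_PROGRESS:
            return c
    return candidates[0] if candidates else None


def route_clue(case_db: List[Case], clue: PreliminaryClue, new_id: str):
    """Case clue module: extend an in-progress case. First/second generation module:
    open a new case when no case exists or the matched case is solved/abandoned.
    Returns (case, created)."""
    case = find_case(case_db, clue)
    if case is not None and case.status == IN_PROGRESS:
        case.clues.append(clue)          # extend into the case's clue library
        return case, False
    case = Case(case_id=new_id, key=clue.attack_source, status=IN_PROGRESS, clues=[clue])
    case_db.append(case)                 # generated in the preset case library
    return case, True


if __name__ == "__main__":
    db: List[Case] = []
    first, created = route_clue(db, PreliminaryClue("SSH brute force", "198.51.100.7", "10.0.0.5"), "C1")
    print(first.case_id, created)        # a new case is opened for the first clue
```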
Further, the preset rules include fixed rules and custom rules, and the rule library includes a fixed rule library and a custom rule library.
In the embodiment of the present invention, the fixed rule library is used to store the fixed rules, and the custom rule library is used to store the custom rules.
Further, the fixed rules include one or more of: DGA analysis, WEBSHELL analysis, C&C remote call-back analysis, targeted WEB attack detection analysis, SMB remote overflow attack events, one-line WEB backdoor brute-forcing, SSH brute-force cracking, RDP brute-force cracking, and FTP brute-force cracking.
Further, a custom rule includes one or more of the following fields: rule name, effective start and end time, device type, threat type, data source, usage scenario, attack source configuration, and attack target configuration.
Further, the attack source configuration includes one or more of: attack source, whether to match against threat intelligence, whether to judge feature similarity, attack threshold, and attack feature.
Further, the attack target configuration includes one or more of: attack target, whether to match against threat intelligence, attack target domain name, attack count threshold, and attack target industry.
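How a custom rule with the fields listed above can be matched against alarm data to produce target alarm data and then a preliminary clue, as an added Python example (not code from the patent). The rule carries a subset of the page's fields (effective start and end time, threat type, data source, the attack threshold from the attack source configuration and the industry from the attack target configuration); the alarm record layout, the aggregation per attack source and the sample alarms are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

@dataclass
class CustomRule:
    name: str                               # rule name
    start: datetime                         # effective start time
    end: datetime                           # effective end time
    threat_type: str
    data_source: str
    attack_threshold: int                   # attack source config: min alarms from one source
    target_industry: Optional[str] = None   # attack target config: None means any industry

def matches(rule: CustomRule, alarm: Dict[str, str]) -> bool:
    """Field-by-field match of one alarm record against the rule's conditions."""
    ts = datetime.fromisoformat(alarm["time"])
    return (rule.start <= ts <= rule.end
            and alarm["threat_type"] == rule.threat_type
            and alarm["data_source"] == rule.data_source
            and (rule.target_industry is None or alarm["industry"] == rule.target_industry))

def preliminary_clues(rule: CustomRule, alarms: List[Dict[str, str]]) -> List[dict]:
    """Target alarm data = alarms matching the rule; aggregated per attack source and
    emitted as one preliminary clue once that source reaches the attack threshold."""
    per_source: Dict[str, List[dict]] = defaultdict(list)
    for alarm in alarms:
        if matches(rule, alarm):
            per_source[alarm["attack_source"]].append(alarm)
    return [{"rule": rule.name, "attack_source": src, "count": len(hits),
             "attack_targets": sorted({h["attack_target"] for h in hits})}
            for src, hits in per_source.items() if len(hits) >= rule.attack_threshold]

def _alarm(time, src, dst, threat="brute_force", source="ids", industry="finance"):
    return {"time": time, "attack_source": src, "attack_target": dst,
            "threat_type": threat, "data_source": source, "industry": industry}

# Constructed sample alarms (documentation IP ranges), not data from the patent.
SAMPLE_ALARMS = [
    _alarm("2019-09-01T10:00:00", "198.51.100.7", "10.0.0.5"),
    _alarm("2019-09-01T10:01:00", "198.51.100.7", "10.0.0.5"),
    _alarm("2019-09-01T10:02:00", "198.51.100.7", "10.0.0.6"),
    _alarm("2019-09-01T10:03:00", "198.51.100.9", "10.0.0.5"),                     # below threshold
    _alarm("2019-07-01T10:00:00", "198.51.100.7", "10.0.0.5"),                     # outside window
    _alarm("2019-09-01T10:04:00", "198.51.100.7", "10.0.0.5", threat="webshell"),  # wrong type
]
SSH_RULE = CustomRule("SSH brute force", datetime(2019, 8, 23), datetime(2019, 12, 31),
                      "brute_force", "ids", attack_threshold=3, target_industry="finance")
```

Running `preliminary_clues(SSH_RULE, SAMPLE_ALARMS)` yields a single clue for 198.51.100.7 with three matching alarms against two targets; the second source and the out-of-window and wrong-type alarms are filtered out.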
The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, program segment or portion of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the figures. For example, two blocks shown in succession may in fact be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working process of the system described above may refer to the corresponding process in the foregoing method embodiment, and is not repeated here.
In addition, in the description of the embodiments of the present invention, unless otherwise explicitly specified and limited, the terms "installed", "connected" and "coupled" should be interpreted in a broad sense: for example, a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediate medium; and it may be an internal communication between two elements. Those of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the specific situation.
If the functions described above are realized in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
The computer program product of the intelligent clue analysis method provided by the embodiments of the present invention includes a computer-readable storage medium storing program code; the instructions included in the program code can be used to execute the method described in the foregoing method embodiments, and the specific implementation may refer to the method embodiments and is not repeated here.
In the description of the present invention, it should be noted that the orientations or positional relationships indicated by the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer" and the like are based on the orientations or positional relationships shown in the drawings, and are only for the convenience of describing the present invention and simplifying the description, rather than indicating or implying that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they therefore should not be construed as limiting the present invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and should not be construed as indicating or implying relative importance.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910787650.8A CN110489611B (en) | 2019-08-23 | 2019-08-23 | Intelligent clue analysis method and system |
Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN110489611A CN110489611A (en) | 2019-11-22 |
| CN110489611B true CN110489611B (en) | 2022-12-30 |
Family
ID=68553909
Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910787650.8A Active CN110489611B (en) | 2019-08-23 | 2019-08-23 | Intelligent clue analysis method and system |

Country Status (1)

| Country | Link |
|---|---|
| CN (1) | CN110489611B (en) |
Families Citing this family (1)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111369417A (en) * | 2020-03-05 | 2020-07-03 | 青岛海信网络科技股份有限公司 | Case clue obtaining method and device based on technical and tactical model |

Citations (4)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP2882159A1 (en) * | 2013-12-06 | 2015-06-10 | Cyberlytic Limited | Profiling cyber threats detected in a target environment and automatically generating one or more rule bases for an expert system usable to profile cyber threats detected in a target environment |
| CN105376245A (en) * | 2015-11-27 | 2016-03-02 | 杭州安恒信息技术有限公司 | Rule-based detection method of ATP attack behavior |
| CN105681286A (en) * | 2015-12-31 | 2016-06-15 | 中电长城网际系统应用有限公司 | Association analysis method and association analysis system |
| CN107196910A (en) * | 2017-04-18 | 2017-09-22 | 国网山东省电力公司电力科学研究院 | Threat early warning monitoring system, method and the deployment framework analyzed based on big data |
Non-Patent Citations (1)

| Title |
|---|
| Research on an attack scenario association rule mining method based on alarm attribute clustering; Chen Xingshu et al.; Advanced Engineering Sciences (《工程科学与技术》); 2019-05-31; Vol. 51, No. 03; full text * |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | EE01 | Entry into force of recordation of patent licensing contract | Application publication date: 20191122; Assignee: Hangzhou Anheng Information Security Technology Co.,Ltd.; Assignor: Dbappsecurity Co.,Ltd.; Contract record no.: X2024980043365; Denomination of invention: An intelligent clue analysis method and system; Granted publication date: 20221230; License type: Common License; Record date: 20241231 |