CN110661795A - Vector-level threat information automatic production and distribution system and method - Google Patents


Info

Publication number
CN110661795A
Authority
CN
China
Prior art keywords
vector
analysis
detection module
threat information
user side
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910896724.1A
Other languages
Chinese (zh)
Inventor
肖新光
张宝富
童志明
何公道
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Harbin Antiy Technology Group Co Ltd
Original Assignee
Harbin Antiy Technology Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Harbin Antiy Technology Group Co Ltd
Priority to CN201910896724.1A
Publication of CN110661795A
Legal status: Pending

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a system and method for automatically producing and distributing vector-level threat intelligence. The vendor side issues initial vector-level threat intelligence and a corresponding defense strategy to an analysis cluster on the user side; the analysis cluster issues and deploys them to an endpoint detection module and a traffic detection module, giving network endpoints and traffic detection an initial security detection capability. The endpoint detection module and the traffic detection module continuously capture suspicious samples and abnormal traffic data and upload them; the analysis cluster automatically analyzes the uploaded material, generates new vector-level threat intelligence and corresponding defense strategies, and issues them to the endpoint and traffic detection modules again. The user-side detection and analysis library is thereby continuously enriched and refined, and a complete network security defense system tailored to the user's environment is eventually formed. This addresses the problems that defense currently always lags behind network attacks and that a complete network security defense system tailored to the user's environment cannot be formed on the user side.

Description

Vector-level threat information automatic production and distribution system and method
Technical Field
The invention relates to the technical field of network security, in particular to a system and a method for automatically producing and distributing vector-level threat information.
Background
Network attacks are becoming increasingly professional and targeted, and attack techniques change unpredictably. The network environment of a single enterprise user tends to be homogeneous, while the networks of different customers tend to be heterogeneous.
Disclosure of Invention
In view of this, embodiments of the present invention provide a system and method for automatically producing and distributing vector-level threat intelligence, which address the following problems of the prior art: attacks cannot be responded to quickly, defense always lags behind network attacks, users find it difficult to monitor an attack event as a whole, and a complete network security defense system tailored to the user's environment cannot be formed on the user side.
In a first aspect, an embodiment of the present invention provides an automatic vector-level threat information production and distribution system, including:
a vendor side and a user side, where the user side includes an analysis cluster, an endpoint detection module and a traffic detection module;
the vendor side: used for issuing initial vector-level threat intelligence to the user side according to the user's system environment and deploying it to the user side;
the analysis cluster: used for receiving the initial vector-level threat intelligence sent by the vendor side and issuing it to the endpoint detection module and the traffic detection module, automatically analyzing the suspicious samples and abnormal network traffic data uploaded from the user side, generating vector-level threat intelligence and corresponding defense strategies, and issuing them to the user side;
the endpoint detection module: used for receiving the vector-level threat intelligence and corresponding defense strategy issued by the analysis cluster and performing detection with them, capturing suspicious samples on the user-side network endpoints and uploading them to the analysis cluster;
the traffic detection module: used for receiving the vector-level threat intelligence and corresponding defense strategy issued by the analysis cluster and performing detection with them, capturing abnormal traffic data on the user-side network and uploading it to the analysis cluster.
Further, the endpoint detection module and the traffic detection module each include a preprocessing module, configured to preprocess the captured suspicious samples and abnormal network traffic data, including but not limited to: extracting the environment the threat depends on and removing redundant data segments.
Further, the analysis cluster includes a receiving module, an automatic static analysis module, an automatic dynamic analysis module, and an intelligence and strategy issuing module. The receiving module is used for receiving the suspicious samples and abnormal traffic data uploaded from the user side. The automatic static analysis module is used for automatic static analysis of the suspicious samples and abnormal traffic data: it calibrates (labels) each sample against the initial vector-level threat intelligence issued by the vendor side and the vector-level threat intelligence generated in earlier rounds, and extracts vector-level threat intelligence. The automatic dynamic analysis module is used for automatic dynamic analysis of the suspicious samples and abnormal network traffic data: it deploys a sandbox system matching the suspicious samples uploaded from the user-side network endpoints, runs the suspicious samples and files for dynamic analysis, and extracts vector-level threat intelligence. The intelligence and strategy issuing module is used for issuing and deploying the vector-level threat intelligence and strategies generated by the analysis cluster to the endpoint detection module and the traffic detection module.
In a second aspect, an embodiment of the present invention provides an automatic vector-level threat intelligence production and distribution method, including:
S1: the security vendor issues initial vector-level threat intelligence and a corresponding defense strategy to the user side according to the user's system environment, and deploys them to the analysis cluster on the user side;
S2: the analysis cluster issues the initial vector-level threat intelligence and corresponding defense strategy received from the security vendor to the user-side network endpoints and traffic detection equipment;
S3: the endpoint detection module receives the vector-level threat intelligence and corresponding defense strategy issued by the analysis cluster, performs detection with them, captures suspicious samples on the user-side network endpoints and uploads them to the analysis cluster; the traffic detection module likewise receives the vector-level threat intelligence and corresponding defense strategy issued by the analysis cluster, performs detection with them, captures abnormal traffic data on the user-side network and uploads it to the analysis cluster;
S4: the analysis cluster receives and automatically analyzes the uploaded suspicious samples and abnormal traffic data from the user-side network endpoints, and generates corresponding vector-level threat intelligence and a corresponding defense strategy;
S5: the analysis cluster issues the vector-level threat intelligence and corresponding defense strategy generated by the previous round of automatic analysis to the endpoint detection module and the traffic detection module again, and handles the detected network threats;
S6: S3 to S5 are repeated cyclically, performing deep learning, so that the vector-level threat intelligence and defense strategies on the user side are continuously enriched and a vector-level threat intelligence and defense strategy issuing system tailored to the user's system environment is formed.
Further, the step in which the endpoint detection module captures suspicious samples on the user-side network endpoints and uploads them to the analysis cluster, and the traffic detection module captures abnormal user-side network traffic data and uploads it to the analysis cluster, further comprises: preprocessing the captured suspicious samples and abnormal network traffic data, including but not limited to extracting the environment the threat depends on and removing redundant data segments.
Further, the step in which the analysis cluster receives and automatically analyzes the uploaded suspicious samples and abnormal traffic data from the user-side network endpoints comprises: automatic static analysis of the suspicious samples and abnormal network traffic data, calibrating each sample against the initial vector-level threat intelligence issued by the vendor side and the vector-level threat intelligence generated in earlier rounds, and extracting vector-level threat intelligence; and automatic dynamic analysis of the suspicious samples and abnormal network traffic data, deploying a sandbox system matching the suspicious samples uploaded from the user-side network endpoints, running the suspicious samples and files for dynamic analysis, and extracting vector-level threat intelligence.
Further, calibrating the sample specifically comprises: the analysis cluster performs automatic static analysis on the suspicious samples and abnormal traffic data from the user-side network endpoints, extracts fuzzy hashes, domain names, IP addresses or numerical statistical features from them as vector-level threat intelligence, and, according to the content of that intelligence, labels the behavior characteristics, threat degree, associated organization and specific tools used, so as to build an attacker profile that is refined through continued automatic static analysis.
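The S3 to S5 loop and the calibration step described above (and restated in the detailed description) in one runnable sketch. This is an added example written for this page, not the patent's implementation or Antiy's code: an in-memory intelligence library seeded with constructed vendor records, an endpoint and a traffic detection step that match against it, and a calibration step that labels a newly captured sample's unknown indicators with the organization, tool and threat degree of the known records they co-occur with, then publishes them back as a new library version. Every indicator value, organization and tool name, severity and flow record below is hypothetical, and the "indicator -> kind" dictionary stands in for the output of static extraction.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class IntelRecord:
    """One vector-level record: an indicator plus the calibration labels attached to it."""
    indicator: str      # mutex name, PDB path, domain, IP, hash, ...
    kind: str           # "mutex", "pdb", "domain", "ipv4", ...
    organization: str   # associated organization, "unknown" until attributed
    tool: str           # specific tool the indicator is tied to
    severity: int       # threat degree, 1 (low) .. 10 (critical)
    source: str         # "vendor-initial" or "cluster-round-N"


# Constructed initial intelligence issued by the vendor (S1); all values are hypothetical.
VENDOR_INITIAL = [
    IntelRecord("Global\\MsUpdaterMutex_7a1", "mutex", "Group-A", "LoaderX", 8, "vendor-initial"),
    IntelRecord("update.example-cdn.net", "domain", "Group-A", "LoaderX", 8, "vendor-initial"),
    IntelRecord("203.0.113.9", "ipv4", "Group-B", "RatY", 6, "vendor-initial"),
]
# Constructed sample captured by the endpoint module (S3): indicator -> kind.
CAPTURED_SAMPLE = {
    "Global\\MsUpdaterMutex_7a1": "mutex",
    "198.51.100.23": "ipv4",
    "C:\\Users\\dev\\Projects\\Loader\\Release\\loader.pdb": "pdb",
}
# Constructed flow records seen by the traffic module: "src_ip,dst_ip,domain" ("-" if none).
FLOWS = ["10.0.0.5,198.51.100.23,-", "10.0.0.7,93.184.216.34,www.example.org"]


class IntelLibrary:
    """The user-side detection/analysis library currently pushed to the detection modules."""

    def __init__(self, initial: Iterable[IntelRecord]):
        self.version = 1
        self.records: Dict[str, IntelRecord] = {r.indicator: r for r in initial}

    def match(self, indicators: Iterable[str]) -> List[IntelRecord]:
        return [self.records[i] for i in indicators if i in self.records]

    def publish(self, generated: Iterable[IntelRecord]) -> int:
        """S5: issue a new library version carrying the generated records; returns the version."""
        added = [r for r in generated if r.indicator not in self.records]
        for r in added:
            self.records[r.indicator] = r
        if added:
            self.version += 1
        return self.version


def endpoint_detect(library: IntelLibrary, sample: Dict[str, str]) -> List[IntelRecord]:
    """Endpoint module (S3): records in the current library that hit on a captured sample."""
    return library.match(sample)


def flow_detect(library: IntelLibrary, flows: Iterable[str]) -> List[Tuple[str, IntelRecord]]:
    """Traffic module (S3): match the destination IP and domain of each flow record."""
    hits = []
    for line in flows:
        _src, dst_ip, domain = line.split(",")
        for ind in (dst_ip, domain):
            rec = library.records.get(ind)
            if rec is not None:
                hits.append((line, rec))
    return hits


def calibrate(library: IntelLibrary, sample: Dict[str, str], round_no: int) -> List[IntelRecord]:
    """S4 static calibration: label the sample from the records it already matches, then emit
    new records for its unknown indicators carrying the same organization/tool/threat degree."""
    known = library.match(sample)
    if known:
        org = Counter(r.organization for r in known).most_common(1)[0][0]
        tool = Counter(r.tool for r in known if r.organization == org).most_common(1)[0][0]
        severity = max(r.severity for r in known)
    else:
        org, tool, severity = "unknown", "unknown", 3   # unattributed: low initial threat degree
    return [IntelRecord(ind, kind, org, tool, severity, f"cluster-round-{round_no}")
            for ind, kind in sample.items() if ind not in library.records]


def attacker_portrait(library: IntelLibrary) -> Dict[str, dict]:
    """Aggregate the library per organization: tools, indicators and highest threat degree."""
    portrait: Dict[str, dict] = {}
    for r in library.records.values():
        p = portrait.setdefault(r.organization, {"tools": set(), "indicators": set(), "severity": 0})
        p["tools"].add(r.tool)
        p["indicators"].add(r.indicator)
        p["severity"] = max(p["severity"], r.severity)
    return portrait


def run_cycle(library: IntelLibrary, sample: Dict[str, str], flows: List[str], round_no: int):
    """One S3-S5 iteration: detect and capture, calibrate, republish, re-run traffic detection."""
    endpoint_hits = endpoint_detect(library, sample)
    generated = calibrate(library, sample, round_no)
    library.publish(generated)
    return endpoint_hits, generated, flow_detect(library, flows)


if __name__ == "__main__":
    lib = IntelLibrary(VENDOR_INITIAL)
    print("flow hits before cycle:", len(flow_detect(lib, FLOWS)))
    ep, gen, fl = run_cycle(lib, CAPTURED_SAMPLE, FLOWS, 1)
    print("library version:", lib.version, "generated:", [r.indicator for r in gen])
    print("flow hits after cycle:", [(line, rec.organization) for line, rec in fl])
```

The point to watch is the flow to 198.51.100.23: library version 1 does not know it and the traffic module is silent, while version 2 detects it only because the endpoint module captured a sample that carried both the vendor-issued mutex and the new address. Co-occurrence inside one sample is weak attribution evidence on its own; in practice the dynamic-analysis result and an analyst's confirmation should gate any increase in threat degree before a record is pushed to blocking policy.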
The invention provides a system and method for automatically producing and distributing vector-level threat intelligence. The vendor side issues initial vector-level threat intelligence and a corresponding defense strategy and deploys them to the analysis cluster on the user side, establishing an initial detection and analysis library there. The analysis cluster issues and deploys the initial intelligence and strategy to the endpoint detection module and the traffic detection module, giving network endpoints and traffic detection an initial security detection capability. The endpoint and traffic detection modules continuously capture suspicious samples and abnormal traffic data and upload them to the analysis cluster; the analysis cluster automatically analyzes the uploaded samples, generates vector-level threat intelligence and corresponding defense strategies, and issues them to the endpoint and traffic detection modules again, continuously improving the security detection capability of the user side. Through this cyclic, iterative deep learning the user-side detection and analysis library is continuously refined and a complete network security defense system tailored to the user's environment is finally formed: when a network attack occurs, the user side can detect it and raise an alarm within a short time, and a defense strategy is issued promptly to handle the attack. This solves the problems that attacks cannot be responded to quickly, that defense always lags behind network attacks, that users find it difficult to monitor an attack event as a whole, and that a complete network security defense system tailored to the user's environment cannot be formed on the user side.
Embodiments of the invention achieve the following technical effects: a complete network security defense system tailored to the user's system environment is formed on the user side; the system and method make the user side's threat detection capability private, unique and targeted; and when a network threat occurs, the user side can detect it and raise an alarm within a short time and issue a defense strategy promptly to handle the attack.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a block diagram of an automated vector-level threat information production and distribution system of the present invention;
FIG. 2 is another block diagram of an automated vector-level threat intelligence production and distribution system of the present invention;
FIG. 3 is a flowchart of an embodiment of an automatic vector-level threat intelligence production and distribution method according to the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to more clearly state the specific embodiments of the present invention, the following terms are to be interpreted:
vector: the various pieces of information about a sample that are collected when the sample is scanned;
extracting vector-level threat intelligence: obtaining the various kinds of valuable information in a sample and extracting the vector-level threat intelligence it contains. The extracted content includes but is not limited to: strings specific to an APT (advanced persistent threat) organization (mutex names, PDB paths, special component names and the like), IP addresses and domain names, behavior information obtained statically and dynamically, file structure information, and so on.
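An added example of the static extraction the definition above describes, and of the "fuzzy hash, domain name, IP or numerical statistical features" the calibration step lists. It is written for this page and is not code from the patent or from Antiy: a minimal Python extractor that pulls mutex names, PDB paths, URLs, domains and IPv4 addresses out of a sample's printable strings and records the SHA-256 and byte entropy alongside them. The sample bytes, every indicator value in them and the short TLD list are constructed for the example; a production extractor would add a fuzzy hash such as ssdeep and parse the file format rather than relying on raw strings.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample bytes for this example (not a real file): a fake PE header,
# a few embedded strings of the kinds the patent lists, and a pseudo-random tail.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"Global\\MsUpdaterMutex_7a1\x00"
    + b"C:\\Users\\dev\\Projects\\Loader\\Release\\loader.pdb\x00"
    + b"http://update.example-cdn.net/chk\x00"
    + b"198.51.100.23\x00"
    + bytes((i * 131 + 7) % 256 for i in range(512))
)

# Assumed indicator patterns; the TLD list is deliberately short and is part of the example.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info|ru|cn)\b", re.I)
_URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
_PDB = re.compile(r"[A-Za-z]:\\[^\x00\n]*?\.pdb", re.I)
_MUTEX = re.compile(r"(?:Global|Local)\\[\w.-]+")


def ascii_strings(data: bytes, min_len: int = 6):
    """Printable-ASCII runs of at least min_len bytes, the raw input for string indicators."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def shannon_entropy(data: bytes) -> float:
    """Byte entropy in bits (0..8); one of the numerical statistical features of a sample."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _valid_ipv4(s: str) -> bool:
    return all(0 <= int(o) <= 255 for o in s.split("."))


def extract_intel(data: bytes) -> dict:
    """Extract vector-level indicators from a sample and return them as one record."""
    joined = "\n".join(ascii_strings(data))
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "entropy": round(shannon_entropy(data), 3),
        "ipv4": sorted({m for m in _IPV4.findall(joined) if _valid_ipv4(m)}),
        "domains": sorted({m.lower() for m in _DOMAIN.findall(joined)}),
        "urls": sorted(set(_URL.findall(joined))),
        "pdb_paths": sorted(set(_PDB.findall(joined))),
        "mutexes": sorted(set(_MUTEX.findall(joined))),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_intel(SAMPLE), indent=2))
```

Each of the extracted fields is one "vector" in the patent's sense; the record as a whole is what the analysis cluster would calibrate against the library it already holds.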
In a first aspect, an embodiment of the present invention provides an automatic vector-level threat information production and distribution system, and fig. 1 is a structural diagram of an automatic vector-level threat information production and distribution system of the present invention, including:
a vendor side 1-1 and a user side 1-2, the user side comprising an analysis cluster 1-2-1, an endpoint detection module 1-2-2 and a traffic detection module 1-2-3;
vendor side 1-1: used for issuing initial vector-level threat intelligence to the user side according to the user's system environment and deploying it to the analysis cluster 1-2-1 on the user side, giving the user side an initial security detection capability;
analysis cluster 1-2-1: used for receiving the initial vector-level threat intelligence sent by the vendor side 1-1 and issuing it to the endpoint detection module 1-2-2 and the traffic detection module 1-2-3, automatically analyzing the suspicious samples and abnormal network traffic data uploaded from the user side, generating vector-level threat intelligence and corresponding defense strategies, and issuing them to the endpoint detection module 1-2-2 and the traffic detection module 1-2-3;
endpoint detection module 1-2-2: used for receiving the vector-level threat intelligence and corresponding defense strategy issued by the analysis cluster 1-2-1 and performing detection with them, capturing suspicious samples on the network endpoints of the user side 1-2 and uploading them to the analysis cluster 1-2-1;
traffic detection module 1-2-3: used for receiving the vector-level threat intelligence and corresponding defense strategy issued by the analysis cluster 1-2-1 and performing detection with them, capturing abnormal traffic data on the network of the user side 1-2 and uploading it to the analysis cluster 1-2-1.
In a second aspect, an embodiment of the present invention provides an automatic vector-level threat information production and distribution system, and fig. 2 is another structural diagram of the automatic vector-level threat information production and distribution system of the present invention, including:
a vendor side 2-1 and a user side 2-2, the user side 2-2 comprising a receiving module 2-2-1, an automatic static analysis module 2-2-2, an automatic dynamic analysis module 2-2-3, an intelligence and strategy issuing module 2-2-4, an endpoint detection and preprocessing module 2-2-5, and a traffic detection and preprocessing module 2-2-6;
vendor side 2-1: used for issuing initial vector-level threat intelligence to the user side 2-2 according to the user's system environment and deploying it to the user side 2-2, giving the user side an initial security detection capability;
receiving module 2-2-1: used for receiving the suspicious samples and abnormal network traffic data uploaded from the user side 2-2;
automatic static analysis module 2-2-2: used for automatic static analysis of suspicious samples and abnormal network traffic data, calibrating each sample against the initial vector-level threat intelligence issued by the vendor side 2-1 and the vector-level threat intelligence generated in earlier rounds, and extracting vector-level threat intelligence;
automatic dynamic analysis module 2-2-3: used for automatic dynamic analysis of suspicious samples and abnormal network traffic data, deploying a sandbox system matching the suspicious samples uploaded from the network endpoints of the user side 2-2, running the suspicious samples and files for dynamic analysis, and extracting vector-level threat intelligence;
intelligence and strategy issuing module 2-2-4: used for issuing and deploying the generated vector-level threat intelligence and strategies to the endpoint detection module 2-2-5 and the traffic detection module 2-2-6, so as to improve the security detection capability of the user side 2-2.
endpoint detection and preprocessing module 2-2-5: used for receiving the vector-level threat intelligence and corresponding defense strategy issued by the automatic static analysis module 2-2-2 and the automatic dynamic analysis module 2-2-3 and performing detection with them, capturing suspicious samples on the network endpoints of the user side 2-2 and uploading them to the automatic static analysis module 2-2-2 and the automatic dynamic analysis module 2-2-3, and preprocessing the captured suspicious samples and abnormal network traffic data, including but not limited to extracting the environment the threat depends on and removing redundant data segments;
traffic detection and preprocessing module 2-2-6: used for receiving the vector-level threat intelligence and corresponding defense strategy issued by the automatic static analysis module 2-2-2 and the automatic dynamic analysis module 2-2-3 and performing detection with them, capturing abnormal traffic data on the network of the user side 2-2 and uploading it to the automatic static analysis module 2-2-2 and the automatic dynamic analysis module 2-2-3, and preprocessing the captured suspicious samples and abnormal network traffic data, including but not limited to extracting the environment the threat depends on and removing redundant data segments.
In a third aspect, an embodiment of the present invention provides an automatic production and distribution method for vector-level threat information, and fig. 3 is a flowchart of an embodiment of an automatic production and distribution method for vector-level threat information, including:
S301: the security vendor issues initial vector-level threat intelligence and a corresponding defense strategy to the user side according to the user's system environment, and deploys them to the analysis cluster on the user side;
S302: the analysis cluster issues the initial vector-level threat intelligence and corresponding defense strategy received from the security vendor to the user-side network endpoints and traffic detection equipment;
S303: the endpoint detection module receives the vector-level threat intelligence and corresponding defense strategy issued by the analysis cluster, performs detection with them, captures suspicious samples on the user-side network endpoints and uploads them to the analysis cluster; the traffic detection module likewise receives the vector-level threat intelligence and corresponding defense strategy issued by the analysis cluster, performs detection with them, captures abnormal traffic data on the user-side network and uploads it to the analysis cluster;
S304: the analysis cluster receives and automatically analyzes the uploaded suspicious samples and abnormal traffic data from the user-side network endpoints, and generates corresponding vector-level threat intelligence and a corresponding defense strategy;
S305: the analysis cluster issues the vector-level threat intelligence and corresponding defense strategy generated by the previous round of automatic analysis to the endpoint detection module and the traffic detection module again, and handles the detected network threats;
S306: S303 to S305 are repeated cyclically, performing deep learning, so that the vector-level threat intelligence and defense strategies on the user side are continuously enriched and a vector-level threat intelligence and defense strategy issuing system tailored to the user's system environment is formed.
Preferably, the step in which the endpoint detection module captures suspicious samples on the user-side network endpoints and uploads them to the analysis cluster, and the traffic detection module captures abnormal user-side network traffic data and uploads it to the analysis cluster, further comprises: preprocessing the captured suspicious samples and abnormal traffic data, including but not limited to extracting the environment the threat depends on and removing redundant data segments.
Preferably, the step in which the analysis cluster receives and automatically analyzes the uploaded suspicious samples and abnormal traffic data from the user-side network endpoints comprises: automatic static analysis of the suspicious samples and abnormal traffic data, calibrating each sample against the initial vector-level threat intelligence issued by the vendor side and the vector-level threat intelligence generated in earlier rounds, and extracting vector-level threat intelligence; and automatic dynamic analysis of the suspicious samples and abnormal traffic data, deploying a sandbox system matching the suspicious samples uploaded from the user-side network endpoints, running the suspicious samples and files for dynamic analysis, and extracting vector-level threat intelligence.
Preferably, calibrating the sample comprises: the analysis cluster performs automatic static analysis on the suspicious samples and abnormal traffic data from the user-side network endpoints, extracts fuzzy hashes, domain names, IP addresses or numerical statistical features from them as vector-level threat intelligence, and, according to the content of that intelligence, labels the behavior characteristics, threat degree, associated organization and specific tools used, so as to build an attacker profile that is refined through continued automatic static analysis.
The invention provides a system and method for automatically producing and distributing vector-level threat intelligence. The vendor side issues initial vector-level threat intelligence and a corresponding defense strategy and deploys them to the analysis cluster on the user side, establishing an initial detection and analysis library there. The analysis cluster issues and deploys the initial intelligence and strategy to the endpoint detection module and the traffic detection module, giving network endpoints and traffic detection an initial security detection capability. The endpoint and traffic detection modules continuously capture suspicious samples and abnormal traffic data and upload them to the analysis cluster; the analysis cluster automatically analyzes the uploaded samples, generates vector-level threat intelligence and corresponding defense strategies, and issues them to the endpoint and traffic detection modules again, continuously improving the security detection capability of the user side. The user-side detection and analysis library is thus continuously refined and a complete network security defense system tailored to the user's environment is finally formed: when a network attack occurs, the user side can detect it and raise an alarm within a short time, and a defense strategy is issued promptly to handle the attack. This solves the problems that attacks cannot be responded to quickly, that defense always lags behind network attacks, that users find it difficult to monitor an attack event as a whole, and that a complete network security defense system tailored to the user's environment cannot be formed on the user side.
Embodiments of the invention achieve the following technical effects: a complete network security defense system tailored to the user's system environment is formed on the user side; the system and method make the user side's threat detection capability private, unique and targeted; and when a network threat occurs, the user side can detect it and raise an alarm within a short time and issue a defense strategy promptly to handle the attack.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above systems are described separately with the functions divided into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (7)

1. A vector-level threat intelligence automated production and distribution system, comprising a manufacturer side and a user side, wherein the user side comprises an analysis cluster, an endpoint detection module and a traffic detection module;
the manufacturer side: used for issuing initial vector-level threat intelligence to the user side, tailored to the user's system environment, and deploying it to the analysis cluster of the user side;
the analysis cluster: used for receiving the initial vector-level threat intelligence issued by the manufacturer side and issuing it to the endpoint detection module and the traffic detection module; and for automatically analyzing the suspicious samples and abnormal network traffic data uploaded from the user side, generating vector-level threat intelligence and corresponding defense strategies, and issuing them to the user side;
the endpoint detection module: used for receiving the vector-level threat intelligence and corresponding defense strategy issued by the analysis cluster and executing detection with them, and for capturing suspicious samples at user-side network endpoints and uploading them to the analysis cluster;
the traffic detection module: used for receiving the vector-level threat intelligence and corresponding defense strategy issued by the analysis cluster and executing detection with them, and for capturing abnormal traffic data of the user-side network and uploading it to the analysis cluster.
2. The system of claim 1, wherein the endpoint detection module and the traffic detection module further comprise a preprocessing module for preprocessing the captured suspicious samples and abnormal traffic data, including but not limited to extracting the environment the threat depends on and removing redundant data segments.
3. The system of claim 1, wherein the analysis cluster comprises: the system comprises a receiving module, an automatic static analysis module, an automatic dynamic analysis module and an information and strategy issuing module; the receiving module is used for receiving suspicious samples and abnormal flow data uploaded by a user side; the automatic static analysis module is used for carrying out automatic static analysis on the suspicious sample and the abnormal flow data: calibrating the sample according to initial vector-level threat information issued by a manufacturer side and vector-level threat information generated in the previous time, and extracting the vector-level threat information; the automatic dynamic analysis module is used for carrying out automatic dynamic analysis on the suspicious sample and the abnormal flow data: deploying a corresponding sandbox system according to the suspicious samples uploaded by the user side network endpoint, operating the suspicious samples and files for dynamic analysis, and extracting vector-level threat information; and the intelligence and strategy issuing module is used for issuing and deploying vector-level threat intelligence and strategies generated by the analysis cluster to the endpoint detection module and the flow detection module.
4. A vector-level threat information automatic production and distribution method is characterized by comprising the following steps:
S1: a security manufacturer issues initial vector-level threat intelligence and a corresponding defense strategy to the user side according to the user's system environment, and deploys the initial vector-level threat intelligence to the analysis cluster of the user side;
S2: the analysis cluster continuously issues the initial vector-level threat intelligence issued by the security manufacturer, together with the corresponding defense strategy, to the user-side network endpoints and traffic detection equipment;
S3: the endpoint detection module captures suspicious samples at user-side network endpoints and uploads them to the analysis cluster, and the traffic detection module captures abnormal traffic data of the user-side network and uploads it to the analysis cluster;
S4: the analysis cluster receives and automatically analyzes the uploaded suspicious samples and abnormal traffic data of the user-side network endpoints, generating corresponding vector-level threat intelligence and a corresponding defense strategy;
S5: the analysis cluster issues the vector-level threat intelligence generated by the previous automatic analysis and the corresponding defense strategy to the endpoint detection module and the traffic detection module again, and handles the detected network threat;
S6: S3 to S5 are repeated cyclically, performing deep learning, continuously enriching the vector-level threat intelligence and defense strategies at the user side, and thereby producing a vector-level threat intelligence and defense strategy issuing system tailored to the user's system environment.
5. The method of claim 4, wherein the step in which the endpoint detection module captures suspicious samples of user-side network endpoints and uploads them to the analysis cluster, and the traffic detection module captures abnormal traffic data of the user-side network and uploads it to the analysis cluster, further comprises preprocessing the captured suspicious samples and abnormal traffic data, including but not limited to extracting the environment the threat depends on and removing redundant data segments.
6. The method of claim 4, wherein the step in which the analysis cluster receives and automatically analyzes the uploaded suspicious samples and abnormal traffic data of the user-side network endpoints comprises: carrying out automatic static analysis on the suspicious samples and abnormal traffic data, that is, calibrating the samples against the initial vector-level threat intelligence issued by the manufacturer side and the vector-level threat intelligence generated previously, and extracting vector-level threat intelligence; and carrying out automatic dynamic analysis on the suspicious samples and abnormal traffic data, that is, deploying a corresponding sandbox system according to the suspicious samples uploaded from the user-side network endpoints, running the suspicious samples and files for dynamic analysis, and extracting vector-level threat intelligence.
7. The method of claim 6, wherein calibrating the samples comprises: the analysis cluster carries out automatic static analysis on the suspicious samples and abnormal traffic data of the user-side network endpoints; fuzzy hashes, domain names, IP addresses or numerical statistical features in the suspicious samples and abnormal traffic data are extracted as vector-level threat intelligence; the behavioral characteristics, threat degree, associated organization and specific tools used are calibrated according to the contents of the vector-level threat intelligence to build an attacker profile; and the attacker profile is refined through continued automatic static analysis.
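The S3 to S5 loop of claim 4 and the static-analysis calibration of claim 7, as an added Python sketch that is not the patent's implementation: the indicator regexes, the profile tuples, the constructed samples and the use of a plain SHA-256 prefix in place of a fuzzy hash are all assumptions made here.

```python
import hashlib
import re

# Constructed stand-in for the vendor-issued initial vector-level intelligence
# (claim 4, S1): indicator -> (associated organization, tool, threat degree).
INITIAL_INTEL = {
    "c2.example-bad.test": ("Org-A", "Tool-X", "high"),
}
UNATTRIBUTED = ("unattributed", "unknown", "unknown")

# Hypothetical extractors for two of the indicator types named in claim 7.
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_indicators(sample: bytes) -> set[str]:
    """Automatic static analysis: domains, IPs and a content hash of a sample."""
    text = sample.decode("latin-1").lower()
    found = set(DOMAIN_RE.findall(text)) | set(IP_RE.findall(text))
    # A plain SHA-256 prefix stands in for the fuzzy hash of claim 7.
    found.add("sha256:" + hashlib.sha256(sample).hexdigest()[:16])
    return found


def calibrate(indicators: set[str], intel: dict) -> dict:
    """Label new indicators with the profile of a known indicator they co-occur
    with (claim 7: calibrate against vendor and previously generated intel)."""
    known = [intel[i] for i in indicators if i in intel]
    profile = known[0] if known else UNATTRIBUTED
    return {i: profile for i in indicators if i not in intel}


def run_cycle(samples: list[bytes], intel: dict) -> tuple[dict, list[bool]]:
    """One pass over uploaded samples: detect with the current intelligence (S3),
    analyse and calibrate (S4), then reissue the enriched intelligence (S5)."""
    intel = dict(intel)  # the cluster's working copy; the vendor copy is untouched
    hits = []
    for sample in samples:
        indicators = extract_indicators(sample)
        hits.append(any(i in intel for i in indicators))  # detection result
        intel.update(calibrate(indicators, intel))         # S4 + S5
    return intel, hits


# Constructed suspicious samples: a beacon to the known C2 that also reveals a
# relay IP, and a later sample that contains only that relay IP.
SAMPLE_BEACON = b"GET /beacon HTTP/1.1\r\nHost: c2.example-bad.test\r\nX-Relay: 203.0.113.9\r\n"
SAMPLE_RELAY = b"connect 203.0.113.9:443 then sleep 300\n"

if __name__ == "__main__":
    intel, hits = run_cycle([SAMPLE_BEACON, SAMPLE_RELAY], INITIAL_INTEL)
    print(hits, intel["203.0.113.9"])
```

Run against the initial intelligence alone, the relay-only sample is a miss; after the beacon sample has been analysed and its relay IP inherited the Org-A profile, the same sample is detected.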

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910896724.1A CN110661795A (en) 2019-09-20 2019-09-20 Vector-level threat information automatic production and distribution system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910896724.1A CN110661795A (en) 2019-09-20 2019-09-20 Vector-level threat information automatic production and distribution system and method

Publications (1)

Publication Number Publication Date
CN110661795A true CN110661795A (en) 2020-01-07

Family

ID=69038326

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910896724.1A Pending CN110661795A (en) 2019-09-20 2019-09-20 Vector-level threat information automatic production and distribution system and method

Country Status (1)

Country Link
CN (1) CN110661795A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111835788A (en) * 2020-07-24 2020-10-27 奇安信科技集团股份有限公司 Information data distribution method and device
CN111935074A (en) * 2020-06-22 2020-11-13 国网电力科学研究院有限公司 Integrated network security detection method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107493256A (en) * 2016-06-13 2017-12-19 深圳市深信服电子科技有限公司 Security incident defence method and device
CN108040075A (en) * 2018-01-31 2018-05-15 海南上德科技有限公司 A kind of APT attack detection systems
CN108347430A (en) * 2018-01-05 2018-07-31 国网山东省电力公司济宁供电公司 Network invasion monitoring based on deep learning and vulnerability scanning method and device
US20190014084A1 (en) * 2016-02-26 2019-01-10 Microsoft Technology Licensing, Llc Hybrid hardware-software distributed threat analysis
CN109672671A (en) * 2018-12-12 2019-04-23 北京华清信安科技有限公司 Security gateway and security protection system based on intelligent behavior analysis
CN110135153A (en) * 2018-11-01 2019-08-16 哈尔滨安天科技股份有限公司 The credible detection method and device of software


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Xiao Xinguang et al.: "Attackers' prediction, bypassing and interference of security systems, and security protection responses", Industry-Academia Frontline *
Xiao Xinguang et al.: "Thoughts on confidentiality work under advanced persistent network threat scenarios", Secrecy Science and Technology *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111935074A (en) * 2020-06-22 2020-11-13 国网电力科学研究院有限公司 Integrated network security detection method and device
CN111935074B (en) * 2020-06-22 2023-09-05 国网电力科学研究院有限公司 Integrated network security detection method and device
CN111835788A (en) * 2020-07-24 2020-10-27 奇安信科技集团股份有限公司 Information data distribution method and device
CN111835788B (en) * 2020-07-24 2022-08-02 奇安信科技集团股份有限公司 Information data distribution method and device

Similar Documents

Publication Publication Date Title
CN112769796B (en) Cloud network side collaborative defense method and system based on end side edge computing
CN112651006B (en) Power grid security situation sensing system
CN108768943B (en) Method and device for detecting abnormal account and server
CN107154950B (en) Method and system for detecting log stream abnormity
CN108881265B (en) Network attack detection method and system based on artificial intelligence
CN111711599A (en) Safety situation perception system based on multivariate mass data fusion association analysis
Jalili et al. Detection of distributed denial of service attacks using statistical pre-processor and unsupervised neural networks
CN112685682B (en) Method, device, equipment and medium for identifying forbidden object of attack event
WO2012107557A1 (en) Method and system for improving security threats detection in communication networks
CN113162953B (en) Network threat message detection and source tracing evidence obtaining method and device
JP2016152594A (en) Network attack monitoring device, network attack monitoring method, and program
Hodo et al. Anomaly detection for simulated iec-60870-5-104 trafiic
CN107360145A (en) A kind of multinode honey pot system and its data analysing method
KR101692982B1 (en) Automatic access control system of detecting threat using log analysis and automatic feature learning
JP5739034B1 (en) Attack detection system, attack detection device, attack detection method, and attack detection program
CN103457909A (en) Botnet detection method and device
CN110855649A (en) Method and device for detecting abnormal process in server
CN101635658A (en) Method and system for detecting abnormality of network secret stealing behavior
Bhatia Ensemble-based model for DDoS attack detection and flash event separation
CN112560029A (en) Website content monitoring and automatic response protection method based on intelligent analysis technology
CN107463839A (en) A kind of system and method for managing application program
CN110661795A (en) Vector-level threat information automatic production and distribution system and method
WO2021018440A1 (en) METHODS FOR DETECTING A CYBERATTACK ON AN ELECTRONIC DEVICE, METHOD FOR OBTAINING A SUPERVISED RANDOM FOREST MODEL FOR DETECTING A DDoS ATTACK OR A BRUTE FORCE ATTACK, AND ELECTRONIC DEVICE CONFIGURED TO DETECT A CYBERATTACK ON ITSELF
CN115134250A (en) Network attack source tracing evidence obtaining method
CN111182002A (en) Zombie network detection device based on HTTP (hyper text transport protocol) first question-answer packet clustering analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (Application publication date: 20200107)