CN111800439A - Application method and system of threat information in bank - Google Patents
- Publication number: CN111800439A (application number CN202010933025.2A)
- Authority: CN (China)
- Prior art keywords
- threat
- data
- attack
- information
- hit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides an application method and system for threat intelligence in a bank. The method comprises the following steps: acquiring threat intelligence data; when the time period begins, comparing the alarm logs collected from multiple links of the access data stream with the threat intelligence data one by one to obtain a comparison result; establishing an assignment calculation intermediate table for each link, and weighting the threat intelligence data in the assignment calculation intermediate table according to the comparison result to obtain a weighted value for each link; establishing a threat intelligence evaluation table, and establishing an index between the threat intelligence evaluation table and the assignment calculation intermediate table of each link; when the time period is over, calculating the weighted values of each link in the threat intelligence evaluation table to obtain a reputation value; and judging the reliability of the threat intelligence data according to the reputation value. The invention compares threat intelligence with the alarm information of the bank's existing security products, verifies the reliability of the threat intelligence and improves its practical value in deployment.
Description
Technical Field
The invention relates to the field of information security, in particular to an application method and an application system of threat intelligence in a bank.
Background
With the continuous development of information security technology, threat intelligence has emerged as a new concept that attracts more and more information security practitioners. According to Gartner's definition, threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable recommendations, about an existing or emerging threat or hazard to an asset; it can be used to inform the asset owner's response to, or decisions about, that threat or hazard, and aims to provide comprehensive, accurate, relevant and actionable knowledge to the entity whose assets are exposed.
As knowledge in the form of data, threat intelligence cannot bring value by existing on its own; only in combination with traditional security protection measures can the security of the whole enterprise be guaranteed in an all-round way. At present there are various ways of putting threat intelligence to use on the market, such as combining it with an enterprise's existing security architecture and products, or applying it to incident response inside the enterprise. However, in the process of deploying and using threat intelligence, the intelligence is received passively, and there is no mechanism for evaluating the reliability of the threat intelligence provided by a security vendor, nor an application method for threat intelligence that targets a specific scenario.
Disclosure of Invention
In view of the above problems, the invention provides an application method and system for threat intelligence in a bank, which supplements the policies of firewall protection equipment with threat intelligence of high reliability and high reputation value, and improves the practical value of threat intelligence in deployment.
In order to solve the technical problems, the invention adopts the following technical scheme. A method for applying threat intelligence in a bank comprises the following steps: step 1, obtaining threat intelligence data; step 2, when the time period starts, comparing the alarm logs collected from multiple links of the access data stream with the threat intelligence data one by one to obtain a comparison result; step 3, establishing an assignment calculation intermediate table for each link, and weighting the threat intelligence data in the assignment calculation intermediate table according to the comparison result to obtain a weighted value for each link; step 4, establishing a threat intelligence evaluation table, and establishing indexes between the threat intelligence evaluation table and the assignment calculation intermediate table of each link; step 5, when the time period is over, calculating the weighted values of each link in the threat intelligence evaluation table to obtain a reputation value; and step 6, judging the reliability of the threat intelligence data according to the reputation value.
Preferably, the multiple links of the access data stream include the Internet DMZ, the core production area and the application server side, and step 2 specifically includes:
performing a first comparison at the Internet DMZ: if the source IP information in an alarm log of the Internet DMZ hits the attack source IP information in the threat intelligence data, FirstA weighting is applied to the hit threat intelligence data; otherwise no operation is performed;
performing a second comparison in the core production area: if both the source IP and the attack characteristic information in an alarm log of the core production area hit the attack source IP and attack characteristic information in the threat intelligence data, SecondA weighting is applied to the hit threat intelligence data; if only the source IP information in the alarm log hits the attack source IP information in the threat intelligence data, SecondB weighting is applied; if only the attack characteristic information in the alarm log hits the attack characteristic information in the threat intelligence data, SecondC weighting is applied; if neither the source IP nor the attack characteristic information in the alarm log hits the threat intelligence data, no operation is performed;
performing a third comparison at the application server side: if both the source IP and the attack characteristic information in an alarm log of the application server side hit the attack source IP and attack characteristic information in the threat intelligence data, ThirdA weighting is applied to the hit threat intelligence data; if only the source IP information in the alarm log hits the attack source IP information in the threat intelligence data, ThirdB weighting is applied; if only the attack characteristic information in the alarm log hits the attack characteristic information in the threat intelligence data, ThirdC weighting is applied; and if neither the source IP nor the attack characteristic information in the alarm log hits the threat intelligence data, no operation is performed.
As a preferred scheme, step 2 further comprises a special attack type comparison: if an alarm log at the application server side contains a special attack type, and both the source IP and the attack characteristic information of that special attack type hit the attack source IP and attack characteristic information in the threat intelligence data, the alarm log is compared with the firewall blocking log;
and if the special attack type alarm log matches the firewall blocking log, FourthA weighting is applied to the hit threat intelligence data; otherwise no operation is performed.
Preferably, if the threat intelligence data is hit multiple times on the same link within one time period, the maximum value is taken as the weighted value in the assignment calculation intermediate table.
Preferably, the calculation formula of the reputation value in step 3 is as follows:
reputation value = initial value ± K × (weighted item dimension index 1 × weighted item weight 1 + weighted item dimension index 2 × weighted item weight 2 + … + weighted item dimension index N × weighted item weight N) / 100;
weighted value = weighted item dimension index × weighted item weight;
where the initial value is typically 60, K is the asset weight, and for systems rated L1 to L5 under a standardized rating the K values are [10, 20, …, 50] respectively.
As a preferred scheme, for protected assets of different levels, the interval levels of the reputation value are also dynamically adjusted according to the different asset level K values so as to match different reputation values, and the interval levels of the reputation value are divided as follows:
if the reputation value lies in [60 × (log K)^2, 80 × (log K)^2), the threat intelligence data is judged to be of lower reliability;
if the reputation value lies in [80 × (log K)^2, 100 × (log K)^2), the threat intelligence data is judged to be of general reliability;
and if the reputation value lies in [100 × (log K)^2, 120 × (log K)^2), the threat intelligence data is judged to be of higher reliability.
As a preferred scheme, the threat intelligence data whose reputation value indicates higher reliability is placed in a rule optimization directory and synchronized to the egress firewall of the Internet DMZ domain to block the source IP.
The invention also provides an application system for threat intelligence in a bank, which comprises: an acquisition module for acquiring threat intelligence data; a comparison module for comparing, at the beginning of a time period, the alarm logs collected from multiple links of the access data stream with the threat intelligence data one by one to obtain a comparison result; a weighting module for establishing an assignment calculation intermediate table for each link and weighting the threat intelligence data in the assignment calculation intermediate table according to the comparison result to obtain a weighted value for each link; an index module for establishing a threat intelligence evaluation table and establishing an index between the threat intelligence evaluation table and the assignment calculation intermediate table of each link; an operation module for calculating, when the time period is over, the weighted values of each link in the threat intelligence evaluation table to obtain a reputation value; and a judging module for judging the reliability of the threat intelligence data according to the reputation value.
Preferably, the multiple links of the access data stream include the Internet DMZ, the core production area and the application server side, and the comparison module comprises a primary comparison module, a secondary comparison module and a tertiary comparison module;
the primary comparison module is used for performing the first comparison at the Internet DMZ: if the source IP information in an alarm log of the Internet DMZ hits the attack source IP information in the threat intelligence data, FirstA weighting is applied to the hit threat intelligence data; otherwise no operation is performed;
the secondary comparison module is used for performing the second comparison in the core production area: if both the source IP and the attack characteristic information in an alarm log of the core production area hit the attack source IP and attack characteristic information in the threat intelligence data, SecondA weighting is applied to the hit threat intelligence data; if only the source IP information in the alarm log hits the attack source IP information in the threat intelligence data, SecondB weighting is applied; if only the attack characteristic information in the alarm log hits the attack characteristic information in the threat intelligence data, SecondC weighting is applied; if neither the source IP nor the attack characteristic information in the alarm log hits the threat intelligence data, no operation is performed;
the tertiary comparison module is used for performing the third comparison at the application server side: if both the source IP and the attack characteristic information in an alarm log of the application server side hit the attack source IP and attack characteristic information in the threat intelligence data, ThirdA weighting is applied to the hit threat intelligence data;
if only the source IP information in the alarm log of the application server side hits the attack source IP information in the threat intelligence data, ThirdB weighting is applied; if only the attack characteristic information in the alarm log hits the attack characteristic information in the threat intelligence data, ThirdC weighting is applied; and if neither the source IP nor the attack characteristic information in the alarm log hits the threat intelligence data, no operation is performed.
As a preferred scheme, the system further comprises a special comparison module for comparing special attack types: if an alarm log at the application server side contains a special attack type, and both the source IP and the attack characteristic information of that special attack type hit the attack source IP and attack characteristic information in the threat intelligence data, the alarm log is compared with the firewall blocking log; and if the special attack type alarm log matches the firewall blocking log, FourthA weighting is applied to the hit threat intelligence data; otherwise no operation is performed.
Compared with the prior art, the invention has the following beneficial effects: using the bank's existing security architecture and security products, threat intelligence is compared with the alarm information of security protection equipment such as the WAF and IPS in the Internet DMZ area to verify its reliability; a reputation value for the threat intelligence is derived by combining different dimensions, weights, validity and other factors, a dynamically adjusted interval for the reputation value is given, the threat intelligence data shared within the industry is optimized through reputation value feedback, the policies of protective equipment such as firewalls and WAFs are supplemented with threat intelligence of high reputation value, and the practical value of threat intelligence in deployment is improved.
Drawings
The disclosure of the present invention is illustrated with reference to the accompanying drawings. It is to be understood that the drawings are designed solely for the purposes of illustration and not as a definition of the limits of the invention. In the drawings, like reference numerals are used to refer to like parts. Wherein:
FIG. 1 is a flow chart of a method for applying threat intelligence in a bank according to an embodiment of the present invention;
FIG. 2 is a flow chart of another form of the method for applying threat intelligence in a bank according to the embodiment of the present invention;
FIG. 3 is a schematic block diagram of an application system of threat intelligence in a bank according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a comparison module according to an embodiment of the present invention.
Detailed Description
It is easily understood that according to the technical solution of the present invention, a person skilled in the art can propose various alternative structures and implementation ways without changing the spirit of the present invention. Therefore, the following detailed description and the accompanying drawings are merely illustrative of the technical aspects of the present invention, and should not be construed as all of the present invention or as limitations or limitations on the technical aspects of the present invention.
First, the terms appearing in the present invention are explained:
DMZ: abbreviation of the English "demilitarized zone", called the "isolation zone" in Chinese; a buffer zone between the non-secure system and the secure system, set up to solve the problem that users on the external network cannot access the internal network server after a firewall is installed.
WAF: abbreviation of the English "Web Application Firewall", called the web application protection system in Chinese; a product that specifically provides protection for web applications by enforcing a series of security policies against HTTP/HTTPS.
IPS: abbreviation of the English "Intrusion Prevention System", with the same name in Chinese; a computer network security facility that supplements antivirus software and firewalls.
IDS: abbreviation of the English "Intrusion Detection System", with the same name in Chinese; a network security device that monitors network transmissions in real time and raises an alarm or takes active countermeasures when suspicious transmissions are found.
RASP: abbreviation of the English "Runtime Application Self-Protection"; a new application security protection technology in which a protection program is injected into the application like a vaccine and integrated with it, intercepting all calls from the application to the system so that attacks can be detected and blocked in real time, giving the application self-protection capability and allowing it to defend itself automatically when under actual attack.
SFTP: abbreviation of the English "SSH File Transfer Protocol", called the secure file transfer protocol in Chinese; a network transport protocol that connects data streams and provides file access, transfer and management functions.
csv format: the comma-separated values file format.
APT: abbreviation of the English "Advanced Persistent Threat", with the same name in Chinese; refers to a stealthy and persistent computer intrusion process, usually carefully planned by a group of people and aimed at a specific target.
Webshell: a code execution environment that exists in the form of web page files such as asp, php, jsp or cgi; it can also be called a web page backdoor.
An embodiment according to the present invention is shown in connection with fig. 1. A method for applying threat intelligence in a bank comprises the following steps:
S110: threat intelligence data is obtained.
S120: and when the time period starts, comparing the alarm logs collected from multiple links of the access data stream with threat information data one by one to obtain a comparison result.
S130: and establishing an assignment calculation intermediate table for each link, and weighting threat information data in the assignment calculation intermediate table according to the comparison result to obtain the weighted value of each link.
S140: and establishing a threat intelligence evaluation table, and establishing an index between the threat intelligence evaluation table and the assignment calculation intermediate table of each link.
S150: and when the time period is over, calculating the weighted value of each link in the threat information evaluation table to obtain the credit value.
S160: and judging the reliability of the threat intelligence data according to the credit value.
Referring to fig. 2, the banking production environment is used as a reference object to describe in detail the application method of threat intelligence in the bank provided by the present invention.
At present, banks introduce threat intelligence data from third-party security vendors to a greater or lesser extent. First, for the reception of threat intelligence data, third-party security vendors are required to push files to the bank's internal threat intelligence data center at fixed points every day via SFTP, and the files are in csv format for convenient subsequent use.
The internal threat intelligence data center serves as the threat intelligence data source of the bank's internal security operation platform and sends the threat intelligence data to it. The internal security operation platform collects the alarm logs of the security protection equipment on the multiple links of the access data stream and compares those alarm logs with the threat intelligence data one by one. In the embodiment of the present invention, the multiple links of the access data stream include the Internet DMZ, the core production area and the application server side. Specifically, the method comprises the following steps:
(1) First comparison of threat intelligence (Internet DMZ):
In the first comparison of threat intelligence, the alarm logs of security protection equipment deployed in the Internet DMZ area, such as IPS intrusion prevention equipment and WAF web application firewalls, collected by the internal security operation platform are compared with the threat intelligence data by attack source IP.
I. If the source IP information in the alarm log of the security protection equipment hits the attack source IP information in the threat intelligence data, the threat intelligence data is shown to be preliminarily valid, although the possibility of a false alarm by rule-base-driven security protection equipment is not ruled out; the reputation value of the hit threat intelligence data is therefore initialized and FirstA weighting is applied.
II. If the source IP information in the alarm log of the security protection equipment does not hit the attack source IP information in the threat intelligence data, this does not necessarily indicate a problem: security protection equipment raises real-time protection alarms, so the relevant attack log may simply not have been detected yet, or the threat intelligence data may be inaccurate; in this case no operation is performed on the threat intelligence data.
(2) Second comparison of threat intelligence data (core production area):
Following the access data flow of the Internet application, when the access traffic reaches the application servers and database servers in the core production area, corresponding intranet security monitoring means such as IDS intrusion detection equipment and full-traffic analysis and detection equipment are needed. In the second comparison of threat intelligence, the alarm logs of this bypass (traffic-mirroring) intranet security monitoring equipment, collected by the internal security operation platform, are compared with the threat intelligence data by attack source IP and attack characteristic.
I. If both the source IP and the attack characteristic information in the alarm log of the intranet security monitoring equipment hit the attack source IP and attack characteristic information in the threat intelligence data, the validity of the threat intelligence data is further confirmed; at the same time it is possible that the rule base of the security protection equipment is incomplete and the attacker has bypassed it, and a false alarm by the intranet security monitoring equipment is not ruled out. SecondA weighting is applied to the hit threat intelligence data.
II. If the source IP in the alarm log of the intranet security monitoring equipment hits the attack source IP information in the threat intelligence data but the attack characteristic information does not, this shows that the IP provided in the threat intelligence is likely attacking the bank in a targeted way and may have changed its attack method, bypassing the security protection equipment while triggering the intranet security monitoring equipment; a false alarm by the intranet security monitoring equipment is not ruled out. SecondB weighting is applied to the hit threat intelligence data.
III. If the attack characteristic information in the alarm log of the intranet security monitoring equipment hits the attack characteristic information in the threat intelligence data but the attack source IP information does not, this shows that the attacker may have changed IP address; the attacker may be an attack IP not covered by the threat intelligence or an APT attacker. SecondC weighting is applied to the hit threat intelligence data.
IV. If the alarm log information of the intranet security monitoring equipment hits neither the attack source IP nor the attack characteristic information in the threat intelligence data, this cannot be taken to show that the threat intelligence data is inaccurate or that the security monitoring rules are incomplete, because of the randomness of real-time data and the limits of fixed rules; no relatively accurate judgement can be given at present, and no operation is performed on the threat intelligence data.
(3) Third comparison of threat intelligence data (application server side)
With application-side detection means such as HIDS host intrusion detection and RASP application self-protection deployed on the bank's application servers, the final destination of the data stream is also where the final comparison of threat intelligence takes place, and at this stage the accuracy of the attack method can be confirmed relatively precisely.
I. If both the source IP and the attack characteristic information in the alarm log monitored at the application server side hit the attack source IP and attack characteristic information in the threat intelligence data, the attack is considered with relative certainty to have penetrated to the application server and the threat intelligence is relatively accurate. ThirdA weighting is applied to the hit threat intelligence data.
II. If the source IP in the monitoring alarm log of the application server side hits the attack source IP information in the threat intelligence data but the attack characteristic information does not, this shows that the source IP is a long-term APT attack IP, and the IPs in the threat intelligence data may carry out multiple attacks over time. ThirdB weighting is applied to the hit threat intelligence data.
III. If the attack characteristic information in the monitoring alarm log of the application server side hits the attack characteristic information in the threat intelligence data but the attack source IP information does not, this shows that the attacker has multiple attack means, some of which bypass the security protection equipment. ThirdC weighting is applied to the hit threat intelligence data.
IV. If the monitoring alarm log information of the application server side hits neither the attack source IP nor the attack characteristic information in the threat intelligence data, no operation is performed on the threat intelligence data.
(4) Special attack type comparison
In particular, special attack types (such as Trojan implant attacks) are judged separately: if the alarm log monitored on the application server side contains attack types such as webshell upload, Trojan files or backdoor access, then after the three comparisons of the threat intelligence data a further comparison against the network exit firewall log of the Internet DMZ is added, to confirm the reliability of the high-risk attack.
I. If the alarm log monitored on the application server side contains a special attack type, and both the source IP and the attack characteristic information in that special attack type log hit the attack source IP and the attack characteristic information in the threat intelligence data, the firewall blocking log is compared next. Because the banking industry already has relatively complete port control on the Internet exit firewall, the intranet exit blocking log for non-service ports (ports other than 80/443) is compared, which indirectly shows that the outbound access behaviour of special attack types such as Trojan files and backdoor access is being blocked by the firewall. If the special attack type alarm log monitored on the application server side, the threat intelligence data and the Internet DMZ exit firewall blocking log all match, FourthA weighting is carried out on the hit threat intelligence data.
II. If the special attack type alarm log on the application server side, the threat intelligence data and the Internet DMZ exit firewall blocking log do not all match, no operation is carried out on the threat intelligence data.
For the weighting adjustment of the reputation value assigned to threat intelligence data by real-time log comparison, only valid data whose reputation value lies in a certain interval is of interest; the value is adjusted continuously and dynamically, so the threat intelligence data carrying the adjusted reputation value is also quasi-real-time, and the follow-up is embodied in the dynamic adjustment of the security protection rule optimization.
At this point we summarize all the assigned items of the reputation value of the threat intelligence data, as shown in the table below.
During the first comparison the reputation value of the threat intelligence data is initialized to 60, that is, the security threat intelligence data provided by a third-party security vendor defaults to the initialization level; in the series of judgment comparisons performed by the application servers and database servers as the access traffic reaches the core production area, the weighting indexes are as follows:
the reputation value is calculated by the formula:
reputation value = initial valuation ± K × (weight term dimension index 1 × weight term weight 1 + weight term dimension index 2 × weight term weight 2 + … + weight term dimension index N × weight term weight N) / 100;
where the initial assignment is typically 60, the value of K is the asset weight, and the K values are [10, 20 … 50], respectively, for a system rating of L1-L5.
Taking K = 10 (an L1 level system) as an example, the reputation values are calculated as follows:
Weighted terms | Reputation value | Weighted terms | Reputation value |
---|---|---|---|
FirstA | 69.48 | FirstA + SecondA + ThirdA | 107.52 |
SecondA | 74.7 | FirstA + SecondA + ThirdB | 100.8 |
SecondB | 70.92 | FirstA + SecondA + ThirdC | 96 |
SecondC | 68.04 | FirstA + SecondB + ThirdA | 103.74 |
FirstA + SecondA | 84.18 | FirstA + SecondB + ThirdB | 97.02 |
FirstA + SecondB | 80.4 | FirstA + SecondB + ThirdC | 92.22 |
FirstA + SecondC | 77.52 | FirstA + SecondC + ThirdA | 100.86 |
ThirdA | 83.34 | FirstA + SecondC + ThirdB | 94.14 |
ThirdB | 76.62 | FirstA + SecondC + ThirdC | 89.34 |
ThirdC | 71.82 | FourthA + ThirdA | 91.74 |
SecondA + ThirdA | 98.04 | FirstA + SecondA + ThirdA + FourthA | 115.92 |
SecondA + ThirdB | 91.32 | FirstA + SecondB + ThirdA + FourthA | 112.32 |
SecondA + ThirdC | 86.52 | FirstA + SecondC + ThirdA + FourthA | 109.26 |
SecondB + ThirdA | 94.26 | SecondA + ThirdA + FourthA | 106.44 |
SecondB + ThirdB | 87.54 | SecondB + ThirdA + FourthA | 102.66 |
SecondB + ThirdC | 82.74 | SecondC + ThirdA + FourthA | 99.78 |
SecondC + ThirdA | 91.38 | | |
SecondC + ThirdB | 84.66 | | |
SecondC + ThirdC | 79.86 | | |
The FourthA special attack type comparison is a sub-classification of the ThirdA comparison of the monitoring alarm logs on the application server side, so the ThirdA + FourthA judgment process must be used together (bound).
For example, with K = 10 (an L1 level system), the interval grades of the reputation value are as follows:
reputation value ∈ [60, 80): the judgment result is that the detection and protection reliability of the threat intelligence data for the L1 level system in the bank environment is lower;
reputation value ∈ [80, 100): the judgment result is that the detection and protection reliability of the threat intelligence data for the L1 level system in the bank environment is general;
reputation value ∈ [100, 120): the judgment result is that the detection and protection reliability of the threat intelligence data for the L1 level system in the bank environment is higher.
For protected assets of grade L (L1-L5), the interval grades of the reputation value are adjusted dynamically according to the asset-grade K value so as to match the different reputation values; the interval grades of the reputation value are divided as follows:
reputation value ∈ [60 × (log K)^2, 80 × (log K)^2): the judgment result is that the detection and protection reliability of the threat intelligence data for the Lx level system in the bank environment is lower;
reputation value ∈ [80 × (log K)^2, 100 × (log K)^2): the judgment result is that the detection and protection reliability of the threat intelligence data for the Lx level system in the bank environment is general;
reputation value ∈ [100 × (log K)^2, 120 × (log K)^2): the judgment result is that the detection and protection reliability of the threat intelligence data for the Lx level system in the bank environment is higher.
The reputation value carried by the threat intelligence data is continuously and dynamically adjusted by the comparison processes at the different layers on the link.
Within one round of the time period, the starting point of a traffic initiation period is the start of a natural period, that is, the time node at which the threat intelligence data evaluation starts. Each sub-link in the period is a different comparison process, each comparison process is carried out relatively independently, and after a comparison finishes the reputation value assignment of the threat intelligence data is adjusted. The reputation value assignment of each link is recorded in an assignment calculation intermediate table established for that link; the calculation and assignment process is completed in that intermediate table, and no related operation is carried out on the original threat intelligence data stored in the warehouse.
Furthermore, to cover the case in which threat intelligence data is not hit at some link stage, the time period is used as the end mark; each time period lasts 1 minute, and when a time period ends each link is indexed through the threat intelligence evaluation table to its assignment calculation intermediate table for the reputation value calculation. Threat intelligence data whose reputation value judgment result is higher reliability is put into the rule optimization directory and synchronized to the exit firewall of the Internet DMZ for source IP blocking.
The threat intelligence data warehousing table is designed as follows:
Serial number | HASH value | IP | Domain name | Attack mode | Address location | …… | Unique index |
---|---|---|---|---|---|---|---|
1 | X | X | X | X | X | X | XXXX |
2 | X | X | X | X | X | X | XXXX |
The stage assignment intermediate table is designed as follows:
Serial number | HASH value | IP | Domain name | Attack mode | Address location | … | Unique index | Time stamp | Weighted terms |
---|---|---|---|---|---|---|---|---|---|
1 | X | X | X | X | X | X | XXXX | X | SecondB |
2 | X | X | X | X | X | X | XXXX | X | SecondA |
The threat intelligence evaluation table is designed as follows:
Serial number | HASH value | IP | Domain name | Attack mode | Address location | … | Unique index | Value of K | Weighted terms |
---|---|---|---|---|---|---|---|---|---|
1 | X | X | X | X | X | X | XXXX | 20 | SecondB + ThirdA |
2 | X | X | X | X | X | X | XXXX | 30 | FirstA + SecondB + ThirdA |
In each round of the time period, each sub-link alarm log is processed only once in the comparison process, that is, hits on the same entries of a sub-link alarm log are assigned and calculated only once within one time period.
In each round of the time period, if a piece of threat intelligence data is hit several times in the same link but in different hit modes (for example, the same threat intelligence data is hit at the 10th and at the 30th second of the second-stage assignment calculation, SecondA at the 10th second and SecondB at the 30th second), repeated assignment adjustment occurs within the period; the repeated assignment of the reputation value is only ever adjusted one way, towards the larger value, so that only a single assignment result for that threat intelligence data exists in the stage assignment calculation intermediate table.
Different asset grades give different K values and therefore different calculation dimensions; the different K values are recorded in the threat intelligence evaluation table for the subsequent reputation value calculation, and the calculation with each K value is mapped to its own evaluation interval for evaluation.
After each time period ends, the data in the threat intelligence evaluation table is not cleared, so as to meet the calculation requirement; the original table is overwritten after the next time period ends. This avoids pre-emption between assignment operations on the same threat intelligence data during repeated operation across different links, avoids the erroneous-write problem when several pieces of threat intelligence data are hit in the same link, and at the same time dampens the problem of repeated hits on the same data caused by continuous scanning attacks.
Optimization of the security protection rules is also a periodic action. During the dynamic adjustment of the reputation value of the threat intelligence data, the data in the threat intelligence evaluation table is also refreshed periodically, which inevitably shifts the interval in which a reputation value lies; the security protection rules must then be adjusted dynamically according to the interval of evaluation results with higher reliability, and if threat intelligence data that had higher reliability in the previous cycle shifts to the general-reliability level after the new cycle of adjustment, the corresponding rule is removed from the firewall blocking rule address pool.
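The following Python script, added here as an illustration and not part of the patent's own implementation, carries one 1-minute period through the procedure described above: the per-link assignment intermediate tables with the one-way maximum rule for repeated hits, the indexing into the evaluation table (keeping FourthA only alongside ThirdA), the reputation formula with asset weight K, and the (log K)^2-scaled interval grades. The per-term scores are back-derived from the K = 10 table and base-10 logarithms are assumed, since that choice reproduces the unscaled [60, 80)/[80, 100)/[100, 120) grades at K = 10; the hit events are constructed sample data.

```python
"""Period-based reputation scoring of threat intelligence entries (added example)."""
import math
from collections import defaultdict

INITIAL_VALUE = 60.0  # default reputation of third-party intelligence
K_BY_LEVEL = {"L1": 10, "L2": 20, "L3": 30, "L4": 40, "L5": 50}  # asset weight K

# Per-term score = sum of (dimension index x weight) for that term. The patent does
# not list the indices and weights, so these are back-derived from its K = 10 table
# via increment = K * score / 100 (assumption, not taken from the page).
TERM_SCORE = {
    "FirstA": 94.8,
    "SecondA": 147.0, "SecondB": 109.2, "SecondC": 80.4,
    "ThirdA": 233.4, "ThirdB": 166.2, "ThirdC": 118.2,
    "FourthA": 84.0,
}
LINK_OF_TERM = {"FirstA": 1, "SecondA": 2, "SecondB": 2, "SecondC": 2,
                "ThirdA": 3, "ThirdB": 3, "ThirdC": 3, "FourthA": 4}


def stage_tables(hits):
    """Build the assignment calculation intermediate table of every link for one
    period from (intel_id, weighted_term) hit events.

    A repeated hit of the same entry in the same link is resolved one way only,
    towards the larger value, so each link holds a single result per entry.
    """
    tables = defaultdict(dict)  # link number -> {intel_id: weighted term}
    for intel_id, term in hits:
        link = LINK_OF_TERM[term]
        current = tables[link].get(intel_id)
        if current is None or TERM_SCORE[term] > TERM_SCORE[current]:
            tables[link][intel_id] = term
    return tables


def evaluation_table(tables):
    """Index the stage tables into the evaluation table: intel_id -> terms in link
    order. FourthA is a sub-classification of ThirdA and is kept only when ThirdA
    was also hit in the same period; entries left without any term are dropped."""
    terms = defaultdict(set)
    for link in tables:
        for intel_id, term in tables[link].items():
            terms[intel_id].add(term)
    result = {}
    for intel_id, ts in terms.items():
        if "FourthA" in ts and "ThirdA" not in ts:
            ts.discard("FourthA")
        if ts:
            result[intel_id] = sorted(ts, key=LINK_OF_TERM.__getitem__)
    return result


def reputation(terms, k):
    """reputation = initial valuation + K * sum(index_i * weight_i) / 100."""
    return round(INITIAL_VALUE + k * sum(TERM_SCORE[t] for t in terms) / 100, 2)


def reliability(value, k):
    """Interval grade; the bounds of the K = 10 grades scale by (log10 K)^2."""
    scale = math.log10(k) ** 2
    if value < 80 * scale:
        return "lower"
    if value < 100 * scale:
        return "general"
    return "higher"


def evaluate_period(hits, level):
    """Run one period end to end: intel_id -> (terms, reputation, grade)."""
    k = K_BY_LEVEL[level]
    out = {}
    for intel_id, terms in evaluation_table(stage_tables(hits)).items():
        value = reputation(terms, k)
        out[intel_id] = (terms, value, reliability(value, k))
    return out


def blocking_candidates(results):
    """Entries graded 'higher' go to the rule optimization directory and on to
    the Internet DMZ exit firewall for source IP blocking."""
    return sorted(i for i, (_, _, grade) in results.items() if grade == "higher")


# Constructed sample hits for one 1-minute period (not taken from the page).
SAMPLE_HITS = [
    ("intel-1", "FirstA"),
    ("intel-1", "SecondB"), ("intel-1", "SecondA"),  # second-link repeat: SecondA wins
    ("intel-1", "ThirdA"), ("intel-1", "FourthA"),
    ("intel-2", "SecondC"), ("intel-2", "ThirdB"),
    ("intel-3", "FourthA"),                           # FourthA without ThirdA: dropped
]

if __name__ == "__main__":
    results = evaluate_period(SAMPLE_HITS, "L1")
    for intel_id, (terms, value, grade) in results.items():
        print(intel_id, " + ".join(terms), value, grade)
    print("block:", blocking_candidates(results))
```

With these scores the additive form reproduces every entry of the K = 10 table above except FirstA + SecondB + ThirdA + FourthA, for which it yields 112.14.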
As shown in fig. 3, the present invention also discloses an application system of threat intelligence in a bank, which includes:
an obtaining module 110, configured to obtain threat intelligence data;
a comparison module 120, configured to compare the alarm logs collected from multiple links of the access data stream with threat information data one by one at the beginning of the time period, and obtain a comparison result;
the weighting module 130 is configured to establish an assignment calculation intermediate table for each link, and weight the threat intelligence data in the assignment calculation intermediate table according to the comparison result to obtain a weighted value of each link;
the index module 140 is used for establishing a threat intelligence evaluation table and establishing an index between the threat intelligence evaluation table and the assignment calculation intermediate table of each link;
the operation module 150 is used for calculating the weighted value of each link in the threat information evaluation table to obtain a credit value when the time period is over;
and the judging module 160 is used for judging the reliability of the threat intelligence data according to the level of the reputation value.
Further, the access data stream includes the Internet DMZ, the core production area and the application server side. As shown in fig. 4, the comparison module 120 includes a primary comparison module 1201, a secondary comparison module 1202 and a tertiary comparison module 1203.
The primary comparison module 1201 is used for performing the primary comparison in the Internet DMZ, and if source IP information in an alarm log of the Internet DMZ hits attack source IP information in the threat intelligence data, FirstA weighting is performed on the hit threat intelligence data; otherwise no operation is performed.
The secondary comparison module 1202 is configured to perform the secondary comparison in the core production area, and if both the source IP and the attack characteristic information in the alarm log of the core production area hit the attack source IP and the attack characteristic information in the threat intelligence data, SecondA weighting is performed on the hit threat intelligence data. If only the source IP information in the alarm log of the core production area hits the attack source IP information in the threat intelligence data, SecondB weighting is performed on the hit threat intelligence data. If only the attack characteristic information in the alarm log of the core production area hits the attack characteristic information in the threat intelligence data, SecondC weighting is performed on the hit threat intelligence data. If neither the source IP nor the attack characteristic information in the alarm log of the core production area hits the attack source IP and the attack characteristic information in the threat intelligence data, no operation is performed.
The tertiary comparison module 1203 is configured to perform the third comparison on the application server side, and if both the source IP and the attack characteristic information in the alarm log on the application server side hit the attack source IP and the attack characteristic information in the threat intelligence data, ThirdA weighting is performed on the hit threat intelligence data. If only the source IP information in the alarm log of the application server side hits the attack source IP information in the threat intelligence data, ThirdB weighting is performed on the hit threat intelligence data. If only the attack characteristic information in the alarm log of the application server side hits the attack characteristic information in the threat intelligence data, ThirdC weighting is performed on the hit threat intelligence data. If neither the source IP nor the attack characteristic information in the alarm log of the application server side hits the attack source IP and the attack characteristic information in the threat intelligence data, no operation is performed.
In the embodiment of the present invention, the comparison module 120 further includes a special comparison module 1204, which is configured to compare special attack types: if the alarm log on the application server side includes a special attack type, and both the source IP and the attack characteristic information of the special attack type hit the attack source IP and the attack characteristic information in the threat intelligence data, the firewall blocking log is also compared. If the special attack type alarm log matches the firewall blocking log, FourthA weighting is performed on the hit threat intelligence data; otherwise no operation is performed.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
It should be understood that the integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention essentially or partially contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The technical scope of the present invention is not limited to the above description, and those skilled in the art can make various changes and modifications to the above-described embodiments without departing from the technical spirit of the present invention, and such changes and modifications should fall within the protective scope of the present invention.
Claims (10)
1. A method for applying threat intelligence in a bank is characterized by comprising the following steps:
step 1, threat information data is obtained;
step 2, when the time period starts, comparing the alarm logs collected from multiple links of the access data stream with the threat information data one by one to obtain a comparison result;
step 3, establishing an assignment calculation intermediate table for each link, and weighting the threat intelligence data in the assignment calculation intermediate table according to a comparison result to obtain a weighted value of each link;
step 4, establishing a threat intelligence evaluation table, and establishing indexes between the threat intelligence evaluation table and an assignment calculation intermediate table of each link;
step 5, when the time period is over, calculating the weighted value of each link in the threat information evaluation table to obtain a credit value;
and 6, judging the reliability of the threat intelligence data according to the reputation value.
2. The method for applying threat intelligence in a bank according to claim 1, wherein the multiple links of the access data stream comprise the Internet DMZ, the core production area and the application server side, and step 2 specifically includes:
performing the primary comparison in the Internet DMZ, and if source IP information in an alarm log of the Internet DMZ hits attack source IP information in the threat intelligence data, carrying out FirstA weighting on the hit threat intelligence data, otherwise carrying out no operation;
performing secondary comparison in the core production area, and performing SecondA weighting on hit threat information data if both the source IP and the attack characteristic information in the alarm log of the core production area can hit the attack source IP and the attack characteristic information in the threat information data;
if only the source IP information in the alarm log of the core production area hits the attack source IP information in the threat information data, SecondB weighting is carried out on the hit threat information data;
if only attack characteristic information in the threat information data is hit in the alarm log of the core production area, performing SecondC weighting on the hit threat information data;
if the source IP and the attack characteristic information in the alarm log of the core production area can not hit the attack source IP and the attack characteristic information in the threat intelligence data, the operation is not carried out;
performing the third comparison on the application server side, and if both the source IP and the attack characteristic information in the alarm log on the application server side hit the attack source IP and the attack characteristic information in the threat intelligence data, carrying out ThirdA weighting on the hit threat intelligence data;
if only the source IP information in the alarm log of the application server side hits attack source IP information in the threat intelligence data, carrying out ThirdB weighting on the hit threat intelligence data;
if only the attack characteristic information in the alarm log of the application server side hits the attack characteristic information in the threat intelligence data, carrying out ThirdC weighting on the hit threat intelligence data;
and if the source IP and the attack characteristic information in the alarm log of the application server side can not hit the attack source IP and the attack characteristic information in the threat intelligence data, the operation is not carried out.
3. The method for applying threat intelligence in a bank according to claim 2, wherein step 2 further comprises a special attack type comparison: if the alarm log on the application server side contains a special attack type, and both the source IP and the attack characteristic information of the special attack type hit the attack source IP and the attack characteristic information in the threat intelligence data, the firewall blocking log is further compared;
and if the special attack type alarm log matches the firewall blocking log, carrying out FourthA weighting on the hit threat intelligence data, and otherwise carrying out no operation.
4. The method of applying threat intelligence of claim 2, wherein the weighting values in the assignment calculation intermediate table are selected to be the maximum values if the threat intelligence data is hit multiple times in the same link during a round of time period.
5. The method for applying threat intelligence in banks according to claim 1, wherein the calculation formula of the reputation value in step 3 is:
reputation value = initial valuation ± K × (weight term dimension index 1 × weight term weight 1 + weight term dimension index 2 × weight term weight 2 + … + weight term dimension index N × weight term weight N) / 100;
weighted value = weight term dimension index × weight term weight;
where the initial valuation is typically 60, the value of K is the asset weight, and the K values are [10, 20 … 50] respectively for systems rated L1-L5 under the standardized rating.
6. The method of claim 5, wherein for protected assets of different levels, the interval level of reputation value is dynamically adjusted according to the difference of K value of asset level to match different reputation value, and the division of reputation value interval level is as follows:
reputation value ∈ [60 × (log K)^2, 80 × (log K)^2): the judgment result is that the reliability of the threat intelligence data is lower;
reputation value ∈ [80 × (log K)^2, 100 × (log K)^2): the judgment result is that the reliability of the threat intelligence data is general;
and reputation value ∈ [100 × (log K)^2, 120 × (log K)^2): the judgment result is that the reliability of the threat intelligence data is higher.
7. The method of claim 6, wherein the threat intelligence data with the reputation value of high reliability is put into a rule optimization directory and synchronized to an internet DMZ domain exit firewall to block the source IP.
8. A system for applying threat intelligence to a bank, comprising:
the acquisition module is used for acquiring threat information data;
the comparison module is used for comparing the alarm logs collected from multiple links of the access data stream with the threat information data one by one at the beginning of a time period to obtain a comparison result;
the weighting module is used for establishing an assignment calculation intermediate table for each link and weighting the threat intelligence data in the assignment calculation intermediate table according to a comparison result so as to obtain a weighted value of each link;
the index module is used for establishing a threat intelligence evaluation table and establishing an index between the threat intelligence evaluation table and the assignment calculation intermediate table of each link;
the operation module is used for operating the weighted value of each link in the threat information evaluation table to obtain a credit value when the time period is over;
and the judging module is used for judging the reliability of the threat intelligence data according to the credit value.
9. The system for applying threat intelligence to a bank according to claim 8, wherein the multiple access data flow links comprise: the system comprises an Internet DMZ, a core production area and an application server side, wherein the comparison module comprises a primary comparison module, a secondary comparison module and a tertiary comparison module;
the primary comparison module is used for carrying out the primary comparison in the Internet DMZ, and if source IP information in an alarm log of the Internet DMZ hits attack source IP information in the threat intelligence data, FirstA weighting is carried out on the hit threat intelligence data, otherwise no operation is carried out;
the secondary comparison module is used for carrying out secondary comparison in the core production area, and if the source IP and the attack characteristic information in the alarm log of the core production area can both hit the attack source IP and the attack characteristic information in the threat information data, SecondA weighting is carried out on the hit threat information data;
if only the source IP information in the alarm log of the core production area hits the attack source IP information in the threat information data, SecondB weighting is carried out on the hit threat information data;
if only attack characteristic information in the threat information data is hit in the alarm log of the core production area, performing SecondC weighting on the hit threat information data;
if the source IP and the attack characteristic information in the alarm log of the core production area can not hit the attack source IP and the attack characteristic information in the threat intelligence data, the operation is not carried out;
the third comparison module is used for carrying out third comparison on the side of the application server, and if both the source IP and the attack characteristic information in the alarm log of the side of the application server can hit the attack source IP and the attack characteristic information in the threat information data, the hit threat information data is subjected to ThirdA weighting;
if only the source IP information in the alarm log of the application server side hits attack source IP information in the threat intelligence data, carrying out ThirdB weighting on the hit threat intelligence data;
if only the attack characteristic information in the alarm log of the application server side hits the attack characteristic information in the threat intelligence data, ThirdC weighting is carried out on the hit threat intelligence data;
and if the source IP and the attack characteristic information in the alarm log of the application server side can not hit the attack source IP and the attack characteristic information in the threat intelligence data, the operation is not carried out.
10. The system for applying threat intelligence in a bank according to claim 8, further comprising a special comparison module for comparing special attack types: if the alarm log on the application server side contains a special attack type, and both the source IP and the attack characteristic information of the special attack type hit the attack source IP and the attack characteristic information in the threat intelligence data, the firewall blocking log is further compared;
and if the special attack type alarm log matches the firewall blocking log, FourthA weighting is carried out on the hit threat intelligence data, and otherwise no operation is carried out.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010933025.2A CN111800439B (en) | 2020-09-08 | 2020-09-08 | Application method and system of threat information in bank |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111800439A true CN111800439A (en) | 2020-10-20 |
CN111800439B CN111800439B (en) | 2020-12-22 |
Family
ID=72834283
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010933025.2A Active CN111800439B (en) | 2020-09-08 | 2020-09-08 | Application method and system of threat information in bank |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111800439B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106777222A (en) * | 2016-12-26 | 2017-05-31 | 中国电子科技集团公司第三十研究所 (30th Research Institute of CETC) | Security device threat intelligence sharing method based on a lightweight domain ontology |
CN108462717A (en) * | 2018-03-21 | 2018-08-28 | 北京理工大学 (Beijing Institute of Technology) | Firewall rule set ordering optimization method based on rule match hit rate and distribution variance |
CN108600212A (en) * | 2018-04-19 | 2018-09-28 | 北京邮电大学 (Beijing University of Posts and Telecommunications) | Threat intelligence credibility discrimination method and device based on multi-dimensional credibility features |
CN109672674A (en) * | 2018-12-19 | 2019-04-23 | 中国科学院信息工程研究所 (Institute of Information Engineering, Chinese Academy of Sciences) | Cyber threat intelligence confidence level identification method |
CN109688091A (en) * | 2018-04-25 | 2019-04-26 | 北京微步在线科技有限公司 (Beijing ThreatBook Online Technology Co., Ltd.) | Quality evaluation method and device for multi-source threat intelligence |
US10333898B1 (en) * | 2018-07-09 | 2019-06-25 | Centripetal Networks, Inc. | Methods and systems for efficient network protection |
US20190379681A1 (en) * | 2018-06-06 | 2019-12-12 | Reliaquest Holdings, Llc | Threat mitigation system and method |
CN111160749A (en) * | 2019-12-23 | 2020-05-15 | 北京神州绿盟信息安全科技股份有限公司 (NSFOCUS) | Method and device for evaluating intelligence quality and fusing intelligence |
CN111212049A (en) * | 2019-12-27 | 2020-05-29 | 杭州安恒信息技术股份有限公司 (Hangzhou DBAPPSecurity Co., Ltd.) | Method for analyzing reputation of threat intelligence IOC |
- 2020-09-08 CN CN202010933025.2A patent/CN111800439B/en active Active
Non-Patent Citations (2)
Title |
---|
THOMAS SCHABERREITER et al.: "A Quantitative Evaluation of Trust in the Quality of Cyber", ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security, August 2019, Article * |
周劭文 et al.: "Threat intelligence quality evaluation method based on the analytic hierarchy process" (基于层次分析法的威胁情报质量评估方法), Proceedings of the 7th National Conference on Cybersecurity Classified Protection Technology 2018 (2018第七届全国安全等级保护技术大会论文集) * |
Also Published As
Publication number | Publication date |
---|---|
CN111800439B (en) | 2020-12-22 |
Similar Documents
Publication | Title |
---|---|
Wilson | Computer attack and cyber terrorism: Vulnerabilities and policy issues for congress |
Jahankhani et al. | Cybercrime classification and characteristics |
US9154516B1 (en) | Detecting risky network communications based on evaluation using normal and abnormal behavior profiles |
US20070113281A1 (en) | Method used in the control of a physical system affected by threats |
CA3037943A1 (en) | Connected security system |
US20070180525A1 (en) | Security system and method |
McMullan et al. | Cyberextortion at online gambling sites: criminal organization and legal challenges |
Kaur et al. | Cybersecurity threats in Fintech |
Veprytska et al. | AI powered attacks against AI powered protection: Classification, scenarios and risk analysis |
CN109450866B (en) | Database collision early warning method based on big data analysis |
CN117294524A (en) | Endophytic security defense method and system for network information system |
CN111800439B (en) | Application method and system of threat information in bank |
Ahmad et al. | An empirical analysis of cybercrime trends and its impact on moral decadence among secondary school level students in Nigeria |
Awoyemi et al. | Globalization and cybercrimes: A review of forms and effects of cybercrime in Nigeria |
Mezzour et al. | Global variation in attack encounters and hosting |
Onuchowska et al. | Disruption and deception in crowdsourcing: Towards a crowdsourcing risk framework |
Süzen | EXAMINING THE SOCIAL ENGINEERING ATTACK VECTOR IN THE LINE OF DATA BREACH |
Jegede | Modern information technology, global risk, and the challenges of crime in the era of late modernity |
Cavusoglu | The economics of information technology security |
Farion et al. | Cybercrimes, cyber law and computer programs for security |
Georgiades et al. | Crisis on impact: Responding to cyber attacks on critical information infrastructures |
Bhalla | Is the mouse click mighty enough to bring society to its knees? |
Ezeji | Disruptive technology on the cyberspace: the contestation |
Литвиненко et al. | COUNTERING CYBERCRIME IN UKRAINE |
Mbelli et al. | Cybersecurity, a threat to cyber banking in South Africa |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CP03 | Change of name, title or address | Address after: No.4 building, Hexi Financial City, Jianye District, Nanjing City, Jiangsu Province, 210000; Patentee after: Jiangsu Sushang Bank Co.,Ltd.; Country or region after: China. Address before: No.4 building, Hexi Financial City, Jianye District, Nanjing City, Jiangsu Province, 210000; Patentee before: JIANGSU SUNING BANK Co.,Ltd.; Country or region before: China |