CN112019519B - Method and device for detecting threat degree of network security information and electronic device


Info

Publication number: CN112019519B
Authority: CN (China)
Application number: CN202010782330.6A
Other languages: Chinese (zh)
Other versions: CN112019519A
Legal status: Active
Prior art keywords: information, network security, confidence, security information, threat
Inventors: 温延龙, 范渊
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/302 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information gathering intelligence information for situation awareness or reconnaissance
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection


Abstract

The application relates to a method and a device for detecting the threat degree of network security intelligence, an electronic device and a storage medium. The method for detecting the threat degree of network security intelligence comprises the following steps: acquiring network security intelligence data from a plurality of data sources; extracting the characteristics of a plurality of pieces of network security intelligence from the network security intelligence data, and integrating the characteristics of a first piece of network security intelligence among them to obtain the characteristic information of the first network security intelligence; processing the characteristic information of the first network security intelligence through a network security intelligence confidence evaluation model to obtain a first confidence of the first network security intelligence; and judging whether the first network security intelligence is threat intelligence at least according to the first confidence. The problem of low detection accuracy of the threat degree of network security intelligence in the related art is solved, and the technical effect of improving that detection accuracy is achieved.

Description

Method and device for detecting threat degree of network security information and electronic device
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method and an apparatus for detecting threat level of network security information, an electronic apparatus, and a storage medium.
Background
With the continuous emergence of novel threats and network attacks, mainly APT, malicious mining and ransomware, the number of threats keeps rising and network threats evolve rapidly and maliciously; at the same time, the means and channels of network attacks are diversifying, which places higher demands on the analysis and processing capacity of network security personnel. Enterprises and organizations therefore need sufficient, efficient and accurate security threat intelligence as support when defending against external attacks, so that they can better discover and deal with novel threats.
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging threat or hazard to an asset; it can be used to inform the parties responsible for that asset when they respond to the threat or hazard or make handling decisions. In practice, the vast majority of threat intelligence is threat intelligence in the narrow sense, whose main content is objects used to identify and detect threats, including but not limited to IP addresses, domain names, URLs, program execution paths, registry keys and file hash values, together with the attribution tags of these objects, such as threat type, attributes and threat level.
Threat intelligence can help users understand their online information assets and security posture, and carry out vulnerability remediation and risk management according to the importance and impact scope of those assets. It can also help users understand the threat environment of the industry they are in: which attackers exist, the tactics and techniques those attackers use, and so on.
With the development and application of threat intelligence, quickly building one's own threat intelligence database has become very important, especially for network security enterprises. At present a large amount of open source network security intelligence exists on the network, but it is difficult to judge accurately whether such network security intelligence is threat intelligence, so how to detect the threat degree of network security intelligence by combining multi-source intelligence is an important question.
Threat degree detection of network security intelligence in the related art usually relies on manual judgment of the threat degree of a huge amount of open source network security intelligence. Since network security intelligence can be obtained from many data sources, manually judging the threat degree of multi-source network security intelligence consumes a large amount of manpower, and the detection accuracy of the threat degree of network security intelligence is also low.
At present, no effective solution has been proposed for the problem of low detection accuracy of the threat degree of network security intelligence in the related art.
Disclosure of Invention
The embodiments of the present application provide a method and a device for detecting the threat degree of network security intelligence, an electronic device and a storage medium, so as to at least solve the problem of low detection accuracy of the threat degree of network security intelligence in the related art.
In a first aspect, an embodiment of the present application provides a method for detecting the threat degree of network security intelligence, including: acquiring network security intelligence data from a plurality of data sources; extracting the characteristics of a plurality of pieces of network security intelligence from the network security intelligence data, and integrating the characteristics of a first piece of network security intelligence among them to obtain the characteristic information of the first network security intelligence; processing the characteristic information of the first network security intelligence through a network security intelligence confidence evaluation model to obtain a first confidence of the first network security intelligence, wherein the network security intelligence confidence evaluation model is a machine learning model trained to evaluate, from the characteristic information of a piece of network security intelligence, the confidence that it is threat intelligence; judging whether the first network security intelligence is threat intelligence at least according to the first confidence; and storing the first network security intelligence in a threat intelligence database when the first network security intelligence is threat intelligence.
In some embodiments, processing the characteristic information of the first network security intelligence through the network security intelligence confidence evaluation model to obtain a first confidence corresponding to that characteristic information comprises: obtaining auxiliary information of the first network security intelligence from the plurality of data sources respectively, wherein the auxiliary information includes at least one of: the IP location, the sub-domain names associated with the domain name, the filing (record) information of the domain name, and the domain names associated with the IP; matching the auxiliary information against a preset white list library; and, when the auxiliary information is not matched in the preset white list library, processing the characteristic information of the first network security intelligence through the network security intelligence confidence evaluation model to obtain the first confidence corresponding to that characteristic information.
In some of these embodiments, the method further comprises: when the auxiliary information is matched in the preset white list library, marking the first network security intelligence as safe intelligence (that is, not threat intelligence).
In some embodiments, determining whether the first cyber-security intelligence is threat intelligence based at least on the first confidence level comprises: obtaining a second confidence level, the second confidence level comprising at least one of: a third confidence level determined by a malicious file in the characteristic information of the first network security intelligence, a fourth confidence level determined by whether the first network security intelligence can be matched in a preset intelligence library, and a fifth confidence level determined by the discovery time in the characteristic information of the first network security intelligence; and judging whether the first network security intelligence is threat intelligence or not according to the first confidence coefficient and the second confidence coefficient.
In some of these embodiments, obtaining the second confidence level comprises at least one of: running a malicious file from the characteristic information of the first network security intelligence in a preset sandbox, and determining a third confidence of the first network security intelligence according to whether the malicious file exhibits malicious communication behavior; matching the first network security intelligence against a preset intelligence library, and determining a fourth confidence of the first network security intelligence according to the matching result; and determining a fifth confidence of the first network security intelligence according to the discovery time in its characteristic information and whether the first network security intelligence has expired (is no longer valid intelligence).
In some embodiments, determining whether the first cyber-security intelligence is threat intelligence according to the first confidence level and the second confidence level includes: determining a weighted sum of the first confidence coefficient and the second confidence coefficient to obtain a sixth confidence coefficient of the first network security intelligence; and under the condition that the sixth confidence coefficient of the first network security information is higher than a preset value, determining the first network security information as threat information.
In some of these embodiments, after obtaining network security intelligence data from a plurality of data sources, the method further comprises: and standardizing the network security information data to obtain standardized network security information data.
In a second aspect, an embodiment of the present application provides an apparatus for detecting the threat degree of network security intelligence, including: an acquisition module for acquiring network security intelligence data from a plurality of data sources; an integration module for extracting the characteristics of a plurality of pieces of network security intelligence from the network security intelligence data and integrating the characteristics of a first piece of network security intelligence among them to obtain the characteristic information of the first network security intelligence; an evaluation module for processing the characteristic information of the first network security intelligence through a network security intelligence confidence evaluation model to obtain a first confidence of the first network security intelligence, wherein the network security intelligence confidence evaluation model is a machine learning model trained to evaluate, from the characteristic information of a piece of network security intelligence, the confidence that it is threat intelligence; a judging module for judging whether the first network security intelligence is threat intelligence at least according to the first confidence; and a storage module for storing the first network security intelligence in a threat intelligence database when the first network security intelligence is threat intelligence.
In a third aspect, an embodiment of the present application provides an electronic apparatus, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor executes the computer program to implement the method for detecting network security threat as described in the first aspect.
In a fourth aspect, an embodiment of the present application provides a storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for detecting cyber-security-information threat as described in the first aspect.
Compared with the related art, the method, the device, the electronic device and the storage medium for detecting the threat degree of the network security information provided by the embodiment of the application solve the problem of low detection accuracy rate of the threat degree of the network security information in the related art, and realize the technical effect of improving the detection accuracy rate of the threat degree of the network security information.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flow chart of a method for detecting threat of network security information according to an embodiment of the present application;
FIG. 2 is a flow chart of a method for detecting cyber-security intelligence threat level according to a preferred embodiment of the present application;
FIG. 3 is a block diagram of an apparatus for detecting threat level of network security information according to an embodiment of the present application;
FIG. 4 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. The use of the terms "a" and "an" and "the" and similar referents in the context of describing the invention (including a single reference) are to be construed in a non-limiting sense as indicating either the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means greater than or equal to two. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
Fig. 1 is a flowchart of a method for detecting a threat degree of network security information according to an embodiment of the present application, and as shown in fig. 1, the flowchart includes the following steps:
step S101, network security intelligence data is obtained from a plurality of data sources.
In this embodiment, the network security intelligence data includes, but is not limited to, at least one of: open source intelligence data, enterprise internal intelligence data and intelligence partner data. The open source intelligence data comprises open source network security intelligence data collected from the network; the enterprise internal intelligence data comprises honeypot data and other network security intelligence data generated inside the enterprise by security products and the like, and its quality is higher than that of open source intelligence data; the intelligence partner data comprises network security intelligence data shared cooperatively by intelligence vendors and enterprises.
After the data sources for acquiring network security intelligence data have been determined, the network security intelligence data can be collected by a web crawler. Network security intelligence data that can only be obtained from a single data source needs to be collected in more detail, for example by determining the intelligence labels (botnet, C2 communication and the like) of the network security intelligence data, its discovery time, the malicious files related to it, and the related intelligence articles.
In some of these embodiments, after obtaining network security intelligence data from a plurality of data sources, the method further comprises: standardizing the network security intelligence data to obtain standardized network security intelligence data.
In this embodiment, the network security intelligence data may be standardized; through standardization the network security intelligence data is converted into intelligence data with a uniform format, and the standardized network security intelligence data may be stored in an initial intelligence library for subsequent management and processing, wherein the initial intelligence library may be a Hive data warehouse or an Elasticsearch index.
Step S102, extracting the characteristics of a plurality of network security information from the network security information data, and integrating the characteristics of the first network security information in the plurality of network security information to obtain the characteristic information of the first network security information.
In this embodiment, the characteristic information of the network security intelligence includes, but is not limited to, at least one of the following: the intelligence labels (botnet, C2 communication, etc.) of the network security intelligence data, its discovery time, the malicious files associated with it, and the related intelligence articles associated with it.
The characteristic information of the first network security intelligence may be integrated from network security intelligence data obtained from a plurality of data sources. For example, for a piece of network security intelligence relating to injection, the enterprise internally labels it as a botnet while an intelligence provider labels it as C2 communication; the intelligence labels from the two data sources then need to be integrated for that piece of network security intelligence. The malicious files, related intelligence articles and discovery time associated with the network security intelligence data may be integrated in the same way.
In some embodiments, processing the characteristic information of the first network security intelligence through the network security intelligence confidence evaluation model to obtain a first confidence corresponding to that characteristic information includes: obtaining auxiliary information of the first network security intelligence from a plurality of data sources respectively, wherein the auxiliary information comprises at least one of the following: the IP location, the sub-domain names associated with the domain name, the record (filing) information of the domain name, and the domain names associated with the IP; matching the auxiliary information against a preset white list library; and, when the auxiliary information is not matched in the preset white list library, processing the characteristic information of the first network security intelligence through the network security intelligence confidence evaluation model to obtain the first confidence corresponding to that characteristic information.
In this embodiment, the auxiliary information of the first network security intelligence may be obtained from the plurality of data sources by a web crawler.
In some of these embodiments, the method further comprises: when the auxiliary information is matched in the preset white list library, marking the first network security intelligence as safe intelligence.
In this embodiment, the white list data in the preset white list library may be compiled on the basis of Alexa ranking, Sogou webpage rating, the number of pages indexed by Sogou, by Baidu and by Bing, website homepage integrity, whether the domain name has a mainstream suffix, the geographic location of the IP the domain name resolves to, A records and CNAME records, and the WHOIS data of the domain name.
The white list data can be scored by a weighting algorithm, and the domain names that pass are put into the preset white list library. In general, a malicious domain name is unlikely to be a website domain name with very high traffic, its home page is unlikely to be elaborately designed, and its webpage integrity is low. In addition, whether the IP the domain name resolves to is located abroad and whether the WHOIS information of the domain name is complete can also be used to decide whether the domain name is stored in the preset white list library.
When IP data is matched against the preset white list library, the geographic location of the IP, the domain names associated with the IP, and whether the IP is a private (dedicated) IP must first be obtained. A private IP here is an IP owned exclusively by a company, enterprise, government body or school; such an IP is not easily used by others, so private IPs are basically treated as white list data in the preset white list library.
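As an added example (not code from the patent or from DBAPPSecurity), the following Python sketches the weighted white list scoring and the auxiliary-information match just described. The signal weights, the 0.6 admission threshold, the scales assumed for the Sogou rating and homepage integrity, the list of mainstream suffixes, the direction in which the resolved-IP location counts, and the sample domain profiles are all constructed assumptions; the patent leaves those values open.

```python
"""White list scoring and auxiliary-information matching (added example)."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Two-label suffixes come first so that "example.com.cn" is not cut down to "com.cn" (assumed list).
MAINSTREAM_SUFFIXES = ("com.cn", "net.cn", "org.cn", "gov.cn", "edu.cn", "com", "net", "org", "cn")
# Weights of the white list signals (assumption); they sum to 1.0.
WEIGHTS = {"alexa": 0.25, "rating": 0.10, "indexed": 0.20, "integrity": 0.15,
           "suffix": 0.10, "geo": 0.05, "whois": 0.10, "dns": 0.05}
WHITELIST_THRESHOLD = 0.6  # assumption: minimum score for admission to the white list

@dataclass
class DomainProfile:
    """The signals the patent lists for compiling the white list (constructed values)."""
    domain: str
    alexa_rank: Optional[int]       # None = unranked
    sogou_rating: int               # assumed 0..10 scale
    sogou_indexed: int              # pages indexed by Sogou
    baidu_indexed: int              # pages indexed by Baidu
    bing_indexed: int               # pages indexed by Bing
    homepage_integrity: float       # assumed 0.0..1.0
    resolves_abroad: bool           # geographic location of the resolved IP
    whois_complete: bool
    has_a_record: bool
    has_cname: bool

def has_mainstream_suffix(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host.endswith("." + s) for s in MAINSTREAM_SUFFIXES)

def registrable_domain(host: str) -> str:
    """Reduce a host name to its registrable domain, e.g. mail.example.com.cn -> example.com.cn."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in MAINSTREAM_SUFFIXES:
        n = suffix.count(".") + 1
        if len(labels) > n and ".".join(labels[-n:]) == suffix:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def alexa_signal(rank: Optional[int]) -> float:
    """Bucket the Alexa rank; unranked domains get nothing."""
    if rank is None:
        return 0.0
    return 1.0 if rank <= 1_000 else 0.7 if rank <= 100_000 else 0.3 if rank <= 1_000_000 else 0.0

def whitelist_score(p: DomainProfile) -> float:
    """Weighted sum of normalized signals: a high-traffic, well-indexed domain with an
    intact home page and complete WHOIS scores high, a throwaway domain scores low."""
    indexed = p.sogou_indexed + p.baidu_indexed + p.bing_indexed
    signals = {
        "alexa": alexa_signal(p.alexa_rank),
        "rating": max(0, min(p.sogou_rating, 10)) / 10.0,
        "indexed": min(1.0, math.log10(1 + indexed) / 6.0),   # about 1e6 indexed pages saturates
        "integrity": max(0.0, min(p.homepage_integrity, 1.0)),
        "suffix": 1.0 if has_mainstream_suffix(p.domain) else 0.0,
        "geo": 0.0 if p.resolves_abroad else 1.0,     # assumption: domestic resolution counts positive
        "whois": 1.0 if p.whois_complete else 0.0,
        "dns": (int(p.has_a_record) + int(p.has_cname)) / 2.0,
    }
    return sum(WEIGHTS[k] * v for k, v in signals.items())

def build_whitelist(profiles: List[DomainProfile]) -> Dict[str, float]:
    """Score every profile and keep those at or above the threshold (domain -> score)."""
    whitelist: Dict[str, float] = {}
    for p in profiles:
        score = whitelist_score(p)
        if score >= WHITELIST_THRESHOLD:
            whitelist[p.domain.lower()] = score
    return whitelist

@dataclass
class AuxiliaryInfo:
    """Auxiliary information gathered for one piece of intelligence (constructed fields)."""
    domain_subdomains: List[str] = field(default_factory=list)  # sub-domains of the domain
    ip_domains: List[str] = field(default_factory=list)         # domain names associated with the IP
    ip_is_private: bool = False   # IP owned exclusively by a company, government body or school

def matches_whitelist(aux: AuxiliaryInfo, whitelist: Dict[str, float]) -> bool:
    """Mark the intelligence as safe when its IP is organization-owned or any associated
    host belongs to a white-listed registrable domain; otherwise the confidence model runs."""
    if aux.ip_is_private:
        return True
    return any(registrable_domain(h) in whitelist for h in aux.domain_subdomains + aux.ip_domains)

# Constructed profiles: a large portal and a throwaway domain.
SAMPLE_PROFILES = [
    DomainProfile("portal-example.com", 500, 9, 2_000_000, 5_000_000, 3_000_000,
                  0.95, False, True, True, True),
    DomainProfile("x7kq2-example.top", None, 0, 0, 0, 0, 0.1, True, False, True, False),
]
```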
Step S103, processing the characteristic information of the first network security information through a network security information confidence evaluation model to obtain a first confidence of the first network security information, wherein the network security information confidence evaluation model is a machine learning model trained to evaluate the confidence of the threat information of the network security information according to the characteristic information of the network security information.
In this embodiment, the network security intelligence confidence evaluation model may be trained with a random forest algorithm. The model processes the characteristic information of the first network security intelligence to determine whether it poses a threat; for example, the first confidence of the first network security intelligence may be set to 0.4 when the model determines that it poses a threat, and to 0 when the model determines that it poses no threat.
Step S104, at least according to the first confidence, judging whether the first network security information is threat information.
In this embodiment, a threshold may be set, for example 0.2: when the first confidence is higher than 0.2, the first network security intelligence is judged to be threat intelligence, and when the first confidence is lower than 0.2, it is judged to be safe intelligence.
In other embodiments the threshold may take other values, such as 0.3 or 0.1.
Step S105, under the condition that the first network security information is threat information, storing the first network security information to a threat information database.
In this embodiment, collecting the network security intelligence data, processing it and detecting its threat degree helps to build the threat intelligence database. Because the first network security intelligence is stored as threat intelligence only when its first confidence is higher than the threshold, the threat intelligence in the threat intelligence database is more accurate.
Threat degree detection of network security intelligence in the related art usually relies on manual judgment of the threat degree of a huge amount of open source network security intelligence. Since network security intelligence can be obtained from many data sources, manually judging the threat degree of multi-source network security intelligence consumes a large amount of manpower, and the detection accuracy of the threat degree of network security intelligence is also low.
Through steps S101 to S105, the application obtains network security intelligence data from a plurality of data sources, extracts and integrates the characteristics of the network security intelligence data, processes the characteristic information of the first network security intelligence through the network security intelligence confidence evaluation model to obtain the first confidence corresponding to the first network security intelligence, and determines whether the first network security intelligence is threat intelligence according to the first confidence, without manually judging the threat degree of a huge amount of open source network security intelligence. This solves the problem of low detection accuracy of the threat degree of network security intelligence in the related art and achieves the technical effect of improving that detection accuracy.
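As an added example (not the patent's or the assignee's code) covering steps S101 to S105 together with the second to sixth confidences of the disclosure, the following Python integrates standardized records from several sources into one set of characteristic information and then fuses the confidences into a store-or-discard decision. The 0.4 model confidence and the 0.2 threshold come from the text; the fusion weights, the 0.5 preset value, the 90-day freshness window, the rule-based stand-in for the trained random forest, the field names and all sample records are assumptions.

```python
"""Multi-source feature integration and confidence fusion (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, Set

MODEL_THREAT_CONFIDENCE = 0.4   # first confidence when the model says "threat" (from the text)
FIRST_THRESHOLD = 0.2           # single-threshold decision of step S104 (from the text)
# Fusion weights, preset value and freshness window are assumptions; the patent leaves them open.
WEIGHTS = {"first": 1.0, "third": 0.3, "fourth": 0.2, "fifth": 0.1}
SIXTH_PRESET = 0.5
FRESHNESS = timedelta(days=90)

@dataclass
class SourceRecord:
    """One standardized record from one data source (steps S101/S202); constructed data."""
    source: str                     # "enterprise", "partner" or "open_source"
    indicator: str                  # IP, domain name, URL or file hash
    labels: Set[str]                # intelligence labels such as "botnet", "c2"
    discovered: datetime
    malicious_files: Set[str] = field(default_factory=set)  # associated file hashes
    articles: Set[str] = field(default_factory=set)         # related intelligence articles
    expired: bool = False           # the source marks this intelligence as no longer valid

@dataclass
class IntelFeatures:
    """Characteristic information of one indicator after integration (step S102)."""
    indicator: str
    labels: Set[str] = field(default_factory=set)
    discovered: datetime = datetime.max
    malicious_files: Set[str] = field(default_factory=set)
    articles: Set[str] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)
    expired: bool = True            # ends up True only if every reporting source says so

def integrate(records: Iterable[SourceRecord]) -> Dict[str, IntelFeatures]:
    """Merge records about the same indicator: union labels, files and articles,
    keep the earliest discovery time, and note which sources reported it."""
    merged: Dict[str, IntelFeatures] = {}
    for r in records:
        f = merged.setdefault(r.indicator, IntelFeatures(indicator=r.indicator))
        f.labels |= {label.lower() for label in r.labels}
        f.discovered = min(f.discovered, r.discovered)
        f.malicious_files |= r.malicious_files
        f.articles |= r.articles
        f.sources.add(r.source)
        f.expired = f.expired and r.expired
    return merged

def rule_model(f: IntelFeatures) -> bool:
    """Stand-in for the trained random forest (not published in the patent):
    flags C2/botnet labels or any associated malicious file."""
    return bool(f.labels & {"c2", "botnet"}) or bool(f.malicious_files)

def first_confidence(f: IntelFeatures,
                     model: Callable[[IntelFeatures], bool] = rule_model) -> float:
    """Step S103: 0.4 when the model judges a threat, 0 otherwise."""
    return MODEL_THREAT_CONFIDENCE if model(f) else 0.0

def is_threat_by_first(first: float) -> bool:
    """Step S104 with the single threshold: above 0.2 means threat intelligence."""
    return first > FIRST_THRESHOLD

def third_confidence(f: IntelFeatures, sandbox: Dict[str, bool]) -> float:
    """1.0 if any associated malicious file showed malicious communication in the sandbox."""
    return 1.0 if any(sandbox.get(h, False) for h in f.malicious_files) else 0.0

def fourth_confidence(f: IntelFeatures, intel_library: Set[str]) -> float:
    """1.0 if the indicator already exists in the preset intelligence library."""
    return 1.0 if f.indicator in intel_library else 0.0

def fifth_confidence(f: IntelFeatures, now: datetime) -> float:
    """1.0 if the intelligence is recent (within FRESHNESS) and has not expired."""
    return 1.0 if not f.expired and now - f.discovered <= FRESHNESS else 0.0

def sixth_confidence(first: float, third: float, fourth: float, fifth: float) -> float:
    """Weighted sum of the first confidence and the second (third to fifth) confidences."""
    return (WEIGHTS["first"] * first + WEIGHTS["third"] * third
            + WEIGHTS["fourth"] * fourth + WEIGHTS["fifth"] * fifth)

def evaluate(records: Iterable[SourceRecord], sandbox: Dict[str, bool], intel_library: Set[str],
             whitelisted: Set[str], now: datetime) -> Dict[str, float]:
    """Run the pipeline; returns the threat database as indicator -> sixth confidence."""
    threat_db: Dict[str, float] = {}
    for ind, f in integrate(records).items():
        if ind in whitelisted:          # matched in the white list: safe intelligence
            continue
        sixth = sixth_confidence(first_confidence(f), third_confidence(f, sandbox),
                                 fourth_confidence(f, intel_library), fifth_confidence(f, now))
        if sixth > SIXTH_PRESET:        # step S105: store only intelligence that passes
            threat_db[ind] = sixth
    return threat_db

# Constructed sample input: the enterprise and a partner label the same domain differently.
NOW = datetime(2020, 8, 6)
SAMPLE_RECORDS = [
    SourceRecord("enterprise", "c2.example.invalid", {"botnet"}, datetime(2020, 7, 20), {"hash-A"}),
    SourceRecord("partner", "c2.example.invalid", {"C2"}, datetime(2020, 7, 25)),
    SourceRecord("open_source", "old.example.invalid", {"phishing"}, datetime(2019, 1, 1), expired=True),
    SourceRecord("open_source", "198.51.100.7", {"scanner"}, datetime(2020, 8, 1)),
]
SAMPLE_SANDBOX = {"hash-A": True}          # the sandbox saw malicious communication
SAMPLE_LIBRARY = {"old.example.invalid"}   # preset intelligence library
```

Running `evaluate(SAMPLE_RECORDS, SAMPLE_SANDBOX, SAMPLE_LIBRARY, set(), NOW)` keeps only the domain that the model flags, the sandbox confirms and that is still fresh; the library-only hit and the lone scanner fall below the preset value.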
The embodiments of the present application are described and illustrated below by means of preferred embodiments.
Fig. 2 is a flow chart of a method for detecting the threat degree of network security intelligence according to a preferred embodiment of the present application. As shown in Fig. 2, in some embodiments, the method includes:
Step S201, network security intelligence data is acquired from a plurality of data sources.
Step S202, the network security intelligence data is standardized to obtain standardized network security intelligence data.
Step S203, auxiliary information of the first network security intelligence is obtained from the plurality of data sources respectively, where the auxiliary information includes at least one of: the IP location, the sub-domain names associated with the domain name, the registration (filing) information of the domain name, and the domain names associated with the IP; and the auxiliary information is matched in a preset white list library.
Step S204, in the case that the auxiliary information is not matched in the preset white list library, the characteristic information of the first network security intelligence is processed through the network security intelligence confidence evaluation model to obtain the first confidence corresponding to the characteristic information of the first network security intelligence; in the case that the auxiliary information is matched in the preset white list library, the first network security intelligence is marked as security (benign) intelligence.
Step S205, the characteristic information of the first network security intelligence is processed by the network security intelligence confidence evaluation model to obtain the first confidence of the first network security intelligence, wherein the network security intelligence confidence evaluation model is a machine learning model trained to evaluate, from the characteristic information of a piece of network security intelligence, the confidence that the intelligence belongs to threat intelligence.
Step S206, a second confidence is acquired, wherein the second confidence comprises at least one of the following: a third confidence determined from a malicious file in the characteristic information of the first network security intelligence, a fourth confidence determined by whether the first network security intelligence can be matched in a preset intelligence library, and a fifth confidence determined from the discovery time in the characteristic information of the first network security intelligence.
In some of these embodiments, acquiring the second confidence includes at least one of: running a malicious file in the characteristic information of the first network security intelligence in a preset sandbox, and determining the third confidence of the first network security intelligence according to whether the malicious file exhibits malicious communication behaviour; matching the first network security intelligence in a preset intelligence library, and determining the fourth confidence of the first network security intelligence according to the matching result; and determining the fifth confidence of the first network security intelligence according to the discovery time in its characteristic information and whether the first network security intelligence is failure (expired) intelligence.
In this embodiment, the confidence of the first network security intelligence can be obtained from four aspects. For example, the first confidence of the first network security intelligence may be set to 0.4 when the network security intelligence confidence evaluation model judges that the first network security intelligence is threatening, and to 0 when the model judges that it is not threatening.
The malicious file in the characteristic information of the first network security intelligence can be run in the simulated environment of the preset sandbox; the third confidence of the first network security intelligence is set to 1.0 when the malicious file is observed to initiate malicious communication behaviour, and to 0 when no malicious communication behaviour is observed.
The first network security intelligence can be matched in a preset intelligence library, where the preset intelligence library can be an intelligence library provided by an open-source intelligence vendor, such as the online virus-scanning website VirusTotal. The fourth confidence of the first network security intelligence is set to 0.4 when the first network security intelligence is found in the preset intelligence library, and to 0 when it is not found there.
It is also possible to judge whether the first network security intelligence is failure (expired) intelligence according to the discovery time in its characteristic information. For example, when the time elapsed since the discovery time in the characteristic information of the first network security intelligence exceeds the preset time, and the first confidence, the third confidence and the fourth confidence of the first network security intelligence are all 0, the first network security intelligence is marked as failure intelligence and its fifth confidence is set to 0.2; when the first network security intelligence is valid intelligence, its fifth confidence is set to 0.4.
Step S207, whether the first network security intelligence is threat intelligence is judged according to the first confidence and the second confidence.
In some embodiments, judging whether the first network security intelligence is threat intelligence according to the first confidence and the second confidence includes: determining a weighted sum of the first confidence and the second confidence to obtain a sixth confidence of the first network security intelligence; and, in the case that the sixth confidence of the first network security intelligence is higher than a preset value, determining that the first network security intelligence is threat intelligence.
In this embodiment, the second confidence may be the sum of the third confidence, the fourth confidence and the fifth confidence. In the example above, where the first confidence is 0.4, the third confidence is 1.0, the fourth confidence is 0.4 and the fifth confidence is 0.4, the second confidence is equal to 2.2. A weighted sum of the first confidence and the second confidence is then determined to obtain the sixth confidence of the first network security intelligence, for example sixth confidence = 0.4 + 2.2 × 50% = 1.5; the preset value may be 1, and since the sixth confidence 1.5 is greater than 1, the first network security intelligence is judged to be threat intelligence.
In other embodiments, the preset value may also take other values, such as 2 or 3, and the weight may be changed accordingly, for example: when the sixth confidence = 0.4 + 2.2 × 80% = 3.16 is greater than 2, the first network security intelligence is judged to be threat intelligence.
In other embodiments, the first confidence and the second confidence may be added directly to obtain the sixth confidence.
In other embodiments, a first preset value, a second preset value and a third preset value may also be set. For example, the first preset value can be 1, the second preset value can be 0.6 and the third preset value can be 0.4; in the case that the sixth confidence is greater than or equal to 1, the first network security intelligence is judged to be threat intelligence; in the case that the sixth confidence is greater than or equal to 0.6 and less than 1, it is judged to be medium threat intelligence; and in the case that the sixth confidence is less than or equal to 0.4, it is judged to be low-level threat intelligence.
Step S208, in the case that the first network security intelligence is threat intelligence, the first network security intelligence is stored in the threat intelligence database.
Through steps S201 to S208, multiple confidence evaluations are performed on the first network security intelligence to obtain its first confidence, third confidence, fourth confidence and fifth confidence; the second confidence is obtained as the sum of the third, fourth and fifth confidences; the sixth confidence is obtained as the weighted sum of the first confidence and the second confidence; and whether the first network security intelligence is threat intelligence is judged according to the sixth confidence. Because the confidence evaluation is performed from multiple dimensions, misjudgement in the threat degree detection of the first network security intelligence is avoided, and the accuracy of the threat degree detection is further improved.
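The scoring pipeline of steps S201 to S208, including the three-tier variant, as an added worked example in Python; this is illustration code written for this page, not the patentee's implementation. It uses the constants the description gives (0.4 / 1.0 / 0.4 / 0.2 and 0.4, weight 50%, preset values 1, 0.6 and 0.4) and the second-confidence formula of claim 1 (third + fourth + fifth); the white-list entries, the 90-day preset time, the sample intelligence and the stubbed model, sandbox and library verdicts are constructed assumptions.

```python
"""Worked example (added for this page, not the patent's code) of the
confidence scoring in steps S201 to S208: white-list short-circuit, model
confidence, sandbox confidence, intelligence-library match, staleness rule,
weighted sum and three-tier preset values."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Values taken from the description.
FIRST_IF_MODEL_THREAT = 0.4   # model says "threat" -> 0.4, otherwise 0
THIRD_IF_SANDBOX_C2 = 1.0     # sandbox observed malicious communication -> 1.0, otherwise 0
FOURTH_IF_IN_LIBRARY = 0.4    # indicator found in the preset library (e.g. VirusTotal) -> 0.4
FIFTH_IF_STALE = 0.2          # "failure intelligence"
FIFTH_IF_VALID = 0.4          # valid intelligence
WEIGHT_SECOND = 0.5           # the 50% weight of the worked example
THRESHOLD_THREAT, THRESHOLD_MEDIUM, THRESHOLD_LOW = 1.0, 0.6, 0.4

# Assumed values: the description leaves the preset time and the white list open.
STALE_AFTER = timedelta(days=90)
WHITELIST = {  # constructed entries
    "registrant": {"Example Corp (constructed)"},
    "domain": {"cdn.example.net"},
}


@dataclass
class Intelligence:
    """Characteristic information of one piece of network security intelligence,
    with the external verdicts (model, sandbox, library) attached as stubs."""
    indicator: str
    discovered: datetime
    auxiliary: dict                  # IP location, associated domains, registration info
    model_says_threat: bool          # output of the confidence evaluation model (stubbed)
    sandbox_saw_c2: Optional[bool]   # None when no malicious file is attached
    in_intel_library: bool           # match result against the preset library (stubbed)


def whitelist_matched(aux: dict) -> bool:
    """Steps S203/S204: any auxiliary field hitting the white list marks the
    intelligence as security (benign) intelligence and skips model scoring."""
    if aux.get("registrant") in WHITELIST["registrant"]:
        return True
    return bool(set(aux.get("associated_domains", ())) & WHITELIST["domain"])


def fifth_confidence(intel: Intelligence, now: datetime,
                     first: float, third: float, fourth: float) -> float:
    """Failure intelligence: older than the preset time AND no other signal fired."""
    stale = (now - intel.discovered) > STALE_AFTER and first == third == fourth == 0.0
    return FIFTH_IF_STALE if stale else FIFTH_IF_VALID


def tier(sixth: float) -> str:
    """Three-level variant: >= 1 threat, [0.6, 1) medium, <= 0.4 low.  The
    description assigns nothing to (0.4, 0.6); flag it instead of guessing."""
    if sixth >= THRESHOLD_THREAT:
        return "threat"
    if sixth >= THRESHOLD_MEDIUM:
        return "medium"
    if sixth <= THRESHOLD_LOW:
        return "low"
    return "unclassified"


def score(intel: Intelligence, now: datetime, weight: float = WEIGHT_SECOND) -> dict:
    """Return every intermediate confidence plus the tier so the decision can
    be audited.  second = third + fourth + fifth (claim 1);
    sixth = first + weight * second (weight 1.0 gives the direct-sum variant)."""
    if whitelist_matched(intel.auxiliary):
        return {"indicator": intel.indicator, "tier": "security", "sixth": 0.0}
    first = FIRST_IF_MODEL_THREAT if intel.model_says_threat else 0.0
    third = THIRD_IF_SANDBOX_C2 if intel.sandbox_saw_c2 else 0.0
    fourth = FOURTH_IF_IN_LIBRARY if intel.in_intel_library else 0.0
    fifth = fifth_confidence(intel, now, first, third, fourth)
    second = round(third + fourth + fifth, 6)   # rounding keeps tier boundaries exact
    sixth = round(first + weight * second, 6)
    return {"indicator": intel.indicator, "first": first, "second": second,
            "sixth": sixth, "stale": fifth == FIFTH_IF_STALE, "tier": tier(sixth)}


# Constructed sample intelligence and reference time.
NOW = datetime(2020, 8, 6)
SAMPLES = [
    # all four signals fire: the worked example's 0.4 / 1.0 / 0.4 / 0.4
    Intelligence("c2.bad.example", NOW - timedelta(days=3), {"registrant": "unknown"},
                 model_says_threat=True, sandbox_saw_c2=True, in_intel_library=True),
    # benign CDN host whose auxiliary data matches the white list
    Intelligence("cdn.example.net", NOW - timedelta(days=1),
                 {"registrant": "Example Corp (constructed)",
                  "associated_domains": ["cdn.example.net"]},
                 model_says_threat=True, sandbox_saw_c2=None, in_intel_library=True),
    # old indicator with no signal at all -> failure intelligence
    Intelligence("old.indicator.example", NOW - timedelta(days=400), {"registrant": "unknown"},
                 model_says_threat=False, sandbox_saw_c2=None, in_intel_library=False),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(score(sample, NOW))
```

With the formula of claim 1, the worked values 0.4 / 1.0 / 0.4 / 0.4 give second = 1.8 and sixth = 0.4 + 1.8 × 50% = 1.3, still above the preset value of 1.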
This embodiment also provides a device for detecting the threat degree of network security intelligence, which is used to implement the above embodiments and preferred embodiments; what has already been described is not repeated. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 3 is a block diagram of a device for detecting the threat degree of network security intelligence according to an embodiment of the present application. As shown in Fig. 3, the device includes: an obtaining module 30, configured to obtain network security intelligence data from a plurality of data sources; an integration module 31, configured to extract the characteristics of a plurality of pieces of network security intelligence from the network security intelligence data and integrate the characteristics of a first network security intelligence among them to obtain the characteristic information of the first network security intelligence; an evaluation module 32, configured to process the characteristic information of the first network security intelligence through the network security intelligence confidence evaluation model to obtain the first confidence of the first network security intelligence, wherein the network security intelligence confidence evaluation model is a machine learning model trained to evaluate, from the characteristic information of network security intelligence, the confidence that the intelligence is threat intelligence; a judging module 33, configured to judge whether the first network security intelligence is threat intelligence at least according to the first confidence; and a storage module 34, configured to store the first network security intelligence in the threat intelligence database when the first network security intelligence is threat intelligence.
In one embodiment, the evaluation module 32 is configured to obtain auxiliary information of the first network security intelligence from the plurality of data sources respectively, wherein the auxiliary information includes at least one of: the IP location, the sub-domain names associated with the domain name, the registration information of the domain name, and the domain names associated with the IP; to match the auxiliary information in a preset white list library; and, in the case that the auxiliary information is not matched in the preset white list library, to process the characteristic information of the first network security intelligence through the network security intelligence confidence evaluation model to obtain the first confidence corresponding to the characteristic information of the first network security intelligence.
In one embodiment, the evaluation module 32 is further configured to mark the first network security intelligence as security intelligence in the case that the auxiliary information is matched in the preset white list library.
In one embodiment, the judging module 33 is configured to acquire a second confidence, wherein the second confidence includes at least one of: a third confidence determined from a malicious file in the characteristic information of the first network security intelligence, a fourth confidence determined by whether the first network security intelligence can be matched in a preset intelligence library, and a fifth confidence determined from the discovery time in the characteristic information of the first network security intelligence; and to judge whether the first network security intelligence is threat intelligence according to the first confidence and the second confidence.
In one embodiment, the judging module 33 is further configured to run a malicious file in the characteristic information of the first network security intelligence in a preset sandbox and determine the third confidence of the first network security intelligence according to whether the malicious file exhibits malicious communication behaviour; to match the first network security intelligence in a preset intelligence library and determine the fourth confidence of the first network security intelligence according to the matching result; and to determine the fifth confidence of the first network security intelligence according to the discovery time in its characteristic information and whether the first network security intelligence is failure (expired) intelligence.
In one embodiment, the judging module 33 is further configured to determine a weighted sum of the first confidence and the second confidence to obtain the sixth confidence of the first network security intelligence, and to judge the first network security intelligence to be threat intelligence in the case that its sixth confidence is higher than a preset value.
In one embodiment, the apparatus further comprises a standardization module, wherein the standardization module is configured to standardize the network security intelligence data to obtain standardized network security intelligence data.
The above modules may be functional modules or program modules, and may be implemented in software or hardware. For modules implemented in hardware, the modules may be located in the same processor, or may be located in different processors in any combination.
The present embodiment also provides an electronic device comprising a memory 404 and a processor 402, the memory 404 having a computer program stored therein, the processor 402 being configured to execute the computer program to perform the steps of any of the above-described method embodiments.
Specifically, the processor 402 may include a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
Memory 404 may include, among other things, mass storage for data or instructions. By way of example and not limitation, memory 404 may include a Hard Disk Drive (HDD), a floppy disk drive, a Solid State Drive (SSD), flash memory, an optical disc, a magneto-optical disc, tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 404 may include removable or non-removable (or fixed) media, where appropriate. The memory 404 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 404 is a Non-Volatile memory. In certain embodiments, memory 404 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), Electrically Alterable ROM (EAROM), or FLASH memory, or a combination of two or more of these, where appropriate. The RAM may be a Static Random-Access Memory (SRAM) or a Dynamic Random-Access Memory (DRAM), where the DRAM may be a Fast Page Mode DRAM (FPMDRAM), an Extended Data Output DRAM (EDO DRAM), a Synchronous DRAM (SDRAM), and the like.
Memory 404 may be used to store or cache various data files needed for processing and/or communication purposes, as well as possibly computer program instructions executed by processor 402.
The processor 402 reads and executes the computer program instructions stored in the memory 404 to implement any of the methods for detecting the threat degree of network security intelligence described above.
Optionally, the electronic apparatus may further include a transmission device 406 and an input/output device 408, where the transmission device 406 is connected to the processor 402, and the input/output device 408 is connected to the processor 402.
Optionally, in this embodiment, the processor 402 may be configured to execute the following steps by a computer program:
S1, network security intelligence data is acquired from a plurality of data sources.
S2, the characteristics of a plurality of pieces of network security intelligence are extracted from the network security intelligence data, and the characteristics of the first network security intelligence among them are integrated to obtain the characteristic information of the first network security intelligence.
S3, the characteristic information of the first network security intelligence is processed through a network security intelligence confidence evaluation model to obtain the first confidence of the first network security intelligence, wherein the network security intelligence confidence evaluation model is a machine learning model trained to evaluate, from the characteristic information of network security intelligence, the confidence that the intelligence is threat intelligence.
S4, whether the first network security intelligence is threat intelligence is judged at least according to the first confidence.
S5, the first network security intelligence is stored in the threat intelligence database in the case that the first network security intelligence is threat intelligence.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In addition, in combination with the method for detecting the threat degree of network security intelligence in the above embodiments, an embodiment of the present application can also be implemented as a storage medium. The storage medium has a computer program stored thereon; when executed by a processor, the computer program implements any one of the above methods for detecting the threat degree of network security intelligence.
It should be understood by those skilled in the art that various features of the above embodiments can be combined arbitrarily, and for the sake of brevity, all possible combinations of the features in the above embodiments are not described, but should be considered as within the scope of the present disclosure as long as there is no contradiction between the combinations of the features.
The above examples merely illustrate several embodiments of the present application; their description is specific and detailed, but is not to be construed as limiting the scope of the present application. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (8)

1. A method for detecting the threat degree of network security intelligence, characterized by comprising the following steps:
acquiring network security intelligence data from a plurality of data sources;
extracting the characteristics of a plurality of pieces of network security intelligence from the network security intelligence data, and integrating the characteristics of a first network security intelligence among the plurality of pieces of network security intelligence to obtain the characteristic information of the first network security intelligence;
processing the characteristic information of the first network security intelligence through a network security intelligence confidence evaluation model to obtain a first confidence of the first network security intelligence, wherein the network security intelligence confidence evaluation model is a machine learning model trained to evaluate, according to the characteristic information of network security intelligence, the confidence that the network security intelligence belongs to threat intelligence;
obtaining a second confidence of the first network security intelligence by: running a malicious file in the characteristic information of the first network security intelligence in a preset sandbox, and determining a third confidence of the first network security intelligence according to whether the malicious file exhibits malicious communication behaviour; matching the first network security intelligence in a preset intelligence library, and determining a fourth confidence of the first network security intelligence according to the matching result; and determining a fifth confidence of the first network security intelligence according to the discovery time in the characteristic information of the first network security intelligence and whether the first network security intelligence is failure intelligence; the second confidence being the sum of the third confidence, the fourth confidence and the fifth confidence;
judging whether the first network security intelligence is threat intelligence according to the first confidence and the second confidence; and
storing the first network security intelligence in a threat intelligence database in the case that the first network security intelligence is threat intelligence.
2. The method of claim 1, wherein processing the characteristic information of the first network security intelligence through the network security intelligence confidence evaluation model to obtain the first confidence of the first network security intelligence comprises:
obtaining auxiliary information of the first network security intelligence from the plurality of data sources respectively, wherein the auxiliary information includes at least one of: the IP location, the sub-domain names associated with the domain name, the registration information of the domain name, and the domain names associated with the IP;
matching the auxiliary information in a preset white list library; and
in the case that the auxiliary information is not matched in the preset white list library, processing the characteristic information of the first network security intelligence through the network security intelligence confidence evaluation model to obtain the first confidence corresponding to the characteristic information of the first network security intelligence.
3. The method for detecting the threat degree of network security intelligence of claim 2, further comprising:
in the case that the auxiliary information is matched in the preset white list library, marking the first network security intelligence as security intelligence.
4. The method for detecting the threat degree of network security intelligence of claim 1, wherein judging whether the first network security intelligence is threat intelligence according to the first confidence and the second confidence comprises:
determining a weighted sum of the first confidence and the second confidence to obtain a sixth confidence of the first network security intelligence; and
in the case that the sixth confidence of the first network security intelligence is higher than a preset value, determining that the first network security intelligence is threat intelligence.
5. The method of any one of claims 1 to 4, wherein, after acquiring the network security intelligence data from the plurality of data sources, the method further comprises:
standardizing the network security intelligence data to obtain standardized network security intelligence data.
6. A device for detecting the threat degree of network security intelligence, characterized by comprising:
an acquisition module, configured to acquire network security intelligence data from a plurality of data sources;
an integration module, configured to extract the characteristics of a plurality of pieces of network security intelligence from the network security intelligence data and integrate the characteristics of a first network security intelligence among the plurality of pieces of network security intelligence to obtain the characteristic information of the first network security intelligence;
an evaluation module, configured to process the characteristic information of the first network security intelligence through a network security intelligence confidence evaluation model to obtain a first confidence of the first network security intelligence, wherein the network security intelligence confidence evaluation model is a machine learning model trained to evaluate, according to the characteristic information of network security intelligence, the confidence that the network security intelligence is threat intelligence;
a judging module, configured to acquire a second confidence of the first network security intelligence in the following manner: running a malicious file in the characteristic information of the first network security intelligence in a preset sandbox, and determining a third confidence of the first network security intelligence according to whether the malicious file exhibits malicious communication behaviour; matching the first network security intelligence in a preset intelligence library, and determining a fourth confidence of the first network security intelligence according to the matching result; and determining a fifth confidence of the first network security intelligence according to the discovery time in the characteristic information of the first network security intelligence and whether the first network security intelligence is failure intelligence; the second confidence being the sum of the third confidence, the fourth confidence and the fifth confidence;
the judging module being further configured to judge whether the first network security intelligence is threat intelligence according to the first confidence and the second confidence; and
a storage module, configured to store the first network security intelligence in a threat intelligence database in the case that the first network security intelligence is threat intelligence.
7. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the method for detecting the threat degree of network security intelligence according to any one of claims 1 to 5.
8. A storage medium having a computer program stored thereon, wherein the computer program is configured, when run, to execute the method for detecting the threat degree of network security intelligence according to any one of claims 1 to 5.
CN202010782330.6A 2020-08-06 2020-08-06 Method and device for detecting threat degree of network security information and electronic device Active CN112019519B (en)

Publications (2)

Publication Number Publication Date
CN112019519A CN112019519A (en) 2020-12-01
CN112019519B true CN112019519B (en) 2023-04-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant