CN112073437B - Multi-dimensional security threat event analysis method, device, equipment and storage medium - Google Patents


Info

Publication number: CN112073437B
Authority: CN (China)
Prior art keywords: analysis, threat, event, target, security
Legal status: Active
Application number: CN202011071907.9A
Other languages: Chinese (zh)
Other versions: CN112073437A
Inventors: 沈江波, 彭宁, 程虎, 罗梦霞
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Events: application CN202011071907.9A filed by Tencent Technology Shenzhen Co Ltd; publication of CN112073437A; application granted; publication of CN112073437B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention provides a multidimensional security threat event analysis method, device, equipment and storage medium. The method comprises: determining a target security threat event; generating a plurality of target analysis tasks for the target security threat event; acquiring the preset security event analysis module corresponding to each of the target analysis tasks, each preset security event analysis module being obtained by combining a plurality of security analysis capabilities; performing multidimensional threat analysis on each target analysis task with its corresponding preset security event analysis module, to obtain the threat analysis result corresponding to each task; and carrying out alarm processing on the target security threat event based on the threat analysis results of the target analysis tasks. The invention relates to cloud security within cloud technology; it can improve the accuracy of security threat detection, effectively defend a system against attacks by security threat events, and ensure the privacy and security of the system.

Description

Multi-dimensional security threat event analysis method, device, equipment and storage medium
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a multidimensional security threat event analysis method, a multidimensional security threat event analysis device, multidimensional security threat event analysis equipment and a storage medium.
Background
In the prior art, security threats are generally handled by detection against fixed rules and by raising an alarm directly, without multidimensional analysis.
FIG. 1 is a schematic diagram of a prior-art real-time monitoring and alarming technique based on rule matching against a single virus library. However, the alarm information in FIG. 1 shows only suspicious file names and file paths and does not expand the analysis to the other clues of the security event, so the alarm information is one-dimensional and the accuracy of security threat detection is low. In addition, the alarm handling in FIG. 1 offers only two options (adding trusted files to a whitelist, or running untrusted files in an isolation sandbox); for files that cannot run in the isolation sandbox, their threat nature cannot be judged, so the threat event analysis channel is single, the misjudgment rate is high, and the security threat detection accuracy is reduced further.
Disclosure of Invention
In order to solve the above technical problems, the invention provides a multi-dimensional security threat event analysis method, device, equipment and storage medium.
In one aspect, the present invention provides a method for analyzing security threat events in multiple dimensions, the method comprising:
determining a target security threat event, the target security threat event being related to an event clue of the monitored security threat event;
generating a plurality of target analysis tasks for the target security threat event;
acquiring the preset security event analysis module corresponding to each of the target analysis tasks, each preset security event analysis module being obtained by combining a plurality of security analysis capabilities;
performing multidimensional threat analysis on each target analysis task based on its corresponding preset security event analysis module, to obtain the threat analysis result corresponding to each of the plurality of target analysis tasks;
and carrying out alarm processing on the target security threat event based on the threat analysis results corresponding to the target analysis tasks.
In another aspect, an embodiment of the present invention provides a multi-dimensional security threat event analysis apparatus, the apparatus including:
the determining module, used to determine a target security threat event, the target security threat event being related to an event clue of the monitored security threat event;
the generation module, used to generate a plurality of target analysis tasks of the target security threat event;
the acquisition module, used to acquire the preset security event analysis module corresponding to each of the target analysis tasks, each preset security event analysis module being obtained by combining a plurality of security analysis capabilities;
the analysis module, used to perform multidimensional threat analysis on each target analysis task based on its corresponding preset security event analysis module, to obtain the threat analysis result corresponding to each of the plurality of target analysis tasks;
and the alarm module, used to carry out alarm processing on the target security threat event based on the threat analysis results corresponding to the target analysis tasks.
In another aspect, the present invention provides an electronic device for multi-dimensional security threat event analysis, the electronic device including a processor and a memory, the memory storing at least one instruction or at least one program, the at least one instruction or at least one program loaded and executed by the processor to implement the multi-dimensional security threat event analysis method as described above.
In another aspect, the present invention provides a computer readable storage medium having at least one instruction or at least one program stored therein, the at least one instruction or the at least one program loaded and executed by a processor to implement a multi-dimensional security threat event analysis method as described above.
With the multidimensional security threat event analysis method, device, electronic equipment and storage medium described above, a plurality of preset security event analysis modules are built in advance by combining known security analysis capabilities. When security threat alarm processing is carried out, different kinds of target analysis tasks are generated according to the detected target security threat event, and each kind of task is dispatched to its corresponding preset security event analysis module for processing, so that multidimensional alarm analysis of the target security threat event is realized. Because the threat event is analyzed in multiple dimensions through preset modules that each combine several security analysis capabilities, the embodiment avoids the unperceived potential threats and the misjudgments that result from the incomplete view of a single security analysis channel, and so improves the accuracy of security threat detection. In addition, since alarm processing is based on the threat analysis results of all the target analysis tasks, the multi-dimensional results can be fused to complete automatic alarm triage: the degree of automation is high, the alarm information is varied, the low detection accuracy caused by one-dimensional alarm information is avoided, the accuracy of security threat detection is further improved, and attacks by security threats on the system are effectively defended against.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions and advantages of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are only some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a prior art real-time monitoring and alarming technique based on rule matching with a single virus library.
FIG. 2 is a schematic diagram of an implementation environment of a multi-dimensional security threat event analysis method according to an embodiment of the invention.
FIG. 3 is a flow chart of a method for multi-dimensional security threat event analysis provided by an embodiment of the invention.
FIG. 4 is a flow chart of another multi-dimensional security threat event analysis method provided by an embodiment of the invention.
FIG. 5 is a schematic diagram of an interface between threat qualitative results and alert triage information provided by an embodiment of the invention.
FIG. 6 is a flow chart of another method for multi-dimensional security threat event analysis provided by an embodiment of the invention.
FIG. 7 is a flow chart of another method for multi-dimensional security threat event analysis provided by an embodiment of the invention.
FIG. 8 is a flow chart of another method for multi-dimensional security threat event analysis provided by an embodiment of the invention.
Fig. 9 is a schematic flow chart of threat analysis on a corresponding target analysis task through the APT clue analysis playbook according to an embodiment of the present invention.
Fig. 10 is a schematic flow chart of threat analysis on a corresponding target analysis task through the defensive clue analysis playbook according to an embodiment of the present invention.
Fig. 11 is a schematic flow chart of threat analysis on a corresponding target analysis task through the suspicious IOCs analysis playbook according to an embodiment of the present invention.
Fig. 12 is a schematic flow chart of threat analysis on a corresponding target analysis task through the sandbox suspicious sample analysis playbook according to an embodiment of the present invention.
Fig. 13 is a schematic flow chart of threat analysis on a corresponding target analysis task through the client real-time stream analysis playbook according to an embodiment of the present invention.
Fig. 14 is a schematic flow chart of threat analysis on a corresponding target analysis task through the cloud mirror threat analysis playbook according to an embodiment of the invention.
FIG. 15 is a schematic flow chart of threat analysis on a corresponding target analysis task through the supply chain analysis playbook according to an embodiment of the invention.
FIG. 16 is a schematic diagram of an alternative architecture of a blockchain system provided by embodiments of the present invention.
Fig. 17 is an alternative schematic diagram of a block structure according to an embodiment of the present invention.
Fig. 18 is a schematic structural diagram of a multi-dimensional security threat event analysis apparatus according to an embodiment of the invention.
Fig. 19 is a schematic diagram of a server structure according to an embodiment of the present invention.
Detailed Description
Cloud technology refers to a hosting technology that integrates hardware, software, network and other resources within a wide area network or a local area network to realize the calculation, storage, processing and sharing of data.
Cloud technology is a general term for network technology, information technology, integration technology, management platform technology, application technology and the like applied under the cloud computing business model; it can form a resource pool that is used on demand, flexibly and conveniently. The background services of technical network systems, such as video websites, picture websites and many portals, require large amounts of computing and storage resources. As the internet industry develops, every object may in future carry its own identifier that must be transmitted to a background system for logical processing; data of different levels will be processed separately, and the data of every industry will need strong back-end system support, which can only be achieved through cloud computing. Specifically, cloud technology includes the technical fields of security, big data, databases, industry applications, networks, storage, management tools, computing and the like.
Specifically, cloud security is a general term for the security software, hardware, users, institutions and secure cloud platforms applied under the cloud computing business model. Cloud security fuses emerging technologies and concepts such as parallel processing, grid computing and unknown-virus behaviour judgment: it obtains the latest information on Trojans and malicious programs on the Internet through anomaly monitoring of software behaviour by a large number of network clients, sends that information to a server for automatic analysis and processing, and distributes the resulting solutions for viruses and Trojans to every client.
The main research directions of cloud security include: 1. cloud computing security, i.e., how to guarantee the security of the cloud and of the various applications on it, including the security of the cloud computer system, secure storage and isolation of user data, user access authentication, security of information transmission, protection against network attacks, compliance auditing and the like; 2. cloudification of the security infrastructure, mainly researching how to build and integrate security infrastructure resources using cloud computing and how to optimize the security protection mechanism, where cloud computing technology is used to construct a super-large-scale platform for collecting and processing security events and information, achieving collection and correlation analysis of massive information and improving the control and risk-management capability for security events across the whole network; 3. cloud security services, mainly researching the various security services provided to users on cloud computing platforms, such as anti-virus services.
Specifically, the embodiment of the invention relates to the field of cloud computing security in cloud security.
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
FIG. 2 is a schematic diagram of an implementation environment of a multi-dimensional security threat event analysis method according to an embodiment of the invention. As shown in fig. 2, the implementation environment may include at least a plurality of terminals 01 and servers 02, and the plurality of terminals 01 and servers 02 may be directly or indirectly connected through wired or wireless communication, which is not limited herein. For example, the server 02 may transmit corresponding alarm information or the like to the plurality of terminals 01 through wired or wireless communication.
Specifically, the terminal 01 may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, etc., but is not limited thereto. The server 02 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, basic cloud computing services such as big data and artificial intelligence platforms, and the like. The terminal 01 and the server 02 may be directly or indirectly connected through wired or wireless communication, and the present invention is not limited herein.
It should be noted that fig. 2 is only an example.
FIG. 3 is a flow chart of a method for multi-dimensional security threat event analysis provided by an embodiment of the invention. The method may be used in the implementation environment of FIG. 2. The present specification provides the operational steps of the method as described in the examples or flow charts, but more or fewer steps may be included based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one possible order and does not represent a unique order of execution. When implemented in a real system or server product, the methods illustrated in the embodiments or figures may be performed sequentially or in parallel (for example, in a parallel-processor or multithreaded environment). As shown in FIG. 3, the method may include:
S101: determining a target security threat event, wherein the target security threat event is related to an event clue of the monitored security threat event.
Specifically, as shown in FIG. 4, S101 may include:
S10101: monitoring event clues of security threat events.
S10103: when an abnormal event clue occurs, taking the security threat event corresponding to the abnormal event clue as the target security threat event.
In the embodiment of the invention, a plurality of probes for detecting event clues of security threat events can be designed in advance; a probe may be a script file, written in a web programming language, that detects sensitive information.
It should be noted that a probe is given its corresponding detection function at the time it is written in the web programming language.
In one possible embodiment, in order to reduce the workload of the server, reduce the server bandwidth occupied by data transmission, and further monitor the data, the probe may also have basic security threat detection capability: it may identify various common attacks or security anomalies and capture valid data, i.e., event clues, from the traffic information.
In another possible embodiment, the probe may further be equipped with a basic feature library for assisting in analyzing the traffic information, the basic feature library comprising at least:
(1) a network attack feature library, which may be used to identify network attacks in traffic, such as intrusion prevention system (IPS) attacks, web application firewall (WAF) attacks, distributed denial of service (DDoS) attacks, etc.;
(2) a malicious code feature library, which can be used to identify common malicious code in traffic;
(3) a botnet feature library, which can be used to identify botnet viruses;
(4) a malicious IP feature library, identifying malicious IPs through, for example, IP scanning and port scanning;
(5) a malicious domain name feature library, identifying malicious domain names (domains) through, for example, IP scanning and port scanning;
(6) a vulnerability feature library, which can be used to identify various vulnerabilities.
Based on the preset basic feature library, the probe identifies at least one of network attacks, malicious code, botnet communication, malicious IPs, malicious domain names and suspicious vulnerabilities from the traffic information.
The probes in the embodiment of the invention can be deployed on the switches or routers of the monitored network areas, where they dynamically acquire the traffic information of those areas and collect specific traffic information from it.
FIG. 5 is a schematic diagram of an interface between threat qualitative results and alert triage information provided by an embodiment of the present invention. The relevant information about the plurality of probes provided in the embodiment of the present invention may be as shown in FIG. 5; as shown there, the probe information includes, but is not limited to, the probe identity document (ID) and the types of information the probe can detect.
In the embodiment of the invention, when a security threat event needs to be detected, the pre-designed probes can be triggered and event clues detected through them; the event clues include, but are not limited to, domains, commands, file MD5 values, IPs and the like, where MD5 is a message digest algorithm.
In the process of detecting event clues, the clues detected by the plurality of probes can be subjected to anomaly analysis; if an event clue is abnormal, the security threat event corresponding to the abnormal clue is determined and taken as the target threat event. For example, if a probe detects a burst of IP traffic from a certain client within a short time, the IP detected by that probe is abnormal; the burst is determined to be a security threat event of a distributed denial of service attack within a short time, so the distributed denial of service attack can be taken as the target security threat event.
In the embodiment of the invention, event clues are monitored through the preset probes; because different probes have different detection functions, event clues are monitored with higher accuracy and over a wider range, which effectively improves the accuracy and reliability of determining the target security threat event and thereby improves threat detection accuracy.
S103: generating a plurality of target analysis tasks of the target security threat event.
Specifically, if the target security threat event has a plurality of corresponding event clues, as shown in FIG. 4, S103 may include:
S10301: analyzing each event clue to obtain the analysis task corresponding to that clue.
S10303: taking the analysis tasks corresponding to the event clues as the plurality of target analysis tasks of the target security threat event.
In the embodiment of the invention, after the target security threat event is determined, a plurality of different kinds of target analysis tasks can be generated according to the different event clues (including domains, commands, file MD5 values, IPs and the like) found among the clues of the target security threat event.
As further shown in FIG. 5, the target analysis tasks in embodiments of the present invention correspond to the event clues detected by the probes; thus, different target analysis tasks may be generated from different event clues.
It should be noted that the same probe corresponds to the same target analysis task, while different event clues may correspond to different target analysis tasks or to the same one. For example, the probes with probe ID 32 in FIG. 5 each correspond to a real-time stream analysis task. As another example, the clue "C:/Windows/system 32/Window … …" and the clue "C:/Windows/system32/bitsad … …" in FIG. 5 each correspond to a client real-time stream analysis task.
In the embodiment of the invention, the plurality of target analysis tasks of the target security threat event are generated from the event clues detected by the probes. Because the clues are detected by preset probes with specific functions, clue monitoring is more accurate, and determining the different kinds of target analysis tasks from at least one such accurate clue ensures that those tasks are determined accurately and reliably, which further improves threat detection accuracy.
S105, acquiring preset security event analysis modules corresponding to the target analysis tasks respectively; the preset security event analysis module is obtained by combining a plurality of security analysis performances.
As shown in fig. 6, the method may further include constructing a preset security event analysis module, and the constructing the preset security event analysis module may include:
s001, acquiring a plurality of safety analysis performances.
S003, determining association relations among a plurality of safety analysis performances.
S005, combining the plurality of security analysis performances based on the association relation to obtain a preset security event analysis module.
In this embodiment, a plurality of known security analysis capabilities can be combined in advance, that is, security orchestration is performed on the plurality of known security analysis capabilities, to obtain a plurality of preset security event analysis modules (that is, a plurality of customized scripts).
Here, security orchestration means: combining the security capabilities of a customer's different systems, or of different components within one system, in a logical relationship through application programming interfaces (Application Programming Interface, API) and manual checkpoints, so as to complete the process of a particular security operation.
A customized script means: a processing flow provided for a target object that fits the functional requirements of that object, according to the object's characteristics. In security orchestration, the script is oriented to the orchestration manager, who expresses the analysis processing flows of different security events in script form according to personal experience.
In this embodiment, a plurality of known security analysis capabilities, together with the association relations, logical relations and the like among them, can be obtained, and the known security analysis capabilities are then combined based on the security orchestration mechanism to obtain a customized script (that is, a preset security analysis module). It should be noted that, because the processing flows of different customized scripts are different, the known security analysis capabilities corresponding to different preset security event analysis modules are different.
A customized script in this embodiment corresponds to a known analysis task: the plurality of security analysis capabilities required to process the known analysis task are determined from that task, and these capabilities are combined according to their logical relationship or association relation to obtain the customized script corresponding to the known analysis task. In addition, a mapping relationship between the analysis task and the customized script can be established and stored.
In this embodiment, after the multiple target analysis tasks of the target security threat event are generated, the preset security event analysis module corresponding to each target analysis task may be obtained in S105 according to this mapping relationship.
Because a customized script (that is, a preset security analysis module) in this embodiment is obtained by connecting a plurality of existing security analysis capabilities in series by means of a logical relationship, that is, each preset security analysis module integrates a plurality of security analysis capabilities, each preset security analysis module can perform multi-dimensional threat analysis on its corresponding analysis task, which improves the comprehensiveness of threat analysis and in turn the accuracy of security threat detection.
S107, distributing the plurality of target analysis tasks to the corresponding preset security event analysis modules.
In this embodiment, after the preset security event analysis modules corresponding to the target analysis tasks are acquired, the target analysis tasks can be distributed to the corresponding preset security event analysis modules, so that different target analysis tasks are analyzed and processed by different customized scripts.
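As an added example that is not the patent's own code, the following Python sketch shows S001-S005, S105 and S107 together: security analysis capabilities are combined into a preset security event analysis module by ordering them according to an association relation, the task-to-module mapping is consulted for each target analysis task, and the tasks are dispatched to their modules in parallel. The capability names, the event clue table entries and the pair-wise "runs before" form of the association relation are assumptions; a cyclic association is rejected because it cannot be arranged into a processing flow.

```python
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Tuple

Capability = Callable[[dict], dict]   # a capability reads and enriches a task context

# Constructed event clue table: the server stores each probe-detected clue under an ID.
EVENT_CLUE_TABLE = {
    "clue-1": {"type": "ip", "value": "198.51.100.7", "probe": "probe-net-01", "analyzed": False},
    "clue-2": {"type": "md5", "value": "md5-placeholder", "probe": "probe-fs-02", "analyzed": True},
}


def acquire_task(ctx: dict) -> dict:
    """Hypothetical capability: fetch the event clue the task refers to."""
    ctx["clue"] = EVENT_CLUE_TABLE[ctx["clue_id"]]
    return ctx


def clue_qualitative_analysis(ctx: dict) -> dict:
    """Hypothetical capability: attribute lookup (type, previously analyzed) from the clue table."""
    ctx["clue_type"] = ctx["clue"]["type"]
    ctx["previously_analyzed"] = ctx["clue"]["analyzed"]
    return ctx


def probe_lookup(ctx: dict) -> dict:
    """Hypothetical capability: the probe tag is equivalent to the probe ID."""
    ctx["probe_id"] = ctx["clue"]["probe"]
    return ctx


def threat_qualitative_analysis(ctx: dict) -> dict:
    """Hypothetical capability: build the initial threat result from clue, ID and probe."""
    ctx["initial_result"] = f"{ctx['clue_type']}:{ctx['clue']['value']}@{ctx.get('probe_id', 'n/a')}"
    return ctx


CAPABILITIES: Dict[str, Capability] = {
    "acquire_task": acquire_task,
    "clue_qualitative_analysis": clue_qualitative_analysis,
    "probe_lookup": probe_lookup,
    "threat_qualitative_analysis": threat_qualitative_analysis,
}


def build_module(names: List[str], associations: List[Tuple[str, str]]) -> List[str]:
    """S003-S005: order the chosen capabilities by their association relation.
    An association (a, b) means capability a must run before b. A cycle cannot be
    arranged into a processing flow, so it is rejected instead of silently dropped."""
    chosen = set(names)
    deps = {n: {a for a, b in associations if b == n and a in chosen} for n in names}
    order: List[str] = []
    while deps:
        ready = sorted(n for n, d in deps.items() if not d)
        if not ready:
            raise ValueError(f"cyclic association among {sorted(deps)}")
        for n in ready:
            order.append(n)
            del deps[n]
        for d in deps.values():
            d.difference_update(ready)
    return order


def run_module(module: List[str], ctx: dict) -> dict:
    """Run the module's capabilities in series, each feeding the next (the logical relation)."""
    for name in module:
        ctx = CAPABILITIES[name](ctx)
    return ctx


def dispatch(tasks: List[dict], mapping: Dict[str, str],
             modules: Dict[str, List[str]]) -> Dict[str, dict]:
    """S105/S107: look up each task's module through the task -> module mapping and run
    the modules in parallel. A task type with no mapping is reported, not lost."""
    def one(task: dict) -> dict:
        module_name = mapping.get(task["type"])
        if module_name is None:
            return {"error": f"no module mapped for task type {task['type']!r}"}
        return run_module(modules[module_name], dict(task))
    with ThreadPoolExecutor(max_workers=4) as pool:
        return {t["id"]: r for t, r in zip(tasks, pool.map(one, tasks))}


# Constructed association relation, modules and task mapping (assumptions).
ASSOCIATIONS = [
    ("acquire_task", "clue_qualitative_analysis"),
    ("acquire_task", "probe_lookup"),
    ("clue_qualitative_analysis", "threat_qualitative_analysis"),
    ("probe_lookup", "threat_qualitative_analysis"),
]
MODULES = {
    "apt_clue": build_module(["threat_qualitative_analysis", "probe_lookup",
                              "clue_qualitative_analysis", "acquire_task"], ASSOCIATIONS),
    "suspicious_ioc": build_module(["threat_qualitative_analysis",
                                    "clue_qualitative_analysis", "acquire_task"], ASSOCIATIONS),
}
TASK_TO_MODULE = {"apt": "apt_clue", "ioc": "suspicious_ioc"}
```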
S109, performing multi-dimensional threat analysis on each target analysis task based on its corresponding preset security event analysis module, to obtain the threat analysis result corresponding to each target analysis task.
Specifically, as shown in fig. 7, S109 may further include:
S10901, performing threat qualitative analysis on each target analysis task based on its corresponding preset security event analysis module, to obtain the threat qualitative result corresponding to each target analysis task.
S10903, when the threat qualitative result corresponding to a target analysis task does not match the preset threat information, determining the threat analysis result corresponding to that target analysis task as a first type threat.
S10905, when the threat qualitative result corresponding to a target analysis task matches the preset threat information, obtaining the strong correlation samples corresponding to that target analysis task, where the strong correlation samples corresponding to a target analysis task are the samples whose correlation with the corresponding event clue is greater than a preset threshold.
S10907, performing variant analysis on the strong correlation samples corresponding to the target analysis tasks.
S10909, when the strong correlation samples corresponding to a target analysis task show a new variant, determining the threat analysis result corresponding to that target analysis task as a second type threat.
S109011, when the strong correlation samples corresponding to a target analysis task do not show a new variant, determining the threat analysis result corresponding to that target analysis task as a third type threat.
In this embodiment, after each preset security event analysis module receives its corresponding target analysis task, it can perform threat analysis on that task based on its multi-dimensional security analysis capabilities, so that a threat analysis result is obtained for each target analysis task.
It should be noted that the preset security event analysis modules process their respective target analysis tasks in parallel.
S1011, performing alarm processing on the target security threat event based on the threat analysis results corresponding to the target analysis tasks.
Specifically, as further shown in fig. 4, S1011 may include:
S101101, performing alarm analysis on each threat analysis result based on the preset security event analysis module corresponding to the target analysis task, to obtain the alarm information corresponding to each target analysis task.
S101103, based on the preset security event analysis module corresponding to each target analysis task, sending the corresponding alarm information to the terminal corresponding to that preset security event analysis module.
In this embodiment, after the different target analysis tasks are sent to the corresponding customized scripts in S107, each customized script performs multi-dimensional analysis processing on its target analysis task according to the multiple security analysis capabilities inside the script, so as to obtain a threat analysis result, where the threat analysis results may include: known threats of known families, high-risk known threats of known families, new variants of known families, undetermined new threats, undetermined old threats, and undetermined high-risk old threats.
Fig. 8 is a flow chart of another multi-dimensional security threat event analysis method provided by an embodiment of the invention. As shown in fig. 8, each customized script may fuse the multi-dimensional threat analysis results to complete automatic alarm triage; that is, alarm analysis may be performed on the threat analysis result of each of the plurality of target analysis tasks, so as to obtain the alarm information corresponding to each target analysis task and synchronize it to a threat event knowledge base, while the corresponding alarm information is delivered to the terminal corresponding to the corresponding preset security event analysis module, so that the relevant technicians at that terminal handle it.
In this embodiment, analysts corresponding to the different customized scripts can be preset. The customized scripts include an advanced persistent threat (Advanced Persistent Threat, APT) clue analysis script, a defense clue analysis script, a suspicious IOCs analysis script, a sandbox suspicious sample analysis script, a client real-time traffic analysis script, a supply chain analysis script and a Cloud Mirror threat analysis script, where the suspicious IOCs analysis script is a script for analyzing domain names, IPs and MD5s. As shown in fig. 8, an APT alarm analyst may be assigned to the APT clue analysis script, a master defense alarm analyst to the defense clue analysis script, an IOCs alarm analyst to the suspicious IOCs analysis script, a sample alarm analyst to the sandbox suspicious sample analysis script, a real-time threat alarm analyst to the client real-time traffic analysis script, a supply chain alarm analyst to the supply chain analysis script, and an on-cloud threat analyst to the Cloud Mirror threat analysis script.
The threat analysis results, the security levels of the threat results, the threat qualitative scores, the corresponding alarm handlers, the processing states and so on in embodiments of the invention may be as shown in fig. 5.
In this embodiment, for a single target analysis task, because the customized script that processes it has a plurality of security analysis capabilities, threat analysis can be carried out on that task from multiple directions, which improves the accuracy of its threat analysis. For the target security threat event as a whole, threat analysis is carried out on the plurality of different types of target analysis tasks generated from it through a plurality of different customized scripts, which avoids the defect that a single security analysis channel, with its incomplete awareness, cannot perceive potential threats and makes wrong judgments, and so improves the accuracy of security threat detection. Meanwhile, because the alarm information is obtained by alarming on the different threat analysis results of the different target analysis tasks, the alarm information has more dimensions and the analysis of the threat is more comprehensive; the multi-dimensional threat analysis and analysis results can be fused to complete automatic alarm triage, which effectively avoids the lower detection accuracy caused by single-source alarm information and improves the accuracy of security threat detection. Furthermore, alarm triage is completed automatically, so the degree of automation is high. In addition, analysts with the corresponding expertise and experience are assigned to the different customized scripts and the corresponding alarm information is analyzed by them, which avoids the situation in which an accurate judgment cannot be made from personal experience alone when the available clues are limited, and so improves the accuracy of manual research and judgment of security threat events.
The following describes S107-S1011 by taking as an example preset security analysis modules including an APT clue analysis script, a defense clue analysis script, a suspicious IOCs analysis script, a sandbox suspicious sample analysis script, a client real-time traffic analysis script, a Cloud Mirror threat analysis script and a supply chain analysis script:
S107 may include: sending the target analysis tasks related to the APT clue analysis script to the APT clue analysis script, sending the target analysis tasks related to the defense clue analysis script to the defense clue analysis script, sending the target analysis tasks related to the suspicious IOCs analysis script to the suspicious IOCs analysis script, sending the target analysis tasks related to the sandbox suspicious sample analysis script to the sandbox suspicious sample analysis script, sending the target analysis tasks related to the client real-time traffic analysis script to the client real-time traffic analysis script, sending the target analysis tasks related to the Cloud Mirror threat analysis script to the Cloud Mirror threat analysis script, and sending the target analysis tasks related to the supply chain analysis script to the supply chain analysis script.
Taking the APT clue analysis script as an example, where the APT clue analysis script is mainly used for analyzing the channel sources of threats, as shown in fig. 9, S109 to S1011 may further include:
S10901 may include: based on the APT clue analysis script, performing threat qualitative analysis on the corresponding target analysis task to obtain the threat qualitative result corresponding to the APT clue analysis script. Specifically, the process can be as follows:
1) In practical application, a plurality of target analysis tasks may be imported from the client into the APT clue analysis script; these target analysis tasks may be stored in a task queue, and when the APT clue analysis script processes tasks, it obtains the corresponding target analysis task from the task queue.
2) Before the APT clue analysis script obtains a target analysis task from the task queue, it must determine whether the task queue is empty. If it is, there is no target analysis task to be analyzed at this time and the task processing ends; if it is not, step 3 is entered.
3) Determine whether the target analysis task in the task queue needs to be re-analyzed. If not, proceed directly to step 4; if so, perform clue qualitative analysis on the target analysis task and proceed to step 4 after it is complete.
Because the server generates a corresponding ID for each event clue detected by a probe and stores the event clue together with its ID in an event clue table, clue qualitative analysis means querying the event clue table for the attribute information of the event clue corresponding to the target analysis task, where the attribute information includes but is not limited to: the type of the event clue, whether the event clue was previously analyzed, the ID of the event clue, and so on.
4) Obtain the probe that detected the event clue corresponding to the target analysis task and its probe tag, where the probe tag is equivalent to the probe ID.
5) Perform threat qualitative analysis on the target analysis task based on the obtained event clue, event clue ID, probe and probe ID to obtain an initial threat result.
6) Perform APT sample channel analysis on the initial threat result to obtain the threat qualitative result corresponding to the target analysis task.
APT sample channel analysis means determining the source of the threat, that is, where the threat came from: if the APT sample channel analysis result is the mailbox channel, the threat was delivered by mail through a mailbox; if the result is the file download channel, the threat was obtained through a file download service.
S10903 may include: determining whether the threat qualitative result is attributed to a family threat; if not, determining that the threat analysis result corresponding to the target task is a first type threat and entering S101101, where the first type threat includes an undetermined new threat.
Family threats are threats with similar attack patterns and habits; they are similar overall but vary individually. Determining whether the threat qualitative result is attributed to a family threat essentially means matching the threat qualitative result against the family threats (that is, the preset threat information); if there is no match (that is, the attack behaviour and habits of the threat qualitative result do not match those of any family threat), the threat qualitative result is not attributed to a family.
S10905 may include: if the threat qualitative result is attributed to a family threat, obtaining the strong correlation samples of the target analysis task, where the strong correlation samples of the target analysis task are the samples whose correlation with the corresponding event clue is greater than a preset threshold.
In this embodiment, if the threat qualitative result matches the preset threat information, the threat is considered attributed; the samples whose correlation with the corresponding event clue is greater than the preset threshold can then be obtained as the strong correlation samples, the strong correlation samples are blacklisted, and they are sent to an intelligence base for analysis. For example, if the event clue corresponding to the target analysis task is an IP, the IP may be expanded to obtain other related IPs, and the related IPs at a low expansion level (that is, closely related to the original IP) are used as the strong correlation samples.
S10907 may include: performing variant analysis on the strong correlation samples corresponding to the target analysis task.
In this embodiment, variant analysis can be performed on the blacklisted strong correlation samples through the intelligence base used for APT samples. Variant analysis means determining whether a strong correlation sample shows a differential variation compared with a known threat.
S10909 may include: if the strong correlation samples show a new variant, determining that the threat analysis result corresponding to the target analysis task is a second type threat, where the second type threat includes a new variant of a known family, and entering S101101.
S109011 may include: if the strong correlation samples corresponding to the target analysis task do not show a new variant, determining that the threat analysis result corresponding to the target analysis task is a third type threat, where the third type threat includes a known threat of a known family.
In an embodiment of the invention, after the known threat of a known family is determined, the method may further include:
determining whether the known threat of the known family originated from the mailbox channel;
if so, further determining that the known threat of the known family is a mailbox channel threat and entering S101101;
if not, further determining that the known threat of the known family is a threat from a channel other than the mailbox channel, updating the task state of the target analysis task to task state 2, and ending the processing of the target analysis task, where task state 2 indicates that the threat is less harmful and does not need to be processed.
S101101 may include: performing alarm analysis on the threat analysis result corresponding to the target analysis task to obtain the alarm information corresponding to the target analysis task.
If the threat analysis result is "undetermined new threat", alarm analysis is performed on it and alarm information corresponding to the "undetermined new threat" is generated; if the threat analysis result is "new variant of a known family", alarm analysis may be performed on it to generate the corresponding alarm information; if the threat analysis result is "known threat of a known family" and that threat originates from the mailbox channel, alarm analysis may be performed on it to generate the corresponding alarm information.
After the alarm information is generated, the task state of the target analysis task can be updated to task state 1, where task state 1 indicates a state in which the threat hazard is large and alarm processing is required.
S101103 may include: sending the alarm information corresponding to each target analysis task to the terminal corresponding to the corresponding preset security event analysis module.
After the task state is updated, the alarm information can be sent to the terminal corresponding to the APT clue analysis script, so that the APT alarm analyst can analyze it.
From the APT clue sample analysis flow above, it can be seen that the APT clue analysis script combines multiple security analysis capabilities, including task acquisition, task analysis, clue qualitative analysis, threat qualitative analysis, APT sample channel analysis, family threat analysis, variant analysis, mailbox channel analysis and alarm information generation. Through these multiple security analysis capabilities, multi-dimensional analysis of the target analysis task is realized, which improves the threat detection accuracy.
Taking the defense clue analysis script as an example: the defense clue analysis script is mainly used for active defense interception analysis of a threat, that is, when it is detected that a threat is about to occur, the context information before and after the threat occurs is recorded in advance and intercepted in time, so that subsequent threat behaviour is effectively prevented. As shown in fig. 10, S109-S1011 may further include:
S10901 may include: based on the defense clue analysis script, performing threat qualitative analysis on the corresponding target analysis task to obtain the threat qualitative result corresponding to the defense clue analysis script. Specifically, the process can be as follows:
1) In practical application, a plurality of target analysis tasks may be imported from the client into the defense clue analysis script; these target analysis tasks may be stored in a task queue, and when the defense clue analysis script processes tasks, it obtains the corresponding target analysis task from the task queue.
2) Before the defense clue analysis script obtains a target analysis task from the task queue, it must determine whether the task queue is empty. If it is, the task processing ends; if it is not, step 3 is entered.
3) Determine whether the task in the task queue needs to be re-analyzed. If not, proceed directly to step 4; if so, perform clue qualitative analysis on the task and proceed to step 4 after it is complete.
The clue analysis process in this embodiment is similar to that in the APT clue analysis script and is not described again here.
4) Obtain the probe that detected the event clue corresponding to the target analysis task and its probe tag, where the probe tag is equivalent to the probe ID.
5) Perform threat qualitative analysis on the target analysis task based on the obtained event clue, event clue ID, probe and probe ID to obtain an initial threat result.
6) Perform master defense interception analysis on the initial threat result to obtain the threat qualitative result corresponding to the target analysis task.
Master defense interception analysis means active defense interception analysis on the initial threat node, that is, when it is detected that a threat is about to occur, the context information before and after the threat occurs is recorded in advance and intercepted in time, so that subsequent threat behaviour is effectively prevented.
S10903 may include: determining whether the threat qualitative result is attributed to a family threat; if it is not attributed to a family, further determining whether the threat level of the threat qualitative result is greater than a preset threat level threshold.
If so, determining that the threat analysis result corresponding to the target task is a first type threat (the first type threat includes an undetermined new threat) and entering S101101.
If not, determining that the threat analysis result corresponding to the target task is a common threat and updating the task state of the target analysis task to task state 2.
The manner of determining the family threat in this embodiment is similar to that in the APT clue analysis script and is not described again here.
S10905 may include: if the threat qualitative result is attributed to a family threat, obtaining the strong correlation samples of the target analysis task, where the strong correlation samples of the target analysis task are the samples whose correlation with the corresponding event clue is greater than a preset threshold.
In this embodiment, if the threat qualitative result matches the preset threat information, the threat is considered attributed; the samples whose correlation with the corresponding event clue is greater than the preset threshold can then be obtained as the strong correlation samples, and the strong correlation samples are blacklisted.
S10907 may include: performing variant analysis on the strong correlation samples corresponding to the target analysis task.
In this embodiment, variant analysis can be performed on the blacklisted strong correlation samples through the intelligence base in the defense clue analysis script.
S10909 may include: if the strong correlation samples show a new variant, determining that the threat analysis result corresponding to the target analysis task is a second type threat, where the second type threat includes a new variant of a known family, and entering S101101.
S109011 may include: if the strong correlation samples corresponding to the target analysis task do not show a new variant, determining that the threat analysis result corresponding to the target analysis task is a third type threat, where the third type threat includes a known threat of a known family.
In an embodiment of the invention, after the known threat of a known family is determined, the method may further include:
determining whether the known threat of the known family has already been intercepted by master defense interception;
if so, updating the task state of the target analysis task to task state 2 and ending the processing of the target analysis task;
if not, entering S101101.
S101101 may include: performing alarm analysis on the threat analysis result corresponding to the target analysis task to obtain the alarm information corresponding to the target analysis task.
If the threat analysis result is "undetermined new threat", alarm analysis is performed on it and alarm information corresponding to the "undetermined new threat" is generated; if the threat analysis result is "new variant of a known family", alarm analysis may be performed on it to generate the corresponding alarm information; if the known threat of a known family has not been intercepted by master defense interception, alarm analysis may be performed on the "known threat of a known family" to generate the corresponding alarm information.
After the alarm information is generated, the task state of the target analysis task can be updated to task state 1, where task state 1 indicates a state in which the threat hazard is large and alarm processing is required.
S101103 may include: sending the alarm information corresponding to each target analysis task to the terminal corresponding to the corresponding preset security event analysis module.
After the task state is updated, the alarm information can be sent to the terminal corresponding to the defense clue analysis script, so that the master defense alarm analyst can analyze it.
From the analysis flow of the defense clue analysis script above, it can be seen that the defense clue analysis script combines multiple security analysis capabilities, including task acquisition, task analysis, clue qualitative analysis, threat qualitative analysis, master defense interception analysis, family threat analysis, variant analysis, threat level analysis and alarm information generation. Through these multiple security analysis capabilities, multi-dimensional analysis of the target analysis task is realized, which improves the threat detection accuracy.
Taking the suspicious IOCs analysis script as an example, where the suspicious IOCs analysis script is a script for analyzing domain names, IPs and file MD5s, as shown in fig. 11, S109-S1011 may further include:
S10901 may include: based on the suspicious IOCs analysis script, performing threat qualitative analysis on the corresponding target analysis task to obtain the threat qualitative result corresponding to the suspicious IOCs analysis script. Specifically, the process can be as follows:
1) In practical application, the client may import a plurality of target analysis tasks into the suspicious IOCs analysis script; these target analysis tasks may be stored in a task queue, and when the suspicious IOCs analysis script processes tasks, the corresponding target analysis task is obtained from the task queue.
2) Before the suspicious IOCs analysis script obtains a target analysis task from the task queue, it must determine whether the task queue is empty. If it is, the task processing ends; if it is not, step 3 is entered.
3) Perform clue qualitative analysis on the target analysis task and proceed to step 4 after it is complete.
The clue analysis process in this embodiment is similar to that in the APT clue analysis script and is not described again here.
4) Based on the clue qualitative analysis result, perform threat qualitative analysis on the target analysis task to obtain the threat qualitative result.
S10903 may include: determining whether the threat qualitative result is attributed to a family threat; if not, updating the task state of the target analysis task to task state 2 and ending the processing of the target analysis task.
The manner of determining the family threat in this embodiment is similar to that in the APT clue analysis script and is not described again here.
S10905 may include: if the threat qualitative result is attributed to a family threat, obtaining the strong correlation samples of the target analysis task, where the strong correlation samples of the target analysis task are the samples whose correlation with the corresponding event clue is greater than a preset threshold.
The manner of determining the strong correlation samples in this embodiment is similar to that in the APT clue analysis script and is not described again here.
S10907 may include: performing variant analysis on the strong correlation samples corresponding to the target analysis task.
In this embodiment, if the threat qualitative result matches the preset threat information, the threat is considered attributed; the samples whose correlation with the corresponding event clue is greater than the preset threshold can then be obtained as the strong correlation samples, and the strong correlation samples are blacklisted.
S10909 may include: if the strong correlation samples show a new variant, determining that the threat analysis result corresponding to the target analysis task is a second type threat, where the second type threat includes a new variant of a known family, and entering S101101.
S109011 may include: if the strong correlation samples corresponding to the target analysis task do not show a new variant, determining that the threat analysis result corresponding to the target analysis task is a third type threat, where the third type threat includes a known threat of a known family.
In an embodiment of the invention, after the known threat of a known family is determined, the method may further include:
determining whether the known threat of the known family is a high-risk threat;
if so, entering S101101;
if not, updating the task state of the target analysis task to task state 2 and ending the processing of the target analysis task.
S101101 may include: performing alarm analysis on the threat analysis result corresponding to the target analysis task to obtain the alarm information corresponding to the target analysis task.
If the threat analysis result is "new variant of a known family", alarm analysis may be performed on it to generate alarm information 1 corresponding to the "new variant of a known family"; if the known threat of a known family is a high-risk threat, alarm analysis is performed on the "known threat of a known family" to generate alarm information 2 corresponding to it.
After alarm information 1 or alarm information 2 is generated, the task state of the target analysis task may also be updated to task state 1.
S101103 may include: sending the alarm information corresponding to each target analysis task to the terminal corresponding to the corresponding preset security event analysis module.
After the task state is updated, the alarm information can be sent to the terminal corresponding to the suspicious IOCs analysis script, so that the IOCs alarm analyst can analyze it.
As can be seen from the analysis flow of the suspicious IOCs analysis script, the suspicious IOCs analysis script combines multiple security analysis capabilities, including task acquisition, task analysis, clue qualitative analysis, threat qualitative analysis, family threat analysis, variant analysis, mailbox channel analysis and alarm information generation. Through these multiple security analysis capabilities, multi-dimensional analysis of the target analysis task is realized, which improves the threat detection accuracy.
Taking the sandbox suspicious sample analysis scenario as an example: a sandbox is a tool for running an untrusted file or application in an isolated environment and testing its behavior, and the sandbox suspicious sample analysis scenario monitors file, process, registry and network behavior. As shown in fig. 12, S109-S1011 may further include:
S10901 may include: performing threat qualitative analysis on the corresponding target analysis task based on the sandbox suspicious sample analysis script to obtain the threat qualitative result corresponding to the sandbox suspicious sample analysis script. Specifically, the process may be as follows:
1) In practical application, the client may import multiple target analysis tasks into the sandbox suspicious sample analysis scenario; these tasks may be stored in a task queue, and when the sandbox suspicious sample analysis script processes tasks, the corresponding target analysis task is obtained from the task queue.
2) Before the sandbox suspicious sample analysis script obtains the corresponding target analysis task from the task queue, it needs to judge whether the task queue is empty; if so, the task processing process ends, and if not, step 3 is entered.
3) Clue qualitative analysis is performed on the target analysis task, and step 4 is entered after the clue qualitative analysis is completed.
The clue qualitative analysis process in this embodiment is similar to that in the APT clue analysis scenario and is not described again here.
4) Based on the result of the clue qualitative analysis, threat qualitative analysis is performed on the target analysis task to obtain an initial threat result.
5) The basic information of the sandbox sample is analyzed to obtain the threat qualitative result corresponding to the target analysis task.
The basic information analysis of the sandbox sample mainly analyzes the networking behavior of the target analysis task, its operation behavior (for example, which files are opened and which contents are written), its registry operations and the like.
S10903 may include: judging whether the threat qualitative result attributes the threat to a family threat; if not, determining that the threat analysis result corresponding to the target analysis task is a first type threat (the first type threat includes an uncertain new threat), and proceeding to S101101.
The manner of determining a family threat in this embodiment is similar to that in the APT clue analysis scenario and is not described again here.
S10905 may include: if the threat qualitative result attributes the threat to a family threat, acquiring the strong-correlation samples of the target analysis task, where a strong-correlation sample of the target analysis task is a sample whose correlation with the corresponding event clue is greater than a preset threshold.
In this embodiment, if the threat qualitative result matches the preset threat information, the threat is regarded as qualitatively determined; samples whose correlation with the corresponding event clue is greater than the preset threshold are obtained as strong-correlation samples, and the strong-correlation samples are blacklisted.
S10907 may include: performing variant analysis on the strong-correlation samples corresponding to the target analysis task.
In this embodiment, the variant analysis may be performed on the blacklisted strong-correlation samples through the information library in the sandbox suspicious sample analysis script.
S10909 may include: if a new variant appears in the strong-correlation samples, determining that the threat analysis result corresponding to the target analysis task is a second type threat, where the second type threat includes a new variant of a known family, and proceeding to S101101.
S109011 may include: if no new variant appears in the strong-correlation samples corresponding to the target analysis task, determining that the threat analysis result corresponding to the target analysis task is a third type threat, where the third type threat includes a known threat of a known family, and proceeding to S101101.
S101101 may include: performing alarm analysis on the threat analysis result corresponding to the target analysis task to obtain the alarm information corresponding to the target analysis task.
If the threat analysis result is "uncertain new threat", alarm analysis is performed on the "uncertain new threat" to generate the corresponding alarm information; if the threat analysis result is "known family new variant", alarm analysis may be performed on the "known family new variant" to generate the corresponding alarm information; if the threat analysis result is "known threat of known family", alarm analysis may be performed on the "known threat of known family" to generate the corresponding alarm information.
After the corresponding alarm information is generated, the method may further include:
updating the task state of the target analysis task to task state 1, and judging whether an alarm is required according to the alarm information; if so, raising the alarm and entering S101103, otherwise entering S101103 directly.
S101103 may include: sending the alarm information corresponding to each target analysis task to the terminal corresponding to the corresponding preset security event analysis module.
After the alarm information is generated, it can be sent to the terminal corresponding to the sandbox suspicious sample analysis script, so that the sample alarm analysts can analyze it.
As can be seen from the sandbox suspicious sample analysis flow, the sandbox suspicious sample analysis script combines multiple security analysis capabilities: task acquisition, task analysis, clue qualitative analysis, threat qualitative analysis, sandbox sample basic information analysis, family threat analysis, variant analysis and alarm information generation. Through these capabilities, multi-dimensional analysis of the target analysis task is realized, which improves the accuracy of threat detection.
Taking the client-side real-time flow analysis scenario as an example: this scenario is mainly aimed at clients, the data acquired from the client are real-time data, and the scenario is used to analyze how many users a certain threat event affects within a certain time period, as well as the range and distribution of the threat event. Then, as shown in fig. 13, S109-S1011 may further include:
S10901 may include: performing threat qualitative analysis on the corresponding target analysis task based on the client real-time flow analysis script to obtain the threat qualitative result corresponding to the client real-time flow analysis script. Specifically, the process may be as follows:
1) In practical application, the client may import multiple target analysis tasks into the client real-time flow analysis scenario; these tasks may be stored in a task queue, and when the client real-time flow analysis script processes tasks, the corresponding target analysis task is obtained from the task queue.
2) Before the client real-time flow analysis script obtains the corresponding target analysis task from the task queue, it needs to judge whether the task queue is empty; if so, the task processing process ends, and if not, step 3 is entered.
3) Judge whether the task taken from the task queue needs to be re-analyzed; if not, enter step 4 directly; if so, perform clue qualitative analysis on the task and enter step 4 after the clue qualitative analysis is completed.
The clue qualitative analysis process in this embodiment is similar to that in the APT clue analysis scenario and is not described again here.
4) Acquire the probe that detected the event clue corresponding to the target analysis task and the probe tag, where the probe tag is equivalent to the probe ID.
5) Perform threat qualitative analysis on the target analysis task based on the obtained event clue, event clue ID, probe and probe ID to obtain an initial threat result.
6) Perform clue trend analysis on the initial threat result to obtain the threat qualitative result corresponding to the target analysis task.
Clue trend analysis refers to analyzing the number, distribution, propagation range and the like of the event clues corresponding to the target analysis task.
S10903 may include: judging whether the threat qualitative result attributes the threat to a family threat; if it does not, analyzing the threat level of the threat qualitative result and judging whether the threat qualitative result is an existing old threat.
If the threat qualitative result is an uncertain new threat, the process proceeds to S101101.
If the threat qualitative result is an uncertain old threat, judge whether the uncertain old threat is spreading on a large scale again.
If it is spreading on a large scale again, the process proceeds to S101101. If it is not, the task state of the target analysis task is updated to task state 2, and the processing of the target analysis task ends.
The manner of determining a family threat in this embodiment is similar to that in the APT clue analysis scenario and is not described again here.
S10905 may include: if the threat qualitative result attributes the threat to a family threat, acquiring the strong-correlation samples of the target analysis task, where a strong-correlation sample of the target analysis task is a sample whose correlation with the corresponding event clue is greater than a preset threshold.
In this embodiment, if the threat qualitative result matches the preset threat information, the threat is regarded as qualitatively determined; samples whose correlation with the corresponding event clue is greater than the preset threshold are obtained as strong-correlation samples, and the strong-correlation samples are blacklisted.
S10907 may include: performing variant analysis on the strong-correlation samples corresponding to the target analysis task.
In this embodiment, the variant analysis may be performed on the blacklisted strong-correlation samples through the information library in the client real-time flow analysis script.
S10909 may include: if a new variant appears in the strong-correlation samples, determining that the threat analysis result corresponding to the target analysis task is a second type threat, where the second type threat includes a new variant of a known family, and proceeding to S101101.
S109011 may include: if no new variant appears in the strong-correlation samples corresponding to the target analysis task, determining that the threat analysis result corresponding to the target analysis task is a third type threat, where the third type threat includes a known threat of a known family.
In an embodiment of the present invention, after the known threat of the known family is determined, the method may further include:
judging whether the propagation range of the known threat of the known family exceeds a preset range threshold.
If not, the threat has not broken out; the state of the target analysis task may be updated to task state 2, and the processing of the target analysis task ends.
If so, the propagation range of the threat is expanding, and the process proceeds to S101101.
S101101 may include: performing alarm analysis on the threat analysis result corresponding to the target analysis task to obtain the alarm information corresponding to the target analysis task.
If the threat analysis result is "uncertain old threat", alarm analysis may be performed on the "uncertain old threat" to generate alarm information 4 corresponding to it; if the threat analysis result is "uncertain new threat", alarm analysis may be performed on the "uncertain new threat" to generate alarm information 3 corresponding to it; if the threat analysis result is "known family new variant", alarm analysis may be performed directly on the "known family new variant" to generate alarm information 1 corresponding to it; if the propagation range of the known threat of the known family is greater than the preset range threshold, alarm analysis may be performed on the known threat of the known family to generate alarm information 2 corresponding to it.
After alarm information 4 is generated, the state of the target analysis task may be updated to "task state 2"; if alarm information 1, alarm information 2 or alarm information 3 is generated, the state of the target analysis task may be updated to "task state 1".
S101103 may include: sending the alarm information corresponding to each target analysis task to the terminal corresponding to the corresponding preset security event analysis module.
After the alarm information is generated, it can be sent to the terminal corresponding to the client real-time flow analysis script, so that the real-time threat alarm analysts can analyze it.
As can be seen from the client-side real-time flow analysis flow, the client real-time flow analysis script combines multiple security analysis capabilities: task acquisition, task analysis, clue qualitative analysis, threat qualitative analysis, clue trend analysis, family threat analysis, variant analysis, threat propagation range analysis, threat outbreak scale analysis and alarm information generation. Through these capabilities, multi-dimensional analysis of the target analysis task is realized, which improves the accuracy of threat detection.
Taking the cloud mirror threat analysis scenario as an example, as shown in fig. 14, S109-S1011 may further include:
S10901 may include: performing threat qualitative analysis on the corresponding target analysis task based on the cloud mirror threat analysis script to obtain the threat qualitative result corresponding to the cloud mirror threat analysis script. Specifically, the process may be as follows:
1) In practical application, the client may import multiple target analysis tasks into the cloud mirror threat analysis scenario; these tasks may be stored in a task queue, and when the cloud mirror threat analysis script processes tasks, the target analysis task is obtained from the task queue.
2) Before the cloud mirror threat analysis script obtains the corresponding target analysis task from the task queue, it needs to judge whether the task queue is empty; if so, the task processing process ends, and if not, step 3 is entered.
3) Clue qualitative analysis is performed on the target analysis task, and step 4 is entered after the clue qualitative analysis is completed.
The clue qualitative analysis process in this embodiment is similar to that in the APT clue analysis scenario and is not described in detail here.
4) Based on the result of the clue qualitative analysis, threat qualitative analysis is performed on the target analysis task to obtain an initial threat result.
5) Cluster analysis is performed on the initial threat result to obtain the threat qualitative result corresponding to the target analysis task.
Because the cloud mirror threat analysis script uses more data, involves a larger number of users, and each user has a corresponding profile, different users can be grouped by clustering, which simplifies the subsequent analysis flow and improves the efficiency and accuracy of threat event analysis.
S10903 may include: judging whether the threat qualitative result attributes the threat to a family threat; if not, determining that the threat analysis result corresponding to the target analysis task is a first type threat (the first type threat includes an uncertain new threat), and proceeding to S101101.
The manner of determining a family threat in this embodiment is similar to that in the APT clue analysis scenario and is not described again here.
S10905 may include: if the threat qualitative result attributes the threat to a family threat, acquiring the strong-correlation samples of the target analysis task, where a strong-correlation sample of the target analysis task is a sample whose correlation with the corresponding event clue is greater than a preset threshold.
In this embodiment, if the threat qualitative result matches the preset threat information, the threat is regarded as qualitatively determined; samples whose correlation with the corresponding event clue is greater than the preset threshold are obtained as strong-correlation samples, and the strong-correlation samples are blacklisted.
S10907 may include: performing variant analysis on the strong-correlation samples corresponding to the target analysis task.
In this embodiment, the variant analysis may be performed on the blacklisted strong-correlation samples through the information library of the cloud mirror threat analysis script.
S10909 may include: if a new variant appears in the strong-correlation samples, determining that the threat analysis result corresponding to the target analysis task is a second type threat, where the second type threat includes a new variant of a known family, and proceeding to S101101.
S109011 may include: if no new variant appears in the strong-correlation samples corresponding to the target analysis task, determining that the threat analysis result corresponding to the target analysis task is a third type threat, where the third type threat includes a known threat of a known family, and proceeding to S101101.
S101101 may include: performing alarm analysis on the threat analysis result corresponding to the target analysis task to obtain the alarm information corresponding to the target analysis task.
If the threat analysis result is "uncertain new threat", alarm analysis is performed on the "uncertain new threat" to generate the corresponding alarm information; if the threat analysis result is "known family new variant", alarm analysis may be performed on the "known family new variant" to generate the corresponding alarm information; if the threat analysis result is "known threat of known family", alarm analysis may be performed on the "known threat of known family" to generate the corresponding alarm information.
After the alarm information is generated, the task state of the target analysis task can be updated to task state 1, where task state 1 represents a state in which the threat hazard is large and alarm processing is required.
S101103 may include: sending the alarm information corresponding to each target analysis task to the terminal corresponding to the corresponding preset security event analysis module.
After the task state is updated, the alarm information can be sent to the terminal corresponding to the cloud mirror threat analysis script, so that the cloud threat analysts can analyze it.
As can be seen from the cloud mirror threat analysis flow, the cloud mirror threat analysis script combines multiple security analysis capabilities: task acquisition, task analysis, clue qualitative analysis, threat qualitative analysis, cluster analysis, family threat analysis, variant analysis and alarm information generation. Through these capabilities, multi-dimensional analysis of the target analysis task is realized, which improves the accuracy of threat detection.
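The S10903-S101103 branch is shared by the suspicious IOCs, sandbox sample, client real-time flow and cloud mirror scripts described above, differing only in which threat results alarm and which task state they end in. The following is an added example, not code from the patent, that implements that shared triage with the per-script differences stated in the text; the `ThreatResult` fields, the range threshold and the labels used for unnumbered alarm information are assumptions.

```python
"""Triage of one target analysis task across the customized analysis scripts.

Added example (not the patent's code): the S10903-S101103 branch with the
per-script differences given for the suspicious IOCs, sandbox sample, client
real-time flow and cloud mirror scripts. Field names, RANGE_THRESHOLD and the
labels for unnumbered alarm information are assumptions."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple

TASK_STATE_ALARM = "task state 1"  # large hazard, alarm processing required
TASK_STATE_DONE = "task state 2"   # processing of the task ends without alarm
RANGE_THRESHOLD = 1000             # assumed preset propagation range threshold


@dataclass
class ThreatResult:
    """Threat qualitative result for one target analysis task (constructed fields)."""
    task_id: str
    family_match: bool          # matched preset threat information of a known family
    new_variant: bool = False   # variant analysis of blacklisted strong-correlation samples
    high_risk: bool = False     # suspicious IOCs script: known threat judged high risk
    old_threat: bool = False    # real-time flow: an existing (uncertain) old threat
    respread: bool = False      # real-time flow: old threat spreading at scale again
    propagation_range: int = 0  # real-time flow: propagation range of a known threat


Verdict = Tuple[str, Optional[str], str]  # (threat analysis result, alarm info, task state)


def triage(script: str, r: ThreatResult) -> Verdict:
    """Apply S10903-S101101 for one script; S101103 (delivery) is left to the caller."""
    if not r.family_match:
        # S10903: not attributed to a family threat
        if script == "realtime":
            if r.old_threat:
                # uncertain old threat: alarm 4 only if it spreads on a large scale again
                alarm = "alarm information 4" if r.respread else None
                return ("uncertain old threat", alarm, TASK_STATE_DONE)
            return ("uncertain new threat", "alarm information 3", TASK_STATE_ALARM)
        if script in ("sandbox", "cloud_mirror"):
            # first type threat: alarm analysis is performed directly
            return ("uncertain new threat", "alarm information: uncertain new threat",
                    TASK_STATE_ALARM)
        raise ValueError(f"non-family branch of script {script!r} is not covered here")
    # S10905-S10909: family threat; a new variant among the strong-correlation samples
    if r.new_variant:
        return ("known family new variant", "alarm information 1", TASK_STATE_ALARM)
    # S109011: known threat of a known family; whether it alarms depends on the script
    known = "known threat of known family"
    if script == "ioc":
        if r.high_risk:
            return (known, "alarm information 2", TASK_STATE_ALARM)
        return (known, None, TASK_STATE_DONE)
    if script == "realtime":
        if r.propagation_range > RANGE_THRESHOLD:
            return (known, "alarm information 2", TASK_STATE_ALARM)
        return (known, None, TASK_STATE_DONE)
    if script in ("sandbox", "cloud_mirror"):
        return (known, f"alarm information: {known}", TASK_STATE_ALARM)
    raise ValueError(f"unknown script {script!r}")


def drain_queue(script: str, queue: Deque[ThreatResult]) -> List[Tuple[str, Verdict]]:
    """Step 2 of each script: take tasks until the queue is empty, triaging each one."""
    out: List[Tuple[str, Verdict]] = []
    while queue:  # an empty queue ends the task processing process
        r = queue.popleft()
        out.append((r.task_id, triage(script, r)))
    return out


if __name__ == "__main__":
    q = deque([
        ThreatResult("t1", family_match=True, new_variant=True),
        ThreatResult("t2", family_match=False, old_threat=True, respread=False),
        ThreatResult("t3", family_match=True, propagation_range=5000),
    ])
    for task_id, verdict in drain_queue("realtime", q):
        print(task_id, verdict)
```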
From the above plurality of different customized analysis scripts, it can be seen that the present invention can subdivide and qualitatively classify the discovered threats into known threats of known families, high-risk threats of known families, new variants of known families, uncertain new threats, uncertain old threats, and uncertain high-risk old threats. Therefore, by combining security capabilities in a customized logical relationship, the invention can discover targeted security threats in a more focused way, that is, it can further judge the nature of the threat and further improve the accuracy of security detection.
In this embodiment, the supply chain analysis script is mainly used to analyze whether the target analysis task exhibits silent promotion behavior, where silent promotion refers to a promotion mode based on default installation.
Then, when the preset security event analysis module is a supply chain analysis module, as shown in fig. 15, S109 may further include:
performing release file behavior analysis on the corresponding target analysis task based on the supply chain analysis module to obtain a release file behavior analysis result;
when silent promotion analysis is performed on the release file behavior analysis result based on the supply chain analysis module and it is determined that the corresponding target analysis task has a first silent promotion behavior, performing networking behavior analysis on the corresponding target analysis task based on the supply chain analysis module to obtain a networking behavior analysis result;
when it is determined, based on the networking behavior analysis result, that the target analysis task corresponding to the supply chain analysis module has a second silent promotion behavior, generating a networking behavior analysis map based on the supply chain analysis module;
analyzing the networking behavior analysis map based on the supply chain analysis module to obtain the threat analysis result of the target analysis task corresponding to the supply chain analysis module.
The above steps are described in detail below:
1) In practical application, the client may import multiple target analysis tasks into the supply chain analysis scenario; these tasks may be stored in a task queue, and when the supply chain analysis script processes tasks, the target analysis task is obtained from the task queue.
2) Before the supply chain analysis script obtains the corresponding target analysis task from the task queue, it needs to judge whether the task queue is empty; if so, the task processing process ends, and if not, step 3 is entered.
3) Basic information analysis is performed on the target analysis task; the basic information analysis is mainly used to analyze whether the target analysis task is malicious.
4) Release file behavior analysis is performed on the corresponding target analysis task based on the supply chain analysis module to obtain a release file behavior analysis result.
Release file behavior refers to whether files other than the target analysis task itself are released (dropped) when the target analysis task runs; for example, when a certain piece of software is installed, analyzing whether a game bundled with the software is released, and the like.
5) Whether the target analysis task has a first silent promotion behavior is judged based on the release file behavior analysis result.
If the first silent promotion behavior exists, networking behavior analysis is performed on the corresponding target analysis task to obtain a networking behavior analysis result, and step 6 is entered.
If the first silent promotion behavior does not exist, step 7 is entered.
6) Whether the target analysis task has a second silent promotion behavior is judged based on the networking behavior analysis result.
In practical application, whether silent promotion behavior exists can be judged from networking behavior; for example, after a certain piece of software is installed, the software continuously accesses a certain shopping website, from which silent promotion behavior can be judged.
If the second silent promotion behavior exists, a networking behavior analysis map is generated based on the supply chain analysis module according to the networking behavior analysis result, and the networking behavior analysis map is analyzed based on the supply chain analysis module to obtain the threat analysis result of the target analysis task.
The networking behavior analysis map mainly shows the user's access behavior in the form of a map.
After the networking behavior analysis map is obtained, the user's time-sequence behavior can be analyzed according to the map to obtain the user's time-sequence behavior analysis result, and the threat analysis result of the target analysis task is obtained from that result. Analyzing the user's time-sequence behavior amounts to judging which programs the user accessed at a given time, that is, connecting the user's access behaviors in series by time.
If the second silent promotion behavior does not exist, step 7 is entered. The second silent promotion behavior is more threatening than the first silent promotion behavior.
As further shown in fig. 15, S1011 may further include:
1) Generating the corresponding alarm information based on the release file behavior analysis result, the networking behavior analysis result or the user's time-sequence behavior analysis result.
2) Updating the task state of the target analysis task to "task state 1".
3) Determining whether an alarm is needed based on the threat analysis result; if not, the task processing flow ends without processing the threat, and if so, the alarm information is sent to the terminal corresponding to the supply chain analysis script so that the supply chain alarm analysts can process it.
As can be seen from the supply chain analysis flow, the supply chain analysis script combines multiple security analysis capabilities: task acquisition, task analysis, basic information analysis, release file behavior analysis, silent promotion behavior analysis, networking behavior analysis and alarm information generation. Through these capabilities, multi-dimensional analysis of the target analysis task is realized, which improves the accuracy of threat detection.
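Steps 4 to 6 above (release file behavior, first silent promotion, networking behavior, second silent promotion, time-sequence map) can be run over recorded sandbox observations. The following is an added example, not the patent's code: the event types, the "continuous access" threshold, and the rule that only the second behavior triggers an alarm are assumptions, and all inputs are constructed.

```python
"""Silent promotion analysis of one target analysis task (supply chain script).

Added example (not the patent's code) following steps 4-6 of the description:
release (drop) file behavior -> first silent promotion, networking behavior ->
second silent promotion, then the per-user time-ordered networking behavior
map. Event types, REPEAT_THRESHOLD and the alarm rule are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# assumed: a dropped program reaching one host at least 3 times counts as "continuous access"
REPEAT_THRESHOLD = 3


@dataclass(frozen=True)
class DropEvent:
    """A file written while the target analysis task (e.g. an installer) runs."""
    path: str
    belongs_to_target: bool  # part of the installed software itself?


@dataclass(frozen=True)
class NetEvent:
    """One networking action observed on a user's machine."""
    user: str
    ts: int       # seconds since the start of observation
    program: str  # path of the program that made the connection
    host: str


def release_file_analysis(drops: Sequence[DropEvent]) -> List[str]:
    """Step 4: files released that are not part of the target analysis task itself."""
    return [d.path for d in drops if not d.belongs_to_target]


def networking_behavior_map(events: Sequence[NetEvent]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Per-user access chain ordered by time: the user's time-sequence behavior."""
    chains: Dict[str, List[Tuple[int, str, str]]] = defaultdict(list)
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        chains[e.user].append((e.ts, e.program, e.host))
    return dict(chains)


def second_silent_promotion(events: Sequence[NetEvent],
                            dropped: Sequence[str]) -> List[Tuple[str, str]]:
    """Step 6: (program, host) pairs where a dropped program keeps reaching the same site."""
    dropped_set = set(dropped)
    hits = Counter((e.program, e.host) for e in events if e.program in dropped_set)
    return sorted(pair for pair, n in hits.items() if n >= REPEAT_THRESHOLD)


def analyze_task(drops: Sequence[DropEvent], events: Sequence[NetEvent]) -> dict:
    """Steps 4-6 plus the S1011 decision; alarm only for the second behavior (assumed)."""
    dropped = release_file_analysis(drops)
    first = bool(dropped)  # step 5: first silent promotion behavior
    result = {"dropped": dropped, "first": first, "second": False, "map": {},
              "threat": None, "alarm": False, "task_state": None}
    if not first:
        return result      # step 7: no silent promotion behavior found
    pairs = second_silent_promotion(events, dropped)  # networking behavior analysis
    result["second"] = bool(pairs)
    result["task_state"] = "task state 1"
    if pairs:
        # the map is generated only once the second behavior is confirmed
        result["map"] = networking_behavior_map(events)
        result["threat"] = "second silent promotion behavior"
        result["alarm"] = True
    else:
        result["threat"] = "first silent promotion behavior"
    return result


# constructed observations: an installer that also drops a game launcher
TARGET = "C:/Program Files/Target/target.exe"
LAUNCHER = "C:/Users/u1/AppData/PromoGame/launcher.exe"
SAMPLE_DROPS = [DropEvent(TARGET, True),
                DropEvent("C:/Program Files/Target/lib.dll", True),
                DropEvent(LAUNCHER, False)]
SAMPLE_EVENTS = [NetEvent("u1", 30, LAUNCHER, "shop.example"),
                 NetEvent("u1", 10, TARGET, "update.example"),
                 NetEvent("u1", 20, LAUNCHER, "shop.example"),
                 NetEvent("u1", 40, LAUNCHER, "shop.example"),
                 NetEvent("u2", 5, TARGET, "update.example")]

if __name__ == "__main__":
    print(analyze_task(SAMPLE_DROPS, SAMPLE_EVENTS))
```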
In one possible embodiment, at least one of the target security threat event in S101, the event clue in S10101, the target analysis task in S103 and the threat analysis result in S109 may be stored in a blockchain system. Referring to fig. 16, fig. 16 is a schematic diagram of an optional architecture of a blockchain system provided by an embodiment of the present invention, in which a plurality of nodes form a Peer-to-Peer (P2P) network; the P2P protocol is an application layer protocol running on top of the Transmission Control Protocol (TCP). In a blockchain system, any machine, such as a server or a terminal, may join and become a node; a node includes a hardware layer, a middle layer, an operating system layer and an application layer.
Referring to the functions of each node in the blockchain system shown in fig. 16, the functions involved include:
1) Routing: a basic function of a node, used to support communication between nodes.
Besides the routing function, a node may also have the following functions:
2) Application: deployed in the blockchain to realize a specific service according to actual service requirements; it records the data involved in realizing that function to form record data, carries a digital signature in the record data to indicate the source of the task data, and sends the record data to the other nodes in the blockchain system; when the other nodes have verified the source and integrity of the record data, the record data is added to a temporary block.
3) Blockchain: a series of blocks linked to each other in the order in which they were generated; once a new block has been added to the blockchain it is not removed, and the record data submitted by the nodes in the blockchain system is recorded in the blocks.
Referring to fig. 17, fig. 17 is an optional schematic diagram of a block structure according to an embodiment of the present invention, where each block includes the hash value of the transaction records stored in the block (the hash value of the block) and the hash value of the previous block, and the blocks are linked by these hash values to form a blockchain. In addition, a block may include information such as the timestamp of its generation. A blockchain is essentially a decentralized database: a chain of data blocks, each of which is generated in association with the previous one using cryptographic methods.
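The node behaviour just described (record data carrying a signature that identifies its source, peer verification of source and integrity before a record enters the temporary block, and blocks linked by the previous block's hash with a timestamp) is shown below as an added example, not the patent's code. HMAC-SHA256 with per-node keys stands in for the digital signature, and the node keys and threat analysis records are constructed.

```python
"""Signed record data and hash-linked blocks for threat analysis artifacts.

Added example (not the patent's code). HMAC-SHA256 with a per-node key stands
in for the digital signature; a real deployment would use asymmetric keys.
All node keys and records are constructed."""
import hashlib
import hmac
import json
from typing import Dict, List

GENESIS_HASH = "0" * 64
# assumed node keys; a real system would hold one verification key per node
NODE_KEYS: Dict[str, bytes] = {"node-A": b"constructed-key-A",
                               "node-B": b"constructed-key-B"}


def _canon(obj) -> bytes:
    """Canonical JSON so every node hashes and verifies the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_record(source: str, payload: dict) -> dict:
    """Application function: form record data and attach the source's signature."""
    sig = hmac.new(NODE_KEYS[source], _canon(payload), hashlib.sha256).hexdigest()
    return {"source": source, "payload": payload, "signature": sig}


def verify_record(record: dict) -> bool:
    """Peer check: known source, and signature matches the payload (integrity)."""
    key = NODE_KEYS.get(record.get("source", ""))
    if key is None:
        return False
    expected = hmac.new(key, _canon(record["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("signature", ""))


def _block_hash(prev_hash: str, records_hash: str, timestamp: int) -> str:
    """Hash of the block header: previous block hash, record hash and timestamp."""
    return hashlib.sha256(f"{prev_hash}|{records_hash}|{timestamp}".encode()).hexdigest()


def seal_block(chain: List[dict], temp_records: List[dict], timestamp: int) -> dict:
    """Keep only verified records from the temporary block and link a new block."""
    accepted = [r for r in temp_records if verify_record(r)]
    prev = chain[-1]["hash"] if chain else GENESIS_HASH
    rh = hashlib.sha256(_canon(accepted)).hexdigest()
    block = {"prev_hash": prev, "records_hash": rh, "timestamp": timestamp,
             "records": accepted, "hash": _block_hash(prev, rh, timestamp)}
    chain.append(block)
    return block


def verify_chain(chain: List[dict]) -> bool:
    """Re-derive every link: record signatures, record hash, block hash, prev pointer."""
    prev = GENESIS_HASH
    for b in chain:
        if b["prev_hash"] != prev:
            return False
        if hashlib.sha256(_canon(b["records"])).hexdigest() != b["records_hash"]:
            return False
        if _block_hash(b["prev_hash"], b["records_hash"], b["timestamp"]) != b["hash"]:
            return False
        if not all(verify_record(r) for r in b["records"]):
            return False
        prev = b["hash"]
    return True


if __name__ == "__main__":
    chain: List[dict] = []
    rec = sign_record("node-A", {"kind": "threat analysis result", "task": "t1",
                                 "result": "known family new variant"})
    seal_block(chain, [rec], 1_700_000_000)
    print(verify_chain(chain), chain[0]["hash"])
```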
The multidimensional security threat event analysis method provided by the embodiment of the invention has the following beneficial effects:
1) The embodiment of the invention provides a security orchestration scheme based on a plurality of customized scripts. Starting from the detected event clues and the different types of analysis tasks generated for the security event, multi-directional analysis and information fusion are completed according to a customized security orchestration flow, and automatic alarm triage is completed by fusing the multi-dimensional analysis results, thereby improving threat detection accuracy and the degree of automation.
2) The invention subdivides the discovered threats into known threats of known families, known high-risk threats of known families, new variants of known families, undetermined new threats, undetermined old threats, and undetermined high-risk old threats. By combining security capabilities through a customized logical relationship, the invention can therefore discover targeted security threats in a more pointed way, that is, it can further judge the nature of the threat, further improve the accuracy of security detection, and effectively defend the system against attacks by the security threat.
3) In the embodiment of the invention, for a single target analysis task, the customized script that processes it has a plurality of security analysis performances, so threat analysis can be carried out on the single target analysis task from multiple directions, which improves the accuracy of threat analysis for that task. For the target security threat event as a whole, threat analysis is carried out through a plurality of different customized scripts, which avoids the incomplete awareness of a single security analysis channel that leaves potential threats unperceived or misjudged, and so improves the accuracy of security threat detection. Meanwhile, because the alarm information is produced from the different threat analysis results of the different target analysis tasks, the alarm information has a higher dimension and the threat analysis is more comprehensive; the multi-dimensional threat analysis results can be fused to complete automatic alarm triage, which effectively avoids the lower detection accuracy that results from single-source alarm information. In addition, analysts with the corresponding expertise and experience are assigned to the different customized scripts, and the corresponding alarm information is analyzed by those analysts, so that accurate judgments can be made from their experience even when the available clues are limited, which improves the accuracy of manual research and judgment of security threat events.
As shown in fig. 18, the embodiment of the present invention further provides a multi-dimensional security threat event analysis apparatus, which may at least include:
The determining module 201 may be configured to determine a target security threat event that is related to an event clue of the monitored security threat event.
The generation module 203 may be configured to generate a plurality of target analysis tasks for a target security threat event.
The acquiring module 205 may be configured to acquire preset security event analysis modules corresponding to the multiple target analysis tasks respectively; the preset security event analysis module is obtained by combining a plurality of security analysis performances.
The analysis module 207 may be configured to perform multidimensional threat analysis on the corresponding target analysis task based on a preset security event analysis module corresponding to each of the plurality of target analysis tasks, to obtain threat analysis results corresponding to each of the plurality of target analysis tasks.
The alarm module 209 may be configured to perform alarm processing on the target security threat event based on threat analysis results corresponding to each of the plurality of target analysis tasks.
Further, the determining module 201 may include:
The monitoring unit may be configured to monitor event clues of the security threat events.
The abnormal unit may be configured to take the security threat event corresponding to an abnormal event clue as the target security threat event when an event clue is abnormal.
Further, if the event clues corresponding to the target security threat event include a plurality of event clues, the generating module 203 may include:
The clue analysis unit may be configured to analyze the event clues respectively to obtain the analysis tasks corresponding to the event clues.
The target analysis task determining unit may be configured to use the analysis tasks corresponding to the event clues as the plurality of target analysis tasks of the target security threat event.
Further, the apparatus may further include a build module, which may include:
the security analysis performance acquisition unit may be configured to acquire a plurality of security analysis performances.
The association relation determining unit may be configured to determine association relations between the plurality of security analysis performances.
The combination unit may be configured to combine the plurality of security analysis performances based on the association relations to obtain the preset security event analysis module.
Further, the apparatus may further comprise a distribution module, which may be configured to distribute the plurality of target analysis tasks to the corresponding preset security event analysis modules.
Specifically, the analysis module 207 may include:
the threat qualitative result acquisition unit can be used for carrying out threat qualitative analysis on the corresponding target analysis tasks based on the preset security event analysis modules corresponding to the target analysis tasks respectively to obtain threat qualitative results corresponding to the target analysis tasks respectively.
The first type threat determination unit may be configured to determine, when threat qualitative results corresponding to the plurality of target analysis tasks do not match preset threat information, that threat analysis results corresponding to the plurality of target analysis tasks are first type threats.
The strong correlation sample acquiring unit may be configured to acquire strong correlation samples corresponding to the plurality of target analysis tasks when threat qualitative results corresponding to the plurality of target analysis tasks are matched with preset threat information, where the strong correlation samples corresponding to the plurality of target analysis tasks are samples with correlation with corresponding event clues greater than a preset threshold.
The variant analysis unit may be configured to perform variant analysis on the strongly correlated samples corresponding to the target analysis tasks.
The second type threat determination unit may be configured to determine, when a new variant appears in the strongly correlated samples corresponding to each of the plurality of target analysis tasks, that the threat analysis result corresponding to each of the plurality of target analysis tasks is a second type threat.
The third type threat determination unit may be configured to determine, when no new variant appears in the strongly correlated samples corresponding to the target analysis tasks, that the threat analysis results corresponding to the target analysis tasks are third type threats.
Further, when the preset security event analysis module includes a supply chain analysis module, the analysis module 207 may include:
The released file behavior analysis unit may be configured to perform released file behavior analysis on the corresponding target analysis task based on the supply chain analysis module to obtain a released file behavior analysis result.
The networking behavior analysis map generation unit may be configured to perform networking behavior analysis on the corresponding target analysis task based on the supply chain analysis module to obtain a networking behavior analysis map, when silent promotion analysis of the released file behavior analysis result, performed by the supply chain analysis module, shows that the corresponding target analysis task has silent promotion behavior.
The threat analysis result determining unit may be configured to analyze the networking behavior analysis map based on the supply chain analysis module to obtain the threat analysis result of the target analysis task corresponding to the supply chain analysis module.
Further, the alarm module 209 may include:
the alarm information determining unit can be used for carrying out alarm analysis on the corresponding threat analysis results based on the preset security event analysis modules corresponding to the target analysis tasks respectively to obtain alarm information corresponding to the target analysis tasks respectively.
The sending unit can be used for sending corresponding alarm information to the terminal corresponding to the corresponding preset security event analysis module based on the preset security event analysis module corresponding to each of the plurality of target analysis tasks.
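As an added example (not code from the patent or its assignee), the following Python sketch implements the analysis and alarm modules described above: each event clue becomes a target analysis task, is distributed to the preset analysis module for its clue type, is classified into the three threat types by the qualitative-analysis / strongly-correlated-sample / variant rule, and the resulting alarm information is routed to the terminal of the module that produced it. The module names, the correlation threshold, the severity ordering used to fuse results into one verdict, and all sample data are constructed assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three threat types named in the description and in claim 1.
FIRST_TYPE = "first type: undetermined new threat"
SECOND_TYPE = "second type: new variant of a known family"
THIRD_TYPE = "third type: known threat of a known family"


@dataclass(frozen=True)
class EventClue:
    """One event clue of the monitored security threat event (constructed)."""
    clue_type: str  # selects the preset analysis module, e.g. "ioc", "sample"
    value: str      # the clue itself: a domain name, an IP address, a hash, ...


@dataclass(frozen=True)
class Sample:
    """A sample retrieved for a clue, with its correlation to that clue."""
    sample_id: str
    correlation: float    # 0.0 .. 1.0, correlation with the event clue
    is_new_variant: bool  # outcome of variant analysis (constructed flag)


@dataclass
class AnalysisModule:
    """A preset security event analysis module: a customised script combining
    several analysis capabilities, with the analyst terminal it reports to."""
    name: str
    terminal: str                        # terminal that receives its alerts
    preset_threat_info: Dict[str, str]   # clue value -> known family
    correlation_threshold: float = 0.8   # the 'preset threshold' (assumed)

    def qualitative_analysis(self, clue: EventClue) -> Optional[str]:
        """Match the clue against preset threat information; returns the
        known family, or None when the clue is not matched."""
        return self.preset_threat_info.get(clue.value)

    def strongly_correlated(self, samples: List[Sample]) -> List[Sample]:
        """Samples whose correlation with the clue exceeds the threshold."""
        return [s for s in samples if s.correlation > self.correlation_threshold]

    def analyze(self, clue: EventClue, samples: List[Sample]) -> dict:
        """Classify one target analysis task into one of the three types."""
        family = self.qualitative_analysis(clue)
        if family is None:
            threat_type = FIRST_TYPE    # not in preset threat info
        elif any(s.is_new_variant for s in self.strongly_correlated(samples)):
            threat_type = SECOND_TYPE   # known family, but a new variant
        else:
            threat_type = THIRD_TYPE    # known family, known threat
        return {"module": self.name, "terminal": self.terminal,
                "clue": clue.value, "family": family, "type": threat_type}


# Order used to fuse per-task results into one triage verdict. The patent
# fixes no such order; this ranking is an assumption of the example.
SEVERITY = {SECOND_TYPE: 3, FIRST_TYPE: 2, THIRD_TYPE: 1}


def triage(clues: List[EventClue], modules: Dict[str, AnalysisModule],
           samples_by_clue: Dict[str, List[Sample]]) -> dict:
    """One target analysis task per clue; distribute each task to the module
    for its clue type, analyse, then build alerts and route them per module."""
    results = [modules[c.clue_type].analyze(c, samples_by_clue.get(c.value, []))
               for c in clues]
    alerts: Dict[str, List[str]] = {}
    for r in results:
        family = f" ({r['family']})" if r["family"] else ""
        alerts.setdefault(r["terminal"], []).append(
            f"[{r['module']}] {r['clue']}: {r['type']}{family}")
    verdict = max((r["type"] for r in results), key=SEVERITY.__getitem__)
    return {"results": results, "alerts": alerts, "verdict": verdict}


# Constructed sample data: two modules and three clues of one monitored event.
MODULES = {
    "ioc": AnalysisModule("suspicious IOCs analysis script", "ioc-analysts",
                          {"c2.example.net": "FamilyA", "203.0.113.7": "FamilyB"}),
    "sample": AnalysisModule("sandbox suspicious sample analysis script",
                             "malware-analysts",
                             {"0123456789abcdef0123456789abcdef": "FamilyA"}),
}
CLUES = [
    EventClue("ioc", "c2.example.net"),                       # known, no variant
    EventClue("sample", "0123456789abcdef0123456789abcdef"),  # known, new variant
    EventClue("ioc", "unknown.example.org"),                  # unmatched clue
]
SAMPLES = {
    # the new-variant sample here is below the threshold, so it does not count
    "c2.example.net": [Sample("s1", 0.95, False), Sample("s2", 0.40, True)],
    "0123456789abcdef0123456789abcdef": [Sample("s3", 0.90, True)],
}

if __name__ == "__main__":
    out = triage(CLUES, MODULES, SAMPLES)
    for terminal, msgs in out["alerts"].items():
        print(terminal + ":\n  " + "\n  ".join(msgs))
    print("fused verdict:", out["verdict"])
```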
It should be noted that, the device embodiment provided by the embodiment of the present invention and the method embodiment described above are based on the same inventive concept.
The embodiment of the invention also provides an electronic device for multi-dimensional security threat event analysis, which comprises a processor and a memory, wherein at least one instruction or at least one program is stored in the memory, and the at least one instruction or the at least one program is loaded and executed by the processor to implement the multi-dimensional security threat event analysis method provided by the method embodiment.
Embodiments of the present invention also provide a computer readable storage medium that may be disposed in a terminal to store at least one instruction or at least one program for implementing the multi-dimensional security threat event analysis method of the method embodiment, where the at least one instruction or at least one program is loaded and executed by a processor to implement the multi-dimensional security threat event analysis method provided in the method embodiment described above.
Alternatively, in the embodiment of the present description, the storage medium may be located in at least one network server among a plurality of network servers of a computer network. Alternatively, in the present embodiment, the storage medium may include, but is not limited to: a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
The memory of the embodiments of the present description may be used to store software programs and modules that are stored in the memory for execution by the processor to perform various functional applications and multidimensional security threat event analysis. The memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, application programs required for functions, and the like; the storage data area may store data created according to the use of the device, etc. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device. Accordingly, the memory may also include a memory controller to provide access to the memory by the processor.
Embodiments of the present invention also provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium, and the processor executes the computer instructions, so that the computer device executes the multi-dimensional security threat event analysis method provided by the above method embodiment.
The multi-dimensional security threat event analysis method provided by the embodiment of the invention can be executed on a terminal, a computer terminal, a server or a similar computing device. Taking execution on a server as an example, fig. 19 is a hardware structural block diagram of a server for the multi-dimensional security threat event analysis method according to an embodiment of the invention. As shown in fig. 19, the server 300 may vary considerably in configuration or performance, and may include one or more central processing units (CPU) 310 (the processor 310 may include, but is not limited to, a microprocessor such as an MCU, or a processing device such as a programmable logic device FPGA), a memory 330 for storing data, and one or more storage media 320 (e.g., one or more mass storage devices) for storing applications 323 or data 322. The memory 330 and the storage medium 320 may be transitory or persistent storage. The program stored in the storage medium 320 may include one or more modules, each of which may include a series of instruction operations on the server. Further, the central processor 310 may be configured to communicate with the storage medium 320 and to execute the series of instruction operations in the storage medium 320 on the server 300. The server 300 may also include one or more power supplies 360, one or more wired or wireless network interfaces 350, one or more input/output interfaces 340, and/or one or more operating systems 321, e.g., Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
The input/output interface 340 may be used to receive or transmit data via a network. A specific example of such a network is a wireless network provided by the communication provider of the server 300. In one example, the input/output interface 340 includes a network interface controller (NIC) that may connect to other network devices through a base station to communicate with the Internet. In another example, the input/output interface 340 may be a radio frequency (RF) module for communicating with the Internet wirelessly.
It will be appreciated by those of ordinary skill in the art that the configuration shown in fig. 19 is merely illustrative and is not intended to limit the configuration of the electronic device described above. For example, the server 300 may also include more or fewer components than shown in fig. 19, or have a different configuration than shown in fig. 19.
It should be noted that: the sequence of the embodiments of the present invention is only for description, and does not represent the advantages and disadvantages of the embodiments. And the foregoing description has been directed to specific embodiments of this specification. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for the device and server embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and references to the parts of the description of the method embodiments are only required.
It will be appreciated by those of ordinary skill in the art that all or part of the steps of implementing the above embodiments may be implemented by hardware, or may be implemented by a program to instruct related hardware, and the program may be stored in a computer readable storage medium, where the storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing is only illustrative of the present invention and is not to be construed as limiting thereof, but rather as various modifications, equivalent arrangements, improvements, etc., within the spirit and principles of the present invention.

Claims (12)

1. A method of multidimensional security threat event analysis, the method comprising:
determining a target security threat event, the target security threat event being related to an event clue of the monitored security threat event;
generating a plurality of target analysis tasks for the target security threat event;
acquiring preset security event analysis modules corresponding to the plurality of target analysis tasks respectively, the preset security event analysis module being obtained by combining a plurality of security analysis performances;
based on the preset security event analysis module corresponding to each of the plurality of target analysis tasks, performing multidimensional threat analysis on the corresponding target analysis task to obtain threat analysis results corresponding to each of the plurality of target analysis tasks; wherein, when the preset security event analysis module includes an advanced persistent threat clue analysis script, a defense clue analysis script, a suspicious IOCs analysis script, a sandbox suspicious sample analysis script, a client real-time traffic analysis script and a cloud mirror threat analysis script, the performing of the multidimensional threat analysis on the corresponding target analysis tasks based on the preset security event analysis module corresponding to each of the plurality of target analysis tasks to obtain the threat analysis results corresponding to each of the plurality of target analysis tasks includes: based on the preset security event analysis module corresponding to each of the plurality of target analysis tasks, performing threat qualitative analysis on the corresponding target analysis task to obtain threat qualitative results corresponding to each of the plurality of target analysis tasks; when the corresponding threat qualitative result does not match preset threat information, determining that the corresponding threat analysis result is a first type threat, the first type threat including an undetermined new threat; when the corresponding threat qualitative result matches the preset threat information, acquiring strongly correlated samples corresponding to the target analysis tasks respectively, the corresponding strongly correlated samples being samples whose correlation with the corresponding event clue is greater than a preset threshold; when a new variant appears in the corresponding strongly correlated samples, determining that the corresponding threat analysis result is a second type threat, the second type threat including a new variant of a known family; when no new variant appears in the corresponding strongly correlated samples, determining that the threat analysis result corresponding to each target analysis task is a third type threat, the third type threat including a known threat of a known family; and the suspicious IOCs analysis script is a script that analyzes domain names, IP addresses and MD5 hashes; and
performing alarm processing on the target security threat event based on the threat analysis results corresponding to each of the plurality of target analysis tasks.
2. The method of claim 1, wherein the determining a target security threat event comprises:
monitoring event clues of the security threat event;
when an event clue is abnormal, taking the security threat event corresponding to the abnormal event clue as the target security threat event;
correspondingly, if the event clues corresponding to the target security threat event include a plurality of event clues, the generating a plurality of target analysis tasks for the target security threat event includes:
analyzing the event clues respectively to obtain analysis tasks corresponding to the event clues respectively; and
taking the analysis tasks corresponding to the event clues as the plurality of target analysis tasks of the target security threat event.
3. The method of claim 1 or 2, further comprising constructing the preset security event analysis module, the constructing comprising:
acquiring a plurality of security analysis performances;
determining association relations between the plurality of security analysis performances; and
combining the plurality of security analysis performances based on the association relations to obtain the preset security event analysis module.
4. The method according to claim 1, wherein, when the preset security event analysis module includes a supply chain analysis module, the performing, based on the preset security event analysis module corresponding to each of the plurality of target analysis tasks, of multidimensional threat analysis on the corresponding target analysis task to obtain threat analysis results corresponding to each of the plurality of target analysis tasks includes:
performing released file behavior analysis on the corresponding target analysis task based on the supply chain analysis module to obtain a released file behavior analysis result;
when silent promotion analysis is performed on the released file behavior analysis result based on the supply chain analysis module and it is determined that the corresponding target analysis task has silent promotion behavior, performing networking behavior analysis on the corresponding target analysis task based on the supply chain analysis module to obtain a networking behavior analysis map; and
analyzing the networking behavior analysis map based on the supply chain analysis module to obtain the threat analysis result of the target analysis task corresponding to the supply chain analysis module.
5. The method according to claim 1 or 4, wherein the performing alarm processing on the target security threat event based on the threat analysis results corresponding to each of the plurality of target analysis tasks comprises:
based on the preset security event analysis modules corresponding to the target analysis tasks respectively, performing alarm analysis on the corresponding threat analysis results to obtain alarm information corresponding to the target analysis tasks respectively; and
based on the preset security event analysis modules corresponding to the target analysis tasks respectively, sending the corresponding alarm information to the terminals corresponding to the preset security event analysis modules.
6. A multi-dimensional security threat event analysis apparatus, the apparatus comprising:
a determining module configured to determine a target security threat event, the target security threat event being related to an event clue of the monitored security threat event;
a generation module configured to generate a plurality of target analysis tasks for the target security threat event;
an acquisition module configured to acquire preset security event analysis modules corresponding to the target analysis tasks respectively, the preset security event analysis module being obtained by combining a plurality of security analysis performances;
an analysis module configured to perform multidimensional threat analysis on the corresponding target analysis tasks based on the preset security event analysis module corresponding to each of the plurality of target analysis tasks to obtain threat analysis results corresponding to each of the plurality of target analysis tasks; wherein, when the preset security event analysis module includes an advanced persistent threat clue analysis script, a defense clue analysis script, a suspicious IOCs analysis script, a sandbox suspicious sample analysis script, a client real-time traffic analysis script and a cloud mirror threat analysis script, the analysis module comprises: a threat qualitative result acquisition unit configured to perform threat qualitative analysis on the corresponding target analysis tasks based on the preset security event analysis modules corresponding to the target analysis tasks respectively, to obtain threat qualitative results corresponding to the target analysis tasks respectively; a first type threat determination unit configured to determine that the corresponding threat analysis result is a first type threat when the corresponding threat qualitative result does not match preset threat information, the first type threat including an undetermined new threat; a strongly correlated sample acquisition unit configured to acquire strongly correlated samples corresponding to the target analysis tasks when the corresponding threat qualitative result matches the preset threat information, the corresponding strongly correlated samples being samples whose correlation with the corresponding event clue is greater than a preset threshold; a second type threat determination unit configured to determine, when a new variant appears in the corresponding strongly correlated samples, that the corresponding threat analysis result is a second type threat, the second type threat including a new variant of a known family; and a third type threat determination unit configured to determine, when no new variant appears in the corresponding strongly correlated samples, that the threat analysis result corresponding to each target analysis task is a third type threat, the third type threat including a known threat of a known family; and the suspicious IOCs analysis script is a script that analyzes domain names, IP addresses and MD5 hashes; and
an alarm module configured to perform alarm processing on the target security threat event based on the threat analysis results corresponding to the target analysis tasks.
7. The apparatus of claim 6, wherein the determining module comprises:
a monitoring unit configured to monitor event clues of the security threat event;
an abnormal unit configured to take the security threat event corresponding to an abnormal event clue as the target security threat event when an event clue is abnormal;
and the generation module comprises:
a clue analysis unit configured to analyze the event clues respectively to obtain analysis tasks corresponding to the event clues; and
a target analysis task determining unit configured to take the analysis tasks corresponding to the event clues as the plurality of target analysis tasks of the target security threat event.
8. The apparatus of claim 6 or 7, further comprising a build module comprising:
a security analysis performance acquisition unit configured to acquire a plurality of security analysis performances;
an association relation determining unit configured to determine association relations between the plurality of security analysis performances; and
a combination unit configured to combine the plurality of security analysis performances based on the association relations to obtain the preset security event analysis module.
9. The apparatus of claim 6, wherein, when the preset security event analysis module comprises a supply chain analysis module, the analysis module comprises:
a released file behavior analysis unit configured to perform released file behavior analysis on the corresponding target analysis task based on the supply chain analysis module to obtain a released file behavior analysis result;
a networking behavior analysis map generation unit configured to perform networking behavior analysis on the corresponding target analysis task based on the supply chain analysis module to obtain a networking behavior analysis map, when silent promotion analysis is performed on the released file behavior analysis result based on the supply chain analysis module and it is determined that the corresponding target analysis task has silent promotion behavior; and
a threat analysis result determining unit configured to analyze the networking behavior analysis map based on the supply chain analysis module to obtain the threat analysis result of the target analysis task corresponding to the supply chain analysis module.
10. The apparatus of claim 6 or 9, wherein the alarm module comprises:
an alarm information determining unit configured to perform alarm analysis on the corresponding threat analysis results based on the preset security event analysis modules corresponding to the target analysis tasks respectively, to obtain alarm information corresponding to the target analysis tasks respectively; and
a sending unit configured to send the corresponding alarm information to the terminal corresponding to the corresponding preset security event analysis module, based on the preset security event analysis module corresponding to each of the plurality of target analysis tasks.
11. An electronic device for multi-dimensional security threat event analysis, the electronic device comprising a processor and a memory, the memory having stored therein at least one instruction or at least one program that is loaded and executed by the processor to implement the multi-dimensional security threat event analysis method of any one of claims 1 to 5.
12. A computer readable storage medium having stored therein at least one instruction or at least one program that is loaded and executed by a processor to implement the multi-dimensional security threat event analysis method of any one of claims 1 to 5.

Priority Applications (1)

Application Number: CN202011071907.9A
Priority Date: 2020-10-09
Filing Date: 2020-10-09
Title: Multi-dimensional security threat event analysis method, device, equipment and storage medium

Publications (2)

Publication Number: CN112073437A (en), Publication Date: 2020-12-11
Publication Number: CN112073437B (en), Publication Date: 2023-12-19

Family

ID=73683236

Country Status (1)

Country Link
CN (1) CN112073437B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112651639A (en) * 2020-12-29 2021-04-13 安徽运通达物流科技有限公司 Freight note fulfillment risk analysis method in transportation platform
CN112560020B (en) * 2021-02-19 2022-08-02 鹏城实验室 Threat attack detection method, device, terminal equipment and storage medium
CN114338349B (en) * 2021-12-27 2023-11-10 北京天融信网络安全技术有限公司 Threat analysis method, threat analysis device, electronic equipment and storage medium
CN114301709B (en) * 2021-12-30 2024-04-02 山石网科通信技术股份有限公司 Message processing method and device, storage medium and computing equipment
CN115955388A (en) * 2022-12-20 2023-04-11 浪潮云信息技术股份公司 Distributed cloud comprehensive alarm system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109672663A (en) * 2018-11-09 2019-04-23 杭州安恒信息技术股份有限公司 A kind of the closed loop network security monitoring and managing method and system of security threat event
CN110545276A (en) * 2019-09-03 2019-12-06 新华三信息安全技术有限公司 threat event warning method and device, warning equipment and machine-readable storage medium
CN110691080A (en) * 2019-09-25 2020-01-14 光通天下网络科技股份有限公司 Automatic tracing method, device, equipment and medium
CN111224953A (en) * 2019-12-25 2020-06-02 哈尔滨安天科技集团股份有限公司 Method, device and storage medium for discovering threat organization attack based on abnormal point
CN111651751A (en) * 2019-03-04 2020-09-11 腾讯科技(深圳)有限公司 Security event analysis report generation method and device, storage medium and equipment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7624448B2 (en) * 2006-03-04 2009-11-24 21St Century Technologies, Inc. Intelligent intrusion detection system utilizing enhanced graph-matching of network activity with context data
US10425442B2 (en) * 2016-09-26 2019-09-24 Splunk Inc. Correlating forensic data collected from endpoint devices with other non-forensic data

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on a mimic defense system for the Internet of Vehicles; He Yi; Liu Xingwei; Ma Hongliang; Journal of Information Security Research (Issue 03); full text *

Also Published As

Publication number Publication date
CN112073437A (en) 2020-12-11

Similar Documents

Publication Publication Date Title
CN112073437B (en) Multi-dimensional security threat event analysis method, device, equipment and storage medium
US10521584B1 (en) Computer threat analysis service
US11783035B2 (en) Multi-representational learning models for static analysis of source code
US20170230336A1 (en) Automated honeypot provisioning system
US10855700B1 (en) Post-intrusion detection of cyber-attacks during lateral movement within networks
US10013318B2 (en) Distributed event correlation system
US11816214B2 (en) Building multi-representational learning models for static analysis of source code
CN110210213B (en) Method and device for filtering malicious sample, storage medium and electronic device
US20170111391A1 (en) Enhanced intrusion prevention system
Rahal et al. A distributed architecture for DDoS prediction and bot detection
US20230370439A1 (en) Network action classification and analysis using widely distributed honeypot sensor nodes
US20230362142A1 (en) Network action classification and analysis using widely distributed and selectively attributed sensor nodes and cloud-based processing
Fetjah et al. Toward a big data architecture for security events analytic
Borges et al. Towards a hybrid intrusion detection system for android-based PPDR terminals
JP6592196B2 (en) Malignant event detection apparatus, malignant event detection method, and malignant event detection program
US20230247042A1 (en) Techniques for forensic tracing of suspicious activity from cloud computing logs
Al Makdi et al. Trusted security model for IDS using deep learning
CN111079144B (en) Virus propagation behavior detection method and device
CN116170167A (en) Network security monitoring method and device, electronic equipment and storage medium
Davis Botnet detection using correlated anomalies
Hiruta et al. Ids alert priority determination based on traffic behavior
US20240022547A1 (en) System and method for midserver facilitation of mass scanning network traffic detection and analysis
CN116938605B (en) Network attack protection method and device, electronic equipment and readable storage medium
Alshaya Software-Defined Networking Security Techniques and the Digital Forensics of the SDN Control Plane
Saad Analyzing the Blockchain Attack Surface: A Top-down Approach

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant