CN112769775A - Threat information correlation analysis method, system, equipment and computer medium - Google Patents



Publication number
CN112769775A
Authority
CN
China
Prior art keywords
threat intelligence
association
threat
lost
degree
Prior art date
Legal status
Granted
Application number
CN202011567581.9A
Other languages
Chinese (zh)
Other versions
CN112769775B (en)
Inventor
蒲大峰
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN202011567581.9A
Publication of CN112769775A
Application granted
Publication of CN112769775B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02W CLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO WASTEWATER TREATMENT OR WASTE MANAGEMENT
    • Y02W 90/00 Enabling technologies or technologies with a potential or indirect contribution to greenhouse gas [GHG] emissions mitigation

Abstract

The application discloses a threat intelligence association analysis method, system, device and computer medium. The method determines the threat intelligence appearing on each compromised device (rendered "lost device" in the original); for each compromised device, establishes association relations among the threat intelligence of that device; for each association relation, counts the number of compromised devices on which it appears as the association degree of that relation; and determines a threat intelligence association analysis result from the threat intelligence, the association relations and the association degrees. If several items of threat intelligence appear on one compromised device at the same time, an association relation between them can be assumed, and if a certain association relation appears on many compromised devices at the same time, its association degree can be considered larger, so the threat intelligence association analysis result can be determined from the intelligence, the relations and the degrees. Large-scale threat intelligence production and association analysis can thus be realized with high efficiency.

Description

Threat information correlation analysis method, system, equipment and computer medium
Technical Field
The present application relates to the field of computer security technologies, and more particularly, to a method, a system, a device, and a computer medium for threat intelligence association analysis.
Background
With the rapid development of the internet, network attacks have become a problem that is difficult to avoid when internet applications are deployed. To defend against them better, network attacks must be analyzed and studied, for example by means of threat intelligence association techniques. Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about a threat or hazard faced by an asset; it can be used to inform the response or handling decisions of the parties responsible for that asset. Its main content consists of indicators of compromise used to identify and detect the threat, such as file hash values, IP (Internet Protocol) addresses, domain names, program execution paths and registry entries, together with related attribution labels.
The existing threat intelligence association method builds a sandbox platform or execution environment locally, executes virus files virtually, identifies from the network traffic produced after execution the IP address or URL (Uniform Resource Locator) with which the virus file (identified by its MD5 hash) communicates with its remote command and control (C2, written "CC" in the original) server, and records that connection as the association relation between the two items of threat intelligence.
However, the existing threat intelligence association method cannot process virus files at scale, cannot realize large-scale threat intelligence production and association analysis, and has low efficiency.
In summary, how to improve the efficiency of the threat intelligence association method is a problem to be solved urgently by those skilled in the art.
Disclosure of Invention
The application aims to provide a threat information correlation analysis method which has the effect of high efficiency. The application also provides a threat intelligence correlation analysis system, an electronic device and a computer readable storage medium.
In order to achieve the above purpose, the present application provides the following technical solutions:
a threat intelligence association analysis method, comprising:
determining the threat intelligence appearing on each compromised device;
for each compromised device, establishing association relations among the threat intelligence of that device;
for each association relation, counting the number of compromised devices having that relation as its association degree;
and determining a threat intelligence association analysis result based on the threat intelligence, the association relations and the association degrees.
Preferably, determining the threat intelligence association analysis result based on the threat intelligence, the association relations and the association degrees includes:
using each item of threat intelligence as a vertex in an undirected graph;
using each association relation as an edge in the undirected graph;
converting each association degree into the length of the corresponding edge, thereby establishing the undirected graph corresponding to the threat intelligence, the association relations and the association degrees;
and analyzing the undirected graph to determine the threat intelligence association analysis result.
Preferably, converting the association degree into the length of the corresponding edge includes:
converting the association degree into the length of the corresponding edge according to a conversion rule in which the association degree is inversely proportional to the length;
and analyzing the undirected graph to determine the threat intelligence association analysis result includes:
determining, in the undirected graph, each set of threat intelligence whose members are connected by edges of length less than a preset value;
and taking each such threat intelligence set as the threat intelligence association analysis result.
Preferably, after taking each threat intelligence set as the threat intelligence association analysis result, the method further includes:
for each threat intelligence set, extracting virus family information or common attack behavior information of that set.
Preferably, determining the threat intelligence appearing on each compromised device includes:
obtaining the security events of each compromised device, where the security events include those generated at the traffic layer and the host layer of the device;
and analyzing the security events of each compromised device and extracting all threat intelligence they contain.
Preferably, obtaining the security events of each compromised device includes:
obtaining the security events of the device within a preset time length.
Preferably, the types of threat intelligence include: attacker IP, virus sample md5, remote-control C2 communication IP address, and URL of a malicious request.
A threat intelligence association analysis system, comprising:
a threat intelligence determining module, configured to determine the threat intelligence appearing on each compromised device;
an association relation establishing module, configured to establish, for each compromised device, association relations among the threat intelligence of that device;
an association degree counting module, configured to count, for each association relation, the number of compromised devices having that relation as its association degree;
and an association analysis result determining module, configured to determine the threat intelligence association analysis result based on the threat intelligence, the association relations and the association degrees.
An electronic device, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of any of the above threat intelligence association analysis methods when executing the computer program.
A computer-readable storage medium having a computer program stored thereon which, when executed by a processor, performs the steps of any of the threat intelligence association analysis methods described above.
The threat intelligence association analysis method provided by the application determines the threat intelligence appearing on each compromised device; for each compromised device, establishes association relations among the threat intelligence of that device; for each association relation, counts the number of compromised devices having that relation as its association degree; and determines a threat intelligence association analysis result based on the threat intelligence, the association relations and the association degrees. In this way the threat intelligence appearing on each compromised device is determined; if several items of threat intelligence appear on one compromised device at the same time, association relations among them are established; correspondingly, if a certain association relation appears on many compromised devices, its association degree can be considered large, so the number of compromised devices having the relation is counted as its association degree; and finally the association analysis result is determined from the intelligence, the relations and the degrees. Because the association analysis is realized by analyzing and counting the threat intelligence of many compromised devices, large-scale threat intelligence production and association analysis can be realized with high efficiency. The threat intelligence association analysis system, the electronic device and the computer-readable storage medium solve the corresponding technical problems.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a first flowchart of a threat intelligence association analysis method according to an embodiment of the present application;
fig. 2 is a second flowchart of a threat intelligence association analysis method according to an embodiment of the present application;
FIG. 3 is a diagram of an undirected graph corresponding to threat intelligence in practical applications;
fig. 4 is a third flowchart of a threat intelligence association analysis method according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of a threat intelligence association analysis system according to an embodiment of the present application;
fig. 6 is a schematic diagram of a hardware component structure of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a first flowchart of a threat intelligence association analysis method according to an embodiment of the present application.
The threat intelligence correlation analysis method provided by the embodiment of the application can comprise the following steps:
step S101: and determining threat intelligence of each lost device.
In practical application, because threat intelligence exists in the lost equipment, the threat intelligence of each lost equipment can be determined; the number of the lost devices, that is, the servers, hosts, etc. that have been successfully invaded by attackers or viruses, can be determined according to actual needs.
It should be noted that the type of threat intelligence may be determined according to actual needs, for example, threat intelligence may include attacker IP, virus sample md5, remote control CC communication IP address, URL of malicious request, and the like.
Step S102: and establishing an incidence relation among threat intelligence of the lost equipment for each lost equipment.
In practical application, if two threat intelligence reports appear in the same lost device, it can be considered that there is a correlation between the two threat intelligence reports, for example, an attacker IP and a virus sample md5 appear in one lost device at the same time, it can be considered that there is a correlation between the attacker IP and a virus sample md5, so after determining the threat intelligence appearing in each lost device, for each lost device, an association relationship between the threat intelligence appearing in the lost device can be established, specifically, for each lost device, an association relationship between every two threat intelligence appearing in the lost device is established.
It should be noted that, because the correlation between two threat informations appearing in the failed device is affected by the time interval between the two threat informations, for example, the time interval between the two threat informations appearing in a single failed device is very different, assuming that the time interval is one week, the correlation between the two threat informations can be considered to be almost not related, and if the time interval between the two threat informations appearing in a single failed device is very small, assuming that the time interval is 1 minute, the correlation between the two threat informations can be considered to be very strong, in a specific application scenario, in the process of establishing the correlation between the threat informations appearing in the failed device, the time interval between the threat informations appearing in the failed device can be considered to determine whether to establish the correlation between the two threat informations, for example, whether the time interval between the two threat informations appearing in the failed device is less than the preset time length is judged, if so, establishing an association relationship between the two threat intelligence, otherwise, not establishing an association relationship between the two threat intelligence, and the like. 
In addition, the existing threat information correlation analysis method can only establish the correlation between the virus file md5 and the IP or URL of CC communication once, the determined correlation is few in types and low in efficiency, and in the method, because the threat information appearing on each lost device is of multiple types, if the threat information is determined by taking the lost device as a unit, the multiple types of threat information can be determined once, and then the correlation among the multiple types of threat information can be determined once, the determined correlation is multiple in types and high in efficiency, and the threat information correlation analysis effect is good.
Step S103: and for each incidence relation, counting the number of the lost devices with the incidence relation as the incidence degree of the incidence relation.
In practical application, after the association relationship between threat intelligence of each lost device is established, only the association relationship existing in each lost device can be determined, but the association degree between two threat intelligence is unknown, and the association degree of the association relationship existing in each lost device is the same, for example, the association relationship existing in the lost device a is the association relationship between the threat intelligence a and the threat intelligence B, and the association relationship existing in the lost device B is the association relationship between the threat intelligence B and the threat intelligence C, at this time, only the association relationship existing among the threat intelligence a, the threat intelligence B and the threat intelligence C can be known, but whether the association relationship is reliable or not can not be known, which is not beneficial for the subsequent threat intelligence association analysis, in order to solve the problem, because the present application has a plurality of lost devices, if a plurality of lost devices all have a certain association relationship, the association degree of the association relationship may be considered to be high, that is, the number of the lost devices having the corresponding association relationship may be used as the association degree of the association relationship in the present application, for example, 500 lost devices all have an association relationship between threat intelligence a and threat intelligence B, and 10 lost devices all have an association relationship between threat intelligence B and threat intelligence C, so that the association degree of the association relationship between threat intelligence a and threat intelligence B may be determined to be 500, and the association degree of the association relationship between threat intelligence B and threat intelligence C may be determined to 
be 10, so that not only the association relationship may be determined, but also the association degree may be determined, which is convenient for the subsequent threat intelligence association analysis. It should be noted that threat intelligence a, threat intelligence B, and threat intelligence C are described herein to generally refer to a class of threat intelligence.
Step S104: and determining a threat intelligence correlation analysis result based on the threat intelligence, the correlation relation and the correlation degree.
In practical application, after counting the number of lost devices having association relationship as association degree of association relationship for each association relationship, determining threat intelligence association analysis result based on threat intelligence, association relationship and association degree, determining process of threat intelligence association analysis result and corresponding information according to actual requirement, for example, threat intelligence having association relationship with each other and association degree greater than a certain value can be used as threat intelligence set, and threat intelligence set is output as threat intelligence association analysis result, for easy understanding, assuming threat intelligence a, threat intelligence B and threat intelligence C as examples, only threat intelligence a and threat intelligence B can be used as a set of threat intelligence set, of course, if there is association relationship between threat intelligence a and threat intelligence D and association degree is 450, threat intelligence D may also be added to the set of threat intelligence sets.
The threat information correlation analysis method provided by the application determines threat information appearing in each lost device; for each lost device, establishing an incidence relation among threat intelligence of the lost device; for each incidence relation, counting the number of the lost devices with the incidence relation as the incidence degree of the incidence relation; and determining a threat intelligence correlation analysis result based on the threat intelligence, the correlation relation and the correlation degree. According to the method, threat intelligence appearing in each lost device can be determined, if the threat intelligence appears in one lost device at the same time, association relation among the threat intelligence appearing in the lost device can be established, correspondingly, if a plurality of lost devices appear in a certain association relation at the same time, association degree of the association relation can be considered to be large, the number of the lost devices with the association relation can be counted as association degree of the association relation, and finally, a threat intelligence association analysis result is determined based on the threat intelligence, the association relation and the association degree; threat information correlation analysis is realized by analyzing and counting threat information of a plurality of lost devices, large-scale threat information production and correlation analysis can be realized, and the efficiency is high.
Referring to fig. 2, fig. 2 is a second flowchart of a threat intelligence association analysis method according to an embodiment of the present application.
The threat intelligence correlation analysis method provided by the embodiment of the application can comprise the following steps:
step S201: and determining threat intelligence of each lost device.
Step S202: and establishing an incidence relation among threat intelligence of the lost equipment for each lost equipment.
Step S203: and for each incidence relation, counting the number of the lost devices with the incidence relation as the incidence degree of the incidence relation.
Step S204: the threat intelligence is treated as a vertex in an undirected graph.
Step S205: and taking the incidence relation as an edge in the undirected graph.
Step S206: and converting the association degree into the length of the corresponding edge, and establishing an undirected graph corresponding to the threat intelligence, the association relation and the association degree.
Step S207: and analyzing the undirected graph to determine a threat intelligence correlation analysis result.
In practical application, the association relation indicates whether two items of threat intelligence are associated and the association degree indicates how strongly; the relations are of many types, and relations may themselves be linked to one another. If the association analysis result were determined directly from the intelligence, the relations and the degrees, a large amount of information retrieval and association matching would be needed, the process would be complicated and the efficiency of the analysis low. To avoid this, the threat intelligence, the association relations and the association degrees can be represented as an undirected graph, and the association analysis performed on that graph.
Specifically, each item of threat intelligence serves as a vertex in the undirected graph, each association relation as an edge, and each association degree is converted into the length of the corresponding edge, establishing the undirected graph corresponding to the threat intelligence, the association relations and the association degrees. The threat intelligence is thereby gathered in the graph, and the association analysis result can be read directly from it.
In a specific application scenario, the greater the association degree, the stronger the association between the two items of threat intelligence, and the closer together they can be placed in the undirected graph. To facilitate determining the analysis result from the graph, the association degree is therefore converted into the length of the corresponding edge according to a conversion rule in which the association degree is inversely proportional to the length. Correspondingly, when the graph is analyzed, each set of threat intelligence whose members are connected by edges of length less than the preset value is determined, and each such set is taken as a threat intelligence association analysis result. For ease of understanding, suppose the undirected graph corresponding to threat intelligence in a practical application is as shown in fig. 3; since the distances in the graph, that is, the edge lengths, between threat intelligence A, threat intelligence B, threat intelligence C and threat intelligence F are short, these four can be grouped into one threat intelligence set.
In a specific application scenario, because the threat intelligence within each set is strongly associated, and strongly associated threat intelligence may belong to the same virus family or exhibit the same attack behavior, after each set has been taken as an analysis result, virus family information or common attack behavior information can be extracted for each set, so that virus family analysis or attack behavior analysis is carried out on the basis of the association relations and association degrees among the threat intelligence, further extending the function of the analysis method of this application.
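As an added illustration of steps S101 to S104 and of the undirected-graph embodiment of steps S204 to S207 (this is example code written for this page, not code from the patent or from Sangfor), the following Python builds the pairwise associations per compromised device, counts the association degree as the number of devices sharing a pair, converts degree to edge length and collects the sets of intelligence joined by edges shorter than a preset value. It also applies the optional time-interval gate discussed under step S102. The device names, addresses, hash and URL are constructed; the conversion rule 1/degree and the thresholds are this example's assumptions, since the patent only requires that length be inversely proportional to degree.

```python
"""Threat intelligence association analysis over compromised devices.

Added example, not the patent's code. Implements steps S102/S103 (pairwise
associations per device, association degree = number of devices sharing the
pair) and the undirected-graph variant of steps S204-S207 (edge length
inversely proportional to degree, intelligence sets = vertices joined by
edges shorter than a preset value). The optional time-interval gate
discussed under step S102 is included. All data below is constructed.
"""
from collections import defaultdict
from itertools import combinations

# Constructed intelligence items of the types the page lists (documentation-
# range IPs, a made-up md5 and URL). An item is a (type, value) tuple.
ATTACKER_IP = ("attacker_ip", "203.0.113.7")
SAMPLE_MD5 = ("sample_md5", "0123456789abcdef0123456789abcdef")
C2_IP = ("c2_ip", "198.51.100.9")
MALICIOUS_URL = ("url", "http://malware.example/stage2")
OTHER_IP = ("attacker_ip", "192.0.2.5")

# Constructed observations: compromised device -> [(item, seconds since window start)]
SAMPLE_DEVICES = {
    "host-01": [(ATTACKER_IP, 0), (SAMPLE_MD5, 60), (C2_IP, 120)],
    "host-02": [(ATTACKER_IP, 0), (SAMPLE_MD5, 30), (C2_IP, 90)],
    "host-03": [(ATTACKER_IP, 0), (SAMPLE_MD5, 10), (OTHER_IP, 7 * 24 * 3600)],  # a week later
    "host-04": [(SAMPLE_MD5, 0), (MALICIOUS_URL, 100)],
    "host-05": [(OTHER_IP, 0), (MALICIOUS_URL, 50)],
}


def device_associations(observations, max_gap=None):
    """Step S102 for one device: associate every two distinct items seen on it.
    With max_gap (seconds), only pairs seen within that interval are associated."""
    pairs = set()
    for (item_a, seen_a), (item_b, seen_b) in combinations(observations, 2):
        if item_a == item_b:
            continue  # the same item reported twice is not an association
        if max_gap is not None and abs(seen_a - seen_b) > max_gap:
            continue  # too far apart in time to be treated as related
        pairs.add(frozenset((item_a, item_b)))
    return pairs


def association_degrees(devices, max_gap=None):
    """Step S103: degree of an association = number of compromised devices
    on which it appears (each device counts a pair at most once)."""
    degree = defaultdict(int)
    for observations in devices.values():
        for pair in device_associations(observations, max_gap):
            degree[pair] += 1
    return dict(degree)


def edge_length(degree):
    """Step S206: the page only requires length to be inversely proportional
    to degree; 1/degree is this example's assumed conversion rule."""
    return 1.0 / degree


def intel_clusters(devices, max_length, max_gap=None):
    """Steps S204-S207: vertices are items, edges are associations, and each
    connected component of edges shorter than max_length is one intelligence set."""
    adjacency = defaultdict(set)
    for pair, degree in association_degrees(devices, max_gap).items():
        if edge_length(degree) < max_length:
            item_a, item_b = tuple(pair)
            adjacency[item_a].add(item_b)
            adjacency[item_b].add(item_a)
    seen, clusters = set(), []
    for start in adjacency:  # iterative DFS over the thresholded graph
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(adjacency[node] - seen)
        clusters.append(frozenset(component))
    return clusters


if __name__ == "__main__":
    degrees = association_degrees(SAMPLE_DEVICES)
    for pair, degree in sorted(degrees.items(), key=lambda kv: -kv[1]):
        print(sorted(pair), "degree", degree, "length", round(edge_length(degree), 3))
    for cluster in intel_clusters(SAMPLE_DEVICES, max_length=0.6):
        print("intelligence set:", sorted(cluster))
```

With the constructed data the attacker IP, sample md5 and C2 IP pair co-occur on three and two devices respectively, so with a length threshold of 0.6 they form the single intelligence set, while the week-apart observation on host-03 is dropped as soon as a one-hour gate is applied; items that appear together on only one device sit on edges of length 1 and are not grouped until the threshold is raised.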
Referring to fig. 4, fig. 4 is a third flowchart of a threat intelligence association analysis method according to an embodiment of the present application.
The threat intelligence correlation analysis method provided by the embodiment of the application can comprise the following steps:
step S301: and acquiring the security events of each lost device, wherein the security events comprise the security events generated by the flow layer and the host layer of the lost device.
Step S302: and analyzing the security event of each lost device, and extracting all threat intelligence contained in the security event.
In practical application, because the security event of the lost device carries corresponding threat information, and the security event of the lost device mainly comes from the flow layer and the host layer of the lost device, the security event of each lost device can be obtained in order to quickly determine the threat information appearing on each lost device, and the security event comprises the security event generated by the flow layer and the host layer of the lost device. Specifically, the alarm logs of the network security devices on the traffic layer and the host layer of each lost device can be analyzed and extracted, so that the security events and the like of each lost device can be rapidly acquired.
In a specific application scenario, in order to ensure reliability of an association relationship between acquired threat intelligence, a time duration phoneme may be added in a process of acquiring a security event of each lost device, that is, a security event of each lost device within a preset time duration may be acquired, for example, a security event of each lost device within 24 hours, 48 hours, 72 hours, or the like is acquired.
Step S303: and establishing an incidence relation among threat intelligence of the lost equipment for each lost equipment.
Step S304: and for each incidence relation, counting the number of the lost devices with the incidence relation as the incidence degree of the incidence relation.
Step S305: and determining a threat intelligence correlation analysis result based on the threat intelligence, the correlation relation and the correlation degree.
The related descriptions of other steps in the present application may refer to the above embodiments, and are not repeated herein.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a threat intelligence correlation analysis system according to an embodiment of the present application, and fig. 6 is a schematic diagram of the hardware composition of an electronic device according to an embodiment of the present invention.
The threat intelligence correlation analysis system provided by the embodiment of the application can comprise:
a threat intelligence determination module 101, configured to determine the threat intelligence occurring on each compromised device;
an association relation establishing module 102, configured to establish, for each compromised device, association relations among the threat intelligence of that device;
an association degree counting module 103, configured to count, for each association relation, the number of compromised devices on which that association relation occurs as the association degree of the association relation;
and a correlation analysis result determining module 104, configured to determine the threat intelligence correlation analysis result based on the threat intelligence, the association relations and the association degrees.
In an embodiment of the present application, the correlation analysis result determining module may include:
a vertex setting submodule, configured to use each item of threat intelligence as a vertex of an undirected graph;
an edge setting submodule, configured to use each association relation as an edge of the undirected graph;
an undirected graph establishing submodule, configured to convert each association degree into the length of the corresponding edge and to establish the undirected graph corresponding to the threat intelligence, the association relations and the association degrees;
and a correlation analysis result determining submodule, configured to analyze the undirected graph and determine the threat intelligence correlation analysis result.
In an embodiment of the application, the undirected graph establishing submodule includes:
a length conversion unit, configured to convert the association degree into the length of the corresponding edge according to a conversion rule in which the length is inversely proportional to the association degree;
and the correlation analysis result determining submodule may include:
a threat intelligence set determining unit, configured to determine, in the undirected graph, each set of threat intelligence whose vertices are connected by edges of length smaller than a preset value;
and a correlation analysis result determining unit, configured to take each such threat intelligence set as a threat intelligence correlation analysis result.
The threat intelligence correlation analysis system provided by the embodiment of the application can further comprise:
an analysis unit, configured to extract, for each threat intelligence set, the virus family information or the shared attack behavior information of that set, after the correlation analysis result determining unit has taken each threat intelligence set as a threat intelligence correlation analysis result.
In an embodiment of the present application, the threat intelligence determination module may include:
a security event acquisition submodule, configured to acquire the security events of each compromised device, the security events including the events generated at the traffic layer and at the host layer of the compromised device;
and a threat intelligence determining submodule, configured to analyze, for each compromised device, the security events of that device and to extract all threat intelligence contained in them.
In an embodiment of the present application, the security event acquisition submodule of the threat intelligence correlation analysis system may include:
a security event acquisition unit, configured to acquire the security events of each compromised device within a preset duration.
In the threat intelligence correlation analysis system provided by the embodiment of the application, the types of threat intelligence can include: attacker IP, virus sample MD5, remote-control (C2) communication IP address, and URL of a malicious request.
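As an added worked example (not code from the patent or from Sangfor), the Python below carries steps S301 to S305 and modules 101 to 104 through on constructed data: events are filtered by the preset time window, every pair of threat intelligence seen on one device becomes an association, the degree is the count of devices sharing the pair, edge length is the inverse of the degree, and the sets joined by edges shorter than a preset value are the result. Device names, IoC values and the window and threshold values are all constructed placeholders.

```python
"""Worked example of the threat-intelligence association analysis described above.

Added illustration, not the patent's implementation; all device names and IoC
values below are constructed placeholders.
"""
from collections import defaultdict
from itertools import combinations

# Threat-intelligence types named in the description (attacker IP, sample MD5,
# C2 IP, malicious URL); each item is a (type, value) tuple.
ATTACKER_IP_1 = ("attacker_ip", "198.51.100.7")
ATTACKER_IP_2 = ("attacker_ip", "198.51.100.8")
SAMPLE_MD5_1 = ("sample_md5", "PLACEHOLDER-MD5-1")
SAMPLE_MD5_2 = ("sample_md5", "PLACEHOLDER-MD5-2")
CC_IP_1 = ("cc_ip", "203.0.113.9")
MAL_URL_1 = ("url", "http://example.invalid/payload")

# Constructed security events per compromised device, as a traffic-layer or
# host-layer sensor would report them: (layer, ioc, hours before "now").
EVENTS = {
    "dev-1": [("traffic", ATTACKER_IP_1, 2), ("host", SAMPLE_MD5_1, 3),
              ("traffic", CC_IP_1, 5)],
    "dev-2": [("traffic", ATTACKER_IP_1, 10), ("host", SAMPLE_MD5_1, 12),
              ("traffic", CC_IP_1, 20),
              ("traffic", MAL_URL_1, 72)],  # older than the 48 h window
    "dev-3": [("traffic", ATTACKER_IP_1, 30), ("host", SAMPLE_MD5_1, 31),
              ("traffic", MAL_URL_1, 40)],
    "dev-4": [("traffic", ATTACKER_IP_2, 1), ("host", SAMPLE_MD5_2, 1)],
}


def extract_intel(events_by_device, window_hours):
    """Steps S301/S302: keep events inside the time window, collect each device's IoC set."""
    intel = {}
    for device, events in events_by_device.items():
        intel[device] = {ioc for (_layer, ioc, age_h) in events if age_h <= window_hours}
    return intel


def build_associations(intel_by_device):
    """Steps S303/S304: every pair of IoCs seen on one device is an association;
    its degree is the number of devices on which that pair co-occurs."""
    degree = defaultdict(int)
    for iocs in intel_by_device.values():
        for a, b in combinations(sorted(iocs), 2):
            degree[frozenset((a, b))] += 1
    return dict(degree)


def edge_length(degree):
    """Claim 3: edge length inversely proportional to the association degree."""
    return 1.0 / degree


def cluster_intel(associations, max_length):
    """Step S305: build the undirected graph and return the vertex sets joined by
    edges shorter than max_length (union-find; isolated vertices are not reported)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for pair, degree in associations.items():
        a, b = tuple(pair)
        if edge_length(degree) < max_length:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for vertex in parent:
        groups[find(vertex)].add(vertex)
    clusters = [frozenset(g) for g in groups.values() if len(g) > 1]
    return sorted(clusters, key=lambda c: (-len(c), sorted(c)))


if __name__ == "__main__":
    intel = extract_intel(EVENTS, window_hours=48)
    assoc = build_associations(intel)
    for pair, d in sorted(assoc.items(), key=lambda kv: -kv[1]):
        print(sorted(pair), "degree", d, "length", round(edge_length(d), 3))
    print(cluster_intel(assoc, max_length=0.6))
```

With the threshold at 0.6 only the pairs seen on at least two devices survive, so the attacker IP, the sample hash and the C2 IP form one set while the URL (seen on one device inside the window) stays out; raising the threshold above 1.0 admits every edge.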
Based on the hardware implementation of the above program modules, and in order to implement the method according to the embodiment of the present invention, an embodiment of the present invention further provides an electronic device. Fig. 6 is a schematic diagram of the hardware composition of the electronic device according to the embodiment of the present invention; as shown in fig. 6, the electronic device includes:
a communication interface 1, capable of exchanging information with other devices such as network devices;
and a processor 2, connected to the communication interface 1 so as to exchange information with other devices, and configured to execute the threat intelligence correlation analysis method provided by one or more of the above technical solutions when running a computer program, the computer program being stored in the memory 3.
In practice, of course, the various components in the electronic device are coupled together by the bus system 4. It will be appreciated that the bus system 4 is used to enable connection communication between these components. The bus system 4 comprises, in addition to a data bus, a power bus, a control bus and a status signal bus. For the sake of clarity, however, the various buses are labeled as bus system 4 in fig. 6.
The memory 3 in the embodiment of the present invention is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory 3 may be volatile memory or non-volatile memory, and may include both volatile and non-volatile memory. The non-volatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disk, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be a Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memory 3 described in the embodiments of the present invention is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed by the above embodiment of the present invention can be applied to the processor 2, or implemented by the processor 2. The processor 2 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 2. The processor 2 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 2 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed by the embodiment of the invention can be directly implemented by a hardware decoding processor, or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 3, and the processor 2 reads the program in the memory 3 and in combination with its hardware performs the steps of the aforementioned method.
When the processor 2 executes the program, the corresponding processes in the methods according to the embodiments of the present invention are realized, and for brevity, are not described herein again.
In an exemplary embodiment, the present invention further provides a storage medium, i.e. a computer storage medium, in particular a computer readable storage medium, for example comprising a memory 3 storing a computer program, which is executable by a processor 2 to perform the steps of the aforementioned method. The computer readable storage medium may be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, terminal and method may be implemented in other manners. The above-described device embodiments are only illustrative, for example, the division of the unit is only one logical function division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for enabling an electronic device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
For a description of relevant parts in the threat intelligence association analysis system, the electronic device, and the computer-readable storage medium provided in the embodiment of the present application, reference is made to detailed descriptions of corresponding parts in the threat intelligence association analysis method provided in the embodiment of the present application, and details are not repeated here. In addition, parts of the above technical solutions provided in the embodiments of the present application, which are consistent with the implementation principles of corresponding technical solutions in the prior art, are not described in detail so as to avoid redundant description.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A threat intelligence correlation analysis method, characterized by comprising the following steps:
determining the threat intelligence occurring on each compromised device;
for each compromised device, establishing association relations among the threat intelligence of that device;
for each association relation, counting the number of compromised devices on which that association relation occurs as the association degree of the association relation;
and determining a threat intelligence correlation analysis result based on the threat intelligence, the association relations and the association degrees.
2. The method of claim 1, wherein said determining a threat intelligence correlation analysis result based on said threat intelligence, said association relations and said association degrees comprises:
using the threat intelligence as vertices of an undirected graph;
using the association relations as edges of the undirected graph;
converting each association degree into the length of the corresponding edge, and establishing the undirected graph corresponding to the threat intelligence, the association relations and the association degrees;
and analyzing the undirected graph to determine the threat intelligence correlation analysis result.
3. The method of claim 2, wherein said converting each association degree into the length of the corresponding edge comprises:
converting the association degree into the length of the corresponding edge according to a conversion rule in which the length is inversely proportional to the association degree;
and said analyzing the undirected graph to determine the threat intelligence correlation analysis result comprises:
determining, in the undirected graph, each set of threat intelligence whose vertices are connected by edges of length less than a preset value;
and taking each said set of threat intelligence as the threat intelligence correlation analysis result.
4. The method of claim 3, wherein after said taking each said set of threat intelligence as the threat intelligence correlation analysis result, the method further comprises:
for each said set of threat intelligence, extracting the virus family information or the shared attack behavior information of that set.
5. The method according to any one of claims 1 to 4, wherein said determining the threat intelligence occurring on each compromised device comprises:
acquiring the security events of each compromised device, wherein the security events comprise the events generated at the traffic layer and at the host layer of the compromised device;
and analyzing the security events of each compromised device, and extracting all threat intelligence contained in those events.
6. The method of claim 5, wherein said acquiring the security events of each said compromised device comprises:
acquiring the security events of each said compromised device within a preset duration.
7. The method of claim 1, wherein the types of threat intelligence comprise: attacker IP, virus sample MD5, remote-control (C2) communication IP address, and URL of a malicious request.
8. A threat intelligence correlation analysis system, comprising:
a threat intelligence determination module, configured to determine the threat intelligence occurring on each compromised device;
an association relation establishing module, configured to establish, for each compromised device, association relations among the threat intelligence of that device;
an association degree counting module, configured to count, for each association relation, the number of compromised devices on which that association relation occurs as the association degree of the association relation;
and a correlation analysis result determining module, configured to determine the threat intelligence correlation analysis result based on the threat intelligence, the association relations and the association degrees.
9. An electronic device, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of the threat intelligence correlation analysis method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium in which a computer program is stored, the computer program, when executed by a processor, carrying out the steps of the threat intelligence correlation analysis method according to any one of claims 1 to 7.
Application CN202011567581.9A, priority date 2020-12-25, filing date 2020-12-25: Threat information association analysis method, system, equipment and computer medium (Active; granted as CN112769775B).

Publications

CN112769775A (publication date 2021-05-07)
CN112769775B (publication date 2023-05-12)