CN112769775B - Threat information association analysis method, system, equipment and computer medium - Google Patents


Info

Publication number: CN112769775B
Authority: CN (China)
Application number: CN202011567581.9A
Other languages: Chinese (zh)
Other versions: CN112769775A (en)
Inventor: 蒲大峰
Original and current assignee: Sangfor Technologies Co Ltd
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02W CLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO WASTEWATER TREATMENT OR WASTE MANAGEMENT
    • Y02W 90/00 Enabling technologies or technologies with a potential or indirect contribution to greenhouse gas [GHG] emissions mitigation

Abstract

The application discloses a threat intelligence association analysis method, system, device and computer medium. The method determines the threat intelligence of each compromised device; for each compromised device, establishes associations between the threat intelligence items appearing on that device; for each association, counts the number of compromised devices on which the association occurs as the association degree of that association; and determines the threat intelligence association analysis result based on the threat intelligence, the associations and the association degrees. In the application, if threat intelligence items appear on the same compromised device at the same time, an association can be considered to exist between them, and if a given association appears on many compromised devices at the same time, its association degree can be considered larger, so that the threat intelligence association analysis result can be determined from the threat intelligence, the associations and the association degrees. The method enables large-scale threat intelligence production and association analysis with high efficiency.

Description

Threat information association analysis method, system, equipment and computer medium
Technical Field
The present disclosure relates to the field of computer security technologies, and in particular, to a threat intelligence association analysis method, system, device, and computer medium.
Background
With the rapid development of the internet, network attacks have become an unavoidable problem in internet applications. To better prevent network attacks, they must be analyzed and studied, for example by means of threat intelligence association technology. Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging threat or hazard to an asset, which can be used to inform the response or handling decisions of the parties responsible for that asset. Its primary content is the compromise indicators used to identify and detect the threat, such as file hash values, IP (Internet Protocol) addresses, domain names, program execution paths and registry entries, together with the associated attribution labels.
The existing threat intelligence association method builds a sandbox platform or virtual environment locally, executes a virus file in it, identifies from the resulting network traffic the IP address or URL (Uniform Resource Locator) with which the virus file (identified by its md5, Message Digest Algorithm 5, hash) communicates with its remote command-and-control (CC) server, and records that connection as the association between the two threat intelligence items.
However, the existing threat intelligence association method cannot process virus files at scale, cannot achieve large-scale threat intelligence production and association analysis, and is inefficient.
In summary, how to improve the efficiency of the threat intelligence association method is a problem to be solved by those skilled in the art.
Disclosure of Invention
The purpose of the application is to provide a highly efficient threat intelligence association analysis method. The application also provides a threat intelligence association analysis system, an electronic device and a computer-readable storage medium.
In order to achieve the above object, the present application provides the following technical solutions:
a threat intelligence association analysis method, comprising:
determining the threat intelligence of each compromised device;
for each compromised device, establishing associations between the threat intelligence items appearing on that compromised device;
for each association, counting the number of compromised devices on which the association occurs as the association degree of that association;
and determining the threat intelligence association analysis result based on the threat intelligence, the associations and the association degrees.
Preferably, determining the threat intelligence association analysis result based on the threat intelligence, the associations and the association degrees includes:
taking the threat intelligence items as the vertices of an undirected graph;
taking the associations as the edges of the undirected graph;
converting each association degree into the length of the corresponding edge, thereby establishing the undirected graph corresponding to the threat intelligence, the associations and the association degrees;
and analyzing the undirected graph to determine the threat intelligence association analysis result.
Preferably, converting the association degree into the length of the corresponding edge includes:
converting the association degree into the length of the corresponding edge according to a conversion rule under which the association degree is inversely proportional to the length;
and analyzing the undirected graph to determine the threat intelligence association analysis result includes:
determining, in the undirected graph, each threat intelligence set whose members are connected by edges of length smaller than a preset value;
and taking all such threat intelligence sets as the threat intelligence association analysis result.
Preferably, after taking each threat intelligence set as the threat intelligence association analysis result, the method further includes:
extracting the virus family information or the common attack behavior information of each threat intelligence set.
Preferably, determining the threat intelligence of each compromised device includes:
acquiring the security events of each compromised device, where the security events include the security events generated at the traffic layer and the host layer of the compromised device;
and, for each compromised device, analyzing its security events and extracting all threat intelligence contained in them.
Preferably, acquiring the security events of each compromised device includes:
acquiring the security events of each compromised device within a preset duration.
Preferably, the types of threat intelligence include: attacker IP, virus sample md5, remote command-and-control (CC) communication IP address, and URL of a malicious request.
A threat intelligence association analysis system, comprising:
a threat intelligence determination module, used to determine the threat intelligence of each compromised device;
an association establishing module, used to establish, for each compromised device, the associations between the threat intelligence items appearing on that compromised device;
an association degree statistics module, used to count, for each association, the number of compromised devices on which the association occurs as the association degree of that association;
and an association analysis result determination module, used to determine the threat intelligence association analysis result based on the threat intelligence, the associations and the association degrees.
An electronic device, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of any of the threat intelligence association analysis methods described above when executing the computer program.
A computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps of any of the threat intelligence association analysis methods described above.
The threat intelligence association analysis method provided by the application determines the threat intelligence of each compromised device; for each compromised device, establishes associations between the threat intelligence items appearing on it; for each association, counts the number of compromised devices on which the association occurs as its association degree; and determines the threat intelligence association analysis result based on the threat intelligence, the associations and the association degrees. Because threat intelligence items that appear on the same compromised device at the same time can be considered associated, the associations between the threat intelligence items appearing on each compromised device can be established; correspondingly, an association that appears on many compromised devices at the same time can be considered stronger, so the number of compromised devices on which it occurs is counted as its association degree, and finally the threat intelligence association analysis result is determined from the threat intelligence, the associations and the association degrees. By analyzing and counting the threat intelligence of many compromised devices, the method achieves threat intelligence association analysis at large scale with high efficiency. The threat intelligence association analysis system, electronic device and computer-readable storage medium provided by the application solve the corresponding technical problems in the same way.
Drawings
To illustrate the embodiments of the present application or the prior art more clearly, the drawings used in the description of the embodiments or of the prior art are briefly introduced below. Clearly, the drawings in the following description show only some embodiments of the present application, and other drawings may be obtained from them by a person skilled in the art without inventive effort.
FIG. 1 is a first flowchart of a threat intelligence association analysis method provided in an embodiment of the application;
FIG. 2 is a second flowchart of a threat intelligence association analysis method provided in an embodiment of the application;
FIG. 3 is a schematic diagram of an undirected graph corresponding to threat intelligence in practical applications;
FIG. 4 is a third flowchart of a threat intelligence association analysis method provided in an embodiment of the application;
FIG. 5 is a schematic structural diagram of a threat intelligence association analysis system according to an embodiment of the present application;
FIG. 6 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
The embodiments of the present application are described clearly and completely below with reference to the accompanying drawings. Evidently, the embodiments described are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art from the present disclosure without inventive effort fall within the scope of the present disclosure.
Referring to fig. 1, fig. 1 is a first flowchart of a threat intelligence association analysis method according to an embodiment of the present application.
The threat intelligence association analysis method provided by the embodiment of the application can comprise the following steps:
Step S101: determining the threat intelligence appearing on each compromised device.
In practical application, since threat intelligence exists on compromised devices, the threat intelligence appearing on each compromised device can be determined first. A compromised device is a server, host or similar asset that has been successfully intruded by an attacker or virus; the number of compromised devices considered can be chosen according to actual needs.
It should be noted that the types of threat intelligence may be determined according to actual needs; for example, threat intelligence may include the attacker IP, the virus sample md5, the remote command-and-control (CC) communication IP address, the URL of a malicious request, etc.
Step S102: for each compromised device, establishing associations between the threat intelligence items appearing on that compromised device.
In practical application, if two threat intelligence items appear on the same compromised device, an association between them can be considered to exist. For example, if an attacker IP and a virus sample md5 appear on one compromised device at the same time, the attacker IP and the virus sample md5 can be considered associated. Therefore, after the threat intelligence appearing on each compromised device has been determined, the associations between the threat intelligence items appearing on each compromised device can be established; specifically, for each compromised device, an association can be established between every two threat intelligence items seen on it.
It should be noted that the association between two threat intelligence items appearing on a compromised device is affected by the time interval between their occurrences. If the two items occur far apart on a single compromised device, say one week apart, they can be considered to have almost no association; if they occur close together, say within 1 minute, the association between them can be considered very strong. Therefore, in a specific application scenario, when establishing the associations between the threat intelligence items appearing on a compromised device, the occurrence interval can be taken into account when deciding whether to establish an association between two items: for example, it is determined whether the interval between the two items' occurrences on the compromised device is less than a preset duration; if so, the association between them is established, and if not, it is not established.
In addition, the existing threat intelligence association analysis method can only establish, in one pass, the association between a virus file md5 and the IP or URL of its CC communication, so the associations it determines are few in kind and its efficiency is low. In the application, because the threat intelligence appearing on each compromised device is of many kinds, determining threat intelligence per compromised device yields many kinds of threat intelligence in one pass, and the associations among those kinds can then be determined in one pass as well; the associations determined are many in kind, the efficiency is high, and the threat intelligence association analysis effect is good.
Step S103: for each association, counting the number of compromised devices on which the association occurs as the association degree of that association.
In practical application, after the associations between the threat intelligence items appearing on each compromised device have been established, only the associations present on each compromised device are known; the degree of association between two threat intelligence items is unknown, and all associations found are treated as equally strong. For example, if the association present on compromised device A is between threat intelligence A and threat intelligence B, and the association present on compromised device B is between threat intelligence B and threat intelligence C, then at this point it is only known that threat intelligence A, B and C are associated, but these associations are not reliable, which is unfavourable to the subsequent threat intelligence association analysis. It should be noted that threat intelligence A, B and C here each refer broadly to a certain class of threat intelligence.
Step S104: determining the threat intelligence association analysis result based on the threat intelligence, the associations and the association degrees.
In practical application, after the number of compromised devices on which each association occurs has been counted as that association's degree, the threat intelligence association analysis result can be determined based on the threat intelligence, the associations and the association degrees. The determination process and the information contained in the result can be set according to actual needs; for example, threat intelligence items that are associated with an association degree greater than a certain value can be grouped into a threat intelligence set, and the threat intelligence set is output as the threat intelligence association analysis result. To aid understanding, taking threat intelligence A, B and C as an example: if only the association between A and B qualifies, only A and B form a threat intelligence set; if an association also exists between A and D with an association degree of 450, which qualifies, D must of course be added to the same set.
Referring to fig. 2, fig. 2 is a second flowchart of a threat intelligence association analysis method according to an embodiment of the disclosure.
The threat intelligence association analysis method provided by the embodiment of the application can comprise the following steps:
Step S201: determining the threat intelligence appearing on each compromised device.
Step S202: for each compromised device, establishing associations between the threat intelligence items appearing on that compromised device.
Step S203: for each association, counting the number of compromised devices on which the association occurs as the association degree of that association.
Step S204: taking the threat intelligence items as the vertices of an undirected graph.
Step S205: taking the associations as the edges of the undirected graph.
Step S206: converting each association degree into the length of the corresponding edge, thereby establishing the undirected graph corresponding to the threat intelligence, the associations and the association degrees.
Step S207: analyzing the undirected graph to determine the threat intelligence association analysis result.
In practical application, the associations represent whether threat intelligence items are associated and the association degrees represent how strongly; there are many associations, and associations may in turn be related to one another. If the threat intelligence association analysis result were determined directly from the threat intelligence, the associations and the association degrees, a large amount of information retrieval and association matching would be required, the process would be cumbersome and the analysis inefficient. To avoid this, the threat intelligence, the associations and the association degrees can be represented as an undirected graph, and the association analysis can be carried out on that graph.
Specifically, the threat intelligence items are taken as the vertices of the undirected graph, the associations as its edges, and each association degree is converted into the length of the corresponding edge, establishing the undirected graph corresponding to the threat intelligence, the associations and the association degrees. Associated threat intelligence then appears clustered in the undirected graph, so the threat intelligence association analysis result can be read off the graph intuitively.
In a specific application scenario, a higher association degree indicates a stronger association, so the two threat intelligence items should lie closer together in the undirected graph. To facilitate determining the analysis result from the graph, the association degree can be converted into the length of the corresponding edge according to a conversion rule under which the association degree is inversely proportional to the length. Correspondingly, when analyzing the undirected graph, each threat intelligence set whose members are connected by edges of length smaller than a preset value is determined in the graph, and all such sets are taken as the threat intelligence association analysis result. To aid understanding, assume that the undirected graph corresponding to the threat intelligence in an actual application is as shown in FIG. 3, where the distance in the figure is the edge length. From FIG. 3 it can be seen that threat intelligence A is relatively close to threat intelligence B, C and F, so threat intelligence A, B, C and F can be taken as one threat intelligence set.
In a specific application scenario, because the threat intelligence items within each set are strongly associated, and strongly associated threat intelligence may belong to the same virus family or exhibit the same attack behavior, after each threat intelligence set has been taken as an association analysis result, the virus family information or common attack behavior information of that set can be extracted from it. Performing virus family analysis or attack behavior analysis through the associations and association degrees among threat intelligence further extends the function of the threat intelligence analysis method of the application.
Referring to fig. 4, fig. 4 is a third flowchart of a threat intelligence association analysis method according to an embodiment of the present application.
The threat intelligence association analysis method provided by the embodiment of the application can comprise the following steps:
Step S301: acquiring the security events of each compromised device, where the security events include the security events generated at the traffic layer and the host layer of the compromised device.
Step S302: for each compromised device, analyzing its security events and extracting all threat intelligence contained in them.
In practical application, the security events of a compromised device carry the corresponding threat intelligence, and those security events come mainly from the traffic layer and the host layer of the device. To determine the threat intelligence of each compromised device quickly, the security events of each compromised device, including those generated at its traffic layer and host layer, can be acquired, and for each compromised device its security events are analyzed and all threat intelligence contained in them is extracted. Specifically, the alarm logs of the network security devices at the traffic layer and the host layer of each compromised device can be parsed to obtain the security events of each compromised device quickly.
In a specific application scenario, to ensure the reliability of the associations between the acquired threat intelligence items, a duration factor may be added when acquiring the security events of each compromised device; that is, the security events of each compromised device within a preset duration may be acquired, for example the security events within the last 24 hours, 48 hours, 72 hours, etc.
Step S303: for each compromised device, establishing associations between the threat intelligence items appearing on that compromised device.
Step S304: for each association, counting the number of compromised devices on which the association occurs as the association degree of that association.
Step S305: determining the threat intelligence association analysis result based on the threat intelligence, the associations and the association degrees.
The related descriptions of other steps in the present application may refer to the above embodiments, and are not repeated herein.
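As an added worked example (not the patent's or Sangfor's code), the following Python carries steps S101-S104, S204-S207 and S301-S305 through on constructed sample alarms from three compromised hosts: events are restricted to a 72-hour window, two items are associated only when their occurrences fall within the preset 1-hour interval, the association degree is the host count, the edge length is 1/degree, and the threat intelligence sets are the connected components over edges shorter than a preset length. The event fields, the 1/degree rule and all thresholds are assumptions, not values taken from the patent.

```python
# Added worked example (not the patent's own code) of steps S101-S104, S204-S207, S301-S305.
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Intel = Tuple[str, str]      # (type, value), e.g. ("cc_ip", "198.51.100.7")
Pair = FrozenSet[Intel]      # unordered association between two intel items


@dataclass(frozen=True)
class SecurityEvent:
    """One alarm from a traffic-layer or host-layer security device (constructed)."""
    host: str    # compromised device the alarm was raised on
    ts: int      # alarm time, epoch seconds
    kind: str    # attacker_ip | sample_md5 | cc_ip | malicious_url
    value: str

def intel_per_host(events: Iterable[SecurityEvent], start: int, end: int) -> Dict[str, Dict[Intel, int]]:
    """Steps S301/S302: keep events inside the preset window [start, end] and
    extract, per host, each intel item with its earliest occurrence time."""
    per_host: Dict[str, Dict[Intel, int]] = defaultdict(dict)
    for ev in events:
        if not start <= ev.ts <= end:
            continue
        item = (ev.kind, ev.value)
        seen = per_host[ev.host]
        seen[item] = min(seen.get(item, ev.ts), ev.ts)
    return dict(per_host)

def host_associations(intel: Dict[Intel, int], max_gap: int) -> Set[Pair]:
    """Step S102: associate every two intel items seen on one host, but only
    when their occurrences are at most max_gap seconds apart (assumed rule)."""
    return {frozenset((a, b)) for a, b in combinations(intel, 2)
            if abs(intel[a] - intel[b]) <= max_gap}

def association_degree(per_host: Dict[str, Dict[Intel, int]], max_gap: int) -> Dict[Pair, int]:
    """Step S103: association degree = number of hosts on which the pair occurs."""
    degree: Dict[Pair, int] = defaultdict(int)
    for intel in per_host.values():
        for pair in host_associations(intel, max_gap):
            degree[pair] += 1
    return dict(degree)

def edge_lengths(degree: Dict[Pair, int]) -> Dict[Pair, float]:
    """Step S206: edge length inversely proportional to the association degree (1/degree assumed)."""
    return {pair: 1.0 / d for pair, d in degree.items()}

def intel_sets(lengths: Dict[Pair, float], max_length: float) -> List[FrozenSet[Intel]]:
    """Step S207: connected components of the graph restricted to edges shorter
    than max_length; each component (two or more vertices) is one intel set."""
    adj: Dict[Intel, Set[Intel]] = defaultdict(set)
    for pair, length in lengths.items():
        if length < max_length:
            a, b = tuple(pair)
            adj[a].add(b)
            adj[b].add(a)
    seen: Set[Intel] = set()
    sets: List[FrozenSet[Intel]] = []
    for root in adj:
        if root in seen:
            continue
        component, stack = set(), [root]
        while stack:                      # iterative depth-first walk
            v = stack.pop()
            if v in component:
                continue
            component.add(v)
            stack.extend(adj[v] - component)
        seen |= component
        sets.append(frozenset(component))
    return sets


# Constructed sample intel: RFC 5737 documentation addresses and .example hosts.
ATTACKER = ("attacker_ip", "203.0.113.5")
MD5 = ("sample_md5", "d41d8cd98f00b204e9800998ecf8427e")
CC = ("cc_ip", "198.51.100.7")
URL_LATE = ("malicious_url", "http://late.example/x")   # seen ~28 h after the rest
URL_H3 = ("malicious_url", "http://h3.example/x")       # only ever seen on host-3

EVENTS = [
    SecurityEvent("host-1", 0, *ATTACKER), SecurityEvent("host-1", 60, *MD5),
    SecurityEvent("host-1", 120, *CC), SecurityEvent("host-1", 100_000, *URL_LATE),
    SecurityEvent("host-2", 5_000, *ATTACKER), SecurityEvent("host-2", 5_030, *MD5),
    SecurityEvent("host-2", 5_100, *CC),
    SecurityEvent("host-3", 9_000, *MD5), SecurityEvent("host-3", 9_050, *CC),
    SecurityEvent("host-3", 9_100, *URL_H3),
    SecurityEvent("host-3", 300_000, *URL_H3),          # outside the 72 h window
]

def analyze(events=EVENTS, start=0, end=72 * 3600, max_gap=3600, max_length=0.6):
    """Whole pipeline; returns (association degrees, threat intel sets)."""
    per_host = intel_per_host(events, start, end)
    degree = association_degree(per_host, max_gap)
    return degree, intel_sets(edge_lengths(degree), max_length)
```

With this data the attacker IP, sample md5 and CC address co-occur on two or three hosts and form one set, while the URL seen on a single host (edge length 1.0) and the URL raised 28 hours after host-1's other alarms (no qualifying pair) are left out.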
Referring to fig. 5, fig. 5 is a schematic structural diagram of a threat information association analysis system according to an embodiment of the invention, and fig. 6 is a schematic structural diagram of hardware components of an electronic device according to an embodiment of the invention.
The threat intelligence association analysis system provided in the embodiment of the application may include:
a threat intelligence determination module 101, configured to determine the threat intelligence that appears on each compromised device;
an association relationship establishing module 102, configured to establish, for each compromised device, association relationships between the threat intelligence items that appear on that device;
an association degree statistics module 103, configured to count, for each association relationship, the number of compromised devices having that association relationship as the association degree of the association relationship;
an association analysis result determining module 104, configured to determine the threat intelligence association analysis result based on the threat intelligence, the association relationships and the association degrees.
In the threat intelligence association analysis system provided in the embodiment of the application, the association analysis result determining module may include:
a vertex setting sub-module, used to take each threat intelligence item as a vertex of an undirected graph;
an edge setting sub-module, used to take each association relationship as an edge of the undirected graph;
an undirected graph establishing sub-module, used to convert each association degree into the length of the corresponding edge and to establish the undirected graph corresponding to the threat intelligence, the association relationships and the association degrees;
an association analysis result determination sub-module, used to analyze the undirected graph and determine the threat intelligence association analysis result.
In the threat intelligence association analysis system provided by the embodiment of the application, the undirected graph establishing sub-module may include:
a length conversion unit, used to convert each association degree into the length of the corresponding edge according to a conversion rule under which the association degree is inversely proportional to the length;
and the association analysis result determination sub-module may include:
a threat intelligence set determining unit, used to determine, in the undirected graph, each set of threat intelligence items that are connected through edges whose length is smaller than a preset value;
an association analysis result determining unit, used to take all such threat intelligence sets as the threat intelligence association analysis result.
The threat intelligence association analysis system provided in the embodiment of the application may further include:
an analysis unit, used to extract, for each threat intelligence set, the virus family information or the common attack behaviour information of that set after the association analysis result determining unit has taken the threat intelligence sets as the threat intelligence association analysis result.
In the threat intelligence association analysis system provided in the embodiment of the application, the threat intelligence determination module may include:
a security event acquisition sub-module, used to acquire the security events of each compromised device, the security events including those generated at the traffic layer and the host layer of the compromised device;
a threat intelligence determination sub-module, used to analyze, for each compromised device, the security events of that device and to extract all threat intelligence contained in them.
In the threat intelligence association analysis system provided in the embodiment of the application, the security event acquisition sub-module may include:
a security event acquisition unit, used to acquire the security events of each compromised device within a preset duration.
In the threat intelligence association analysis system provided in the embodiment of the application, the types of threat intelligence may include: attacker IP, virus sample MD5, remote C&C communication IP address, and URL of a malicious request.
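The procedure of steps S302 to S305 and of modules 101 to 104 above, as an added Python example that is not the patent's own code: intelligence is collected per compromised device from its traffic- and host-layer security events inside a preset window, every unordered pair of intelligence items seen on one device becomes an association, the number of devices sharing a pair is its association degree, and the undirected graph is analyzed by keeping only edges shorter than a preset value and reporting the connected sets. The alarm-log extract, the 24-hour window, the conversion rule length = 1/degree and the cutoff of 0.5 are constructed assumptions; the patent fixes only that length is inversely proportional to degree and that the threshold is preset. The later step of extracting virus-family or attack-behaviour information from each set depends on an external lookup and is not implemented here.

```python
"""Threat-intelligence association analysis over compromised devices (added example).

Assumptions (not from the patent): intel items are (type, value) tuples, edge
length = 1/degree, a 24 h window and a 0.5 length cutoff, and a constructed log extract.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

NOW = datetime(2020, 12, 25)          # constructed "current time" for the window
WINDOW = timedelta(hours=24)          # preset duration (assumed value)
MAX_LENGTH = 0.5                      # preset edge-length cutoff (assumed value)

# Constructed alarm-log extract: one record per security event of a compromised device,
# 'layer' being the traffic-layer device or host-layer agent that raised the alarm.
SAMPLE_EVENTS = [
    {"device": "host-A", "layer": "traffic", "time": "2020-12-24T08:00:00",
     "intel": [("attacker_ip", "203.0.113.7"), ("cc_ip", "198.51.100.9")]},
    {"device": "host-A", "layer": "host", "time": "2020-12-24T08:05:00",
     "intel": [("md5", "0123456789abcdef0123456789abcdef")]},
    {"device": "host-B", "layer": "traffic", "time": "2020-12-24T09:00:00",
     "intel": [("attacker_ip", "203.0.113.7"), ("cc_ip", "198.51.100.9"),
               ("url", "http://malicious.example/x")]},
    {"device": "host-C", "layer": "traffic", "time": "2020-12-24T10:00:00",
     "intel": [("attacker_ip", "203.0.113.7"), ("cc_ip", "198.51.100.9")]},
    {"device": "host-C", "layer": "host", "time": "2020-12-24T10:01:00",
     "intel": [("md5", "fedcba9876543210fedcba9876543210")]},
    {"device": "host-D", "layer": "host", "time": "2020-12-24T11:00:00",
     "intel": [("md5", "fedcba9876543210fedcba9876543210"),
               ("url", "http://malicious.example/y")]},
    # Stale event outside the 24 h window; the duration filter must drop it.
    {"device": "host-D", "layer": "traffic", "time": "2020-12-20T11:00:00",
     "intel": [("attacker_ip", "203.0.113.7"), ("cc_ip", "198.51.100.9")]},
]


def determine_threat_intel(events, now, window):
    """Step S302: the set of intel items of each compromised device, taken from its
    traffic- and host-layer security events that fall inside the preset duration."""
    cutoff = now - window
    intel_by_device = defaultdict(set)
    for ev in events:
        if datetime.fromisoformat(ev["time"]) < cutoff:
            continue
        intel_by_device[ev["device"]].update(ev["intel"])
    return dict(intel_by_device)


def build_associations(intel_by_device):
    """Steps S303/S304: an association is an unordered pair of intel items that appear
    on the same device; its degree is the number of devices on which the pair appears."""
    degree = defaultdict(int)
    for items in intel_by_device.values():
        for a, b in combinations(sorted(items), 2):
            degree[frozenset((a, b))] += 1
    return dict(degree)


def build_undirected_graph(intel_by_device, degree):
    """Vertices are intel items, edges are associations, and each edge's length is
    inversely proportional to its degree (rule assumed here: length = 1/degree)."""
    vertices = set().union(*intel_by_device.values()) if intel_by_device else set()
    edges = {pair: 1.0 / d for pair, d in degree.items()}
    return vertices, edges


def analyze_graph(vertices, edges, max_length):
    """Step S305: the intel sets connected through edges shorter than max_length,
    i.e. the connected components over the qualifying edges (isolated vertices are
    not reported, since they are linked to nothing by a short edge)."""
    adjacency = defaultdict(set)
    for pair, length in edges.items():
        if length < max_length:
            a, b = tuple(pair)
            adjacency[a].add(b)
            adjacency[b].add(a)
    seen, result = set(), []
    for start in sorted(adjacency):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:                      # iterative DFS over one component
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(adjacency[node] - seen)
        result.append(frozenset(component))
    return result


def run_sample():
    """Full pipeline on the constructed extract; returns the list of intel sets."""
    intel = determine_threat_intel(SAMPLE_EVENTS, NOW, WINDOW)
    degree = build_associations(intel)
    vertices, edges = build_undirected_graph(intel, degree)
    return analyze_graph(vertices, edges, MAX_LENGTH)


if __name__ == "__main__":
    for intel_set in run_sample():
        print(sorted(intel_set))
```

On the constructed extract only the attacker IP and the C&C IP are seen together on three devices, so that pair is the single association with an edge shorter than the cutoff and forms the one reported set; every pair seen on a single device gets length 1.0 and is dropped. Widening the window admits the stale host-D event and raises that pair's degree to 4. Raising the cutoff above 1.0 would admit every single-device association and merge the whole graph into one set, so the cutoff has to be chosen against the number of devices feeding the window.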
Based on the hardware implementation of the program module, and in order to implement the method of the embodiment of the present invention, the embodiment of the present invention further provides an electronic device, and fig. 6 is a schematic diagram of a hardware composition structure of the electronic device of the embodiment of the present invention, as shown in fig. 6, where the electronic device includes:
a communication interface 1 capable of information interaction with other devices such as network devices and the like;
a processor 2, connected to the communication interface 1 so as to exchange information with other devices, and used to execute the threat intelligence association analysis method provided by one or more of the technical solutions when running a computer program; the computer program is stored in a memory 3.
Of course, in practice, the various components in the electronic device are coupled together by a bus system 4. It will be appreciated that the bus system 4 is used to enable connected communications between these components. The bus system 4 comprises, in addition to a data bus, a power bus, a control bus and a status signal bus. But for clarity of illustration the various buses are labeled as bus system 4 in fig. 6.
The memory 3 in the embodiment of the present invention is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory 3 may be volatile memory or non-volatile memory, and may include both volatile and non-volatile memory. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), ferroelectric random access memory (FRAM), flash memory, magnetic surface memory, optical disk, or compact disc read-only memory (CD-ROM); the magnetic surface memory may be disk memory or tape memory. The volatile memory may be random access memory (RAM), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synclink dynamic random access memory (SLDRAM), and direct Rambus random access memory (DRRAM). The memory 3 described in the embodiments of the present invention is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the above embodiment of the present invention may be applied to the processor 2 or implemented by the processor 2. The processor 2 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor 2 or by instructions in the form of software. The processor 2 described above may be a general purpose processor, DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 2 may implement or perform the methods, steps and logic blocks disclosed in embodiments of the present invention. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiment of the invention can be directly embodied in the hardware of the decoding processor or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium in the memory 3 and the processor 2 reads the program in the memory 3 to perform the steps of the method described above in connection with its hardware.
The corresponding flow in each method of the embodiments of the present invention is implemented when the processor 2 executes the program, and for brevity, will not be described in detail herein.
In an exemplary embodiment, the present invention also provides a storage medium, namely a computer storage medium and in particular a computer-readable storage medium, for example comprising the memory 3 storing a computer program that is executable by the processor 2 to perform the steps of the method described above. The computer-readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, terminal and method may be implemented in other ways. The device embodiments described above are only illustrative; for example, the division into units is only one logical division of functions, and other divisions are possible in practice: several units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling or communicative connection between the components shown or discussed may be an indirect coupling or communicative connection of devices or units through some interface, whether electrical, mechanical, or of another form.
The units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present invention may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware associated with program instructions, where the foregoing program may be stored in a computer readable storage medium, and when executed, the program performs steps including the above method embodiments; and the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
Alternatively, the above-described integrated units of the present invention may be stored in a computer-readable storage medium if implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solutions of the embodiments of the present invention may be embodied in essence or a part contributing to the prior art in the form of a software product stored in a storage medium, including several instructions for causing an electronic device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
The description of the relevant parts in the threat intelligence association analysis system, the electronic device and the computer readable storage medium provided in the embodiments of the present application refers to the detailed description of the corresponding parts in the threat intelligence association analysis method provided in the embodiments of the present application, and will not be repeated here. In addition, the parts of the above technical solutions provided in the embodiments of the present application, which are consistent with the implementation principles of the corresponding technical solutions in the prior art, are not described in detail, so that redundant descriptions are avoided.
It is further noted that relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A threat intelligence association analysis method, comprising:
determining the threat intelligence that appears on each compromised device;
for each compromised device, establishing association relationships between the threat intelligence items that appear on that compromised device;
for each association relationship, counting the number of compromised devices having the association relationship as the association degree of the association relationship;
determining a threat intelligence association analysis result based on the threat intelligence, the association relationships and the association degrees.
2. The method of claim 1, wherein determining the threat intelligence association analysis result based on the threat intelligence, the association relationships and the association degrees comprises:
taking each threat intelligence item as a vertex of an undirected graph;
taking each association relationship as an edge of the undirected graph;
converting each association degree into the length of the corresponding edge, and establishing the undirected graph corresponding to the threat intelligence, the association relationships and the association degrees;
analyzing the undirected graph to determine the threat intelligence association analysis result.
3. The method of claim 2, wherein converting each association degree into the length of the corresponding edge comprises:
converting the association degree into the length of the corresponding edge according to a conversion rule under which the association degree is inversely proportional to the length;
and analyzing the undirected graph to determine the threat intelligence association analysis result comprises:
determining, in the undirected graph, each set of threat intelligence items that are connected through edges whose length is smaller than a preset value;
taking all of the threat intelligence sets as the threat intelligence association analysis result.
4. The method of claim 3, further comprising, after taking all of the threat intelligence sets as the threat intelligence association analysis result:
extracting the virus family information or the common attack behaviour information of each threat intelligence set.
5. The method of any one of claims 1 to 4, wherein determining the threat intelligence that appears on each compromised device comprises:
acquiring the security events of each compromised device, the security events including those generated at the traffic layer and the host layer of the compromised device;
for each compromised device, analyzing the security events of that compromised device and extracting all threat intelligence contained in them.
6. The method of claim 5, wherein acquiring the security events of each compromised device comprises:
acquiring the security events of each compromised device within a preset duration.
7. The method of claim 1, wherein the types of threat intelligence comprise: attacker IP, virus sample MD5, remote C&C communication IP address, and URL of a malicious request.
8. A threat intelligence association analysis system, comprising:
a threat intelligence determination module, used to determine the threat intelligence that appears on each compromised device;
an association relationship establishing module, used to establish, for each compromised device, association relationships between the threat intelligence items that appear on that compromised device;
an association degree statistics module, used to count, for each association relationship, the number of compromised devices having the association relationship as the association degree of the association relationship;
an association analysis result determining module, used to determine a threat intelligence association analysis result based on the threat intelligence, the association relationships and the association degrees.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the threat intelligence association analysis method of any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium in which a computer program is stored, the computer program, when executed by a processor, implementing the steps of the threat intelligence association analysis method of any one of claims 1 to 7.
CN202011567581.9A 2020-12-25 2020-12-25 Threat information association analysis method, system, equipment and computer medium Active CN112769775B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011567581.9A CN112769775B (en) 2020-12-25 2020-12-25 Threat information association analysis method, system, equipment and computer medium

Publications (2)

Publication Number Publication Date
CN112769775A CN112769775A (en) 2021-05-07
CN112769775B true CN112769775B (en) 2023-05-12

Family

ID=75694713

Country Status (1)

Country Link
CN (1) CN112769775B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113904920B (en) * 2021-09-14 2023-10-03 上海纽盾科技股份有限公司 Network security defense method, device and system based on collapse equipment
CN113890758B (en) * 2021-09-27 2024-04-12 深信服科技股份有限公司 Threat information method, threat information device, threat information equipment and computer storage medium
CN116506235A (en) * 2023-06-29 2023-07-28 北京优特捷信息技术有限公司 Threat information processing method, device, equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108763031A (en) * 2018-04-08 2018-11-06 北京奇安信科技有限公司 A kind of threat information detection method and device based on daily record
CN109688092A (en) * 2018-04-25 2019-04-26 北京微步在线科技有限公司 It falls equipment detection method and device
CN111245787A (en) * 2019-12-31 2020-06-05 西安交大捷普网络科技有限公司 Method and device for equipment defect identification and equipment defect degree evaluation

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103425579B (en) * 2013-07-26 2016-07-06 南方电网科学研究院有限责任公司 Mobile terminal system security evaluation method based on potential function
US10447733B2 (en) * 2014-06-11 2019-10-15 Accenture Global Services Limited Deception network system
US10257227B1 (en) * 2014-08-14 2019-04-09 Amazon Technologies, Inc. Computer security threat correlation
CN109857917B (en) * 2018-12-21 2021-07-13 中国科学院信息工程研究所 Security knowledge graph construction method and system for threat intelligence
CN110717049B (en) * 2019-08-29 2020-12-04 四川大学 Text data-oriented threat information knowledge graph construction method
CN111935082B (en) * 2020-06-28 2022-09-09 新浪网技术(中国)有限公司 Network threat information correlation analysis system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant