CN112839061B - Tracing method and device based on regional characteristics - Google Patents


Info

Publication number: CN112839061B
Authority: CN (China)
Application number: CN202110241596.4A
Other languages: Chinese (zh)
Other versions: CN112839061A
Inventors: 薛晨龙, 童志明, 肖新光
Current assignee: Antiy Technology Group Co Ltd
Original assignee: Antiy Technology Group Co Ltd
Legal status: Active (application granted)

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L63/126 Applying verification of the source of the received information (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/12 applying verification of the received information)

Abstract

The invention relates to a tracing method and a tracing apparatus based on regional features. The method comprises: detecting an attack trigger event; obtaining at least one attack sample to be traced; performing feature extraction on the at least one attack sample to be traced to obtain regional feature information for each attack sample to be traced; determining the association strength between the regional feature information and each region included in a pre-created regional feature library; and determining, according to the association strength, a target region to which the at least one attack sample to be traced belongs. The scheme improves tracing efficiency.

Description

Tracing method and device based on regional characteristics
Technical Field
The invention relates to the technical field of network security, in particular to a tracing method and a tracing device based on regional characteristics.
Background
Advanced Persistent Threat (APT) attacks, unlike traditional network intrusions, typically use multiple attack samples in a combined attack against a network information system. Such combined attacks are high-risk, hard to detect, long-lasting and precisely targeted, and therefore pose a serious threat to network security.
Most current tracing (attribution) methods for malicious attack samples work on a single sample and are not suited to the multi-sample combined attacks of APTs; most existing tracing schemes also have limitations, being based mainly on feature-matching detection. Attack samples in an APT come from several attack organizations, and the features differ from one campaign to the next, which makes feature matching and correlated tracing harder. Tracing analysis also depends on a large accumulation of data, and as APT techniques keep changing the feature data grows to a massive scale, which increases the analyst's difficulty and the time spent on tracing analysis, so tracing efficiency is low.
In view of this, a tracing method and apparatus based on regional features is needed to address these shortcomings.
Disclosure of Invention
The technical problem solved by the invention is how to improve tracing efficiency; to overcome the defects of the prior art, the invention provides a tracing method and a tracing apparatus based on regional features.
In order to solve the above technical problem, in a first aspect, the present invention provides a tracing method based on regional characteristics, including:
detecting an attack trigger event;
obtaining at least one attack sample to be traced;
performing feature extraction on the at least one attack sample to be traced to obtain regional feature information of each attack sample to be traced;
determining the association strength between the regional feature information and each region included in a pre-created regional feature library, where the regional feature library stores regional feature information and the correspondence between each item of regional feature information and the region it belongs to;
and determining a target region to which the at least one attack sample to be traced belongs according to the association strength.
Optionally, the regional characteristic information of each attack sample to be traced includes at least one item of regional characteristic information;
the determining the strength of association between the region feature information and each region included in a pre-created region feature library includes:
performing an association strength calculation on the regional feature information obtained for each attack sample to be traced, where the association strength for the j-th region is:

$P_j = \frac{1}{n}\sum_{i=1}^{n} k_i A_{ij}$

where P_j is the association strength between the regional feature information of the attack sample to be traced and the j-th region, k_i is the weight of the i-th item of regional feature information in the j-th region, A_ij is the similarity between the i-th item of regional feature information and the corresponding item of regional feature information in the j-th region, and n is the total number of items of regional feature information extracted from the at least one attack sample to be traced.
Optionally, the determining, according to the association strength, a target area to which the at least one attack sample to be traced belongs includes:
determining each association strength that is greater than a preset association threshold, where the association strengths comprise the association strength corresponding to each region;
and determining the region corresponding to each such association strength as a target region.
Optionally, the method for creating the pre-created regional feature library includes:
acquiring regional characteristic data, wherein the regional characteristic data comprises regional knowledge data and historical attack samples, and the regional knowledge data comprises regional characteristic information of at least two regions;
performing feature extraction on the regional feature data according to cultural factors and geographic factors to obtain at least one item of regional feature information;
determining the area to which each item of area feature information belongs according to the area feature data;
storing the region feature information and the region to which the region feature information belongs to obtain a region feature library; the regional characteristic library stores the regional characteristic information and the corresponding relation between the regional characteristic information and the region to which the regional characteristic information belongs.
Optionally, the at least one item of regional characteristic information includes: language characteristic information, time zone characteristic information, network protocol characteristic information, name characteristic information, mail characteristic information, company characteristic information and character symbol characteristic information;
performing feature extraction on the regional feature data according to cultural factors and geographic factors to obtain at least one item of regional feature information, wherein the feature extraction comprises the following steps:
extracting the characteristics of the regional characteristic data according to the cultural factors to obtain the language characteristic information, the name characteristic information, the company characteristic information and the character symbol characteristic information corresponding to each region;
and extracting the characteristics of the regional characteristic data according to the geographic factors to obtain the time zone characteristic information, the network protocol characteristic information and the mail characteristic information corresponding to each region.
Optionally, the performing feature extraction on the regional feature data according to cultural factors and geographic factors to obtain at least one item of regional feature information includes:
for historical attack samples included in the region feature data, executing:
acquiring a file format of the historical attack sample; wherein the file format comprises: executable files, compound documents, scripts, compressed files, mail;
extracting the characteristics of the historical attack sample according to the cultural factors to obtain the language characteristic information, the name characteristic information, the company characteristic information and the character symbol characteristic information;
and extracting the characteristics of the historical attack sample according to the geographic factors to obtain the time zone characteristic information, the network protocol characteristic information and the mail characteristic information.
Optionally, after determining, according to the association strength, the target region to which the at least one attack sample to be traced belongs, the method further includes:
acquiring the periodically updated regional characteristic data;
and updating the pre-established regional characteristic library according to the updated regional characteristic data.
In a second aspect, the present invention further provides a tracing apparatus based on regional characteristics, including:
an acquisition module, configured to acquire at least one attack sample to be traced when an attack trigger event is detected;
the characteristic extraction module is used for extracting the characteristics of the at least one attack sample to be traced acquired by the acquisition module to obtain the regional characteristic information of each attack sample to be traced;
an association strength determination module configured to determine an association strength between the region feature information obtained by the feature extraction module and each region included in a region feature library created in advance; the regional characteristic library stores regional characteristic information and a corresponding relation between the regional characteristic information and a region to which the regional characteristic information belongs;
and the region determining module is used for determining a target region to which the at least one attack sample to be traced belongs according to the association strength determined by the association strength determining module.
In a third aspect, the present invention further provides a tracing apparatus based on regional characteristics, including: at least one memory and at least one processor;
the at least one memory to store a machine readable program;
the at least one processor is configured to invoke the machine readable program to execute the tracing method based on the regional characteristics provided by the first aspect or any possible implementation manner of the first aspect.
In a fourth aspect, the present invention further provides a computer-readable medium, where computer instructions are stored, and when executed by a processor, cause the processor to perform the tracing method based on regional features provided in the first aspect or any possible implementation manner of the first aspect.
When an attack trigger event is detected, the method performs feature extraction on the at least one attack sample to be traced that was acquired for the current attack trigger event, obtains the regional feature information of each attack sample to be traced, determines the association strength between that regional feature information and each region included in a pre-created regional feature library, and finally determines the target region to which the attack samples to be traced belong according to the association strength. Because the pre-created regional feature library stores regional feature information together with the correspondence between that information and the region it belongs to, the regional feature information obtained from the attack samples to be traced can be compared against the library, so that the target region of the attack samples of the current attack trigger event, that is, the attack organization or the specific region to which the attacker belongs, can be located quickly and accurately. This reduces the difficulty of manual tracing and thereby improves the efficiency of tracing analysis.
Drawings
Fig. 1 is a tracing method based on regional characteristics according to an embodiment of the present invention;
fig. 2 is another tracing method based on regional characteristics according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a device where a tracing apparatus based on regional characteristics is located according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a tracing apparatus based on regional characteristics according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
As shown in fig. 1, a tracing method based on regional characteristics provided in an embodiment of the present invention includes the following steps:
step 101: detecting an attack trigger event;
step 102: obtaining at least one attack sample to be traced;
step 103: performing feature extraction on at least one attack sample to be traced to obtain regional feature information of each attack sample to be traced;
step 104: determining the association strength between the regional feature information and each region in a pre-created regional feature library, where the regional feature library stores the regional feature information and the correspondence between the regional feature information and the region it belongs to;
step 105: determining, according to the association strength, a target region to which the at least one attack sample to be traced belongs.
In this embodiment, when an attack trigger event is detected, feature extraction is performed on the at least one attack sample to be traced that was acquired for the current attack trigger event, giving the regional feature information of each attack sample to be traced; the association strength between that regional feature information and each region included in the pre-created regional feature library is then determined, and finally the target region to which the attack samples to be traced belong is determined according to the association strength. Because the library stores regional feature information together with the region each item belongs to, the extracted regional feature information can be compared against it, and the target region of the current attack trigger event's samples, that is, the attack organization or the specific region of the attacker, can be located quickly and accurately. This reduces the difficulty of manual tracing and improves the efficiency of tracing analysis.
In this embodiment, when an attack trigger event is detected, tracing can be performed for a single attack sample to be traced, or for the multiple attack samples to be traced of a multi-sample combined attack, specifically by determining a target region for each attack sample to be traced in turn. When an attack event recurs, the region it belongs to can then be located quickly.
The target region is the specific region to which the attack organization or attacker owning the attack sample belongs; for example, the target region may be country A or continent X.
In this embodiment, the attack trigger event detected in step 101 may include, but is not limited to, any of the following: abnormal network traffic is detected; an abnormal network connection is detected; host system resources are heavily consumed and the system hangs; or the network is found to be flooded with a large number of junk packets.
Optionally, in the tracing method based on regional characteristics shown in fig. 1, the regional characteristic information of each attack sample to be traced includes at least one item of regional characteristic information;
determining the association strength between the regional feature information and each region included in the pre-created regional feature library in step 104 includes:
performing an association strength calculation on the regional feature information obtained for each attack sample to be traced, where the association strength for the j-th region is:

$P_j = \frac{1}{n}\sum_{i=1}^{n} k_i A_{ij}$

where P_j is the association strength between the regional feature information of the attack sample to be traced and the j-th region, k_i is the weight of the i-th item of regional feature information in the j-th region, A_ij is the similarity between the i-th item of regional feature information and the corresponding item of regional feature information in the j-th region, and n is the total number of items of regional feature information extracted from the at least one attack sample to be traced.
In this embodiment the regional feature information comprises at least one item, and the association strength for each region is calculated by the formula above: for each region, the similarity between each of the n items of regional feature information of the attack sample to be traced and the corresponding item stored for that region is determined, each similarity is multiplied by the weight of that item, the products are summed, and the sum is divided by n to give the association strength between the current attack sample to be traced and that region. Note that the pre-created regional feature library also stores, for each region, the weight of each item of regional feature information in that region.
For example, suppose that for attack trigger event 005 feature extraction on the attack samples to be traced yields 10 items of regional feature information (n = 10), and the pre-created regional feature library contains 5 regions (j = 1, 2, 3, 4, 5). For the first region (j = 1), suppose the 5th item is common mailbox feature information: its weight in the first region is read from the regional feature library, and the similarity is determined between the currently extracted 5th item and the common mailbox feature information stored for the first region in the library. Specifically, when the two mailbox values differ by only one character the similarity may be set to 95%; when only half of the two values is the same the similarity may be set to 50%.
Optionally, in the tracing method based on regional features shown in fig. 1, determining in step 105 a target region to which at least one attack sample to be traced belongs according to the association strength includes:
determining each association strength that is greater than a preset association threshold, where the association strengths comprise the association strength corresponding to each region;
and determining the region corresponding to each such association strength as a target region.
In this embodiment, when the association strength between the regional feature information and a region is greater than the preset association threshold, that region is determined to be the target region to which the attack sample to be traced belongs, so the attack sample to be traced is located quickly.
For example, continuing the previous example, for the five regions in the regional feature library the association strengths in descending order are P_1, P_4, P_2, P_3, P_5. When P_1 and P_4 are greater than the preset threshold, the target regions to which the current attack trigger event belongs are determined to be the first region and the fourth region.
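The scoring and thresholding described in the passages above, written out as an added example rather than the patent's own code. The regional feature library, its per-region weights k_i, the sample's feature values and the similarity measure (a normalised edit distance, which reproduces the "one differing character gives 95%" rule of thumb) are all assumptions made for the illustration.

```python
"""Association-strength scoring and thresholding for regional tracing.

Added illustration of P_j = (1/n) * sum_i k_i * A_ij; the library contents,
weights, sample values and similarity measure are assumptions, not data."""
from typing import Dict, List, Tuple

# region -> {feature item -> (reference value, weight k_i of that item in this region)}
RegionEntry = Dict[str, Tuple[str, float]]
Library = Dict[str, RegionEntry]

# Constructed regional feature library (assumed contents, not real intelligence data).
REGION_LIBRARY: Library = {
    "region_1": {
        "language": ("zh-CN", 0.8),
        "time_zone": ("UTC+8", 0.6),
        "mailbox": ("ops-team@example-one.test", 1.0),
        "char_symbol": ("\uff0c", 0.6),  # full-width comma
    },
    "region_2": {
        "language": ("ru-RU", 0.8),
        "time_zone": ("UTC+3", 0.6),
        "mailbox": ("ops-team@example-two.test", 1.0),
        "char_symbol": ("\u00ab", 0.6),  # left guillemet
    },
    "region_3": {  # no mailbox reference stored for this region
        "language": ("zh-CN", 0.8),
        "time_zone": ("UTC+8", 0.6),
        "char_symbol": ("\u3001", 0.6),  # ideographic comma
    },
}

# Constructed regional feature information extracted from one attack sample (n = 4 items).
SAMPLE_FEATURES: Dict[str, str] = {
    "language": "zh-CN",
    "time_zone": "UTC+8",
    "mailbox": "ops-team@example-one.test",
    "char_symbol": "\uff0c",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """A_ij: edit similarity in [0, 1]; one differing character in 20 gives 0.95."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


def association_strength(sample: Dict[str, str], region: RegionEntry) -> float:
    """P_j = (1/n) * sum over the n extracted items of k_i * A_ij.

    An item with no reference value in the region contributes A_ij = 0 (assumption)."""
    n = len(sample)
    if n == 0:
        return 0.0
    total = 0.0
    for item, value in sample.items():
        if item in region:
            reference, weight = region[item]
            total += weight * similarity(value, reference)
    return total / n


def trace_regions(sample: Dict[str, str], library: Library,
                  threshold: float) -> List[Tuple[str, float]]:
    """Target regions: every region whose P_j is strictly greater than the
    preset threshold, strongest first."""
    scored = [(name, association_strength(sample, entry)) for name, entry in library.items()]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(name, p) for name, p in scored if p > threshold]


if __name__ == "__main__":
    for name, p in trace_regions(SAMPLE_FEATURES, REGION_LIBRARY, threshold=0.6):
        print(f"{name}: P = {p:.2f}")
```

Because A_ij is computed on raw strings, a mailbox that differs from the reference only in its domain still scores 0.88 (region_2 above), so in practice the mailbox item is better compared on the domain part; likewise a single, easily planted indicator such as a punctuation character should carry a low weight, which is what the per-region k_i is for. The threshold is applied strictly (greater than), as the text states.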
Optionally, the method for creating a pre-created regional feature library includes:
acquiring regional characteristic data, wherein the regional characteristic data comprises regional knowledge data and historical attack samples, and the regional knowledge data comprises regional characteristic information of at least two regions;
performing feature extraction on the regional feature data according to cultural factors and geographic factors to obtain at least one item of regional feature information;
determining the area to which each item of area feature information belongs according to the area feature data;
and storing the region feature information and the region to which the region feature information belongs to obtain a region feature library.
In this embodiment, note that the regional knowledge data can be obtained directly from established facts about each region, and comprises regional feature information of at least two regions determined from those facts; the historical attack samples are attack samples from a preset time period whose attack region is known.
In this embodiment, regional knowledge data and historical attack samples are obtained in advance, the regional feature information for each region is obtained according to cultural and geographic factors, and the regional feature information is stored together with the region it belongs to, giving the pre-created regional feature library.
Optionally, in the tracing method based on regional characteristics shown in fig. 1, the at least one item of regional characteristic information includes: language characteristic information, time zone characteristic information, network protocol characteristic information, name characteristic information, mail characteristic information, company characteristic information and character symbol characteristic information;
the step of performing feature extraction on the regional feature data according to cultural factors and geographic factors to obtain at least one item of regional feature information includes:
performing feature extraction on the regional feature data according to cultural factors to obtain language feature information, name feature information, company feature information and character symbol feature information corresponding to each region;
and extracting the characteristics of the regional characteristic data according to geographic factors to obtain time zone characteristic information, network protocol characteristic information and mail characteristic information corresponding to each region.
In this embodiment, the regional feature data used to create the regional feature library comprises regional knowledge data and historical attack samples. Specifically: for the regional knowledge data, features are screened according to cultural factors and geographic factors to obtain the various items of regional feature information for each region; for each historical attack sample, the region it belongs to is determined and feature extraction is performed on it according to cultural factors and geographic factors to obtain the items of regional feature information for that region. The items obtained from the regional knowledge data and the historical attack samples, together with the regions they belong to, are consolidated and stored to give the regional feature library.
Specifically, feature extraction according to cultural factors yields the language feature information, name feature information, company feature information and character symbol feature information for each region, and feature extraction according to geographic factors yields the time zone feature information, network protocol feature information and mail feature information for each region.
In this embodiment, the pre-created regional feature library provides the data support for tracing subsequent attack samples, allowing fast and accurate tracing when an attack trigger event is detected. The regional feature information derived from established facts is richer and more detailed, and the correspondences obtained from historical attack samples add to it, so the coverage of the regional feature library is extended, which helps trace new attack samples more accurately later.
Note that the regional feature information of each attack sample includes both dynamic and static features of the sample.
Specifically, for the regional knowledge data in the regional feature data, the cultural characteristics and computer-usage characteristics of the region to which the data belongs are collected, so that the raw regional knowledge data can be screened according to cultural and geographic factors to obtain the corresponding regional feature information.
Optionally, in the tracing method based on regional features shown in fig. 1, the step of performing feature extraction on the regional feature data according to cultural factors and geographic factors to obtain at least one item of regional feature information includes:
aiming at historical attack samples included in the regional characteristic data, the following steps are executed:
obtaining a file format of the historical attack sample; wherein, the file format includes: executable files, compound documents, scripts, compressed files, mail;
extracting the characteristics of the historical attack sample according to cultural factors to obtain language characteristic information, name characteristic information, company characteristic information and character symbol characteristic information;
and extracting the characteristics of the historical attack sample according to the geographic factors to obtain time zone characteristic information, network protocol characteristic information and mail characteristic information.
In this embodiment, the file format of the attack sample is obtained first, where the file format may be an executable file, a compound document, a compressed file, a mail message, a script and so on, and feature extraction then proceeds accordingly. For example, feature extraction methods include, but are not limited to: for a PE executable file, extracting the compilation time, the PDB path, resource-section strings, embedded text and the like; for a compound document, extracting the author, company, embedded text and the like; and for a mail message, extracting the company, domain names, mail servers and the like.
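One way to extract the static PE features named in this paragraph, as an added example (not the patent's or Antiy's code). It reads the COFF TimeDateStamp directly from the headers and pulls PDB paths, mail domains and character-script hints from the raw bytes with regular expressions. The sample PE image, its timestamp and the strings embedded in it are constructed for the example, and the Unicode ranges used for the script hints are an assumption.

```python
"""Static regional-feature extraction from a PE sample.

Added illustration, not the patent's or Antiy's code. The sample PE image, its
timestamp and the strings embedded in it are constructed for this example, and
the script ranges used for the character-symbol hints are an assumption."""
import re
import struct
from datetime import datetime, timezone
from typing import Dict, List

# Drive-letter path ending in .pdb (assumed shape of a PDB path left by the linker).
PDB_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,255}?\.pdb")
# Mail address; the capture group is the domain part, which carries the regional signal.
MAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
CJK_PUNCT = "\uff0c\u3002\u3001\uff1b\uff1a\uff1f\uff01\uff08\uff09"  # ，。、；：？！（）


def build_sample_pe(timestamp: int, payload: bytes) -> bytes:
    """Constructed minimal PE image: DOS header with e_lfanew, PE signature, COFF
    header, then raw payload standing in for section data. Not a loadable binary."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + payload


def compile_time(data: bytes) -> datetime:
    """TimeDateStamp from the COFF header, as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # TimeDateStamp follows the 4-byte signature, Machine (2) and NumberOfSections (2).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def pdb_paths(data: bytes) -> List[str]:
    """Every drive-letter .pdb path embedded in the file (name/company material)."""
    return [m.decode("ascii") for m in PDB_RE.findall(data)]


def mail_domains(data: bytes) -> List[str]:
    """Distinct mail domains embedded in the file, lower-cased."""
    return sorted({d.decode("ascii").lower() for d in MAIL_RE.findall(data)})


def script_hints(data: bytes) -> Dict[str, int]:
    """Count characters by script in the UTF-8-decodable parts of the file.
    Invalid byte sequences (headers, machine code) are skipped by errors='ignore'."""
    counts = {"cjk": 0, "cyrillic": 0, "cjk_punct": 0}
    for ch in data.decode("utf-8", errors="ignore"):
        cp = ord(ch)
        if 0x4E00 <= cp <= 0x9FFF:
            counts["cjk"] += 1
        elif 0x0400 <= cp <= 0x04FF:
            counts["cyrillic"] += 1
        elif ch in CJK_PUNCT:
            counts["cjk_punct"] += 1
    return counts


def extract_regional_features(data: bytes) -> Dict[str, object]:
    """Raw material for the time-zone, name, mail and character-symbol items."""
    return {
        "compile_time_utc": compile_time(data).isoformat(),
        "pdb_paths": pdb_paths(data),
        "mail_domains": mail_domains(data),
        "script_hints": script_hints(data),
    }


# Constructed sample: the kind of strings found in a dropper's data/resource sections.
SAMPLE_PAYLOAD = (
    b"\x00" * 16
    + b"D:\\work\\proj\\Release\\loader.pdb\x00"
    + b"support@vendor-example.test\x00"
    + "\u6d4b\u8bd5\uff0c\u6837\u672c".encode("utf-8") + b"\x00"  # 测试，样本
)
SAMPLE_PE = build_sample_pe(1583650800, SAMPLE_PAYLOAD)  # 2020-03-08T07:00:00Z

if __name__ == "__main__":
    for key, value in extract_regional_features(SAMPLE_PE).items():
        print(f"{key}: {value}")
```

The compile timestamp is UTC, so one value says nothing about the operator's time zone by itself; the time-zone item has to come from the hour-of-day distribution of compile and modification times across many samples of the same family. Strings, PDB paths and timestamps are also trivially forged, which is why the method weights each item and sums over many of them rather than treating any one as decisive.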
Specifically, for the historical attack samples included in the region feature data, feature extraction needs to be performed on the historical attack samples of the known region, including:
A1, collecting the cultural characteristics and computer-usage characteristics of the region to which each historical attack sample belongs, including network characteristics, language, company names, time zone characteristics and the like;
A2, extracting language characteristic information or character symbol characteristic information according to cultural factors; the language characteristic information is the language and character information, extracted from historical attack samples, that corresponds to the region to which those samples belong; the character symbol characteristic information is the special character symbols, extracted from historical attack samples, that correspond to the region to which those samples belong, so that tracing can be performed according to the characters contained in the attack sample to be traced; for example, if the sample contains the Chinese full-width comma "，" (U+FF0C), the region to which the attack sample to be traced belongs can be determined to be China.
A3, extracting time zone characteristic information according to geographic factors; the time zone characteristic information is the time zone information, extracted from historical attack samples, that corresponds to the region to which those samples belong, so that tracing can be performed according to the compile time and the last file modification time contained in the attack sample to be traced;
A4, extracting network protocol characteristic information according to geographic factors; the network protocol characteristic information is the network protocols, target IP addresses and the like, extracted from historical attack samples, that are commonly used by the attack organizations of the corresponding region, so that tracing can be performed according to network behaviour such as the target IP addresses contained in the attack sample to be traced;
A5, extracting name characteristic information according to cultural factors; the name characteristic information is the common names and English abbreviations, extracted from historical attack samples, that correspond to the region to which those samples belong, so that tracing can be performed according to the distinctive names contained in the attack sample to be traced;
A6, extracting mail characteristic information according to geographic factors; the mail characteristic information is the commonly used mailbox information, extracted from historical attack samples, that corresponds to the region to which those samples belong, so that tracing can be performed according to the target mailbox address contained in the attack sample to be traced;
A7, extracting company characteristic information according to cultural factors; the company characteristic information is the company information, extracted from historical attack samples, that corresponds to the region to which those samples belong, so that tracing can be performed according to the company attributes and digital signature information contained in the attack sample to be traced.
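The extraction steps A2 to A7 above, together with the per-format artefacts listed earlier (compile time, PDB path, embedded strings, mail headers), can be exercised on a small constructed sample. The following Python is an added example written for this page; it is not code from the patent or from Antiy. The sample bytes, the mail header, the compile timestamps, the user name "zhangsan", the domain example.test and the company string are all constructed, and the working-hours heuristic that turns a cluster of compile timestamps into a UTC offset is this example's own assumption, not a method the patent specifies.

```python
from __future__ import annotations

import email.utils
import re
import unicodedata
from collections import Counter
from datetime import datetime, timezone

# Constructed stand-in for an "executable file" sample. It is NOT a real PE and not
# malware: an MZ stub followed by the artefacts steps A2-A7 look for. A real PE keeps
# VS_VERSIONINFO in UTF-16LE and the PDB path in the debug directory; here they are
# plain NUL-terminated UTF-8 so the example stays short.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"C:\\Users\\zhangsan\\Projects\\loader\\Release\\loader.pdb\x00"
    + "\u6587\u4ef6\u5df2\u635f\u574f\uff0c\u8bf7\u91cd\u8bd5\u3002".encode("utf-8") + b"\x00"
    + b"CompanyName\x00Example Software Co.\x00"
    + b"http://update.example.test/check\x00"
)

# Constructed header of a "mail" sample; the Date offset is the geographic signal (A6/A3).
MAIL = (
    "From: hr@example.test\r\n"
    "Date: Mon, 01 Mar 2021 10:15:00 +0800\r\n"
    "Subject: resume\r\n"
)

# Constructed PE compile timestamps (UTC) from eight related samples. One timestamp
# says nothing about a workday; a cluster from the same build environment might.
COMPILE_TIMES = [datetime(2021, 3, 1, h, 30, tzinfo=timezone.utc)
                 for h in (1, 2, 3, 4, 6, 7, 8, 9)]

PDB_RE = re.compile(rb"[A-Za-z]:\\[^\x00]{1,260}?\.pdb", re.IGNORECASE)
USER_RE = re.compile(r"\\Users\\([^\\]+)\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


def strings(data: bytes, min_len: int = 4) -> list[str]:
    """NUL-separated printable runs, decoded as UTF-8 so CJK or Cyrillic text survives."""
    out = []
    for chunk in data.split(b"\x00"):
        s = "".join(c for c in chunk.decode("utf-8", errors="ignore") if c.isprintable())
        if len(s) >= min_len:
            out.append(s)
    return out


def script_profile(texts: list[str]) -> Counter:
    """A2 language: count letters per writing system (first word of the Unicode name)."""
    counts: Counter = Counter()
    for t in texts:
        for ch in t:
            if ch.isalpha():
                counts[unicodedata.name(ch, "UNKNOWN").split()[0]] += 1
    return counts


def character_symbols(texts: list[str]) -> set[str]:
    """A2 character symbols: full-width / ideographic punctuation such as U+FF0C."""
    found = set()
    for t in texts:
        for ch in t:
            if unicodedata.category(ch).startswith("P") and \
                    unicodedata.name(ch, "").startswith(("FULLWIDTH", "IDEOGRAPHIC")):
                found.add(ch)
    return found


def pdb_users(data: bytes) -> list[str]:
    """A5 names: user names left behind in PDB paths."""
    users = []
    for path in PDB_RE.findall(data):
        m = USER_RE.search(path.decode("latin-1"))
        if m:
            users.append(m.group(1))
    return users


def mail_utc_offset(headers: str) -> int:
    """A6/A3: UTC offset in hours from the Date header of a mail sample."""
    for line in headers.splitlines():
        if line.lower().startswith("date:"):
            sent = email.utils.parsedate_to_datetime(line[5:].strip())
            return int(sent.utcoffset().total_seconds() // 3600)
    raise ValueError("no Date header")


def infer_utc_offset(compile_times: list[datetime], workday=range(9, 18)) -> int:
    """A3: the offset that puts most compile times inside a 09:00-17:59 workday.
    Heuristic and an assumption of this example: build servers, VM clocks and forged
    timestamps all defeat it, so it is evidence to weigh, not a verdict."""
    return max(range(-12, 15),
               key=lambda off: sum((t.hour + off) % 24 in workday for t in compile_times))


def extract_features(data: bytes, mail: str, compile_times: list[datetime]) -> dict:
    """One feature record per sample, keyed by the items a region feature library stores."""
    texts = strings(data)
    company = texts[texts.index("CompanyName") + 1] if "CompanyName" in texts else None
    return {
        "scripts": script_profile(texts),                    # A2
        "symbols": character_symbols(texts),                 # A2
        "names": pdb_users(data),                            # A5
        "company": company,                                  # A7
        "urls": URL_RE.findall(" ".join(texts)),             # A4
        "mail_offset": mail_utc_offset(mail),                # A6
        "compile_offset": infer_utc_offset(compile_times),   # A3
    }


if __name__ == "__main__":
    for key, value in extract_features(SAMPLE, MAIL, COMPILE_TIMES).items():
        print(f"{key:15} {value}")
```

Two caveats a practitioner would apply before storing any of these items in a region feature library: a single compile timestamp is worthless for time zone inference (the heuristic needs a cluster from the same toolchain, and compile timestamps are trivially rewritten), and a full-width comma or a PDB user name is exactly the kind of artefact an attacker can plant to point at another region, so such items should carry low weight unless corroborated.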
In the embodiment of the present invention, a region feature library may be created that includes, but is not limited to, the following regional feature information: language characteristic information, time zone characteristic information, network protocol characteristic information, name characteristic information, mail characteristic information, company characteristic information and character symbol characteristic information. The subtle regional traits captured in the region feature library serve as evidence of the regional characteristic information of a region, so that the region to which an attack sample belongs can be quickly searched for and located, defensive measures can be adopted in time, and deeper tracing can be carried out in time, thereby improving tracing efficiency.
Similarly, in the tracing method based on regional characteristics shown in fig. 1, in step 104, feature extraction is performed on at least one attack sample to be traced, so as to obtain regional characteristic information of each attack sample to be traced, including:
aiming at each attack sample to be traced, executing the following steps:
obtaining a file format of the attack sample to be traced; wherein, the file format includes: executable files, compound documents, scripts, compressed files, mail;
extracting the characteristics of the attack sample to be traced according to cultural factors to obtain language characteristic information, name characteristic information, company characteristic information and character symbol characteristic information;
and extracting the characteristics of the attack sample to be traced according to the geographic factors to obtain time zone characteristic information, network protocol characteristic information and mail characteristic information.
In the embodiment of the invention, when the feature extraction is carried out on each attack sample to be traced, the feature extraction is carried out on the attack sample to be traced according to cultural factors to obtain language feature information, name feature information, company feature information and character symbol feature information; and extracting the characteristics of the attack sample to be traced according to geographic factors to obtain time zone characteristic information, network protocol characteristic information and mail characteristic information. Therefore, the screening of the regional characteristic information of the attack sample to be traced can be realized according to cultural factors and geographic factors, the redundant characteristic information which has less influence on the tracing result and less information content can be eliminated, the calculation amount in the subsequent tracing process is reduced, and the tracing precision and the reliability of the tracing result based on the regional characteristics are further improved.
In the embodiment of the invention, the above-mentioned modes A1 to A7 can be adopted to obtain the characteristic information of the sample of the attack to be traced.
Optionally, in the tracing method based on regional characteristics shown in fig. 1, after determining the target region to which at least one attack sample to be traced belongs according to the association strength in step 106, the method further includes:
acquiring periodically updated regional characteristic data;
and updating a pre-established regional characteristic library according to the updated regional characteristic data.
In the embodiment of the invention, the pre-created regional characteristic library can be updated by periodically acquiring the latest detected attack sample as the updated regional characteristic data.
In the embodiment of the invention, the current regional characteristic library can be updated in real time, so that the current regional characteristic library is continuously trained by utilizing the periodically updated historical attack samples or regional knowledge data, the searching capability of the regional characteristic library is enhanced, the novel unknown attack means can be subjected to traceability analysis to assist in positioning attack organizations or hacker individuals, the traceability capability of the regional characteristic library is favorably improved, and the traceability efficiency is further improved.
In the embodiment of the invention, the tracing analysis of a plurality of attack samples can be realized through the regional feature library, the tracing difficulty of analysts is reduced, a large amount of data calculation and analysis are not required to be carried out by the analysts, and the tracing efficiency and the intelligence of multi-sample combined attack are improved.
In order to more clearly illustrate the technical solution and the advantages of the present invention, as shown in fig. 2, the following describes in detail a tracing method based on regional characteristics according to an embodiment of the present invention, which specifically includes:
step 201: a regional feature library is created.
Specifically, acquiring regional characteristic data comprising regional knowledge data and historical attack samples; wherein the regional knowledge data comprises regional characteristic information of at least two regions;
for the regional knowledge data, performing feature screening on the regional knowledge data according to cultural factors to obtain language feature information, name feature information, company feature information and character symbol feature information corresponding to each region, and performing feature extraction on the regional knowledge data according to geographic factors to obtain time zone feature information, network protocol feature information and mail feature information corresponding to each region;
corresponding to the historical attack sample, firstly obtaining the region to which the historical attack sample belongs, obtaining the file format of the historical attack sample, extracting the characteristics of the historical attack sample in the file format according to cultural factors, obtaining language characteristic information, name characteristic information, company characteristic information and character symbol characteristic information of the corresponding region, extracting the characteristics of the historical attack sample in the file format according to geographic factors, and obtaining time zone characteristic information, network protocol characteristic information and mail characteristic information of the corresponding region;
storing the regional characteristic information obtained by the regional knowledge data and the historical attack sample and the region to which the regional characteristic information belongs correspondingly to obtain a regional characteristic library; the regional characteristic library stores regional characteristic information and a corresponding relation between the regional characteristic information and a region to which the regional characteristic information belongs, wherein the regional characteristic information comprises but is not limited to language characteristic information, time zone characteristic information, network protocol characteristic information, name characteristic information, mail characteristic information, company characteristic information and character symbol characteristic information.
Step 202: and detecting an attack trigger event and acquiring at least one attack sample to be traced.
Specifically, performing feature extraction on the at least one attack sample to be traced to obtain the regional feature information of each attack sample to be traced includes: obtaining the file format of the attack sample to be traced;
extracting the characteristics of the attack sample to be traced in the file format according to cultural factors to obtain language characteristic information, name characteristic information, company characteristic information and character symbol characteristic information;
and performing feature extraction on the attack sample to be traced in the file format according to geographic factors to obtain time zone feature information, network protocol feature information and mail feature information.
Step 203: the strength of association between the region feature information and each region included in the region feature library created in advance is determined.
Specifically, the regional characteristic information of each attack sample to be traced comprises at least one item of regional characteristic information;
determining the strength of association between the regional characteristic information and each region included in a pre-created regional characteristic library, including:
performing correlation strength operation on the obtained regional characteristic information of each attack sample to be traced, wherein a correlation strength formula corresponding to each region is as follows:
[Formula image BDA0002962412800000151, not reproduced on this page: P_j expressed in terms of k_i, A_ij and n]
where P_j is the association strength between the regional characteristic information of each attack sample to be traced and the j-th region, k_i is the weight of the i-th item of regional characteristic information in the j-th region, A_ij is the similarity between the i-th item of regional characteristic information and the corresponding item of regional characteristic information in the j-th region, and n is the total number of items of regional characteristic information extracted from the at least one attack sample to be traced.
Step 204: and determining a target area to which at least one attack sample to be traced belongs.
Specifically, determining at least one association strength with which the association strength is greater than a preset association threshold; wherein the association strength comprises the association strength corresponding to each region; and determining the area corresponding to the at least one correlation strength as the target area.
Step 205: and updating the pre-created regional feature library.
Specifically, periodically updated regional characteristic data are obtained;
and updating the pre-established regional characteristic library according to the updated regional characteristic data.
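Steps 201 to 205 above, carried through in Python as an added example written for this page; it is not code from the patent or from Antiy. The region names, feature items, weights k_i and threshold are constructed. Because the formula image is not reproduced on this page, the example assumes the association strength is the weighted sum P_j = sum over i of k_i * A_ij that its variable definitions describe, with A_ij computed as the Jaccard similarity between set-valued items and the k_i normalised over the items the sample actually yielded; both are this example's choices, not the patent's.

```python
from __future__ import annotations

from collections import defaultdict

# Per-item weights k_i (constructed). They are normalised over the items a sample
# actually yielded, an assumption of this example so that P_j lies in [0, 1] and one
# preset threshold is meaningful; the patent leaves the scale of k_i open.
WEIGHTS = {"scripts": 0.3, "symbols": 0.2, "utc_offset": 0.3, "mail_domains": 0.1, "names": 0.1}

# Step 201 inputs (constructed): regional knowledge data for two regions, plus
# historical attack samples whose region is already known. Every item is a set so
# that one similarity measure serves all of them.
REGION_KNOWLEDGE = {
    "region-1": {"scripts": {"CJK"}, "symbols": {"\uff0c", "\u3002"}, "utc_offset": {8}},
    "region-2": {"scripts": {"CYRILLIC"}, "symbols": {"\u00ab", "\u00bb"}, "utc_offset": {3}},
}
HISTORICAL_SAMPLES = [
    ("region-1", {"names": {"zhangsan"}, "mail_domains": {"example.test"}, "utc_offset": {8}}),
    ("region-2", {"names": {"ivan"}, "mail_domains": {"mail.example"}, "utc_offset": {3}}),
]

# Step 202 output (constructed): the items extracted from one sample to be traced.
SAMPLE_FEATURES = {
    "scripts": {"CJK", "LATIN"}, "symbols": {"\uff0c", "\u3002"}, "utc_offset": {8},
    "mail_domains": {"example.test"}, "names": {"lisi"},
}


def build_library(knowledge: dict, samples: list) -> dict:
    """Step 201: region feature library = union of items per region from both sources."""
    library: dict = defaultdict(lambda: defaultdict(set))
    for region, items in list(knowledge.items()) + list(samples):
        for item, values in items.items():
            library[region][item] |= set(values)
    return library


def jaccard(a: set, b: set) -> float:
    """A_ij: similarity between the sample's i-th item and the region's copy of it."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def association_strength(features: dict, profile: dict, weights: dict = WEIGHTS) -> float:
    """Step 203: P_j = sum_i k_i * A_ij over the n items extracted from the sample."""
    items = [i for i in features if i in weights]
    total = sum(weights[i] for i in items)
    if total == 0:
        return 0.0
    return sum(weights[i] * jaccard(set(features[i]), profile.get(i, set()))
               for i in items) / total


def attribute(features: dict, library: dict, threshold: float = 0.6,
              weights: dict = WEIGHTS) -> tuple[list[str], dict]:
    """Step 204: regions whose P_j exceeds the preset threshold, strongest first."""
    scores = {r: association_strength(features, p, weights) for r, p in library.items()}
    targets = sorted((r for r, s in scores.items() if s > threshold),
                     key=scores.get, reverse=True)
    return targets, scores


def update_library(library: dict, region: str, features: dict) -> dict:
    """Step 205: fold a sample with a confirmed region back into that region's profile."""
    for item, values in features.items():
        library[region][item] |= set(values)
    return library


if __name__ == "__main__":
    lib = build_library(REGION_KNOWLEDGE, HISTORICAL_SAMPLES)
    print(attribute(SAMPLE_FEATURES, lib))
    update_library(lib, "region-1", SAMPLE_FEATURES)
    print(attribute(SAMPLE_FEATURES, lib))
```

The rescoring after update_library shows why step 205 needs a gate: folding the attributed sample back into the library raises that sample's own score from 0.75 to 0.95, so a wrong automatic attribution would reinforce itself on the next update. Only samples whose region an analyst has confirmed should be used as updated regional characteristic data.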
As shown in fig. 3 and 4, an embodiment of the present invention provides a tracing apparatus based on regional characteristics. The device embodiments may be implemented by software, or by hardware, or by a combination of hardware and software. From a hardware level, as shown in fig. 3, a hardware structure diagram of a device where a tracing apparatus based on regional characteristics according to an embodiment of the present invention is located is provided, where the device in the embodiment may generally include other hardware, such as a forwarding chip responsible for processing a packet, in addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 3. Taking a software implementation as an example, as shown in fig. 4, as a logical apparatus, the apparatus is formed by reading a corresponding computer program instruction in a non-volatile memory into a memory by a CPU of a device in which the apparatus is located and running the computer program instruction. The tracing device based on the regional characteristics provided by the embodiment comprises:
an obtaining module 401, configured to obtain at least one attack sample to be traced when an attack trigger event is detected;
a feature extraction module 402, configured to perform feature extraction on at least one attack sample to be traced acquired by the acquisition module 401, so as to obtain regional feature information of each attack sample to be traced;
an association strength determining module 403 for determining an association strength between the region feature information obtained by the feature extracting module 402 and each region included in a region feature library created in advance; the regional characteristic library stores regional characteristic information and a corresponding relation between the regional characteristic information and a region to which the regional characteristic information belongs;
and an area determining module 404, configured to determine, according to the association strength determined by the association strength determining module 403, a target area to which at least one attack sample to be traced belongs.
Optionally, on the basis of the tracing apparatus based on regional characteristics shown in fig. 4, the association strength determining module 403 is further configured to perform the following operations:
performing correlation strength operation on the obtained regional characteristic information of each attack sample to be traced, wherein a correlation strength formula corresponding to each region is as follows:
[Formula image BDA0002962412800000161, not reproduced on this page: P_j expressed in terms of k_i, A_ij and n]
where P_j is the association strength between the regional characteristic information of each attack sample to be traced and the j-th region, k_i is the weight of the i-th item of regional characteristic information in the j-th region, A_ij is the similarity between the i-th item of regional characteristic information and the corresponding item of regional characteristic information in the j-th region, and n is the total number of items of regional characteristic information extracted from the at least one attack sample to be traced.
Optionally, on the basis of the tracing apparatus based on regional characteristics shown in fig. 4, the regional determination module 404 is further configured to perform the following operations:
determining at least one correlation strength with which the correlation strength is greater than a preset correlation threshold; wherein the association strength comprises the association strength corresponding to each region;
and determining the area corresponding to the at least one correlation strength as the target area.
Optionally, on the basis of a tracing apparatus based on regional characteristics shown in fig. 4, the apparatus further includes: a creation module to perform the following operations:
acquiring regional characteristic data, wherein the regional characteristic data comprises regional knowledge data and historical attack samples, and the regional knowledge data comprises regional characteristic information of at least two regions;
performing feature extraction on the regional feature data according to cultural factors and geographic factors to obtain at least one item of regional feature information;
determining the area to which each item of area feature information belongs according to the area feature data;
and storing the region feature information and the region to which the region feature information belongs to obtain a region feature library.
Optionally, on the basis of the tracing apparatus based on regional characteristics shown in fig. 4, the at least one item of regional characteristic information includes: language characteristic information, time zone characteristic information, network protocol characteristic information, name characteristic information, mail characteristic information, company characteristic information and character symbol characteristic information;
the creation module is further configured to perform the following operations:
extracting the characteristics of the regional characteristic data according to cultural factors to obtain language characteristic information, name characteristic information, company characteristic information and character symbol characteristic information corresponding to each region;
and extracting the characteristics of the regional characteristic data according to the geographic factors to obtain time zone characteristic information, network protocol characteristic information and mail characteristic information corresponding to each region.
Optionally, on the basis of the tracing apparatus based on regional characteristics shown in fig. 4, the creating module is further configured to perform the following operations:
aiming at historical attack samples included in the regional characteristic data, the following steps are executed:
acquiring a file format of the historical attack sample; wherein, the file format includes: executable files, compound documents, scripts, compressed files, mail;
extracting the characteristics of the historical attack sample according to cultural factors to obtain language characteristic information, name characteristic information, company characteristic information and character symbol characteristic information;
and extracting the characteristics of the historical attack sample according to the geographic factors to obtain time zone characteristic information, network protocol characteristic information and mail characteristic information.
Optionally, on the basis of the tracing apparatus based on regional features shown in fig. 4, the feature extraction module 402 is further configured to perform the following operations:
aiming at each attack sample to be traced, executing the following steps:
analyzing the attack sample to be traced to obtain an executable file and an email;
extracting features of the executable file according to cultural factors to obtain language feature information, name feature information, company feature information and character symbol feature information;
extracting the characteristics of the executable file according to geographic factors to obtain time zone characteristic information and network protocol characteristic information;
and extracting the characteristics of the mail according to the geographic factors to obtain the mail characteristic information.
Optionally, on the basis of a tracing apparatus based on regional characteristics shown in fig. 4, the apparatus further includes an updating module, where the updating module is configured to perform the following operations:
acquiring periodically updated regional characteristic data;
and updating the pre-established regional characteristic library according to the updated regional characteristic data.
It is to be understood that the schematic structure in the embodiment of the present invention does not specifically limit a tracing apparatus based on regional characteristics. In other embodiments of the present invention, a traceability device based on regional characteristics may include more or fewer components than those shown, or some components may be combined, some components may be split, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
An embodiment of the present invention further provides a tracing apparatus based on regional characteristics, including: at least one memory and at least one processor;
the at least one memory to store a machine readable program;
the at least one processor is configured to invoke the machine-readable program to execute a tracing method based on regional features in any embodiment of the present invention.
An embodiment of the present invention further provides a computer-readable medium, where a computer instruction is stored on the computer-readable medium, and when the computer instruction is executed by a processor, the processor is enabled to execute a tracing method based on regional features in any embodiment of the present invention.
Specifically, a system or an apparatus equipped with a storage medium on which software program codes that realize the functions of any of the above-described embodiments are stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program codes stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion module connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion module to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
In summary, when an attack trigger event is detected, the method and the device for tracing based on the regional characteristics perform feature extraction on at least one to-be-traced attack sample acquired by the current attack trigger event, acquire regional characteristic information corresponding to each to-be-traced attack sample, determine the association strength between the regional characteristic information and each region included in a pre-created regional characteristic library, and finally determine a target region to which the to-be-traced attack sample belongs according to the association strength. The invention has at least the following beneficial effects: by comparing the obtained regional characteristic information of the attack sample to be traced with the pre-established regional characteristic library, the target region to which the attack sample of the current attack trigger event belongs can be quickly and accurately positioned, including the attack organization to which the attack sample belongs or the specific region to which the attacker belongs, so that the difficulty of manual tracing is reduced, and the efficiency of tracing analysis is further improved.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a" does not exclude the presence of other similar elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: ROM, RAM, magnetic or optical disks, etc. that can store program codes.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (9)

1. A tracing method based on regional characteristics is characterized by comprising the following steps:
detecting an attack trigger event;
obtaining at least one attack sample to be traced;
performing feature extraction on the at least one attack sample to be traced to obtain regional feature information of each attack sample to be traced; the regional characteristic information of each attack sample to be traced comprises at least one item of regional characteristic information;
determining the correlation strength between the region feature information and each region included in a pre-created region feature library; the regional characteristic library stores regional characteristic information and a corresponding relation between the regional characteristic information and a region to which the regional characteristic information belongs;
determining a target area to which the at least one attack sample to be traced belongs according to the association strength;
the determining the association strength between the region feature information and each region included in a pre-created region feature library includes:
performing correlation strength operation on the obtained regional characteristic information of each attack sample to be traced, wherein a correlation strength formula corresponding to each region is as follows:
[Formula image DEST_PATH_IMAGE001, not reproduced on this page: P_j expressed in terms of k_i, A_ij and n]
where P_j is the association strength between the regional characteristic information of each attack sample to be traced and the j-th region, k_i is the weight of the i-th item of regional characteristic information in the j-th region, A_ij is the similarity between the i-th item of regional characteristic information and the corresponding item of regional characteristic information in the j-th region, and n is the total number of items of regional characteristic information extracted from the at least one attack sample to be traced.
2. The method according to claim 1, wherein the determining a target area to which the at least one attack sample to be traced belongs according to the correlation strength comprises:
determining at least one association strength with which the association strength is greater than a preset association threshold; wherein the association strength comprises the association strength corresponding to each region;
and determining the area corresponding to the at least one association strength as a target area.
3. The method according to claim 1, wherein the method for creating the pre-created regional feature library comprises:
acquiring regional characteristic data, wherein the regional characteristic data comprise regional knowledge data and historical attack samples, and the regional knowledge data comprise regional characteristic information of at least two regions;
performing feature extraction on the regional feature data according to cultural factors and geographic factors to obtain at least one item of regional feature information;
determining the area to which each item of area feature information belongs according to the area feature data;
and storing the region feature information and the region to which the region feature information belongs to obtain a region feature library.
4. The method of claim 3, wherein the at least one item of regional characteristic information comprises: language characteristic information, time zone characteristic information, network protocol characteristic information, name characteristic information, mail characteristic information, company characteristic information and character symbol characteristic information;
performing feature extraction on the regional feature data according to cultural factors and geographic factors to obtain at least one item of regional feature information, wherein the feature extraction comprises the following steps:
extracting the characteristics of the regional characteristic data according to the cultural factors to obtain the language characteristic information, the name characteristic information, the company characteristic information and the character symbol characteristic information corresponding to each region;
and extracting the characteristics of the regional characteristic data according to the geographic factors to obtain the time zone characteristic information, the network protocol characteristic information and the mail characteristic information corresponding to each region.
5. The method of claim 4, wherein the extracting the feature of the regional feature data according to cultural factors and geographic factors to obtain at least one item of regional feature information comprises:
for historical attack samples included in the region feature data, executing:
acquiring a file format of the historical attack sample; wherein the file format comprises: executable files, compound documents, scripts, compressed files, mail;
extracting the characteristics of the historical attack sample according to the cultural factors to obtain the language characteristic information, the name characteristic information, the company characteristic information and the character symbol characteristic information;
and extracting the characteristics of the historical attack sample according to the geographic factors to obtain the time zone characteristic information, the network protocol characteristic information and the mail characteristic information.
6. The method according to any one of claims 3 to 5, further comprising, after said determining a target region to which the at least one attack sample to be traced belongs according to the correlation strength, the steps of:
acquiring the periodically updated regional characteristic data;
and updating the pre-established regional characteristic library according to the updated regional characteristic data.
7. A tracing apparatus based on regional characteristics is characterized by comprising:
an acquisition module, configured to acquire at least one attack sample to be traced when an attack trigger event is detected;
the characteristic extraction module is used for extracting the characteristics of the at least one attack sample to be traced acquired by the acquisition module to obtain the regional characteristic information of each attack sample to be traced; the regional characteristic information of each attack sample to be traced comprises at least one item of regional characteristic information;
an association strength determination module configured to determine an association strength between the region feature information obtained by the feature extraction module and each region included in a region feature library created in advance; the regional characteristic library stores regional characteristic information and a corresponding relation between the regional characteristic information and a region to which the regional characteristic information belongs;
the region determining module is used for determining a target region to which the at least one attack sample to be traced belongs according to the correlation strength determined by the correlation strength determining module;
the association strength determination module is further configured to perform the following operations:
performing correlation strength operation on the obtained regional characteristic information of each attack sample to be traced, wherein a correlation strength formula corresponding to each region is as follows:
[Formula image (DEST_PATH_IMAGE002) not reproduced in the text.]
wherein $P_j$ represents the correlation strength between the regional characteristic information of each attack sample to be traced and the $j$-th region, $k_i$ represents the weight of the $i$-th item of regional characteristic information in the $j$-th region, $A_{ij}$ represents the similarity between the $i$-th item of regional characteristic information and the corresponding item of regional characteristic information of the $j$-th region, and $n$ represents the total number of items of regional characteristic information extracted from the at least one attack sample to be traced.
8. A tracing apparatus based on regional characteristics is characterized by comprising: at least one memory and at least one processor;
the at least one memory to store a machine readable program;
the at least one processor, configured to invoke the machine readable program, to perform the method of any of claims 1 to 6.
9. Computer readable medium, characterized in that it has stored thereon computer instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 6.
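The following is an added worked example, not code from the patent or from Antiy: a runnable sketch of the flow the claims describe, covering feature extraction from a sample (claims 4 and 5), the per-region correlation strength of claim 7, and the threshold test of claim 2. The claim-7 formula survives on the page only as an image, so the code assumes the reading its symbol definitions suggest, a weighted sum over the n feature items, P_j = sum_i k_i * A_ij, with Jaccard overlap as the similarity A_ij; every region, library value, weight and the sample mail are constructed for illustration, and only the mail format plus a generic metadata fallback are handled.

```python
"""Added example: minimal regional-feature tracing (not the patent holder's code).
Regions, library values, weights and the sample are all constructed."""
import unicodedata
from email.utils import parseaddr, parsedate_to_datetime

# The seven feature items named in claim 4 (index i = 1..n).
FEATURE_ITEMS = ("language", "time_zone", "network_protocol",
                 "name", "mail", "company", "charset")

# Constructed regional feature library (claim 3): region -> item -> values.
REGION_LIBRARY = {
    "region-A": {
        "language": {"script:latin", "script:han"}, "time_zone": {"+0800"},
        "network_protocol": {"asn:64496"}, "name": {"ops team"},
        "mail": {"tld:aa"}, "company": {"corp"}, "charset": {"\uff0c", "\u3002"},
    },
    "region-B": {
        "language": {"script:latin", "script:cyrillic"}, "time_zone": {"+0300"},
        "network_protocol": {"asn:64497"}, "name": {"admin"},
        "mail": {"tld:bb"}, "company": {"corp", "bank"}, "charset": {"\u00ab", "\u00bb"},
    },
}

# Constructed per-region weights k_i (assumed to sum to 1 for each region).
REGION_WEIGHTS = {
    region: {"language": 0.15, "time_zone": 0.20, "network_protocol": 0.15,
             "name": 0.10, "mail": 0.15, "company": 0.10, "charset": 0.15}
    for region in REGION_LIBRARY
}


def _script(ch):
    """Coarse script class of one character (cultural factor: language)."""
    o = ord(ch)
    if 0x0400 <= o <= 0x04FF:
        return "script:cyrillic"
    if 0x4E00 <= o <= 0x9FFF:
        return "script:han"
    if ch.isascii() and ch.isalpha():
        return "script:latin"
    return None


def _text_features(text):
    """Scripts used and non-ASCII punctuation (the character-symbol item)."""
    language = {s for s in map(_script, text) if s}
    charset = {ch for ch in text
               if not ch.isascii() and unicodedata.category(ch).startswith("P")}
    return language, charset


def extract_regional_features(sample):
    """item -> set of values for one sample (a constructed dict with a 'format' key).
    Items the sample does not expose stay empty and contribute 0 to P_j."""
    feats = {item: set() for item in FEATURE_ITEMS}
    text = sample.get("body", "") + " ".join(sample.get("strings", []))
    feats["language"], feats["charset"] = _text_features(text)
    if sample["format"] == "mail":
        headers = sample["headers"]
        # Geographic factors: sender clock offset and mail domain.
        feats["time_zone"].add(parsedate_to_datetime(headers["Date"]).strftime("%z"))
        display, address = parseaddr(headers["From"])
        labels = address.rpartition("@")[2].split(".")
        feats["mail"].add("tld:" + labels[-1])
        if len(labels) > 1:
            feats["company"].add(labels[-2])
        if display:
            feats["name"].add(display.lower())
    else:  # executable, compound document, script, compressed file
        # Version-info style metadata, when the sample carries it (constructed keys).
        for key, item in (("CompanyName", "company"), ("Author", "name")):
            if key in sample.get("metadata", {}):
                feats[item].add(sample["metadata"][key].lower())
    return feats


def jaccard(a, b):
    """Similarity A_ij between the sample's values and the library's values."""
    return len(a & b) / len(a | b) if a and b else 0.0


def correlation_strength(feats, region):
    """P_j = sum_i k_i * A_ij, the assumed weighted-sum reading of claim 7."""
    lib, w = REGION_LIBRARY[region], REGION_WEIGHTS[region]
    return sum(w[i] * jaccard(feats[i], lib[i]) for i in FEATURE_ITEMS)


def trace(sample, threshold=0.6):
    """Claim 2: regions whose correlation strength exceeds the preset threshold."""
    feats = extract_regional_features(sample)
    scores = {r: correlation_strength(feats, r) for r in REGION_LIBRARY}
    return sorted(((r, p) for r, p in scores.items() if p > threshold),
                  key=lambda rp: -rp[1])


# Constructed phishing-mail sample to trace.
SAMPLE_MAIL = {
    "format": "mail",
    "headers": {"Date": "Thu, 04 Mar 2021 10:15:00 +0800",
                "From": "Ops Team <ops@corp.aa>"},
    "body": "\u8bf7\u67e5\u6536\u9644\u4ef6\uff0c\u8c22\u8c22\u3002 Please see the attachment.",
}

if __name__ == "__main__":
    print(trace(SAMPLE_MAIL))  # [('region-A', 0.85)]
```

Because an item the sample does not expose scores zero rather than being skipped, a sample with few extractable items can never reach a high strength; a deployment would either renormalise the weights over the items actually present or keep the threshold low enough for sparse samples, and the periodic library update of claim 6 is what keeps the library values from going stale.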
CN202110241596.4A 2021-03-04 2021-03-04 Tracing method and device based on regional characteristics Active CN112839061B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110241596.4A CN112839061B (en) 2021-03-04 2021-03-04 Tracing method and device based on regional characteristics

Publications (2)

Publication Number Publication Date
CN112839061A CN112839061A (en) 2021-05-25
CN112839061B true CN112839061B (en) 2022-11-25

Family

ID=75934579

Country Status (1)

Country Link
CN (1) CN112839061B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116468032B (en) * 2023-03-07 2024-04-16 北京智慧星光信息技术股份有限公司 Information tracing method, device and equipment based on self-media information
CN116883026B (en) * 2023-09-06 2023-12-26 深圳市深信信息技术有限公司 Agricultural product origin tracing method and system based on big data

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7302705B1 (en) * 2000-08-30 2007-11-27 International Business Machines Corporation Method and apparatus for tracing a denial-of-service attack back to its source
US8281400B1 (en) * 2002-07-23 2012-10-02 Juniper Networks, Inc. Systems and methods for identifying sources of network attacks
CN106685803A (en) * 2016-12-29 2017-05-17 北京安天网络安全技术有限公司 Method and system of tracing APT attack event based on phishing mail
CN110336808A (en) * 2019-06-28 2019-10-15 南瑞集团有限公司 A kind of attack source tracing method and system towards electric power industry control network
CN110764969A (en) * 2019-10-25 2020-02-07 新华三信息安全技术有限公司 Network attack tracing method and device
CN111193749A (en) * 2020-01-03 2020-05-22 北京明略软件系统有限公司 Attack tracing method and device, electronic equipment and storage medium
WO2020107446A1 (en) * 2018-11-30 2020-06-04 北京比特大陆科技有限公司 Method and apparatus for obtaining attacker information, device, and storage medium
CN111935192A (en) * 2020-10-12 2020-11-13 腾讯科技(深圳)有限公司 Network attack event tracing processing method, device, equipment and storage medium
CN112333196A (en) * 2020-11-10 2021-02-05 恒安嘉新(北京)科技股份公司 Attack event tracing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Heilongjiang Province (No. 838, Shikun Road)

Applicant after: Antan Technology Group Co.,Ltd.

Address before: Room 506, 162 Hongqi Street, Nangang 17 building, high tech entrepreneurship center, high tech Industrial Development Zone, Songbei District, Harbin City, Heilongjiang Province

Applicant before: Harbin Antian Science and Technology Group Co.,Ltd.

GR01 Patent grant