CN113055395A - Security detection method, device, equipment and storage medium

Info

Publication number: CN113055395A (granted version: CN113055395B)
Application number: CN202110327189.5A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 龚炜林
Assignee (original and current): Sangfor Technologies Co Ltd
Legal status: granted, active
Prior art keywords: detection, information, security, safety, detected

Classifications (CPC)

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The present application discloses a security detection method applied to a security detection platform that comprises a plurality of security detection engines. The method comprises: any one of the security detection engines performs security detection on received information to be detected, based on detection elements, to obtain a detection result; and an information base is updated according to the detection result, so that any one of the security detection engines in the platform performs security detection on subsequently received information to be detected based on the updated information base and the detection elements. With the technical solution provided by the application, high detection efficiency is maintained, network congestion is effectively avoided, missed reports and false reports are reduced, and user services keep running normally. The application also discloses a security detection apparatus, device and storage medium with corresponding technical effects.

Description

Security detection method, device, equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a security detection method, apparatus, device, and storage medium.
Background
With the rapid development of computer and network technology, networks are used ever more widely, and network security draws ever more attention.
Network security problems are mainly reflected in the security of information such as network traffic. Detecting the security of such information, and thereby ensuring it, goes a long way toward keeping user services running normally.
How to perform effective security detection on information such as network traffic is therefore a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The purpose of the present application is to provide a security detection method, apparatus, device and storage medium that detect the security of information such as network traffic effectively, improve detection efficiency and accuracy, and keep user services running normally.
To solve the above technical problem, the present application provides the following technical solution:
A security detection method, applied to a security detection platform that comprises a plurality of security detection engines, the method comprising:
any one of the security detection engines performing security detection on received information to be detected, based on detection elements, to obtain a detection result; and
updating an information base according to the detection result, so that any one of the security detection engines in the security detection platform performs security detection on subsequently received information to be detected based on the updated information base and the detection elements.
In a specific embodiment of the present application, the information to be detected includes a plurality of detection elements, and updating the information base according to the detection result includes:
taking the network elements under the detection results corresponding to the respective detection elements as combination elements; and
updating the information base based on the combination elements.
In a specific embodiment of the present application, performing security detection on the received information to be detected based on the detection elements includes:
determining a corresponding detection level based on the suspicion degree of the detection elements of the received information to be detected; and
performing security detection on the information to be detected based on the detection level.
In a specific embodiment of the present application, performing security detection on the received information to be detected based on the detection elements includes:
searching the information base for the information group corresponding to a detection element included in the received information to be detected, wherein the information base comprises a plurality of information groups, different information groups comprise different network elements, and the network elements correspond one to one with the detection elements; and
performing security detection on the information to be detected based on the information group found.
In a specific embodiment of the present application, the detection result is that the information to be detected is secure information, and updating the information base according to the detection result includes:
determining whether all information that includes the detection elements of the information to be detected, within a set time period, is secure information; and
if so, adding the network elements corresponding to the detection elements of the information to be detected to a white information base included in the information base.
In a specific embodiment of the present application, the security detection platform includes a security detection engine obtained by training a machine learning model, and the security detection method further includes:
establishing a baseline based on historical data corresponding to the information base;
obtaining training data based on the baseline; and
training the machine learning model with the training data to obtain the security detection engine.
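The three steps of this embodiment (a baseline built from the information base's history, training data derived from that baseline, a model trained on it to serve as an engine) are shown below as an added Python example; it is not the patent's or Sangfor's engine. The record layout (element, hour of day, hourly request count), the two features, the nearest-centroid model and the sample history are assumptions chosen to keep the example self-contained; the hostnames reuse the placeholders from the patent text.

```python
"""Security detection engine obtained by training a model on data derived
from a baseline over the information base's history.

Added example, not Sangfor's engine. Record layout, features, the
nearest-centroid model and the sample history are assumptions.
"""
import math
import statistics
from typing import Callable, Dict, List, Tuple

# (element, hour_of_day, requests_in_that_hour); constructed sample history
Record = Tuple[str, int, int]

HISTORY: List[Record] = [
    ("www.xxx.com", 9, 100), ("www.xxx.com", 10, 120), ("www.xxx.com", 11, 110),
    ("www.xxx.com", 14, 90), ("www.xxx.com", 16, 105), ("www.xxx.com", 17, 95),
    ("k.k.k.k", 2, 400), ("k.k.k.k", 3, 450), ("k.k.k.k", 23, 380),
]
# verdicts the engines have already written to the information base (constructed)
BASE_VERDICTS: Dict[str, str] = {"www.xxx.com": "safe", "k.k.k.k": "threat"}


def establish_baseline(history: List[Record], verdicts: Dict[str, str]) -> dict:
    """Step one: baseline from the history of elements confirmed secure, namely
    mean/std of hourly request volume and the hour range they were active in."""
    safe = [r for r in history if verdicts.get(r[0]) == "safe"]
    counts = [r[2] for r in safe]
    hours = [r[1] for r in safe]
    return {
        "mean": statistics.fmean(counts),
        "std": statistics.pstdev(counts) or 1.0,   # avoid division by zero
        "hour_min": min(hours),
        "hour_max": max(hours),
    }


def featurize(baseline: dict, hour: int, requests: int) -> Tuple[float, float]:
    """Two features: z-score of the volume against the baseline, and whether
    the hour lies outside the baseline's active range."""
    z = (requests - baseline["mean"]) / baseline["std"]
    off_hours = 0.0 if baseline["hour_min"] <= hour <= baseline["hour_max"] else 1.0
    return (z, off_hours)


def training_data(history: List[Record], verdicts: Dict[str, str], baseline: dict):
    """Step two: label every historical record with the verdict the base holds."""
    return [(featurize(baseline, h, n), verdicts[e]) for e, h, n in history if e in verdicts]


def train(samples) -> Dict[str, Tuple[float, ...]]:
    """Step three: nearest-centroid classifier, one centroid per label."""
    sums: Dict[str, List[float]] = {}
    counts: Dict[str, int] = {}
    for x, label in samples:
        acc = sums.setdefault(label, [0.0] * len(x))
        for i, v in enumerate(x):
            acc[i] += v
        counts[label] = counts.get(label, 0) + 1
    return {label: tuple(v / counts[label] for v in acc) for label, acc in sums.items()}


def predict(model: Dict[str, Tuple[float, ...]], x: Tuple[float, ...]) -> str:
    return min(model, key=lambda label: math.dist(model[label], x))


def build_engine(history: List[Record] = HISTORY,
                 verdicts: Dict[str, str] = BASE_VERDICTS) -> Callable[[int, int], str]:
    """Return a detection engine: (hour, requests) -> 'safe' | 'threat'."""
    baseline = establish_baseline(history, verdicts)
    model = train(training_data(history, verdicts, baseline))

    def engine(hour: int, requests: int) -> str:
        return predict(model, featurize(baseline, hour, requests))

    return engine
```

The baseline is deliberately built only from elements the base already marks secure, so a later change to the white base changes what "normal" means the next time the engine is trained; a daytime burst far above the baseline is classified as a threat even though the off-hours feature is zero, because the volume feature dominates the distance.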
In an embodiment of the present application, the network element includes a domain name, a link address, or a network address.
A security detection apparatus, applied to a security detection platform that comprises a plurality of security detection engines, the apparatus comprising:
an information security detection module, configured to trigger any one of the security detection engines to perform security detection on received information to be detected, based on detection elements, to obtain a detection result; and
an information base updating module, configured to update the information base according to the detection result, so that any one of the security detection engines in the security detection platform performs security detection on subsequently received information to be detected based on the updated information base and the detection elements.
A security detection device, applied to a security detection platform, comprising:
a memory for storing a computer program; and
a processor for implementing the steps of any of the security detection methods described above when executing the computer program.
A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of any of the security detection methods described above.
By applying the technical solution provided by the embodiments of the present application, any one of the security detection engines in the security detection platform can perform security detection on received information to be detected, based on the detection elements, to obtain a detection result, and then update the information base according to that result, so that any one of the security detection engines in the platform can perform security detection on subsequently received information to be detected based on the updated information base and the detection elements. Every security detection engine in the platform takes part in detection, so high detection efficiency is maintained even under heavy network traffic and network congestion is effectively avoided; and because every engine updates and jointly maintains the information base, detection based on the information base and the detection elements becomes more accurate, missed reports and false reports are reduced, and user services keep running normally.
Drawings
To illustrate the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a security detection platform in an embodiment of the present application;
Fig. 2 is a flowchart of a security detection method in an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a security detection apparatus in an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a security detection device in an embodiment of the present application.
Detailed Description
The core of the present application is a security detection method that can be applied to a security detection platform. The platform may include several kinds of security detection engines, such as a UEBA (user and entity behavior analytics) engine, a rules engine, and so on.
In practice, a security detection platform may be deployed at the egress, ingress, etc. of a network. The platform comprises a plurality of security detection engines, each of which can perform security detection on information to be detected such as network traffic, and different engines may target different types of information to be detected. While the network system and the user services operate normally, the information they generate can be collected by an information collection device and transmitted to the platform as information to be detected. Because the platform comprises a plurality of engines, it can decide, according to the type of the information to be detected, which engine performs the security detection.
As shown in Fig. 1, the security detection platform includes security detection engine A, security detection engine B, security detection engine C, and so on, and these engines jointly maintain the information base.
Any one of the engines in the platform can perform security detection on received information to be detected, based on the detection elements, to obtain a detection result, and then update the information base according to that result, so that any engine in the platform can perform security detection on subsequently received information to be detected based on the updated information base and the detection elements. Every engine takes part in detection, so high detection efficiency is maintained under heavy network traffic and network congestion is avoided; and because every engine updates and jointly maintains the information base, detection based on the information base and the detection elements becomes more accurate, missed and false reports are reduced, and user services keep running normally.
So that those skilled in the art may better understand the disclosure, a detailed description is given below with reference to the accompanying drawings. The embodiments described are only some, not all, of the embodiments of the present application; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the present application.
Referring to Fig. 2, which shows a flowchart of an implementation of the security detection method provided in an embodiment of the present application, the method may include the following steps:
s210: and any one of the safety detection engines carries out safety detection on the received information to be detected based on the detection elements to obtain a detection result.
In practical applications, different types of security detection engines aim at different types of information to be detected. After the information to be detected reaches the security detection platform, it can be determined which security detection engine is used for security detection based on the type of the information to be detected.
After receiving the information to be detected, any one of the security detection engines in the security detection platform can perform security detection on the information to be detected based on the detection elements to obtain a detection result. The detection element may include a domain name, a link address, or a network address.
S220: and updating the information base according to the detection result so that any one safety detection engine in the safety detection platform carries out safety detection on the received information to be detected based on the updated information base and the detection elements.
In the embodiment of the application, the information base can record network elements of information such as network traffic and the like, and information such as whether the information is safe and suspicious.
The network element may include a domain name, a link address, or a network address. The network elements correspond to the detection elements one to one. The link address may be a URL (uniform resource locator) address, and the network address may be an IP (Internet Protocol) address.
The security detection platform includes a plurality of security detection engines that can collectively maintain a repository of information. After any one of the security detection engines performs security detection on the received information to be detected based on the detection elements to obtain a detection result, the information base can be updated according to the detection result. Specifically, various information recorded in the information base may be updated. Therefore, any one of the security detection engines in the security detection platform can perform security detection on the received information to be detected based on the updated information base and the detection elements.
The multiple security detection engines maintain the information base together. For any one safety detection engine, when the safety detection engine performs safety detection on information to be detected, the detection conditions of other safety detection engines on the associated information of the information to be detected can be known through the information base, and according to the relevant information recorded in the information base, whether the safety detection on the information to be detected is needed or not can be rapidly determined, or the safety detection of what degree is performed, so that the detection efficiency can be improved. Moreover, different safety detection engines have different detection capabilities, and detection results of various safety detection engines for some associated information can be shared through the information base, so that the detection accuracy of each safety detection engine can be improved, and the occurrence of false alarm and missed alarm can be reduced.
In an embodiment of the present application, the information to be detected may include a plurality of detection elements, and updating the information base according to the detection result may include the following steps:
step one: taking the network elements under the detection results corresponding to the respective detection elements as combination elements;
step two: updating the information base based on the combination elements.
In this embodiment, when any one of the engines in the platform performs security detection on received information based on the detection elements and that information includes several detection elements, the information can be detected based on each detection element separately, giving a detection result for each.
Detection elements correspond one to one with network elements, so the detection results for the respective detection elements together comprise several network elements; these network elements can be taken as combination elements, and the information base is then updated based on them.
For example, the combination elements may be a domain name, a link address and a network address together; the information base is updated with them, so that the information carrying that domain name, link address and network address is recorded in the base.
In an embodiment of the present application, after any one of the engines in the platform receives information to be detected, it may extract the detection elements of that information, query the information base for the corresponding network elements, and determine whether they exist in the base.
If the corresponding network element exists in the base, the security of information associated with the information to be detected has already been judged, and whether to perform security detection on the information to be detected can be decided from the base.
Specifically, the decision can be made from the security information recorded in the base for the network element corresponding to the information to be detected.
If that security information indicates that the network element is secure, security detection of the information to be detected can be considered unnecessary and skipped, which saves detection time and improves detection efficiency.
If it indicates that the network element is not secure, the information to be detected can be considered a threat and detected further.
Because the platform's engines jointly maintain the information base, an engine first decides whether received information needs security detection instead of detecting every piece of received information directly, which improves detection efficiency.
In an embodiment of the present application, the information base may include a white information base recording the network elements confirmed secure; if the network element corresponding to the information to be detected exists in the white base, security detection of that information may be omitted.
That is, a hit in the white base means that the associated information was previously confirmed secure, so the information to be detected can be directly confirmed secure and its security detection skipped, saving detection time and improving efficiency.
For example, one security detection engine such as the UEBA engine, having found that accesses to the domain name www.xxx.com are normal and occur at reasonable times in the actual environment, may add www.xxx.com to the white information base; another engine performing DGA (domain generation algorithm) domain detection then finds www.xxx.com already in the white base and skips the subsequent, more complex detection.
In an embodiment of the present application, the information base may include a black information base recording the network elements confirmed to be threats; if the network element corresponding to the information to be detected exists in the black base, it may be determined that security detection is to be performed on that information.
That is, a hit in the black base means that the associated information was previously confirmed to be a threat, so security detection of the information to be detected is performed. Detecting further the information whose network elements are in the black base reduces missed alarms, improves detection accuracy and safeguards the network system.
For example, one security detection engine such as the UEBA engine detects that http://k.k.k.k/download is an abnormal access and records it in the black information base; when another engine performs webshell detection, it finds http://k.k.k.k/download already in the black base and can perform full, in-depth analysis on it.
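The lookup-then-detect flow of the last several embodiments (a white hit skips detection, a black hit triggers full analysis, an unknown element is detected and written back, and the several elements of one record are handled together as combination elements) is shown below as an added Python example; it is not code from the patent or from Sangfor. It also keeps one group per element type, as the information-group embodiment later in the description calls for. The class and function names, the engine names, the three plan labels, the `detector` callback, and the rule that a threat verdict is not overwritten by a later safe verdict are assumptions; `www.xxx.com` and `http://k.k.k.k/download` are the placeholders used in the patent text.

```python
"""Shared information base consulted and updated by several detection engines.

Added example, not code from the patent or from Sangfor. Element types,
engine names, plan labels and the sticky-threat rule are assumptions; the
element values in demo() are the placeholders from the patent text.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Optional

ELEMENT_TYPES = ("domain", "url", "ip")   # one information group per type (assumed)


class InformationBase:
    """One information group per element type; each group holds a white and a
    black sub-base mapping element -> {"verdict", "engine"}."""

    def __init__(self) -> None:
        self._groups: Dict[str, Dict[str, Dict[str, dict]]] = defaultdict(
            lambda: {"white": {}, "black": {}}
        )

    def record(self, etype: str, element: str, verdict: str, engine: str) -> None:
        """Write an engine's verdict. A threat verdict moves the element to the
        black sub-base; a later safe verdict does not clear it (assumed rule)."""
        group = self._groups[etype]
        entry = {"verdict": verdict, "engine": engine}
        if verdict == "threat":
            group["white"].pop(element, None)
            group["black"][element] = entry
        elif element not in group["black"]:
            group["white"][element] = entry

    def lookup(self, etype: str, element: str) -> Optional[str]:
        """'threat' on a black hit, 'safe' on a white hit, None if never judged."""
        group = self._groups[etype]
        if element in group["black"]:
            return "threat"
        if element in group["white"]:
            return "safe"
        return None


def extract_elements(record: dict) -> Dict[str, str]:
    """The detection elements carried by one record; together they are the
    patent's combination elements."""
    return {t: record[t] for t in ELEMENT_TYPES if record.get(t)}


def plan_detection(base: InformationBase, record: dict) -> str:
    """'full' if any element is black, 'skip' if every element is white,
    otherwise 'detect' (at least one element has never been judged)."""
    verdicts = [base.lookup(t, v) for t, v in extract_elements(record).items()]
    if "threat" in verdicts:
        return "full"
    if verdicts and all(v == "safe" for v in verdicts):
        return "skip"
    return "detect"


def run_engine(base: InformationBase, engine: str, record: dict,
               detector: Callable[[dict, str], str]) -> str:
    """Consult the base, call detector(record, plan) only when needed, then
    write every element of the record back so the other engines can reuse it."""
    plan = plan_detection(base, record)
    if plan == "skip":
        return "safe"
    verdict = detector(record, plan)
    for etype, element in extract_elements(record).items():
        base.record(etype, element, verdict, engine)
    return verdict


def demo() -> dict:
    """Replays the two scenarios from the text; returns the base and the plans taken."""
    base = InformationBase()
    plans: List[str] = []

    def ueba(record: dict, plan: str) -> str:   # assumed verdicts standing in for UEBA
        return "threat" if record.get("url") == "http://k.k.k.k/download" else "safe"

    def dga(record: dict, plan: str) -> str:    # must never run on a white hit
        raise AssertionError("white hit must skip the DGA engine")

    def webshell(record: dict, plan: str) -> str:
        plans.append(plan)                       # expected: 'full' (black hit)
        return "threat"

    run_engine(base, "ueba", {"domain": "www.xxx.com"}, ueba)              # -> white
    plans.append(plan_detection(base, {"domain": "www.xxx.com"}))           # 'skip'
    run_engine(base, "dga", {"domain": "www.xxx.com"}, dga)                 # skipped
    run_engine(base, "ueba", {"url": "http://k.k.k.k/download"}, ueba)      # -> black
    run_engine(base, "webshell",
               {"url": "http://k.k.k.k/download", "ip": "k.k.k.k"}, webshell)
    return {"base": base, "plans": plans}
```

A record with one white element and one never-judged element is planned as `detect`, not `skip`, because the base has nothing to say about the second element; the black-hit case wins over everything else so that a known-bad URL always gets the full analysis the text describes, and the IP it was served from is written back as a threat at the same time.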
In a specific embodiment of the present application, performing security detection on the received information to be detected based on the detection elements may include the following steps:
step one: determining a corresponding detection level based on the suspicion degree of the detection elements of the received information to be detected;
step two: performing security detection on the information to be detected based on the detection level.
For convenience of description, the two steps are explained together.
In this embodiment, each network element recorded in the information base may carry a suspicion degree. The rule for computing it can be set and adjusted according to the actual situation. For example, the more often a network element has been judged a threat within a set period of time, the higher its suspicion degree, and vice versa; alternatively, the more security detection engines have judged it a threat, the higher its suspicion degree, and vice versa.
After receiving the information to be detected, any one of the engines can determine the suspicion degree of its detection elements. Since detection elements correspond one to one with network elements, the suspicion degree of a detection element is obtained from the suspicion degree of the corresponding network element in the base. Different suspicion degrees may correspond to different detection levels: a detection element with low suspicion is detected at a lower level, and one with higher suspicion at a higher level.
For example, if an engine performs security detection by feature analysis, it may use fewer features when a lower detection level is chosen and more features when a higher level is chosen.
This improves both detection accuracy and detection efficiency.
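Both steps of this embodiment, and the feature-analysis example above, as an added Python example that is not from the patent or from Sangfor: the suspicion degree combines the two rules the text names (threat verdicts within a time period, and how many distinct engines gave them), the degree selects a detection level, and the level decides how many features a domain-name detector consults. The degree formula, the level thresholds, the five domain features, the 40 % firing threshold and the sample verdict history are all assumptions chosen to illustrate the scheme, not values from the patent.

```python
"""Suspicion degree of a detection element, the detection level it selects and
a feature-analysis engine that consults more features at a higher level.

Added example, not from the patent or Sangfor. Degree formula, thresholds,
features and the sample history are assumptions.
"""
import math
from collections import Counter
from typing import Iterable, List, Tuple

# (element, engine, verdict, timestamp) rows as engines write them to the base
VerdictRow = Tuple[str, str, str, int]

SAMPLE_VERDICTS: List[VerdictRow] = [          # constructed history
    ("zqxvwk3.biz", "rules", "safe", 900),
    ("zqxvwk3.biz", "ueba", "threat", 1000),
    ("zqxvwk3.biz", "rules", "threat", 1100),
    ("old.example", "ueba", "threat", 10),
]


def suspicion_degree(rows: Iterable[VerdictRow], element: str, now: int, window: int) -> int:
    """Threat verdicts for the element inside the window, weighted by how many
    distinct engines gave them (both rules from the text; the product is assumed)."""
    recent = [r for r in rows if r[0] == element and r[2] == "threat" and now - r[3] <= window]
    return len(recent) * len({r[1] for r in recent})


def detection_level(degree: int) -> int:
    """0 = unknown or low, 1 = medium, 2 = high (thresholds assumed)."""
    if degree == 0:
        return 0
    return 1 if degree < 4 else 2


VOWELS = set("aeiou")


def _label(domain: str) -> str:
    """The registrable label: drop a leading 'www.' and the final TLD label."""
    parts = domain.lower().split(".")
    if parts[0] == "www" and len(parts) > 2:
        parts = parts[1:]
    return parts[-2] if len(parts) >= 2 else parts[0]


def _entropy(s: str) -> float:
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def _longest_nonvowel_run(s: str) -> int:
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


# Ordered cheapest first; a lower detection level consults a shorter prefix.
FEATURES = [
    ("length_gt_10", lambda s: len(s) > 10),
    ("digit_ratio_gt_0.2", lambda s: sum(ch.isdigit() for ch in s) / len(s) > 0.2),
    ("entropy_gt_3", lambda s: _entropy(s) > 3.0),
    ("nonvowel_run_ge_5", lambda s: _longest_nonvowel_run(s) >= 5),
    ("vowel_ratio_lt_0.1", lambda s: sum(ch in VOWELS for ch in s) / len(s) < 0.1),
]
FEATURES_PER_LEVEL = {0: 2, 1: 3, 2: len(FEATURES)}


def detect_domain(domain: str, level: int) -> str:
    """Feature-analysis verdict using only the features the level allows;
    'threat' when at least 40 % of the consulted features fire (assumed)."""
    label = _label(domain)
    used = FEATURES[:FEATURES_PER_LEVEL[level]]
    fired = sum(1 for _, f in used if f(label))
    return "threat" if fired * 5 >= 2 * len(used) else "safe"


def classify(domain: str, rows: Iterable[VerdictRow], now: int, window: int) -> Tuple[int, str]:
    """Step one then step two: level from the suspicion degree in the base,
    then detection of the domain at that level."""
    level = detection_level(suspicion_degree(list(rows), domain, now, window))
    return level, detect_domain(domain, level)
```

The interesting case is a label such as `zqxvwk3` that passes the two cheap features (length and digit ratio) but trips the consonant-run and vowel-ratio features: an engine that sees it with no history runs at level 0 and clears it, while the same engine, once two other engines have recorded threat verdicts within the window, runs at level 2 and catches it. This is precisely the trade-off the embodiment describes between efficiency on unknown elements and accuracy on suspicious ones.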
In practice, the information base may include a black information base and a white information base, and each type of security detection engine can load the corresponding black and/or white base according to its actual usage scenario; different black and/or white bases may also be maintained for different scenarios. Any engine in the platform can load the black base according to its detection purpose so as to hit black data quickly and concentrate detection on it, improving detection accuracy, and can likewise load the white base so as to filter out white data quickly, improving detection performance.
In an embodiment of the present application, when any one of the engines, after receiving the information to be detected, determines that the corresponding network element does not exist in the information base, neither this engine nor any other engine has yet performed security detection on information associated with it. In this case the engine performs security detection on the information to be detected to obtain a detection result.
If the information to be detected is determined to be secure, the engine imposes no restriction on it; if it is determined to be a threat, it can be reported to the defense system, which then intercepts it or takes other action.
Once the detection result is obtained, the network element corresponding to the information to be detected and its security state information can be recorded in the information base, updating it. When any engine in the platform subsequently receives new information to be detected, it can determine from the base whether that information needs detection, improving detection accuracy and efficiency.
In practice, where the information base includes a black base and a white base, the network element corresponding to information determined to be secure is added to the white base, and that corresponding to information determined to be a threat is added to the black base, with the corresponding security state information recorded at the same time.
In an embodiment of the present application, the performing security detection on the received information to be detected based on the detection element may include the following steps:
step one: searching the information base for the information group corresponding to a detection element included in the received information to be detected, wherein the information base includes a plurality of information groups, different information groups include different network elements, and the network elements correspond one to one to the detection elements;
step two: performing security detection on the information to be detected based on the information group found.
For convenience of description, the above two steps are combined for illustration.
In the embodiment of the application, the information base comprises a plurality of information groups, different information groups comprise different network elements, and the network elements correspond to the detection elements one to one. For example, the information base includes information group 1 and information group 2, the network element included in the information group 1 is a domain name, and the network element included in the information group 2 is a link address.
After receiving the information to be detected, any security detection engine in the security detection platform can search an information group corresponding to a detection element included in the received information to be detected in the information base, and then perform security detection on the information to be detected based on the searched information group, so that the method is more targeted, and the detection efficiency can be improved.
In one embodiment of the present application, when the detection result is that the information to be detected is safe information, updating the information base according to the detection result comprises the following steps:
determining whether all information that includes the detection element of the information to be detected, received within a set time period, is safe information;
and if so, adding the network element corresponding to the detection element of the information to be detected into a white information base included in the information base.
In this embodiment of the present application, any one of the security detection engines in the security detection platform performs security detection on the received information to be detected to obtain a detection result. If the detection result is that the information to be detected is safe information, it can further be determined whether all information including the detection element of the information to be detected, received within a set time period, was safe information. The set time period can be set and adjusted according to actual conditions. If all such information within the set time period was safe, the information to be detected can be considered absolutely safe, and the network element corresponding to its detection element can be added to the white information base included in the information base. When any security detection engine subsequently receives information associated with the information to be detected, its safety can be determined directly through the white information base, and no further security detection is needed.
For example, a security detection engine detects that network traffic with the network element http://x.x.x.x/download has not carried any threat for the last 7 days, and may record the network element into the white information base.
In an embodiment of the present application, the security detection platform includes a security detection engine obtained by training a machine learning model, and the method may further include the following steps:
step one: establishing a baseline based on historical data corresponding to the information base;
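The flow described above (an engine consulting the shared information base before running its own detection, recording the result so other engines can reuse it, grouping elements by type, and promoting a network element to the white information base only after the set period of all-safe observations), as an added Python example that is not part of the patent or of the assignee's product. The two engines, the toy detector rule, the seven days of traffic and the split into a domain group and a link group are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

WHITELIST_WINDOW = timedelta(days=7)  # the "set time period" (7 days in the example)

@dataclass
class InfoGroup:
    """One information group: all network elements of a single element type."""
    black: Set[str] = field(default_factory=set)
    white: Set[str] = field(default_factory=set)
    # security state information: element -> [(time observed, was safe), ...]
    history: Dict[str, List[Tuple[datetime, bool]]] = field(
        default_factory=lambda: defaultdict(list))

class InfoBase:
    def __init__(self) -> None:
        # constructed: group 1 holds domain names, group 2 holds link addresses
        self.groups = {"domain": InfoGroup(), "link": InfoGroup()}

    def lookup(self, kind: str, element: str) -> Optional[str]:
        g = self.groups[kind]  # None means no engine has detected this element yet
        return "black" if element in g.black else "white" if element in g.white else None

    def record(self, kind: str, element: str, safe: bool, when: datetime) -> None:
        g = self.groups[kind]
        obs = g.history[element]
        obs.append((when, safe))
        if not safe:
            g.black.add(element)
            g.white.discard(element)
            return
        # Promote only once the element has been seen for the whole set period,
        # every observation inside that period was safe, and it is not black-listed.
        recent_safe = all(ok for t, ok in obs if when - t <= WHITELIST_WINDOW)
        if element not in g.black and when - obs[0][0] >= WHITELIST_WINDOW and recent_safe:
            g.white.add(element)

def detection_elements(url: str) -> List[Tuple[str, str]]:
    """Split one request into the detection elements an engine looks up."""
    return [("domain", urlsplit(url).hostname or ""), ("link", url)]

def toy_detector(kind: str, element: str) -> bool:
    """Constructed stand-in for an engine's own signature or model check."""
    return not (kind == "link" and element.endswith("/malware.exe"))

@dataclass
class Engine:
    base: InfoBase
    detector: Callable[[str, str], bool]
    scans: int = 0                                      # own detections performed
    reported: List[str] = field(default_factory=list)  # handed to the defense system

    def handle(self, url: str, when: datetime) -> str:
        verdict = "allowed"
        for kind, element in detection_elements(url):
            status = self.base.lookup(kind, element)
            if status == "white":
                continue                       # absolutely safe: no further detection
            if status == "black":
                self.reported.append(element)  # known threat: report for interception
                verdict = "blocked"
                continue
            self.scans += 1                    # unknown: this engine must detect it
            safe = self.detector(kind, element)
            self.base.record(kind, element, safe, when)
            if not safe:
                self.reported.append(element)
                verdict = "blocked"
        return verdict

def run_demo() -> Dict[str, object]:
    base = InfoBase()
    a, b = Engine(base, toy_detector), Engine(base, toy_detector)
    start = datetime(2021, 3, 1)
    good, bad = "http://x.x.x.x/download", "http://x.x.x.x/malware.exe"
    for day in range(8):                       # the same download seen daily for 7 days
        a.handle(good, start + timedelta(days=day))
    later = start + timedelta(days=8)
    good_verdict = b.handle(good, later)       # B relies on the white base: no scan
    a.handle(bad, later)                       # A detects the threat and records it
    bad_verdict = b.handle(bad, later)         # B reuses A's black entry: no rescan
    return {"link_white": base.lookup("link", good), "a_scans": a.scans,
            "b_scans": b.scans, "good": good_verdict, "bad": bad_verdict, "b_reported": b.reported}
```

Engine B never runs its own detection in this run: the download link is trusted through the white base after the seventh day, and the threat link is blocked from the black entry engine A recorded.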
step two: obtaining training data based on a baseline;
step three: and training the machine learning model by using the training data to obtain the safety detection engine.
For convenience of description, the above three steps are combined for illustration.
In the embodiment of the application, a security detection engine obtained by training a machine learning model can be included in the security detection platform.
The security detection platform comprises a plurality of security detection engines that jointly maintain the information base, and the information base is continuously updated. A baseline may be established based on historical data corresponding to the information base. Information such as which IP always accesses which web site, or at what time, can be learned from the baseline. Training data may be obtained based on the baseline, and the machine learning model is then trained with the training data, for example by retraining or incremental training, to obtain the security detection engine. The machine learning model thus improves itself, the detection accuracy and detection effect of the target security detection engine are improved, and the engine is adapted as far as possible to the actual traffic environment.
For example, when the UEBA engine performs historical access modeling, because the network element exists in the white information base, access to http://x.x.x.x/download can be fully trusted; a baseline can be established based on 7 days of traffic data, training data obtained based on the baseline, and a baseline-based machine learning model trained.
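The baseline step above, as an added Python example that is not the patent's or the assignee's code: it derives the "which IP accesses which site, and at what hour" baseline from 7 days of traffic, admitting only links already in the white information base, turns it into training rows, and relates a new access to that baseline. Representing the baseline as per-source counts of (link, hour) pairs, the constructed traffic, the white base contents and the `unvetted.example` placeholder host are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Access = Tuple[datetime, str, str]   # (time, source IP, link address)
Baseline = Dict[str, Counter]        # source IP -> Counter[(link, hour of day)]

def build_baseline(history: List[Access], white_links: Set[str],
                   days: int = 7) -> Baseline:
    """Which source IP accesses which site, and at what hour, over the last `days`.

    Only links already in the white information base are trusted enough to shape
    the baseline, so a not-yet-vetted site cannot teach the model that it is normal.
    """
    cutoff = max(t for t, _, _ in history) - timedelta(days=days)
    baseline: Baseline = defaultdict(Counter)
    for when, src, link in history:
        if when >= cutoff and link in white_links:
            baseline[src][(link, when.hour)] += 1
    return baseline

def training_rows(baseline: Baseline) -> List[Tuple[str, str, int, float]]:
    """Training data derived from the baseline: (src, link, hour, share of src's accesses)."""
    rows = []
    for src, counter in baseline.items():
        total = sum(counter.values())
        rows.extend((src, link, hour, n / total) for (link, hour), n in counter.items())
    return sorted(rows)

def classify(baseline: Baseline, src: str, link: str, hour: int) -> str:
    """How a new access at the given hour relates to the baseline the engine learned."""
    counter = baseline.get(src)
    if not counter:
        return "no baseline for source"
    if not any(seen_link == link for seen_link, _ in counter):
        return "site not in source's baseline"
    if counter[(link, hour)] == 0:   # Counter returns 0 for an unseen (link, hour)
        return "known site, unusual hour"
    return "matches baseline"

def sample_history() -> List[Access]:
    """Constructed 7-day traffic: one workstation fetching the trusted download each
    morning, plus two accesses to a link that is not (yet) on the white base."""
    start = datetime(2021, 3, 19, 9, 0)
    rows = [(start + timedelta(days=d), "10.0.0.5", "http://x.x.x.x/download")
            for d in range(7)]
    rows += [(start + timedelta(days=d, hours=5), "10.0.0.5", "http://unvetted.example/api")
             for d in (2, 4)]
    return rows

WHITE_LINKS = {"http://x.x.x.x/download"}   # constructed white information base
```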
Corresponding to the above method embodiments, the present application further provides a security detection apparatus, which is applied to a security detection platform comprising multiple security detection engines; the security detection apparatus described below and the security detection method described above correspond to each other and may be read together.
Referring to fig. 3, the apparatus includes the following modules:
the information security detection module 310 is configured to trigger any one of the security detection engines to perform security detection on the received information to be detected based on the detection element to obtain a detection result;
and the information base updating module 320 is configured to update the information base according to the detection result, so that any one of the security detection engines in the security detection platform performs security detection on the received information to be detected based on the updated information base and the detection elements.
By applying the apparatus provided by the embodiment of the application, any one of the security detection engines in the security detection platform can perform security detection on the received information to be detected based on the detection element to obtain a detection result, and then update the information base according to the detection result, so that any one of the security detection engines in the security detection platform can perform security detection on the received information to be detected based on the updated information base and the detection element. Each security detection engine in the security detection platform can take part in detection, so higher detection efficiency can be guaranteed in a scenario with larger network traffic and network congestion can be effectively avoided. Each security detection engine can update the information base, and the engines maintain it together, so that security detection of information to be detected based on the information base and detection elements is more accurate, missed reports and false alarms are reduced, and the normal operation of user services can be guaranteed.
In a specific embodiment of the present application, the information to be detected includes a plurality of detection elements, and the information base updating module 320 is configured to:
taking the network elements under the detection results corresponding to the respective detection elements as combined elements;
the information base is updated based on the combined elements.
In one embodiment of the present application, the information security detection module 310 is configured to:
determining a corresponding detection level based on the degree of suspicion of the detection element of the received information to be detected;
and carrying out safety detection on the information to be detected based on the detection level.
In one embodiment of the present application, the information security detection module 310 is configured to:
searching an information group corresponding to a detection element included in received information to be detected in an information base, wherein the information base includes a plurality of information groups, different information groups include different network elements, and the network elements correspond to the detection element one to one;
and carrying out safety detection on the information to be detected based on the searched information group.
In one embodiment of the present application, when the detection result is that the information to be detected is safe information, the information base updating module 320 is configured to:
determining whether the information of the detection elements including the information to be detected in a set time period is all safe information;
and if so, adding the network element corresponding to the detection element of the information to be detected into a white information base included in the information base.
In a specific embodiment of the present application, the security detection platform includes a security detection engine obtained by training a machine learning model, and the security detection apparatus further includes a model training module for:
establishing a baseline based on historical data corresponding to the information base;
obtaining training data based on a baseline;
and training the machine learning model by using the training data to obtain the safety detection engine.
In one embodiment of the present application, the network element includes a domain name, a link address, or a network address.
Corresponding to the above method embodiment, an embodiment of the present application further provides a security detection device, operating on a security detection platform, where the security detection device includes:
a memory for storing a computer program;
and the processor is used for realizing the steps of the security detection method when executing the computer program.
Fig. 4 is a schematic view of the composition of the security detection device, which may include: a processor 10, a memory 11, a communication interface 12 and a communication bus 13. The processor 10, the memory 11 and the communication interface 12 all communicate with each other through the communication bus 13.
In the embodiment of the present application, the processor 10 may be a Central Processing Unit (CPU), an application specific integrated circuit, a digital signal processor, a field programmable gate array or other programmable logic device, etc.
The processor 10 may call a program stored in the memory 11, and in particular, the processor 10 may perform operations in an embodiment of the security detection method.
The memory 11 is used for storing one or more programs. A program may include program code, and the program code includes computer operation instructions. In this embodiment, the memory 11 stores at least the program for implementing the following functions:
any one safety detection engine carries out safety detection on the received information to be detected based on the detection elements to obtain a detection result;
and updating the information base according to the detection result so that any one safety detection engine in the safety detection platform carries out safety detection on the received information to be detected based on the updated information base and the detection elements.
In one possible implementation, the memory 11 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as an information interaction function and a security detection function), and the like; the data storage area can store data created in the using process, such as information data to be detected, safety information data and the like.
Further, the memory 11 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device or other non-volatile solid state storage device.
The communication interface 12 may be an interface of a communication module for connecting with other devices or systems.
Of course, it should be noted that the structure shown in fig. 4 does not limit the security detection device in the embodiment of the present application; in practical applications, the security detection device may include more or fewer components than those shown in fig. 4, or some components may be combined.
Corresponding to the above method embodiments, the present application further provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the above security detection method.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The principle and the implementation of the present application are explained in the present application by using specific examples, and the above description of the embodiments is only used to help understanding the technical solution and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.

Claims (10)

1. A security detection method is applied to a security detection platform, wherein the security detection platform comprises a plurality of security detection engines, and the security detection method comprises the following steps:
any one safety detection engine carries out safety detection on the received information to be detected based on the detection elements to obtain a detection result;
and updating an information base according to the detection result so that any one safety detection engine in the safety detection platform carries out safety detection on the received information to be detected based on the updated information base and the detection elements.
2. The security detection method according to claim 1, wherein the information to be detected includes a plurality of detection elements, and the updating the information base according to the detection result includes:
taking various network elements under the detection results corresponding to various detection elements as combination elements;
updating an information base based on the combined elements.
3. The security detection method according to claim 1, wherein the security detection of the received information to be detected based on the detection element includes:
determining a corresponding detection level based on the suspicious degree of the detection element of the received information to be detected;
and carrying out safety detection on the information to be detected based on the detection level.
4. The security detection method according to claim 1, wherein the security detection of the received information to be detected based on the detection element includes:
searching an information group corresponding to a detection element included in received information to be detected in an information base, wherein the information base comprises a plurality of information groups, different information groups comprise different network elements, and the network elements correspond to the detection element one by one;
and carrying out safety detection on the information to be detected based on the searched information group.
5. The security detection method according to claim 1, wherein the detection result is: the step of updating the information base according to the detection result includes:
determining whether the information of the detection elements including the information to be detected in a set time period is safe information;
and if so, adding the network elements corresponding to the detection elements of the information to be detected into a white information base included in the information base.
6. The security detection method according to claim 5, wherein a security detection engine obtained by training a machine learning model is included in the security detection platform, and the security detection method further includes:
establishing a baseline based on historical data corresponding to the information base;
obtaining training data based on the baseline;
and training the machine learning model by using the training data to obtain a safety detection engine.
7. The security detection method according to any one of claims 2 to 8, wherein the network element comprises a domain name, a link address or a network address.
8. A safety detection device is applied to a safety detection platform, the safety detection platform comprises a plurality of safety detection engines, and the safety detection device comprises:
the information security detection module is used for triggering any one security detection engine to perform security detection on the received information to be detected based on the detection elements to obtain a detection result;
and the information base updating module is used for updating the information base according to the detection result so that any one safety detection engine in the safety detection platform carries out safety detection on the received information to be detected based on the updated information base and the detection elements.
9. A safety inspection device, operable on a safety inspection platform, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the security detection method of any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the security detection method according to any one of claims 1 to 7.

Priority Application

Application Number: CN202110327189.5A (granted as CN113055395B); Priority Date: 2021-03-26; Filing Date: 2021-03-26; Title: Security detection method, device, equipment and storage medium; Status: Active

Publications (2)

Publication Number Publication Date
CN113055395A true CN113055395A (en) 2021-06-29
CN113055395B CN113055395B (en) 2023-09-05
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant