CN113079125A - Clue analyzing and verifying system, apparatus and storage medium for network security - Google Patents
- Publication number: CN113079125A (application CN202010004346.4)
- Authority: CN (China)
- Prior art keywords: module, clue, analysis, network security
- Legal status: Pending (Google lists this status as an assumption, not a legal conclusion)
Classifications
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/14: ... for detecting or protecting against malicious traffic
  - H04L63/1441: Countermeasures against malicious traffic
  - H04L63/1408: ... by monitoring network traffic
  - H04L63/1433: Vulnerability analysis
- H04L63/30: ... for supporting lawful interception, monitoring or retaining of communications or communication related information
  - H04L63/302: ... gathering intelligence information for situation awareness or reconnaissance
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Computer Networks & Wireless Communication; Signal Processing; Evolutionary Computation; Technology Law; Data Exchanges In Wide-Area Networks
Abstract
Embodiments of the invention provide a clue analysis and verification system and device for network security. The system comprises: a clue assessment module for presenting the state of a clue; a clue expansion module for supplying clues for deeper mining; an attack target locating module for locating attacked targets, evaluating each target's risk level and screening out the targets whose risk level exceeds a preset threshold; a clue locating module for locating the IP address of the attacker; and a collaborative sharing module for sharing analysis results with all members of an analysis working group. The clue analysis and verification system and device for network security provided by the embodiments can process large volumes of data efficiently, support visual interactive analysis, build an efficient clue analysis tool on rich clue data resources, and present the analysis results visually.
Description
Technical Field
Embodiments of the invention relate to the technical field of network security, and in particular to a clue analysis and verification system, device and storage medium for network security.
Background
The number of APT attacks with state and organizational backing keeps rising. Since 2014 a number of APT incidents have occurred in China; they have been confirmed as targeted attacks on science and technology, education, energy and transport, among other fields, affecting nearly 30 provinces and municipalities, and the more than ten detection-evading trojans discovered span the Windows, Mac OS and Android platforms. When responding to such incidents, once law enforcement has obtained attack clues such as a C2 domain name, an IP address or a malware sample, it must assess and expand the clues, trace the attack to its source and locate the offenders. This work has long lacked an internet data analysis tool: there is no ready way to assess the background of a new clue through correlation analysis, or to expand clues globally across the time and space dimensions. A clue analysis and verification system for network security that overcomes these shortcomings is therefore a technical problem the industry needs to solve.
Disclosure of Invention
In view of the above problems in the prior art, embodiments of the present invention provide a clue analysis and verification system, device and storage medium for network security.
In a first aspect, an embodiment provides a clue analysis and verification system for network security, comprising: a clue assessment module for presenting the state of a clue; a clue expansion module for supplying clues for deeper mining; an attack target locating module for locating attacked targets, evaluating each target's risk level and screening out the targets whose risk level exceeds a preset threshold; a clue locating module for locating the IP address of the attacker; and a collaborative sharing module for sharing analysis results with all members of an analysis working group.
Building on the above system embodiment, the clue assessment module comprises: a clue information display module for presenting the resources used in a network attack; a clue threat assessment module for assessing the threat level of a clue; a label-assisted assessment module for analysing network attack data using labels; and a data support module for presenting the data list related to a clue and sorting and filtering that list.
Building on the above system embodiment, the system further comprises: a data query module for association queries over network security base data; an association visualization analysis module for association analysis across multiple clues; and a time-axis analysis and playback module for analysing the time axis of a clue and playing back the analysis result.
Building on the above system embodiment, the attack target locating module comprises: a malicious sample source analysis module for locating the uniform resource locators (URLs) from which a malicious sample was downloaded; a malicious sample path analysis module for presenting all file paths of a malicious sample; and a multi-clue cross-comparison module for cross-comparing the information of several clues.
Building on the above system embodiment, the clue locating module comprises: an IP recording module for recording the attacker's IP address and attack time; and an IP locating module for geolocating the IP address.
Building on the above system embodiment, assessing the threat level of a clue comprises: assessing the threat level of the clue according to botnet data, the 360 Network Security Research Institute and 360 Net Shield.
Building on the above system embodiment, presenting the data list related to a clue comprises: presenting the list according to 360's big data base resources.
In a second aspect, an embodiment of the present invention provides an electronic device, including:
at least one processor; and
at least one memory communicatively coupled to the processor, wherein:
the memory stores program instructions executable by the processor, and the processor invokes those instructions to implement the clue analysis and verification system for network security provided by any of the possible implementations of the first aspect.
In a third aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium storing computer instructions that cause a computer to implement the clue analysis and verification system for network security provided by any of the possible implementations of the first aspect.
The clue analysis and verification system and device for network security provided by the embodiments integrate the clue assessment module, clue expansion module, attack target locating module, clue locating module and collaborative sharing module, and can therefore process large volumes of data efficiently, support visual interactive analysis, build an efficient clue analysis tool on rich clue data resources, and present the analysis results visually.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, a brief description will be given below to the drawings required for the description of the embodiments or the prior art, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a clue analysis and verification system for network security according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a data expansion association relationship of a data query module according to an embodiment of the present invention;
fig. 3 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings; the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from these embodiments without creative effort fall within the protection scope of the present invention. In addition, the technical features of the various embodiments, or of individual embodiments, can be combined with one another to form feasible technical solutions, provided a person skilled in the art can realise the combination; where a combination is contradictory or cannot be realised, it is deemed not to exist and falls outside the protection scope of the present invention.
By drawing on the massive network security and internet base data resources accumulated over many years, together with a highly user-friendly visual interactive analysis mode, the system helps users carry out clue expansion and source tracing for network security incidents such as APT (advanced persistent threat) campaigns and malware, find further clues about an attack event, evaluate its overall damage, and improve the efficiency and success rate of tracing attackers. On this basis, an embodiment of the present invention provides a clue analysis and verification system for network security; referring to Fig. 1, the system comprises: a clue assessment module 101 for presenting the state of a clue; a clue expansion module 102 for supplying clues for deeper mining; an attack target locating module 103 for locating attacked targets, evaluating their risk level and screening out those whose risk level exceeds a preset threshold; a clue locating module 104 for locating the IP address of the attacker; and a collaborative sharing module 105 for sharing analysis results with all members of the analysis working group. The collaborative sharing module 105 mainly supports securely sharing an analysis result (a canvas) with members of the same working group. The recipient can merge the received canvas into an existing canvas and rearrange the associations, so that multi-user collaborative analysis proceeds smoothly and analysis results are no longer isolated per account; this function markedly improves analysis efficiency.
As an optional embodiment, the clue assessment module comprises: a clue information display module for presenting the resources used in a network attack; a clue threat assessment module for assessing the threat level of a clue; a label-assisted assessment module for analysing network attack data using labels; and a data support module for presenting the data list related to a clue and sorting and filtering it. Specifically, the system provides a clue assessment function for network security cases and presents the circumstances of a clue comprehensively through basic information display, threat assessment, multidimensional data analysis and the like, to help users assess clues. The clue information display module presents the resources commonly used in network attacks, namely domain names, IP addresses and malicious files. For a domain name it provides the current resolution records, Whois registration information, place of registration and whether the domain is dynamic; for an IP address it provides the geographic home location, the ASN (autonomous system number), whether the address belongs to an IDC (internet data centre), and the device identifier (MID) activity seen behind it over roughly the past month; for a malicious sample (identified by its MD5 hash) it provides the file size, the time the sample was first seen, the time it was first seen on VirusTotal, its threat level and its detection rate.
The clue threat assessment module assesses the threat posed by a clue from the angles of botnet data, the 360 Network Security Research Institute, 360 Net Shield and the like, drawing on 360's security research results accumulated over many years and the manual analysis of professional security researchers. The label-assisted assessment module, based on analysis of multiple data sources and the in-depth research of 360's laboratory teams, provides some 2,300 kinds of data labels for domain names, IP addresses and malicious-file MD5 hashes, including APT (advanced persistent threat) group names, attack types and exploit names. The data support module, relying mainly on 360's big data base resources, presents the data related to a clue as lists and supports sorting and filtering of their contents. The multidimensional data comprise domain name resolution records, domain name access records, domain Whois registration information, cloud-scanning logs for samples, open-port information, IP location information and the like.
As an optional embodiment, the system further comprises: a data query module for association queries over network security base data; an association visualization analysis module for association analysis across multiple clues; and a time-axis analysis and playback module for analysing the time axis of a clue and playing back the analysis result. Specifically, the data expansion associations of the data query module are shown in Fig. 2. Based on the network security base data accumulated over the years, the module supports association queries over current and historical domain resolution records, Whois registration information, user domain access records, client IPs, IP addresses, URLs, MIDs, file MD5 hashes, cloud-scanning logs for samples and the like. Through these queries the user learns what other data is, or historically was, associated with a clue.
The relation types are as follows. DNS: current and historical domain resolution records, comprising domain name, IP and resolution time. Domain access: client domain access records, comprising client IP, domain name and time. Open ports: the ports open and reachable on an IP address, comprising IP and port number. Sample outbound connection: the outbound network behaviour of a malicious sample on a host, comprising IP address, file path, MID, URL, domain name, client IP, file MD5 and record time. Sample source: the URL from which a malicious sample was downloaded onto a host, comprising IP address, URL, domain name, file MD5, MID and record time. Whois: the Whois registration information of a domain name, comprising domain name, e-mail address, city, province, country, postal code, fax, telephone, Whois server, name server, creation time, update time, expiry time, domain status, sponsoring registrar, organisation, ID, domain ID, hash value and registrant name. The association visualization analysis module mainly supports association analysis across several clues: in query mode it supports batch queries of multiple clues; in display mode it supports four node layouts (gravity, tree, block and ring) so that the data can be viewed from different angles; and in clue analysis it supports highlighting and filtering of data by label content so that the data the user cares about is located quickly. Through this analysis and display mode the system gives users strong, user-friendly interactive support for quickly finding relationships among clues and mining the information behind them.
A query result supports manual addition of associations after human assessment; the system also provides an automatic analysis function that links queried results to the clues of already known nodes, forming a relationship network for the next step of analysis and assessment. The time-axis analysis and playback module provides time-axis analysis of clues: it shows the points and ranges in time at which clue associations arose, lets the user select related clue nodes by time point or time period, and supports playing back the analysis result over time.
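The clue expansion, automatic association and time-axis functions described above amount to a breadth-first walk over a relation table followed by a time-ordered view of the edges found. The following Python is an added illustration of that procedure and is not the patent's code; the relation table, every domain, IP, hash and e-mail address in it, and the function names are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed relation table (every domain, IP, hash and e-mail address is invented).
# Each row is (relation, src, dst, time); the relation names mirror the query types
# the data query module offers: dns, whois_email, sample_source, sample_outbound,
# domain_access.  Times are ISO-8601 strings, so they sort correctly as text.
RECORDS = [
    ("dns",             "update.example-c2.test",           "203.0.113.10",                      "2019-11-02T08:00:00"),
    ("dns",             "update.example-c2.test",           "203.0.113.11",                      "2019-12-15T09:30:00"),
    ("whois_email",     "update.example-c2.test",           "reg@example.test",                  "2019-10-20T00:00:00"),
    ("whois_email",     "cdn.example-c2b.test",             "reg@example.test",                  "2019-10-21T00:00:00"),
    ("dns",             "cdn.example-c2b.test",             "203.0.113.11",                      "2019-12-16T10:00:00"),
    ("sample_source",   "c0ffee00c0ffee00c0ffee00c0ffee00", "http://cdn.example-c2b.test/a.exe", "2019-12-17T11:00:00"),
    ("sample_outbound", "c0ffee00c0ffee00c0ffee00c0ffee00", "update.example-c2.test",            "2019-12-18T12:00:00"),
    ("domain_access",   "192.0.2.44",                       "update.example-c2.test",            "2019-12-19T13:00:00"),
    ("dns",             "unrelated.example.test",           "198.51.100.5",                      "2019-12-01T00:00:00"),
]


def build_graph(records):
    """Undirected adjacency list: node -> [(neighbour, relation, time), ...]."""
    adj = defaultdict(list)
    for rel, src, dst, t in records:
        adj[src].append((dst, rel, t))
        adj[dst].append((src, rel, t))
    return adj


def expand(records, seeds, max_hops):
    """Breadth-first clue expansion from the seed clues.

    Returns {node: hops}, where hops is the distance to the nearest seed.  The
    hop limit matters in practice: shared infrastructure (a registrar mailbox,
    a CDN address) would otherwise pull the whole dataset into the cluster.
    """
    adj = build_graph(records)
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        for neighbour, _rel, _t in adj[node]:
            if neighbour not in hops:
                hops[neighbour] = hops[node] + 1
                queue.append(neighbour)
    return hops


def timeline(records, nodes):
    """Edges with both endpoints in the expanded set, ordered by time: the
    time-axis view of how the clue cluster grew."""
    keep = [(t, rel, src, dst) for rel, src, dst, t in records
            if src in nodes and dst in nodes]
    return sorted(keep)


def in_window(records, nodes, start, end):
    """Nodes touched by at least one edge whose time lies in [start, end]
    (the 'select clue nodes by time period' function)."""
    touched = set()
    for t, _rel, src, dst in timeline(records, nodes):
        if start <= t <= end:
            touched.update((src, dst))
    return touched


if __name__ == "__main__":
    cluster = expand(RECORDS, ["update.example-c2.test"], max_hops=2)
    for node, h in sorted(cluster.items(), key=lambda kv: (kv[1], kv[0])):
        print(h, node)
    for t, rel, src, dst in timeline(RECORDS, cluster):
        print(t, rel, src, "->", dst)
```

Starting from the seed C2 domain, one hop yields its resolution IPs, registrant mailbox, the sample that beacons to it and a client that accessed it; the second hop reaches the sibling domain (shared registrant and shared IP) and the download URL, while the unrelated domain never enters the cluster. The time-window filter is what the playback function iterates over.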
As an optional embodiment, the attack target locating module comprises: a malicious sample source analysis module for locating the uniform resource locators (URLs) from which a malicious sample was downloaded; a malicious sample path analysis module for presenting all file paths of a malicious sample; and a multi-clue cross-comparison module for cross-comparing the information of several clues. Specifically, the attack target locating module supports analysis of the scope of impact of a piece of malware. This information helps the user judge the damage caused by an attack, locate all victims, screen out the high-risk targets among them, and contain the damage and reduce losses in time; it also supports further screening of the victims. Once a piece of malware has been identified, its infected (victim) IPs can be found through the product's 'sample outbound connection (client IP)' query, and the geographic location of each victim IP obtained by querying and analysing that IP. From the count of victim IPs and their geographic distribution the scope of the malware's impact is obtained, and reasonable disposal measures can then be taken to contain the damage. The malicious sample source analysis module presents all network download sources of a malicious sample, locating the sample download URLs used in watering-hole attacks, spear-phishing attacks and the like, and so reconstructs the trail of the attack.
The malicious sample path analysis module presents all file paths of a malicious sample; from this information the type of sample can be analysed, its typical file behaviour characterised, and support provided for sample analysis. The multi-clue cross-comparison module cross-compares the related information of several clues to find suspicious device identifiers (MIDs) that are linked to several of the data items at once, giving the user information about the suspects; combined with the hacker or underground-economy labels mentioned above, this allows the attacker's identity to be traced quickly.
As an optional embodiment, the clue locating module comprises: an IP recording module for recording the attacker's IP address and attack time; and an IP locating module for geolocating the IP address. Specifically, the clue locating module analyses the IP trails of the devices of cybercrime suspects and victims and can, based on precise IP location data, directly place an IP at a geographic position where it once appeared, supporting on-the-ground location of suspects. Once the device MID used by a suspect has been determined, the IP recording module looks up, from the MID's IP history, the IP addresses and times that device used to go online, establishing the device's movements and hence the suspect's whereabouts. The IP locating module maps some 200 million domestic IP addresses to specific places with an error of no more than 500 metres. Locating the IP gives a preliminary assessment of where the suspected attacker is and a reference for further tracing.
As an optional embodiment, assessing the threat level of a clue comprises: assessing the threat level according to botnet data, the 360 Network Security Research Institute and 360 Net Shield.
As an optional embodiment, presenting the data list related to a clue comprises: presenting the list according to 360's big data base resources.
As an optional embodiment, locating an attacked target comprises: querying, via sample outbound connections, the target IPs attacked by the malware, and obtaining the geographic location of each target IP by analysing it.
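The target-locating, threshold-screening, cross-comparison and IP-history passages above all operate on the same sample outbound connection records. The Python below is an added example, not the patent's code, that works the four functions through on one constructed telemetry table: victim enumeration by sample hash, a per-victim risk score compared against a preset threshold, the intersection of device IDs across several clues, and a device's IP trail. The records, threat and sector labels, the scoring weights and the region lookup are all invented for the example; the patent specifies none of these weights.

```python
from collections import Counter

# Constructed telemetry; every hash, IP, device ID and region name is invented.
# OUTBOUND rows mirror the "sample outbound connection" query:
# (sample_md5, client_ip, device_mid, dst_domain, time).
OUTBOUND = [
    ("c0ffee00c0ffee00c0ffee00c0ffee00", "192.0.2.10",   "MID-A1", "update.example-c2.test", "2019-12-18T12:00:00"),
    ("c0ffee00c0ffee00c0ffee00c0ffee00", "192.0.2.11",   "MID-B2", "update.example-c2.test", "2019-12-18T12:05:00"),
    ("c0ffee00c0ffee00c0ffee00c0ffee00", "192.0.2.12",   "MID-C3", "update.example-c2.test", "2019-12-19T01:00:00"),
    ("deadbeefdeadbeefdeadbeefdeadbeef", "192.0.2.99",   "MID-B2", "cdn.example-c2b.test",   "2019-12-20T02:00:00"),
    ("deadbeefdeadbeefdeadbeefdeadbeef", "198.51.100.7", "MID-D4", "cdn.example-c2b.test",   "2019-12-21T03:00:00"),
    ("deadbeefdeadbeefdeadbeefdeadbeef", "192.0.2.10",   "MID-A1", "cdn.example-c2b.test",   "2019-12-22T04:00:00"),
]
# Constructed stand-ins for the threat-assessment and label modules.
SAMPLE_THREAT = {"c0ffee00c0ffee00c0ffee00c0ffee00": "high",
                 "deadbeefdeadbeefdeadbeefdeadbeef": "medium"}
HOST_SECTOR = {"192.0.2.10": "energy", "192.0.2.11": "education",
               "192.0.2.12": "other", "192.0.2.99": "other", "198.51.100.7": "energy"}
# Assumed scoring weights (the patent only says "risk level exceeding a preset threshold").
THREAT_WEIGHT = {"high": 3, "medium": 2, "low": 1}
SECTOR_WEIGHT = {"energy": 3, "education": 2, "other": 1}
# Constructed IP-to-region lookup standing in for the IP location data.
GEO = {"192.0.2.10": "Region-1", "192.0.2.11": "Region-1", "192.0.2.12": "Region-2",
       "192.0.2.99": "Region-2", "198.51.100.7": "Region-3"}


def victims(outbound, sample_md5):
    """Client IPs on which the sample was seen calling out."""
    return {row[1] for row in outbound if row[0] == sample_md5}


def impact_by_region(outbound, sample_md5, geo):
    """Victim count per region: the malware's geographic footprint."""
    return Counter(geo.get(ip, "unknown") for ip in victims(outbound, sample_md5))


def risk_score(outbound, client_ip):
    """Worst sample threat on the host + sector weight + one point per extra distinct sample."""
    samples = {row[0] for row in outbound if row[1] == client_ip}
    if not samples:
        return 0
    worst = max(THREAT_WEIGHT[SAMPLE_THREAT[s]] for s in samples)
    sector = SECTOR_WEIGHT[HOST_SECTOR.get(client_ip, "other")]
    return worst + sector + (len(samples) - 1)


def high_risk_targets(outbound, threshold):
    """Victims whose risk score exceeds the preset threshold."""
    ips = {row[1] for row in outbound}
    return {ip for ip in ips if risk_score(outbound, ip) > threshold}


def shared_devices(outbound, clues):
    """Cross-comparison: device IDs that appear with every one of the given clues.
    A clue matches a row by sample hash or by destination domain."""
    per_clue = [{row[2] for row in outbound if clue in (row[0], row[3])} for clue in clues]
    return set.intersection(*per_clue) if per_clue else set()


def ip_history(outbound, mid):
    """(time, client_ip) trail of one device: the input to IP-based locating."""
    return sorted((row[4], row[1]) for row in outbound if row[2] == mid)


if __name__ == "__main__":
    print(impact_by_region(OUTBOUND, "c0ffee00c0ffee00c0ffee00c0ffee00", GEO))
    print(sorted(high_risk_targets(OUTBOUND, threshold=4)))
    print(shared_devices(OUTBOUND, ["update.example-c2.test", "cdn.example-c2b.test"]))
    print(ip_history(OUTBOUND, "MID-B2"))
```

Two practitioner caveats the patent text does not spell out. First, the threshold comparison is strict, as the claims say "exceeding"; a host exactly at the threshold is not screened out, so the threshold should be chosen against the score distribution rather than guessed. Second, an IP trail is only as good as the IP-to-location data: carrier-grade NAT and mobile networks put many devices behind one public address, so a device's IP history should corroborate, not replace, other evidence before anyone acts on a location.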
The clue analysis and verification system for network security provided by the embodiments integrates the clue assessment module, clue expansion module, attack target locating module, clue locating module and collaborative sharing module, and can therefore process large volumes of data efficiently, support visual interactive analysis, build an efficient clue analysis tool on rich clue data resources, and present the analysis results visually.
The system of the embodiments runs on electronic equipment, so that equipment is described here. An embodiment of the present invention provides an electronic device which, as shown in Fig. 3, comprises: at least one processor 301, a communications interface 304, at least one memory 302 and a communication bus 303, the at least one processor 301, the communications interface 304 and the at least one memory 302 communicating with one another via the communication bus 303. The at least one processor 301 can invoke logic instructions in the at least one memory 302 to implement the following system: a clue assessment module for presenting the state of a clue; a clue expansion module for supplying clues for deeper mining; an attack target locating module for locating attacked targets, evaluating their risk level and screening out those whose risk level exceeds a preset threshold; a clue locating module for locating the IP address of the attacker; and a collaborative sharing module for sharing analysis results with all members of the analysis working group.
Furthermore, the logic instructions in the at least one memory 302 may be implemented as software functional units and stored in a computer-readable storage medium when sold or used as a stand-alone product. On this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, may be embodied in a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute all or part of the system of the embodiments, for example a system comprising: a clue assessment module for presenting the state of a clue; a clue expansion module for supplying clues for deeper mining; an attack target locating module for locating attacked targets, evaluating their risk level and screening out those whose risk level exceeds a preset threshold; a clue locating module for locating the IP address of the attacker; and a collaborative sharing module for sharing analysis results with all members of the analysis working group. The storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
The apparatus embodiments described above are merely illustrative: units described as separate parts may or may not be physically separate, and parts shown as units may or may not be physical units; they may be located in one place or distributed over several network nodes. Some or all of the modules may be selected according to actual needs to achieve the purpose of this embodiment. One of ordinary skill in the art can understand and implement this without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to implement the methods or systems of the various embodiments or some parts of the embodiments.
The flowchart and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the invention. Each block in the flowchart or block diagrams may represent a module, a program segment or a portion of code that comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations the functions noted in a block may occur out of the order shown in the figures: two blocks shown in succession may in fact be executed substantially concurrently, or sometimes in the reverse order, depending on the functionality involved. Each block of the block diagrams and/or flowchart illustration, and combinations of such blocks, can be implemented by special-purpose hardware-based systems that perform the specified functions or acts, or by combinations of special-purpose hardware and computer instructions.
In this patent, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises the element.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. A clue analysis and verification system for network security, comprising:
a clue studying and judging module for showing the state of a clue;
a clue expansion module for providing clues for deep mining;
a network attack target locating module for locating an attacked target, evaluating the risk degree of the target and screening out targets whose risk degree exceeds a preset threshold;
a clue locating module for locating the IP address of the network attacker; and
a collaborative sharing module for sharing the analysis result with all members of the analysis working group.
2. The clue analysis and verification system for network security of claim 1, wherein the clue studying and judging module comprises:
a clue information display module for displaying the resources used in a network attack;
a clue threat judging module for judging the threat degree of a clue;
a tag-assisted judgment module for analyzing network attack data using tags; and
a data support module for displaying the list of data related to a clue, and for sorting and filtering that list.
3. The clue analysis and verification system for network security of claim 1, wherein the clue expansion module comprises:
a data query module for performing association queries over network security basic data;
an association visualization analysis module for performing association analysis on a plurality of clues; and
a timeline analysis and playback module for analyzing the timeline of a clue and playing back the analysis result.
4. The clue analysis and verification system for network security of claim 1, wherein the network attack target locating module comprises:
a malicious sample source analysis module for locating the same resource locator (URL) from which malicious samples were downloaded;
a malicious sample path analysis module for displaying all paths of a malicious sample; and
a multi-clue cross comparison module for cross-comparing the information of several clues.
5. The clue analysis and verification system for network security of claim 1, wherein the clue locating module comprises:
an IP recording module for recording the IP address of the network attacker and the time of the attack; and
an IP locating module for locating that IP address.
6. The clue analysis and verification system for network security of claim 2, wherein judging the threat degree of a clue comprises:
judging the threat degree of the clue according to botnet data, the 360 network security research institute and the 360 network shield.
7. The clue analysis and verification system for network security of claim 2, wherein displaying the list of data related to a clue comprises:
displaying the list of data related to the clue according to the 360 big data basic resources.
8. The clue analysis and verification system for network security of claim 1, wherein locating the attacked target comprises:
querying, through the outbound connections of a malware sample, the target IP attacked by the malware, and obtaining the geographic location of the target IP by analyzing that IP.
9. An electronic device, comprising:
at least one processor, at least one memory, and a communication interface; wherein
the processor, the memory and the communication interface communicate with one another; and
the memory stores program instructions executable by the processor, which the processor invokes to implement the system of any one of claims 1 to 8.
10. A non-transitory computer-readable storage medium storing computer instructions that cause a computer to implement the system of any one of claims 1 to 8.
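The target locating, risk scoring, threshold screening, sample source analysis and multi-clue cross comparison that claims 1, 4, 5 and 8 describe, as an added worked example. This is not the patent's code and not code from its applicant; the connection records, the scoring weights and the prefix-to-region table are constructed assumptions standing in for sandbox or telemetry data, a real risk model and a GeoIP database.

```python
"""Added worked example (not the patent's code): pivot from malware samples'
outbound connections to the attacked target IPs, score and screen the targets,
find download URLs shared between samples, and cross-compare clues.
All records below are constructed; the scoring rule and the region table are
assumptions standing in for a real risk model and a GeoIP database."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Connection:
    """One outbound connection observed from a malware sample (constructed)."""
    sample: str                          # sample identifier, e.g. a hash
    target_ip: str                       # IP the sample connected to
    seen_at: datetime                    # attack time, as the IP recording module keeps it
    download_url: Optional[str] = None   # URL the sample itself was fetched from, if known


# Constructed telemetry standing in for "sample outbound connection" data.
CONNECTIONS: List[Connection] = [
    Connection("sample-a", "203.0.113.10", datetime(2020, 1, 3, 8, 0), "http://dl.example.test/x.exe"),
    Connection("sample-a", "203.0.113.10", datetime(2020, 1, 3, 9, 0), "http://dl.example.test/x.exe"),
    Connection("sample-b", "203.0.113.10", datetime(2020, 1, 3, 10, 0), "http://dl.example.test/x.exe"),
    Connection("sample-b", "198.51.100.7", datetime(2020, 1, 3, 10, 5), "http://dl.example.test/x.exe"),
    Connection("sample-c", "203.0.113.10", datetime(2020, 1, 5, 1, 0), "http://dl.example.test/y.exe"),
    Connection("sample-d", "192.0.2.55", datetime(2020, 1, 5, 2, 0)),
]

# Assumed stand-in for a GeoIP database: network prefix -> region label.
GEOIP = {
    ip_network("203.0.113.0/24"): "region-A",
    ip_network("198.51.100.0/24"): "region-B",
}


def geolocate(ip: str) -> str:
    """Resolve an IP to a region label via the prefix table; "unknown" if absent."""
    addr = ip_address(ip)
    for net, region in GEOIP.items():
        if addr in net:
            return region
    return "unknown"


@dataclass
class TargetReport:
    ip: str
    region: str
    samples: Set[str]
    first_seen: datetime
    last_seen: datetime
    risk: float


def locate_targets(conns: List[Connection], threshold: float) -> List[TargetReport]:
    """Group connections by attacked IP, score each target and keep those whose
    risk exceeds the preset threshold, highest risk first (claims 1, 4, 8)."""
    by_ip: Dict[str, List[Connection]] = defaultdict(list)
    for c in conns:
        by_ip[c.target_ip].append(c)
    reports: List[TargetReport] = []
    for ip, recs in by_ip.items():
        samples = {r.sample for r in recs}
        times = sorted(r.seen_at for r in recs)
        # Assumed scoring rule: distinct samples weigh most, raw hits a little,
        # and activity spanning at least a full day adds a fixed bonus.
        multi_day = (times[-1] - times[0]).days >= 1
        risk = 2.0 * len(samples) + 0.5 * len(recs) + (1.0 if multi_day else 0.0)
        reports.append(TargetReport(ip, geolocate(ip), samples, times[0], times[-1], risk))
    reports.sort(key=lambda r: r.risk, reverse=True)   # stable: ties keep insertion order
    return [r for r in reports if r.risk > threshold]


def shared_download_urls(conns: List[Connection], min_samples: int = 2) -> Dict[str, Set[str]]:
    """Sample source analysis: download URLs shared by at least min_samples
    distinct samples, i.e. a common distribution point (claim 4)."""
    samples_by_url: Dict[str, Set[str]] = defaultdict(set)
    for c in conns:
        if c.download_url:
            samples_by_url[c.download_url].add(c.sample)
    return {url: s for url, s in samples_by_url.items() if len(s) >= min_samples}


def indicators(conns: List[Connection], sample: str) -> Set[str]:
    """All indicators (target IPs and download URLs) tied to one sample."""
    out: Set[str] = set()
    for c in conns:
        if c.sample == sample:
            out.add(c.target_ip)
            if c.download_url:
                out.add(c.download_url)
    return out


def cross_compare(clues: Dict[str, Set[str]]) -> Dict[Tuple[str, str], Set[str]]:
    """Multi-clue cross comparison: indicators shared by each pair of clues (claim 4)."""
    names = sorted(clues)
    overlaps: Dict[Tuple[str, str], Set[str]] = {}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared = clues[a] & clues[b]
            if shared:
                overlaps[(a, b)] = shared
    return overlaps


if __name__ == "__main__":
    for rep in locate_targets(CONNECTIONS, threshold=3.0):
        print(f"{rep.ip} ({rep.region}) risk={rep.risk} samples={sorted(rep.samples)} "
              f"first={rep.first_seen:%Y-%m-%d %H:%M} last={rep.last_seen:%Y-%m-%d %H:%M}")
    print("shared download URLs:", shared_download_urls(CONNECTIONS))
    clues = {s: indicators(CONNECTIONS, s) for s in ("sample-a", "sample-b", "sample-c", "sample-d")}
    print("cross comparison:", cross_compare(clues))
```

The threshold, the weights and the region table are the knobs a deployment would replace with its own risk model and GeoIP data; the functions return structured records rather than printing so that the results can feed the sortable, filterable data list that claim 2's data support module presents.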
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010004346.4A CN113079125A (en) | 2020-01-03 | 2020-01-03 | Clue analyzing and verifying system, apparatus and storage medium for network security |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113079125A true CN113079125A (en) | 2021-07-06 |
Family
ID=76608623
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010004346.4A Pending CN113079125A (en) | 2020-01-03 | 2020-01-03 | Clue analyzing and verifying system, apparatus and storage medium for network security |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113079125A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120023572A1 (en) * | 2010-07-23 | 2012-01-26 | Q-Track Corporation | Malicious Attack Response System and Associated Method |
CN102546363A (en) * | 2010-12-21 | 2012-07-04 | 深圳市恒扬科技有限公司 | Message processing method, device and equipment |
CN109981587A (en) * | 2019-02-27 | 2019-07-05 | 南京众智维信息科技有限公司 | A kind of network security monitoring traceability system based on APT attack |
- 2020-01-03 CN CN202010004346.4A patent/CN113079125A/en active Pending
Non-Patent Citations (7)
Title |
---|
星速云小编: "Tencent Cloud Advanced Threat Tracing System: product advantages", URL: HTTPS://WWW.XINGSUYUN58.COM/4426.HTML * |
星速云小编: "Tencent Cloud Advanced Threat Tracing System: product overview", URL: HTTPS://WWW.XINGSUYUN58.COM/4424.HTML * |
星速云小编: "Tencent Cloud Advanced Threat Tracing System: application scenarios", URL: HTTPS://WWW.XINGSUYUN58.COM/4427.HTML * |
汪鑫 et al.: "Research on malicious URL detection based on a threat intelligence platform", Computer Science (计算机科学) * |
白浩: "Research on analysis and forensic methods and techniques for Internet advanced persistent threats", Telecom Engineering Technics and Standardization (电信工程技术与标准化) * |
石孝维: "Threat tracing system ANTU", URL: HTTPS://B2B.HUANGYE88.COM/QIYES6JN09C77733/PRODUCT_15153187.HTML * |
靳莉亚: "Attack organization correlation and analysis system based on multi-dimensional threat intelligence analysis", China Master's Theses Full-text Database (中国优秀博硕士学位论文全文数据库(硕士)) * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116193432A (en) * | 2023-05-04 | 2023-05-30 | 国网浙江省电力有限公司信息通信分公司 | Information security authentication method and system based on 5G network |
CN116193432B (en) * | 2023-05-04 | 2023-07-04 | 国网浙江省电力有限公司信息通信分公司 | Information security authentication method and system based on 5G network |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111988339B (en) | Network attack path discovery, extraction and association method based on DIKW model | |
CN110730175B (en) | Botnet detection method and detection system based on threat information | |
CN109361643B (en) | Deep tracing method for malicious sample | |
CN111818103B (en) | Traffic-based tracing attack path method in network target range | |
CN103916406B (en) | A kind of APT attack detection methods based on DNS log analysis | |
KR101070184B1 (en) | System and method for blocking execution of malicious code by automatically crawling and analyzing malicious code through multi-thread site-crawler, and by interworking with network security device | |
CN110505235B (en) | System and method for detecting malicious request bypassing cloud WAF | |
CN110691080B (en) | Automatic tracing method, device, equipment and medium | |
El-Kosairy et al. | Intrusion and ransomware detection system | |
CN103632084A (en) | Building method for malicious feature data base, malicious object detecting method and device of malicious feature data base | |
CN113067812B (en) | APT attack event tracing analysis method and device and computer readable medium | |
CN111104579A (en) | Identification method and device for public network assets and storage medium | |
Starov et al. | Betrayed by your dashboard: Discovering malicious campaigns via web analytics | |
Hatada et al. | Empowering anti-malware research in Japan by sharing the MWS datasets | |
CN114205128B (en) | Network attack analysis method, device, electronic equipment and storage medium | |
Kaushik et al. | An Advanced Approach for performing Cyber Fraud using Banner Grabbing | |
CN110798429A (en) | Threat pursuing method, device and equipment in network security defense | |
CN113810395B (en) | Threat information detection method and device and electronic equipment | |
CN112491873A (en) | Network threat detection method, device, equipment and storage medium based on dictionary tree | |
CN113645240A (en) | Malicious domain name community mining method based on graph structure | |
Teng et al. | A cooperative intrusion detection model for cloud computing networks | |
CN103440454B (en) | A kind of active honeypot detection method based on search engine keywords | |
CN111224981A (en) | Data processing method and device, electronic equipment and storage medium | |
CN113079125A (en) | Clue analyzing and verifying system, apparatus and storage medium for network security | |
KR20130096565A (en) | A malware detection system based on correlation analysis using live response techniques |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2021-07-06 | PB01 | Publication | Application publication date: 2021-07-06 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |