CN113132306A - Threat event processing method and device

Info

Publication number: CN113132306A
Authority: CN (China)
Prior art keywords: threat, events, threat events, event, processing
Legal status: Pending (status as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN201911406184.0A
Other languages: Chinese (zh)
Inventors: 张睿, 叶若曦, 朱灿, 王禹, 李斌, 毛斯琪, 肖瑞
Current assignee: Suzhou 360 Intelligent Security Technology Co Ltd
Original assignee: Suzhou 360 Intelligent Security Technology Co Ltd

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1433: Vulnerability analysis
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F16/00: Information retrieval; database structures therefor; file system structures therefor
    • G06F16/20: Information retrieval; database structures therefor; file system structures therefor of structured data, e.g. relational data
    • G06F16/24: Querying
    • G06F16/245: Query processing
    • G06F16/2455: Query execution
    • G06F16/24553: Query execution of query operations
    • G06F16/24554: Unary operations; data partitioning operations
    • G06F16/24556: Aggregation; duplicate elimination

Abstract

The invention discloses a threat event processing method and device. The method comprises the following steps: obtaining threat event information for a plurality of threat events; identifying threat events corresponding to the same attack node according to the threat event information of the plurality of threat events; performing aggregation processing on the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events, wherein a security event is aggregated from several threat events. According to the scheme, a large number of threat events can be aggregated into a small number of security events through aggregation processing of the threat events, so that the number of events to be processed is greatly reduced, the processing efficiency is improved, effective processing of the security events is facilitated, and the processing precision is improved; furthermore, the method and the device aggregate the threat events based on the attack nodes, so that a plurality of threat events with the same attack characteristic are aggregated into one security event, the aggregation precision is further improved, and the processing precision of the threat events is further improved.

Description

Threat event processing method and device
Technical Field
The invention relates to the technical field of security, in particular to a threat event processing method and device.
Background
At present, computer and internet technologies have been developed rapidly. However, security threat issues for terminals and networks (e.g., for enterprise networks, user networks, etc.) are also constantly occurring. In order to ensure the security of the terminal and the network, after threat events for the terminal and the network are detected, the detected threat events are processed one by one.
However, the inventor finds that the prior art has the following defects: processing each threat event one by one is very inefficient, and when the number of threat events is large the terminal and the network cannot be protected quickly; in addition, because each threat event is processed solely according to the information of that single event, the processing applied to a threat event cannot be matched to the actual threat, which further lowers processing efficiency and hinders effective protection of the terminal and the network.
Disclosure of Invention
In view of the above, the present invention has been made to provide a threat event processing method and apparatus that overcomes or at least partially solves the above problems.
According to one aspect of the invention, there is provided a threat event processing method, comprising:
obtaining threat event information for a plurality of threat events;
identifying threat events corresponding to the same attack node according to the threat event information of the plurality of threat events;
performing aggregation processing on the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events; wherein a security event is aggregated from a number of threat events.
According to another aspect of the present invention, there is provided a threat event processing apparatus comprising:
a threat event acquisition module adapted to acquire threat event information of a plurality of threat events;
an identification module adapted to identify the threat events corresponding to the same attack node according to the threat event information of the plurality of threat events;
an aggregation module adapted to aggregate the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events; wherein a security event is aggregated from a number of threat events.
According to yet another aspect of the present invention, there is provided a computing device comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with each other through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the threat event processing method.
According to yet another aspect of the present invention, a computer storage medium is provided, in which at least one executable instruction is stored, and the executable instruction causes a processor to perform operations corresponding to the threat event processing method.
According to the threat event processing method and device provided by the invention, threat event information of a plurality of threat events is obtained; threat events corresponding to the same attack node are identified according to the threat event information of the plurality of threat events; aggregation processing is performed on the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events, wherein a security event is aggregated from several threat events. According to the scheme, a large number of threat events can be aggregated into a small number of security events through aggregation processing of the threat events, so that the number of events to be processed is greatly reduced, the processing efficiency is improved, effective processing of the security events is facilitated, and the processing precision is improved; furthermore, the method and the device aggregate the threat events based on the attack nodes, so that a plurality of threat events with the same attack characteristic are aggregated into one security event, the aggregation precision is further improved, and the processing precision of the threat events is further improved.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow diagram illustrating a threat event processing method according to an embodiment of the invention;
FIG. 2 is a flow diagram illustrating a threat event processing method according to another embodiment of the invention;
FIG. 3 is a flow diagram illustrating a threat event handling method according to yet another embodiment of the invention;
FIG. 4 is a schematic diagram illustrating a threat event processing apparatus according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a computing device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 is a flow chart illustrating a threat event processing method according to an embodiment of the present invention. The threat event processing method provided by the embodiment can be applied to various security platforms (such as a security platform for an enterprise network, or a security platform for a user personal network, etc.). Moreover, the threat event processing method provided by this embodiment can be executed by a computing device with corresponding computing capability, and this embodiment does not limit the specific type of the computing device.
As shown in fig. 1, the method includes:
step S110: threat event information for a plurality of threat events is obtained.
In an actual implementation process, threat events in an object to be secured (the object may be an enterprise network or the like) are first detected. Optionally, in order to detect threat events quickly and further improve the overall execution efficiency of the method, the embodiment may use corresponding threat detection rules to detect the threat events. The embodiment does not limit the specific types, contents, and the like of the threat detection rules; a person skilled in the art can select the corresponding threat detection rules according to actual business requirements. In addition, the embodiment also does not limit the specific type of the threat event: a threat event may be directed at a terminal, at the network side, or at certain types of information or applications (e.g., threat events directed at mail, files, and/or text messages).
Further, after the threat event is detected, the present embodiment may further obtain threat event information of a plurality of threat events in order to facilitate subsequent aggregation processing of the threat events. Optionally, the threat event information may specifically be: asset information (e.g., specific business information, personnel information, etc.), terminal process information, intelligence information (e.g., intelligence interface information, etc.), risk level information, and so forth.
Step S120: and identifying the threat events corresponding to the same attack node according to the threat event information of the plurality of threat events.
Different from a way of processing each detected threat event one by one in the prior art, the embodiment specifically performs aggregation processing on a plurality of threat events based on various attack nodes.
During the process of aggregating a plurality of threat events based on various attack nodes, the threat events corresponding to the same attack node are first identified according to the threat event information of the threat events. An attack node in this embodiment is a node that most attack behaviors must pass through. Optionally, the attack node includes at least one of the following nodes: port scanning nodes, vulnerability attack nodes, Trojan implantation nodes, password brute-forcing nodes, key information tampering nodes, high-risk event nodes and the like. In this embodiment, the specific attack node types and the like are not limited, and a person skilled in the art can set corresponding attack nodes according to actual service conditions. For example, if threat event A and threat event B are both scanning events for the high-risk port X, it is determined that threat event A and threat event B correspond to the same attack node.
Step S130: performing aggregation processing on the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events; wherein a security event is aggregated from a number of threat events.
Because the threat events corresponding to the same attack node have the same attack characteristic, the step further aggregates a plurality of threat events according to the identification result obtained in the step S120, and forms a corresponding security event by aggregating a plurality of threat events, so that the processing of the plurality of threat events can be realized by processing one security event, the number of events to be processed is greatly reduced, and the processing efficiency is improved; and when the security event is processed, the processing mode of the security event can be determined according to the threat event information of a plurality of threat events corresponding to the security event, so that the security event can be comprehensively analyzed, and the processing precision is favorably improved.
Therefore, in the embodiment, threat event information of a plurality of threat events is obtained, and threat events corresponding to the same attack node are identified further according to the threat event information of the plurality of threat events; performing aggregation processing on the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events; wherein a security event is aggregated from a number of threat events. According to the embodiment, a large number of threat events can be aggregated into a small number of security events through aggregation processing of the threat events, so that the number of events to be processed is greatly reduced, the processing efficiency is improved, effective processing of the security events is facilitated, and the processing precision is improved; further, in this embodiment, threat events are aggregated specifically based on attack nodes, so that a plurality of threat events with the same attack characteristic are aggregated into one security event, thereby improving aggregation accuracy and further improving processing accuracy of the threat events.
Fig. 2 is a flow chart illustrating a threat event processing method according to another embodiment of the present invention. The threat event processing method provided by this embodiment is specifically directed to further optimization of the method shown in fig. 1.
As shown in fig. 2, the method includes:
step S210: threat event information for a plurality of threat events is obtained.
Step S220: based on a rule model generated in advance, the threat events corresponding to the same attack node are identified according to the threat event information of the threat events, and based on the identification result, the threat events are aggregated to generate at least one security event corresponding to the threat events.
In this embodiment, in order to facilitate aggregation processing of threat events, a corresponding rule model is generated in advance. The rule model comprises at least one identification rule and at least one aggregation rule. The identification rule is used for identifying the threat events corresponding to the same attack node, and the aggregation rule is used for carrying out aggregation processing on a plurality of threat events based on the identification result. The identification rules and/or the aggregation rules contained in the rule model can be combined with each other to jointly realize the aggregation of a plurality of threat events into one security event.
Because the identification rules and the aggregation rules in the rule model of the embodiment can be dynamically increased, deleted or changed according to actual business requirements, the identification rules and the aggregation rules in the rule model can meet the aggregation processing requirements of different threat events, and the application range of the method is expanded; and the method can generate matched rule models aiming at different objects to be protected, thereby realizing the customization of the rule models and having higher expandability.
Specifically, the present embodiment accurately aggregates several threat events into one security event by one or more of the following ways:
the first implementation mode comprises the following steps: identifying threat events corresponding to the same attack node according to threat event information of a plurality of threat events; and aiming at any attack node, carrying out aggregation processing on the threat events corresponding to the attack node to generate a security event corresponding to the attack node. In the implementation mode, threat events corresponding to the same attack node are directly aggregated into one security event, so that one security event corresponds to one attack node, and further, attack information of the attack node can be acquired in an all-around customized manner through the security event, and specialized processing for each attack node is facilitated. In the actual implementation process, an attack node can correspond to one or more identification rules, and when an attack node can correspond to an identification rule, whether a threat event corresponds to the attack node is determined through matching of threat event information of the threat event and the identification rule; when one attack node can correspond to a plurality of identification rules, threat event information of a threat event is respectively matched with the identification rules, and whether the threat event corresponds to the attack node or not is comprehensively determined according to a matching result and the relationship between the identification rules; after the threat event corresponding to the attack node is determined, further performing aggregation processing on the threat event corresponding to the attack node by using an aggregation rule corresponding to the attack node to generate a corresponding security event.
The second implementation mode: identifying threat events corresponding to the same attack node according to threat event information of a plurality of threat events; acquiring a plurality of attack nodes with relevance; and aggregating the threat events corresponding to these attack nodes to generate a security event corresponding to the attack nodes. The plurality of attack nodes with relevance correspond to the same attack scenario. In this implementation mode, threat events corresponding to the same attack scenario are aggregated, so as to generate a security event matched with each attack scenario. With this implementation mode, the generated security event can fully reflect the attack characteristics of the corresponding attack scenario, which facilitates specialized analysis and processing of different attack scenarios. In a specific implementation process, the attack nodes involved in different attack scenarios may be predetermined. For example, an attack scenario P against the terminal USER1 generally involves an early high-risk port scanning node (attack node A), a middle high-risk port attack node (attack node B), and a later log clearing node (attack node C). The threat events corresponding to attack node A, attack node B and attack node C can be determined according to the identification rules corresponding to attack node A, attack node B and attack node C respectively, and aggregation processing is then performed according to the aggregation rule corresponding to attack scenario P to obtain the security event corresponding to attack scenario P.
Step S230: and generating alarm information corresponding to the security event, and sending the alarm information to the processing node matched with the security event.
To facilitate fast processing of the security event, the present embodiment further generates alarm information corresponding to the security event after the security event is generated. Through the processing in step S210 and step S220, a large number of threat events can be aggregated into a small number of security events, so that the amount of alarm information generated in this step for the security events is greatly reduced.
Further, the alarm information can be sent to the processing node matched with the security event according to the pre-stored mapping table of the security event and the processing node, so that the processing node can rapidly process the security event.
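The rule-model embodiment of FIG. 2 (steps S210 to S230), together with the per-attack-node identification of FIG. 1 on which it builds, carried through in code. This is an added example, not code from the patent or its assignee: the event fields, the three attack nodes A/B/C of scenario P, the high-risk port set and the mapping table to processing nodes are constructed assumptions.

```python
"""Rule-model aggregation of threat events into security events (Fig. 2 embodiment).

Added example for this page, not code from the patent or its assignee. Event fields,
rule names, scenario "P" with nodes A/B/C, the high-risk port set and the mapping
table of security events to processing nodes are all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

HIGH_RISK_PORTS = {"22", "445", "3389"}          # constructed

@dataclass
class ThreatEvent:
    event_id: str
    asset: str                  # asset information: the terminal the event targets
    intel: str                  # intelligence category from the detection rule
    risk_level: int             # risk level information
    detail: Dict[str, str] = field(default_factory=dict)

@dataclass
class SecurityEvent:
    key: str                    # attack node name, or "<scenario>@<asset>"
    kind: str                   # "node" or "scenario"
    events: List[ThreatEvent]

# Identification rules, one list per attack node. A node with several rules
# matches an event only when all of its rules match (AND relationship).
IDENT_RULES: Dict[str, List[Callable[[ThreatEvent], bool]]] = {
    "A_port_scan": [lambda e: e.intel == "port_scan",
                    lambda e: e.detail.get("port") in HIGH_RISK_PORTS],
    "B_port_attack": [lambda e: e.intel == "exploit",
                      lambda e: e.detail.get("port") in HIGH_RISK_PORTS],
    "C_log_clear": [lambda e: e.intel == "log_clear"],
}

# Aggregation rule for an attack scenario: its related attack nodes, all of which
# must have been observed on the same asset before the scenario event is raised.
SCENARIOS: Dict[str, List[str]] = {"P": ["A_port_scan", "B_port_attack", "C_log_clear"]}

# Pre-stored mapping table from security event to processing node (step S230).
PROCESSING_NODES = {"node:A_port_scan": "network-ops", "node:B_port_attack": "vuln-mgmt",
                    "node:C_log_clear": "soc-tier2", "scenario:P": "incident-response"}

def identify(events: List[ThreatEvent]) -> Tuple[Dict[str, List[ThreatEvent]], List[ThreatEvent]]:
    """Identification (S220): map each event to every attack node whose rules it
    matches. Events matching no rule are returned separately, not dropped."""
    by_node: Dict[str, List[ThreatEvent]] = {node: [] for node in IDENT_RULES}
    unmatched: List[ThreatEvent] = []
    for e in events:
        hits = [node for node, rules in IDENT_RULES.items() if all(r(e) for r in rules)]
        for node in hits:
            by_node[node].append(e)
        if not hits:
            unmatched.append(e)
    return by_node, unmatched

def aggregate_by_node(by_node: Dict[str, List[ThreatEvent]]) -> List[SecurityEvent]:
    """First implementation mode: one security event per attack node."""
    return [SecurityEvent(node, "node", evs) for node, evs in by_node.items() if evs]

def aggregate_by_scenario(by_node: Dict[str, List[ThreatEvent]]) -> List[SecurityEvent]:
    """Second implementation mode: one security event per (scenario, asset), raised
    only when every related attack node was seen on that asset."""
    out: List[SecurityEvent] = []
    for name, nodes in SCENARIOS.items():
        for asset in sorted({e.asset for node in nodes for e in by_node[node]}):
            stages = [[e for e in by_node[node] if e.asset == asset] for node in nodes]
            if all(stages):                          # every stage of the scenario present
                out.append(SecurityEvent(f"{name}@{asset}", "scenario",
                                         [e for evs in stages for e in evs]))
    return out

def route_alarms(sec_events: List[SecurityEvent]) -> List[Dict[str, object]]:
    """Alarm generation (S230): one alarm per security event, carrying the count and
    highest risk level of its threat events, routed via the mapping table."""
    alarms = []
    for s in sec_events:
        target = PROCESSING_NODES.get(f"{s.kind}:{s.key.split('@')[0]}", "default-queue")
        alarms.append({"security_event": s.key, "threat_events": len(s.events),
                       "max_risk": max(e.risk_level for e in s.events), "to": target})
    return alarms

# Constructed sample: nine threat events against two terminals.
SAMPLE_EVENTS = [
    ThreatEvent("t1", "USER1", "port_scan", 2, {"port": "445"}),
    ThreatEvent("t2", "USER1", "port_scan", 2, {"port": "445"}),
    ThreatEvent("t3", "USER1", "port_scan", 2, {"port": "3389"}),
    ThreatEvent("t4", "USER1", "port_scan", 2, {"port": "22"}),
    ThreatEvent("t5", "USER1", "port_scan", 1, {"port": "8080"}),   # not a high-risk port
    ThreatEvent("t6", "USER1", "exploit", 4, {"port": "445"}),
    ThreatEvent("t7", "USER1", "exploit", 4, {"port": "445"}),
    ThreatEvent("t8", "USER1", "log_clear", 5),
    ThreatEvent("t9", "USER2", "port_scan", 2, {"port": "3389"}),  # scan only, no scenario
]

def run(events: List[ThreatEvent] = SAMPLE_EVENTS):
    """Whole pipeline: identify, aggregate both ways, route alarms."""
    by_node, unmatched = identify(events)
    node_events, scenario_events = aggregate_by_node(by_node), aggregate_by_scenario(by_node)
    return node_events, scenario_events, unmatched, route_alarms(node_events + scenario_events)
```

On the sample, eight of the nine threat events collapse into three node-level security events and one scenario-level event (P@USER1, seven events), while the USER2 scan alone does not complete scenario P and the non-high-risk scan stays unmatched for individual handling.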
Therefore, according to the embodiment, a large number of threat events can be aggregated into a small number of security events through aggregation processing of the threat events, so that the number of events to be processed is greatly reduced, the processing efficiency is improved, effective processing of the security events is facilitated, and the processing precision is improved; further, in this embodiment, threat events are aggregated specifically based on attack nodes, so that a plurality of threat events with the same attack characteristic are aggregated into one security event, thereby improving aggregation accuracy and further improving processing accuracy of the threat events; in addition, the rule model is adopted to realize the aggregation of threat events, so that the application range of the method is expanded, the customized protection of the object to be protected is conveniently realized, and the method has high expandability; in addition, the embodiment can generate the security event which can embody the characteristics of the attack node and the security event which embodies the characteristics of the attack scene based on the service requirement, so that the specialized processing can be conveniently carried out on each attack node and each attack scene, and the processing precision is improved; in addition, the embodiment also generates the alarm information corresponding to the security event and sends the alarm information to the processing node matched with the security event, which is beneficial to rapidly processing the security event, thereby realizing the timely protection of the object to be protected.
Fig. 3 is a flowchart illustrating a threat event processing method according to another embodiment of the present invention. The threat event processing method provided by this embodiment is specifically directed to further optimization of the method shown in fig. 1.
As shown in fig. 3, the method includes:
step S310: threat event information for a plurality of threat events is obtained.
Step S320: based on a machine learning model trained in advance, the threat events corresponding to the same attack node are identified according to the threat event information of the threat events, and based on the identification result, the threat events are aggregated to generate at least one security event corresponding to the threat events.
In this embodiment, a machine learning model is generated in advance, and the trained machine learning model is obtained through training of threat event information of a historical threat event. In the present embodiment, the specific structure of the machine learning model is not limited. For example, the machine learning model may include an input layer, at least one fully connected layer, and an output layer.
In the process of training a machine learning model with historical data (specifically, threat event information of historical threat events), the obtained threat event information of the historical threat events can first be cleaned to remove invalid data (such as stop words); features are then extracted from the cleaned historical data and converted into corresponding feature vectors, each generated feature vector is labeled with the attack node identifier or security event identifier to which it belongs, and the labeled feature vectors are input into the machine learning model for training. When the model's evaluation function (such as the loss function) falls below a preset threshold, training ends and the trained machine learning model is output.
In the execution process of this step, the threat event information of the plurality of threat events can be converted into corresponding input vectors and fed into the trained machine learning model. In one implementation mode, the attack nodes corresponding to the threat events are received as the output of the machine learning model; then, for any attack node, the threat events corresponding to the attack node are aggregated to generate a security event corresponding to the attack node, or a plurality of attack nodes with relevance are acquired and the threat events corresponding to these attack nodes are aggregated to generate a security event corresponding to the attack nodes. In another implementation mode, the security events corresponding to the respective threat events are received directly as the output of the machine learning model, so that threat events corresponding to the same security event are aggregated.
In the embodiment, the aggregation of the threat events can be automatically realized by utilizing the machine learning model, the processing efficiency is high, and the aggregation precision is higher.
Step S330: and generating alarm information corresponding to the security event, and sending the alarm information to the processing node matched with the security event.
Therefore, according to the embodiment, a large number of threat events can be aggregated into a small number of security events through aggregation processing of the threat events, so that the number of events to be processed is greatly reduced, the processing efficiency is improved, effective processing of the security events is facilitated, and the processing precision is improved; further, in this embodiment, threat events are aggregated specifically based on attack nodes, so that a plurality of threat events with the same attack characteristic are aggregated into one security event, thereby improving aggregation accuracy and further improving processing accuracy of the threat events; in addition, the machine learning model is adopted to realize the aggregation of the threat events, so that the aggregation precision and the aggregation efficiency of the threat events are improved; in addition, the embodiment can generate the security event which can embody the characteristics of the attack node and the security event which embodies the characteristics of the attack scene based on the service requirement, so that the specialized processing can be conveniently carried out on each attack node and each attack scene, and the processing precision is improved; in addition, the embodiment also generates the alarm information corresponding to the security event and sends the alarm information to the processing node matched with the security event, which is beneficial to rapidly processing the security event, thereby realizing the timely protection of the object to be protected.
Fig. 4 is a schematic structural diagram of a threat event processing apparatus according to an embodiment of the present invention. As shown in fig. 4, the apparatus includes: a threat event acquisition module 41, a recognition module 42, and an aggregation module 43.
A threat event acquisition module 41 adapted to acquire threat event information for a plurality of threat events;
an identification module 42 adapted to identify threat events corresponding to the same attack node based on threat event information of the plurality of threat events;
an aggregation module 43 adapted to aggregate the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events; wherein a security event is aggregated from a number of threat events.
Optionally, the aggregation module is further adapted to: and aiming at any attack node, carrying out aggregation processing on the threat events corresponding to the attack node to generate a security event corresponding to the attack node.
Optionally, the aggregation module is further adapted to: acquire a plurality of attack nodes with relevance, and aggregate the threat events corresponding to these attack nodes to generate a security event corresponding to the attack nodes.
Optionally, the multiple attack nodes with relevance correspond to the same attack scenario.
Optionally, the identification module is further adapted to: based on a rule model generated in advance, identifying threat events corresponding to the same attack node according to threat event information of the plurality of threat events;
the aggregation module is further adapted to: and performing aggregation processing on the plurality of threat events based on the recognition result based on a rule model generated in advance to generate at least one security event corresponding to the plurality of threat events.
Optionally, the identification module is further adapted to: based on a machine learning model trained in advance, identifying threat events corresponding to the same attack node according to threat event information of the plurality of threat events;
the aggregation module is further adapted to: and based on a pre-trained machine learning model and recognition results, carrying out aggregation processing on the plurality of threat events to generate at least one security event corresponding to the plurality of threat events.
Optionally, the threat event information includes at least one of the following information:
asset information, terminal process information, intelligence information, and risk level information.
Optionally, the attack node includes at least one of the following nodes:
the system comprises port scanning nodes, vulnerability attack nodes, Trojan embedded nodes, password blasting nodes, key information tampering nodes and high-risk event nodes.
Optionally, the apparatus further comprises: an alert module adapted to generate alert information corresponding to the security event subsequent to the generating of the at least one security event corresponding to the plurality of threat events.
Optionally, the apparatus further comprises: and the sending module is suitable for sending the alarm information to the processing node matched with the safety event after the alarm information corresponding to the safety event is generated.
The specific implementation process of each module in this embodiment may refer to the description of the corresponding part in the method embodiment, which is not described herein again.
Therefore, according to this scheme, a large number of threat events can be aggregated into a small number of security events, so that the number of events to be handled is greatly reduced, processing efficiency is improved and effective handling of the security events is facilitated, which improves processing accuracy. Furthermore, the scheme aggregates the threat events on the basis of attack nodes, so that a plurality of threat events sharing the same attack characteristic are merged into one security event, which further improves aggregation accuracy and hence the accuracy with which the threat events are processed.
According to one embodiment of the present invention, a non-transitory computer storage medium is provided that stores at least one executable instruction that may perform a threat event processing method of any of the above method embodiments.
Fig. 5 is a schematic structural diagram of a computing device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the computing device.
As shown in fig. 5, the computing device may include: a processor (processor)502, a Communications Interface 504, a memory 506, and a communication bus 508.
Wherein: the processor 502, communication interface 504, and memory 506 communicate with one another via a communication bus 508. A communication interface 504 for communicating with network elements of other devices, such as clients or other servers. The processor 502 is configured to execute the program 510, and may specifically perform the relevant steps in the above method embodiments.
In particular, program 510 may include program code that includes computer operating instructions.
The processor 502 may be a central processing unit CPU, or an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits configured to implement an embodiment of the present invention. The computing device includes one or more processors, which may be the same type of processor, such as one or more CPUs; or may be different types of processors such as one or more CPUs and one or more ASICs.
The memory 506 stores the program 510. The memory 506 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 510 may specifically be used to cause the processor 502 to perform the following operations:
obtaining threat event information for a plurality of threat events;
identifying threat events corresponding to the same attack node according to the threat event information of the plurality of threat events;
performing aggregation processing on the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events; wherein a security event is aggregated from a number of threat events.
In an alternative embodiment, the program 510 may be specifically configured to cause the processor 502 to perform the following operations:
for any one attack node, aggregating the threat events corresponding to that attack node to generate a security event corresponding to that attack node.
In an alternative embodiment, the program 510 may be specifically configured to cause the processor 502 to perform the following operations:
acquiring a plurality of associated attack nodes;
and aggregating the threat events corresponding to the plurality of attack nodes to generate a security event corresponding to the plurality of attack nodes.
In an alternative embodiment, the plurality of associated attack nodes correspond to the same attack scenario.
In an alternative embodiment, the program 510 may be specifically configured to cause the processor 502 to perform the following operations:
identifying, based on a rule model generated in advance and according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node, and aggregating, based on the identification result, the plurality of threat events to generate at least one security event corresponding to the plurality of threat events.
In an alternative embodiment, the program 510 may be specifically configured to cause the processor 502 to perform the following operations:
identifying, based on a machine learning model trained in advance and according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node, and aggregating, based on the identification result, the plurality of threat events to generate at least one security event corresponding to the plurality of threat events.
In an alternative embodiment, the threat event information includes at least one of:
asset information, terminal process information, intelligence information, and risk level information.
In an optional embodiment, the attack node comprises at least one of the following nodes:
a port scanning node, a vulnerability exploitation node, a Trojan implantation node, a password brute-forcing node, a critical information tampering node, and a high-risk event node.
In an alternative embodiment, the program 510 may be specifically configured to cause the processor 502 to perform the following operations:
generating alert information corresponding to the security event after the generating at least one security event corresponding to the plurality of threat events.
In an alternative embodiment, the program 510 may be specifically configured to cause the processor 502 to perform the following operations:
and after the alarm information corresponding to the security event is generated, sending the alarm information to a processing node matched with the security event.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the invention and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.
The invention discloses: A1. A method of threat event processing, comprising:
obtaining threat event information for a plurality of threat events;
identifying, according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node;
aggregating the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events; wherein each security event is aggregated from a number of threat events.
A2. The method of A1, wherein the aggregating the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events further comprises:
for any one attack node, aggregating the threat events corresponding to that attack node to generate a security event corresponding to that attack node.
A3. The method of A1, wherein the aggregating the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events further comprises:
acquiring a plurality of associated attack nodes;
and aggregating the threat events corresponding to the plurality of attack nodes to generate a security event corresponding to the plurality of attack nodes.
A4. The method of A3, wherein the plurality of associated attack nodes correspond to the same attack scenario.
A5. The method of any one of A1-A4, wherein the identifying, according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node, and the aggregating the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events further comprise:
identifying, based on a rule model generated in advance and according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node, and aggregating, based on the identification result, the plurality of threat events to generate at least one security event corresponding to the plurality of threat events.
A6. The method of any one of A1-A4, wherein the identifying, according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node, and the aggregating the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events further comprise:
identifying, based on a machine learning model trained in advance and according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node, and aggregating, based on the identification result, the plurality of threat events to generate at least one security event corresponding to the plurality of threat events.
A7. The method of any one of A1-A6, wherein the threat event information includes at least one of the following:
asset information, terminal process information, intelligence information, and risk level information.
A8. The method of any one of A1-A7, wherein the attack node comprises at least one of the following nodes:
a port scanning node, a vulnerability exploitation node, a Trojan implantation node, a password brute-forcing node, a critical information tampering node, and a high-risk event node.
A9. The method of any one of A1-A8, wherein, after the generating at least one security event corresponding to the plurality of threat events, the method further comprises:
generating alarm information corresponding to the security event.
A10. The method of A9, wherein, after the generating alarm information corresponding to the security event, the method further comprises:
sending the alarm information to a processing node matched with the security event.
The invention also discloses: B11. A threat event processing apparatus, comprising:
a threat event acquisition module adapted to acquire threat event information for a plurality of threat events;
an identification module adapted to identify, according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node;
an aggregation module adapted to aggregate the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events; wherein each security event is aggregated from a number of threat events.
B12. The apparatus of B11, wherein the aggregation module is further adapted to:
for any one attack node, aggregate the threat events corresponding to that attack node to generate a security event corresponding to that attack node.
B13. The apparatus of B11, wherein the aggregation module is further adapted to:
acquire a plurality of associated attack nodes;
and aggregate the threat events corresponding to the plurality of attack nodes to generate a security event corresponding to the plurality of attack nodes.
B14. The apparatus of B13, wherein the plurality of associated attack nodes correspond to the same attack scenario.
B15. The apparatus of any one of B11-B14, wherein the identification module is further adapted to: identify, based on a rule model generated in advance and according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node;
the aggregation module is further adapted to: aggregate, based on the rule model generated in advance and on the identification result, the plurality of threat events to generate at least one security event corresponding to the plurality of threat events.
B16. The apparatus of any one of B11-B14, wherein the identification module is further adapted to: identify, based on a machine learning model trained in advance and according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node;
the aggregation module is further adapted to: aggregate, based on the machine learning model trained in advance and on the identification result, the plurality of threat events to generate at least one security event corresponding to the plurality of threat events.
B17. The apparatus of any one of B11-B16, wherein the threat event information includes at least one of the following:
asset information, terminal process information, intelligence information, and risk level information.
B18. The apparatus of any one of B11-B17, wherein the attack node comprises at least one of the following nodes:
a port scanning node, a vulnerability exploitation node, a Trojan implantation node, a password brute-forcing node, a critical information tampering node, and a high-risk event node.
B19. The apparatus of any one of B11-B18, wherein the apparatus further comprises:
an alarm module adapted to generate, after the at least one security event corresponding to the plurality of threat events is generated, alarm information corresponding to the security event.
B20. The apparatus of B19, wherein the apparatus further comprises:
a sending module adapted to send, after the alarm information corresponding to the security event is generated, the alarm information to the processing node matched with the security event.
The invention also discloses: C21. A computing device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another via the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform operations corresponding to the threat event processing method of any one of A1-A10.
The invention also discloses: D22. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the threat event processing method of any one of A1-A10.

Claims (10)

1. A method of threat event processing, comprising:
obtaining threat event information for a plurality of threat events;
identifying, according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node;
aggregating the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events; wherein each security event is aggregated from a number of threat events.
2. The method of claim 1, wherein the aggregating the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events further comprises:
for any one attack node, aggregating the threat events corresponding to that attack node to generate a security event corresponding to that attack node.
3. The method of claim 1, wherein the aggregating the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events further comprises:
acquiring a plurality of associated attack nodes;
and aggregating the threat events corresponding to the plurality of attack nodes to generate a security event corresponding to the plurality of attack nodes.
4. The method of claim 3, wherein the plurality of associated attack nodes correspond to the same attack scenario.
5. The method of any one of claims 1-4, wherein the identifying, according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node, and the aggregating the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events further comprise:
identifying, based on a rule model generated in advance and according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node, and aggregating, based on the identification result, the plurality of threat events to generate at least one security event corresponding to the plurality of threat events.
6. The method of any one of claims 1-4, wherein the identifying, according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node, and the aggregating the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events further comprise:
identifying, based on a machine learning model trained in advance and according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node, and aggregating, based on the identification result, the plurality of threat events to generate at least one security event corresponding to the plurality of threat events.
7. The method of any one of claims 1-6, wherein the threat event information includes at least one of the following:
asset information, terminal process information, intelligence information, and risk level information.
8. A threat event processing apparatus, comprising:
a threat event acquisition module adapted to acquire threat event information for a plurality of threat events;
an identification module adapted to identify, according to the threat event information of the plurality of threat events, the threat events corresponding to the same attack node;
an aggregation module adapted to aggregate the plurality of threat events based on the identification result to generate at least one security event corresponding to the plurality of threat events; wherein each security event is aggregated from a number of threat events.
9. A computing device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another via the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform operations corresponding to the threat event processing method of any one of claims 1-7.
10. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the threat event processing method of any one of claims 1-7.
CN201911406184.0A 2019-12-31 2019-12-31 Threat event processing method and device Pending CN113132306A (en)

Publications (1)

Publication Number Publication Date
CN113132306A true CN113132306A (en) 2021-07-16

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826707A (en) * 2022-04-13 2022-07-29 中国人民解放军战略支援部队航天工程大学 Method, apparatus, electronic device and computer readable medium for handling user threats

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination