CN113132312A - Processing method and device for threat detection rule - Google Patents

Processing method and device for threat detection rule

Info

Publication number
CN113132312A
Authority
CN
China
Prior art keywords
rule
threat detection
category
classification
rules
Prior art date
Legal status
Pending
Application number
CN201911412288.2A
Other languages
Chinese (zh)
Inventor
张睿
叶若曦
朱灿
王禹
李斌
毛斯琪
肖瑞
Current Assignee
Suzhou 360 Intelligent Security Technology Co Ltd
Original Assignee
Suzhou 360 Intelligent Security Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Suzhou 360 Intelligent Security Technology Co Ltd
Priority to CN201911412288.2A
Publication of CN113132312A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses a method and a device for processing threat detection rules. The method comprises the following steps: extracting the rule name of each threat detection rule and pre-classifying the threat detection rules based on the extracted rule names to obtain a pre-classification result, in which each rule category corresponds to at least one threat detection rule; for each rule category in the at least one rule category, determining an attack scenario corresponding to the rule category; applying the at least one threat detection rule corresponding to the rule category to the attack scenario to obtain a threat detection result for each threat detection rule in the rule category; and verifying and adjusting the classification of the threat detection rules in the rule category based on the threat detection result of each threat detection rule in the rule category. With this scheme, threat detection rules can be accurately classified, which makes the rules easier to manage and reduces storage overhead and system overhead.

Description

Processing method and device for threat detection rule
Technical Field
The invention relates to the technical field of security, in particular to a method and a device for processing a threat detection rule.
Background
With the continuous development of science and technology and society, the appearance of various computers or internet products brings great convenience to the work and life of people. However, security threat issues for computer or internet products are also constantly occurring. Therefore, in order to facilitate timely handling of the security threat problem and reduce user loss, detection of the security threat problem is usually implemented by corresponding threat detection rules.
However, the inventor has found that the prior art has the following defect: the same threat detection rule is often expressed in different ways, which hinders the management and use of threat detection rules and easily wastes storage and system resources.
Disclosure of Invention
In view of the above, the present invention has been made to provide a method and apparatus for processing a threat detection rule that overcomes or at least partially solves the above problems.
According to an aspect of the present invention, there is provided a method for processing a threat detection rule, including:
extracting the rule name of the threat detection rule, and pre-classifying the threat detection rule based on the extracted rule name to obtain a pre-classification result, the pre-classification result comprising at least one rule category, each rule category corresponding to at least one threat detection rule;
for each rule category in the at least one rule category of the pre-classification result, determining an attack scenario corresponding to the rule category;
applying the at least one threat detection rule corresponding to the rule category to the attack scenario to obtain a threat detection result corresponding to each threat detection rule in the rule category;
and verifying and adjusting the classification of the threat detection rules in the rule category based on the threat detection result corresponding to each threat detection rule in the rule category, to obtain a final classification result.
According to another aspect of the present invention, there is provided a threat detection rule processing apparatus, including:
a pre-classification module, adapted to extract the rule name of the threat detection rule and to pre-classify the threat detection rule based on the extracted rule name to obtain a pre-classification result, the pre-classification result comprising at least one rule category, each rule category corresponding to at least one threat detection rule;
an attack scenario determining module, adapted to determine, for each rule category in the at least one rule category of the pre-classification result, an attack scenario corresponding to the rule category;
a detection result acquisition module, adapted to apply the at least one threat detection rule corresponding to the rule category to the attack scenario so as to obtain a threat detection result corresponding to each threat detection rule in the rule category;
and a verification adjusting module, adapted to verify and adjust the classification of the threat detection rules in the rule category based on the threat detection result corresponding to each threat detection rule in the rule category so as to obtain a final classification result.
According to yet another aspect of the present invention, there is provided a computing device comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is configured to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the processing method of the threat detection rule.
According to still another aspect of the present invention, a computer storage medium is provided, in which at least one executable instruction is stored, and the executable instruction causes a processor to execute operations corresponding to the processing method of the threat detection rule.
According to the processing method and device of the threat detection rule, the rule name of the threat detection rule is first extracted, and the threat detection rule is pre-classified based on the extracted rule name to obtain a pre-classification result; the pre-classification result comprises at least one rule category, and each rule category corresponds to at least one threat detection rule. Then, for each rule category in the at least one rule category of the pre-classification result, an attack scenario corresponding to the rule category is determined, and the at least one threat detection rule corresponding to the rule category is applied to the attack scenario to obtain a threat detection result corresponding to each threat detection rule in the rule category. Finally, based on the threat detection result corresponding to each threat detection rule in the rule category, the classification of the threat detection rules in the rule category is verified and adjusted to obtain a final classification result. With this scheme, threat detection rules can be accurately classified, which makes the rules easier to manage and reduces storage overhead and system overhead.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow diagram illustrating a method for processing threat detection rules, according to an embodiment of the invention;
FIG. 2 is a flow diagram illustrating a method for processing threat detection rules, according to another embodiment of the invention;
FIG. 3 is a functional block diagram of a threat detection rule processing apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a computing device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 is a flowchart illustrating a processing method of a threat detection rule according to an embodiment of the present invention, where the method is applied to a computing device with corresponding processing capability, and the present embodiment does not limit the type of the computing device. For example, the method may be used as an application software to run in a mobile terminal device (such as a mobile phone, a tablet computer, a smart watch, and the like), and may also run in a fixed computing device such as a server side and the like.
As shown in fig. 1, the method comprises the steps of:
step S110, extracting the rule name of the threat detection rule, and pre-classifying the threat detection rule based on the extracted rule name of the threat detection rule to obtain a pre-classification result.
In this embodiment, threat detection rules can be accurately classified, where the embodiment does not limit the specific types of the threat detection rules, for example, the threat detection rules may be threat detection rules for a terminal or threat detection rules for a network side; but also threat detection rules for a certain type of specific information or application, such as threat detection rules for mail, short messages, etc.
In a specific implementation process, since the rule name can reflect the core content of the threat detection rule, the rule name of the threat detection rule is extracted first in the present application, and the specific rule name extraction manner is not limited in this embodiment.
Further, the threat detection rules are pre-classified based on the extracted rule names of the threat detection rules to obtain a pre-classification result. Specifically, after extracting the rule name of the threat detection rule, the embodiment first performs pre-classification of the threat detection rule by using the rule name. Wherein the pre-classification result is not the final classification result. At least one rule category is included in the pre-classification result, each rule category corresponding to at least one threat detection rule.
The preliminary classification of the threat detection rules can be realized through the step, and in order to further improve the classification accuracy of the threat detection rules, the embodiment further performs verification adjustment on the pre-classification result through the subsequent steps S120 to S140 to obtain a final classification result.
Step S120, for each rule category in at least one rule category in the pre-classification result, determining an attack scenario corresponding to the rule category.
In the process of checking and adjusting the pre-classification result, the embodiment first configures a corresponding attack scenario for each rule category in at least one rule category in the pre-classification result (for example, an attack scenario corresponding to a "port attack" rule category may be "the number of attacks on a certain port exceeds a preset threshold"). The attack scenarios are capable of simulating true attack behavior, and one rule class may correspond to one or more attack scenarios. The present embodiment does not limit the configuration manner of the attack scenario corresponding to each rule category, and a person skilled in the art can configure a corresponding attack scenario for a corresponding rule category according to an actual service condition.
Step S130, applying at least one threat detection rule corresponding to the rule category to the attack scenario to obtain a threat detection result corresponding to each threat detection rule in the rule category.
After the attack scenario corresponding to the rule category is determined, the threat detection rules corresponding to the rule category may be run in the attack scenario, so as to obtain a threat detection result corresponding to each threat detection rule in the rule category.
For example, the attack scenario corresponding to the "port attack" rule category is that "the number of attacks on a certain port exceeds a preset threshold", and in the pre-classification result the "port attack" rule category corresponds to threat detection rule A, threat detection rule B and threat detection rule C. In this step, in the operating environment where "the number of attacks on a certain port exceeds the preset threshold", threat detection rule A, threat detection rule B and threat detection rule C are each used for threat detection, so as to obtain their respective threat detection results.
In an optional implementation manner, in the process of checking and adjusting the pre-classification result, in order to avoid an influence on an actual object to be threat detected, and improve user experience, in this embodiment, at least one threat detection rule corresponding to the rule category may be applied to the attack scenario in a sandbox environment, so as to obtain a threat detection result corresponding to each threat detection rule in the rule category.
Step S140, based on the threat detection result corresponding to each threat detection rule in the rule category, checking and adjusting the classification of the threat detection rules in the rule category to obtain a final classification result.
After the threat detection result corresponding to each threat detection rule in the rule category is obtained, matching the threat detection result of each threat detection rule in the rule category with the standard detection result corresponding to the rule category, so that the classification of the threat detection rules in the rule category can be verified and adjusted according to the matching result to obtain a final classification result.
Along the above example, if the threat detection result corresponding to threat detection rule A matches the standard detection result corresponding to the "port attack" rule category, it is determined that the pre-classification result of threat detection rule A is accurate, and threat detection rule A is therefore assigned to the "port attack" rule category; if the threat detection result corresponding to threat detection rule B does not match the standard detection result corresponding to the "port attack" rule category, it is determined that the pre-classification result of threat detection rule B is wrong, so that threat detection rule B is no longer assigned to the "port attack" rule category.
Therefore, in the embodiment, the rule name of the threat detection rule is extracted at first, and the threat detection rule is pre-classified based on the extracted rule name of the threat detection rule to obtain a pre-classification result; and further verifying the pre-classification result through the threat detection result of the threat detection rule corresponding to the rule class in the pre-classification result in the corresponding attack scene, so as to obtain the final classification result. Therefore, by adopting the scheme, the threat detection rules can be accurately classified, so that the threat detection rules are conveniently managed, and the storage overhead and the system overhead are reduced.
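Steps S110 to S140 above, as an added example that is not part of the patent: a keyword-based pre-classification (the patent leaves the name-extraction method open), one constructed attack scenario per rule category, the category's rules run against that scenario, and the verification of each result against the category's standard detection result. The rule names, category keywords, thresholds and scenario events are all constructed for this example.

```python
"""Added example (not the patent's code): a minimal run of steps S110 to S140.
All rule names, category keywords, thresholds and scenario events are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, object]   # one constructed log-style event


@dataclass
class Rule:
    name: str
    detect: Callable[[List[Event]], bool]   # True when the rule fires on the event stream


@dataclass
class Scenario:
    events: List[Event]
    standard_result: bool                   # result a correctly classified rule must produce


# S110: pre-classification from the rule name.  The patent leaves the extraction method
# open (its second embodiment uses a machine learning model); keyword matching is used here.
CATEGORY_KEYWORDS = {
    "port attack": ("port", "scan", "syn"),
    "brute force": ("brute", "password", "login"),
}


def pre_classify(rules: List[Rule]) -> Dict[str, List[Rule]]:
    result: Dict[str, List[Rule]] = {cat: [] for cat in CATEGORY_KEYWORDS}
    result["unclassified"] = []
    for rule in rules:
        name = rule.name.lower()
        category = next((cat for cat, keywords in CATEGORY_KEYWORDS.items()
                         if any(k in name for k in keywords)), "unclassified")
        result[category].append(rule)
    return result


# S120: one constructed attack scenario per rule category.
PORT_THRESHOLD = 5


def port_attack_scenario() -> Scenario:
    # Eight connection attempts against one port exceed the preset threshold.
    events = [{"kind": "conn", "dst_port": 445, "src": "10.0.0.9"} for _ in range(8)]
    return Scenario(events, standard_result=True)


def brute_force_scenario() -> Scenario:
    events = [{"kind": "login", "user": "admin", "ok": False, "src": "10.0.0.9"} for _ in range(6)]
    return Scenario(events, standard_result=True)


SCENARIOS = {"port attack": port_attack_scenario(), "brute force": brute_force_scenario()}


# S130: apply every rule of a category to the category's scenario.
def run_category(rules: List[Rule], scenario: Scenario) -> Dict[str, bool]:
    return {rule.name: bool(rule.detect(scenario.events)) for rule in rules}


# S140: a rule whose result matches the standard result keeps its category;
# otherwise its pre-classification was wrong and it is removed from that category.
def verify_and_adjust(pre: Dict[str, List[Rule]]):
    final: Dict[str, List[Rule]] = {cat: [] for cat in pre}
    rejected: List[Rule] = []
    for category, rules in pre.items():
        scenario = SCENARIOS.get(category)
        if scenario is None:
            final[category].extend(rules)
            continue
        results = run_category(rules, scenario)
        for rule in rules:
            if results[rule.name] == scenario.standard_result:
                final[category].append(rule)
            else:
                rejected.append(rule)
    return final, rejected


# Constructed rules.  port_login_guard is a brute-force detector with a misleading name:
# its name puts it in "port attack" at S110, its behaviour moves it out again at S140.
def port_count_rule(events: List[Event]) -> bool:
    per_port = Counter(e["dst_port"] for e in events if e["kind"] == "conn")
    return any(n > PORT_THRESHOLD for n in per_port.values())


def failed_login_rule(events: List[Event]) -> bool:
    return sum(1 for e in events if e["kind"] == "login" and not e["ok"]) >= 5


RULES = [
    Rule("port_scan_threshold", port_count_rule),
    Rule("port_login_guard", failed_login_rule),
    Rule("password_brute_force", failed_login_rule),
]


def classify(rules: List[Rule] = RULES):
    """Returns ({category: [rule names]}, [names of rules rejected at S140])."""
    final, rejected = verify_and_adjust(pre_classify(rules))
    return {c: [r.name for r in rs] for c, rs in final.items()}, [r.name for r in rejected]
```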
Fig. 2 is a flowchart illustrating a processing method of a threat detection rule according to another embodiment of the present invention, where the method is applied to a computing device with corresponding processing capability, and the present embodiment does not limit the type of the computing device. For example, the method may be implemented as an application software running in a mobile terminal device (e.g., a mobile phone, a tablet computer, a smart watch, etc.), or may be implemented in a fixed computing device such as a server, and the processing method of the threat detection rule provided in this embodiment is directed to further optimization of the method shown in fig. 1.
As shown in fig. 2, the method comprises the steps of:
Step S210, extracting the rule name of the threat detection rule, and pre-classifying the threat detection rule by using a machine learning model based on the extracted rule name of the threat detection rule.
In the embodiment, in order to improve the accuracy of the pre-classification result, the rule names of the extracted threat detection rules are pre-classified in a machine learning manner. The pre-classification result comprises at least one rule category, and each rule category corresponds to at least one threat detection rule.
In the process of pre-classifying threat detection rules by adopting a machine learning model, firstly, the machine learning model is constructed. The specific type of the machine learning model is not limited in this embodiment, and for example, the machine learning model may be constructed by using a supervised machine learning algorithm. The machine learning model may include an input layer, a connection layer, and an output layer, and the specific number of connection layers is not limited in this embodiment. In the initial machine learning model training process, training samples can be configured in advance, the samples can comprise positive samples and/or negative samples, and the trained machine learning model is obtained through training of the training samples when the loss function value is smaller than a preset loss threshold value.
Furthermore, in the process of pre-classifying by using the trained machine learning model, the extracted rule name of the threat detection rule can be converted into a corresponding feature vector, and then the corresponding feature vector is input into the trained machine learning model, so that the pre-classification of the threat detection rule is realized.
Step S220, for each rule category in at least one rule category in the pre-classification result, determining an attack scenario corresponding to the rule category, and applying at least one threat detection rule corresponding to the rule category to the attack scenario to obtain a threat detection result corresponding to each threat detection rule in the rule category.
The specific implementation process of this step may refer to the descriptions of the corresponding parts in step S120 and step S130, which is not described herein again.
In an alternative embodiment, if a rule category in the pre-classification result corresponds to multiple threat detection rules, and the threat detection results of more than a preset proportion (for example, 90 percent) or a preset number of these rules are the same as each other but differ from the standard threat detection result corresponding to the rule category, corresponding anomaly information is fed back. That feedback may be used to adjust the standard threat detection result corresponding to the rule category, or to adjust the rule category name; the threat detection rules exceeding the preset proportion or the preset number may further be clustered into a new rule category, and the category name of the new rule category is obtained from the rule names of those threat detection rules.
Step S230, based on the threat detection result corresponding to each threat detection rule in the rule category, checking and adjusting the classification of the threat detection rules in the rule category to obtain a final classification result.
If the threat detection result corresponding to the threat detection rule in the rule category is matched with the rule category, determining that the pre-classification check of the threat detection rule is successful, and taking the pre-classification category of the threat detection rule as the final classification; if the threat detection result corresponding to the threat detection rule in the rule category is not matched with the rule category, determining that the pre-classification verification of the threat detection rule is unsuccessful, and adjusting the classification of the threat detection rule. Optionally, after the final classification result is obtained, a corresponding category label may be assigned to each threat detection rule, so as to facilitate subsequent management and use of the threat detection rules.
Optionally, in the process of determining that the pre-classification verification of the threat detection rule is unsuccessful and adjusting the classification of the threat detection rule, in order to quickly and accurately re-determine the classification of the threat detection rule, the classification of the threat detection rule may be adjusted according to the matching degree between the threat detection result corresponding to the threat detection rule and the other rule categories, and/or according to the matching degree between the rule name of the threat detection rule and the other rule categories. For example, the final classification of the threat detection rule may be determined by a weighted sum manner according to the matching degree of the threat detection result corresponding to the threat detection rule with other rule categories and the weight value of the threat detection result, and the matching degree of the rule name of the threat detection rule with other rule categories and the weight value of the rule name; or after partial deletion or supplement is carried out on the rule name of the threat detection rule (such as corresponding special symbols are removed), the rule name is put into the machine learning model again for pre-classification, and further verification and adjustment are carried out according to the pre-classification result.
In an optional implementation manner, after the final classification result is obtained, the classification result of the threat detection rule after being verified and adjusted may be further fed back to the machine learning model in step S210, so that the machine learning model can adaptively adjust its relevant parameters, so as to achieve the purpose of optimizing the machine learning model and improving the accuracy of the subsequent pre-classification result.
In yet another optional implementation manner, after the final classification result of the threat detection rule is obtained, in order to further reduce the system storage overhead and improve the convenience of using the threat detection rule by the user, in this embodiment, the duplicate removal processing may be performed on the threat detection rule included in the rule category in response to a situation that the threat detection rule corresponding to the rule category includes multiple threat detection rules. In an actual implementation process, in a final classification result of this embodiment, rule names of threat detection rules corresponding to the same rule category have similarity, and threat detection results of threat detection rules corresponding to the same rule category are the same, that is, it indicates that a plurality of threat detection rules corresponding to the same rule category in this embodiment are only different in expression manner, and their functions are often the same. Based on this, in this embodiment, only one threat detection rule in the rule category may be retained, and other threat detection rules in the rule category may be subjected to elimination processing, so that after deduplication processing, only one threat detection rule is included in the same rule category.
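The optional processing of this embodiment after verification (the consensus check of the alternative embodiment described after step S220, the weighted-sum reassignment of a rule whose pre-classification verification failed, and the deduplication described above), as an added example that is not part of the patent; it operates on detection results that have already been collected. The categories, scenarios, standard results, rule names and weights are all constructed.

```python
"""Added example (not the patent's code): optional processing after verification,
applied to detection results already collected at step S220.  Categories, scenarios,
standard results, rule names and weights are all constructed."""
from collections import Counter
import re

CONSENSUS_SHARE = 0.9          # the patent's preset proportion, e.g. 90 percent
W_RESULT, W_NAME = 0.7, 0.3    # constructed weights for the weighted-sum adjustment

# category -> {scenario: standard detection result}; category -> rule-name keywords
STANDARD = {
    "port attack": {"port_burst": True, "login_burst": False},
    "brute force": {"port_burst": False, "login_burst": True},
}
CATEGORY_KEYWORDS = {
    "port attack": {"port", "scan", "syn"},
    "brute force": {"brute", "password", "login"},
}


def tokens(name):
    return set(re.split(r"[_\-\s]+", name.lower()))


def signature(results):
    """Hashable form of one rule's {scenario: bool} result vector."""
    return tuple(sorted(results.items()))


def consensus_anomaly(results, standard):
    """results: {rule_name: {scenario: bool}} of one category; standard: its
    {scenario: bool}.  Returns the names of rules that agree with each other on every
    scenario, make up at least CONSENSUS_SHARE of the category, yet contradict the
    standard result: the anomaly the patent feeds back for adjustment."""
    if len(results) < 2:
        return set()
    common_sig, count = Counter(signature(r) for r in results.values()).most_common(1)[0]
    if count / len(results) >= CONSENSUS_SHARE and common_sig != signature(standard):
        return {n for n, r in results.items() if signature(r) == common_sig}
    return set()


def new_category_name(names):
    """Name for a split-off cluster: the tokens shared by all of its rule names."""
    if not names:
        return "unnamed cluster"
    common = set.intersection(*(tokens(n) for n in names))
    return " ".join(sorted(common)) or "unnamed cluster"


def result_match(rule_results, standard):
    return sum(rule_results.get(s) == v for s, v in standard.items()) / len(standard)


def name_match(name, keywords):
    return len(tokens(name) & keywords) / len(keywords)


def reassign(name, rule_results, exclude):
    """Weighted sum of the detection-result match degree and the rule-name match degree
    against every other category; returns (best_category, score)."""
    best = None
    for category, standard in STANDARD.items():
        if category == exclude:
            continue
        score = (W_RESULT * result_match(rule_results, standard)
                 + W_NAME * name_match(name, CATEGORY_KEYWORDS[category]))
        if best is None or score > best[1]:
            best = (category, score)
    return best


def deduplicate(results):
    """Keep one rule per distinct result vector (first name in sorted order wins); after
    verification every rule of a category has the standard vector, so one rule remains."""
    kept, seen = [], set()
    for name in sorted(results):
        if signature(results[name]) not in seen:
            seen.add(signature(results[name]))
            kept.append(name)
    return kept


def demo():
    # Constructed results of the "port attack" category after S220.
    port_results = {
        "port_scan_threshold": {"port_burst": True, "login_burst": False},
        "port_syn_count": {"port_burst": True, "login_burst": False},
        "port_login_guard": {"port_burst": False, "login_burst": True},  # misnamed rule
    }
    anomaly = consensus_anomaly(port_results, STANDARD["port attack"])   # 2 of 3 < 90 %
    target, score = reassign("port_login_guard", port_results["port_login_guard"], "port attack")
    kept = deduplicate({n: r for n, r in port_results.items() if n != "port_login_guard"})
    return anomaly, target, round(score, 3), kept


def consensus_demo():
    # Constructed: ten rules pre-classified as "brute force", nine of which fire only in
    # the port scenario, so the majority contradicts the category's standard result.
    results = {f"ssh_port_probe_{i}": {"port_burst": True, "login_burst": False} for i in range(9)}
    results["password_spray"] = {"port_burst": False, "login_burst": True}
    cluster = consensus_anomaly(results, STANDARD["brute force"])
    return sorted(cluster), new_category_name(cluster)
```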
Therefore, in the embodiment, the rule name of the threat detection rule is extracted at first, and the threat detection rule is pre-classified by using a machine learning model based on the extracted rule name of the threat detection rule so as to obtain an accurate pre-classification result; and further verifying the pre-classification result through the threat detection result of the threat detection rule corresponding to the rule class in the pre-classification result in the corresponding attack scene, so as to obtain the final classification result. By adopting the scheme, the threat detection rules can be accurately classified, so that the threat detection rules are conveniently managed, and the storage cost and the system cost are reduced; in addition, the embodiment can perform duplicate removal processing on the threat detection results in the same rule category, further save system storage overhead, and improve the use convenience of the threat detection rules.
Fig. 3 is a functional block diagram of a threat detection rule processing apparatus according to an embodiment of the present invention. As shown in fig. 3, the apparatus includes a pre-classification module 31, an attack scenario determination module 32, a detection result acquisition module 33 and a verification adjusting module 34.
The pre-classification module 31 is adapted to extract the rule name of the threat detection rule, and pre-classify the threat detection rule based on the extracted rule name of the threat detection rule to obtain a pre-classification result; the pre-classification result comprises at least one rule category, and each rule category corresponds to at least one threat detection rule;
the attack scenario determination module 32 is adapted to determine, for each rule category in at least one rule category in the pre-classification result, an attack scenario corresponding to the rule category;
the detection result acquisition module 33 is adapted to apply at least one threat detection rule corresponding to the rule category to the attack scenario to obtain a threat detection result corresponding to each threat detection rule in the rule category;
and the verification adjusting module 34 is adapted to perform verification adjustment on the classification of the threat detection rules in the rule category based on the threat detection result corresponding to each threat detection rule in the rule category to obtain a final classification result.
Optionally, the pre-classification module 31 is further adapted to: and based on the extracted rule name of the threat detection rule, adopting a machine learning model to perform pre-classification on the threat detection rule.
Optionally, the pre-classification module 31 is further adapted to: converting the rule name of the extracted threat detection rule into a corresponding feature vector; inputting the feature vectors into the machine learning model to pre-classify threat detection rules.
Optionally, the apparatus further comprises: a feedback module (not shown in the figure) adapted to feed back the classification result of the threat detection rule after the verification adjustment on the classification of the threat detection rule in the rule category to the machine learning model to optimize the machine learning model.
Optionally, the verification adjusting module 34 is further adapted to: if the threat detection result corresponding to the threat detection rule in the rule category matches the rule category, determine that the pre-classification verification of the threat detection rule is successful; and if the threat detection result corresponding to the threat detection rule in the rule category does not match the rule category, determine that the pre-classification verification of the threat detection rule is unsuccessful, and adjust the classification of the threat detection rule.
Optionally, the verification adjusting module 34 is further adapted to adjust the classification of the threat detection rule according to the matching degree between the threat detection result corresponding to the threat detection rule and other rule categories and/or according to the matching degree between the rule name of the threat detection rule and other rule categories.
Optionally, the apparatus further comprises a deduplication module (not shown in the figure), adapted to perform deduplication processing on the threat detection rules included in a rule category when, after the classification of the threat detection rules in the rule category has been verified and adjusted, the rule category still corresponds to multiple threat detection rules.
The specific implementation process of each device in this embodiment may refer to the description of the corresponding part in the method embodiment of fig. 1 and/or fig. 2, which is not described herein again.
In this embodiment, therefore, the rule name of each threat detection rule is extracted first, and the threat detection rules are pre-classified on the basis of the extracted rule names to obtain a pre-classification result; the pre-classification result is then verified by applying the threat detection rules of each rule category to the attack scene corresponding to that category and examining their threat detection results, which yields the final classification result. The scheme thus classifies threat detection rules accurately, which facilitates their management and reduces storage overhead and system overhead.
According to one embodiment of the invention, a non-transitory computer storage medium is provided that stores at least one executable instruction that may perform a method of processing a threat detection rule in any of the method embodiments described above.
The executable instructions may be specifically configured to cause the processor to:
extracting the rule name of the threat detection rule, and pre-classifying the threat detection rule based on the extracted rule name of the threat detection rule to obtain a pre-classification result; the pre-classification result comprises at least one rule category, and each rule category corresponds to at least one threat detection rule;
for each rule category of the at least one rule category in the pre-classification result, determining an attack scene corresponding to the rule category;
applying at least one threat detection rule corresponding to the rule category to the attack scene to obtain a threat detection result corresponding to each threat detection rule in the rule category;
and based on the threat detection result corresponding to each threat detection rule in the rule category, verifying and adjusting the classification of the threat detection rules in the rule category to obtain a final classification result.
In an alternative embodiment, the executable instructions may be specifically configured to cause the processor to:
based on the extracted rule name of the threat detection rule, pre-classifying the threat detection rule by means of a machine learning model.
In an alternative embodiment, the executable instructions may be specifically configured to cause the processor to:
converting the rule name of the extracted threat detection rule into a corresponding feature vector;
inputting the feature vectors into the machine learning model to pre-classify threat detection rules.
In an alternative embodiment, the executable instructions may be specifically configured to cause the processor to:
feeding the classification result of the threat detection rules obtained after the verification and adjustment back to the machine learning model, so as to optimize the machine learning model.
In an alternative embodiment, the executable instructions may be specifically configured to cause the processor to:
if the threat detection result corresponding to the threat detection rule in the rule category is matched with the rule category, determining that the pre-classification verification of the threat detection rule is successful;
if the threat detection result corresponding to the threat detection rule in the rule category is not matched with the rule category, determining that the pre-classification verification of the threat detection rule is unsuccessful, and adjusting the classification of the threat detection rule.
In an alternative embodiment, the executable instructions may be specifically configured to cause the processor to:
adjusting the classification of the threat detection rule according to the degree to which the threat detection result corresponding to the threat detection rule matches other rule categories, and/or the degree to which the rule name of the threat detection rule matches other rule categories.
In an alternative embodiment, the executable instructions may be specifically configured to cause the processor to:
if the rule category corresponds to a plurality of threat detection rules, deduplicating the threat detection rules contained in the rule category.
In this embodiment, therefore, the rule name of each threat detection rule is extracted first, and the threat detection rules are pre-classified by a machine learning model on the basis of the extracted rule names, so as to obtain an accurate pre-classification result; the pre-classification result is then verified by applying the threat detection rules of each rule category to the attack scene corresponding to that category and examining their threat detection results, which yields the final classification result. The scheme thus classifies threat detection rules accurately, which facilitates their management and reduces storage cost and system cost; in addition, this embodiment can deduplicate the threat detection rules within the same rule category, which further saves storage overhead and makes the threat detection rules more convenient to use.
Fig. 4 is a schematic structural diagram of a computing device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the computing device.
As shown in fig. 4, the computing device may include: a processor 402, a communication interface 404, a memory 406, and a communication bus 408.
The processor 402, the communication interface 404 and the memory 406 communicate with each other via the communication bus 408. The communication interface 404 is used for communicating with network elements of other devices, such as clients or other servers. The processor 402 is configured to execute the program 410, and may in particular perform the relevant steps of the above-described embodiments of the processing method for threat detection rules.
Specifically, the program 410 may include program code that comprises computer operating instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The computing device includes one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 406 is used for storing the program 410. The memory 406 may comprise high-speed RAM, and may also include non-volatile memory, such as at least one disk memory.
The program 410 may specifically be configured to cause the processor 402 to perform the following operations:
extracting the rule name of the threat detection rule, and pre-classifying the threat detection rule based on the extracted rule name of the threat detection rule to obtain a pre-classification result; the pre-classification result comprises at least one rule category, and each rule category corresponds to at least one threat detection rule;
for each rule category of the at least one rule category in the pre-classification result, determining an attack scene corresponding to the rule category;
applying at least one threat detection rule corresponding to the rule category to the attack scene to obtain a threat detection result corresponding to each threat detection rule in the rule category;
and based on the threat detection result corresponding to each threat detection rule in the rule category, verifying and adjusting the classification of the threat detection rules in the rule category to obtain a final classification result.
In an alternative embodiment, the program 410 may be specifically configured to cause the processor 402 to perform the following operations:
based on the extracted rule name of the threat detection rule, pre-classifying the threat detection rule by means of a machine learning model.
In an alternative embodiment, the program 410 may be specifically configured to cause the processor 402 to perform the following operations:
converting the rule name of the extracted threat detection rule into a corresponding feature vector;
inputting the feature vectors into the machine learning model to pre-classify threat detection rules.
In an alternative embodiment, the program 410 may be specifically configured to cause the processor 402 to perform the following operations:
feeding the classification result of the threat detection rules obtained after the verification and adjustment back to the machine learning model, so as to optimize the machine learning model.
In an alternative embodiment, the program 410 may be specifically configured to cause the processor 402 to perform the following operations:
if the threat detection result corresponding to the threat detection rule in the rule category is matched with the rule category, determining that the pre-classification verification of the threat detection rule is successful;
if the threat detection result corresponding to the threat detection rule in the rule category is not matched with the rule category, determining that the pre-classification verification of the threat detection rule is unsuccessful, and adjusting the classification of the threat detection rule.
In an alternative embodiment, the program 410 may be specifically configured to cause the processor 402 to perform the following operations:
adjusting the classification of the threat detection rule according to the degree to which the threat detection result corresponding to the threat detection rule matches other rule categories, and/or the degree to which the rule name of the threat detection rule matches other rule categories.
In an alternative embodiment, the program 410 may be specifically configured to cause the processor 402 to perform the following operations:
if the rule category corresponds to a plurality of threat detection rules, deduplicating the threat detection rules contained in the rule category.
In this embodiment, therefore, the rule name of each threat detection rule is extracted first, and the threat detection rules are pre-classified by a machine learning model on the basis of the extracted rule names, so as to obtain an accurate pre-classification result; the pre-classification result is then verified by applying the threat detection rules of each rule category to the attack scene corresponding to that category and examining their threat detection results, which yields the final classification result. The scheme thus classifies threat detection rules accurately, which facilitates their management and reduces storage cost and system cost; in addition, this embodiment can deduplicate the threat detection rules within the same rule category, which further saves storage overhead and makes the threat detection rules more convenient to use.
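The procedure set out in the embodiments above and restated in claims 1 to 7 (extracting rule names, pre-classifying by a model over rule-name feature vectors, running each category's rules against its attack scene, confirming or moving rules by matching degree, feeding the result back to the model, and deduplicating), carried through as an added Python example; this is not the patent's own code. The three categories, the naive Bayes model, the regex-based rule form, the scene events and the 0.5 confirmation threshold are all constructed assumptions, since the patent specifies none of them.

```python
import math
import re
from collections import Counter, defaultdict, namedtuple

# Assumed rule form: a name (the only input to pre-classification) and a regex
# applied to each event of an attack scene.
Rule = namedtuple("Rule", "name pattern")

def tokens(text):
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))  # name -> feature vector

class NameClassifier:
    """Multinomial naive Bayes over name tokens; stands in for the unspecified model."""
    def __init__(self):
        self.word_counts = defaultdict(Counter)
        self.doc_counts = Counter()
    def fit(self, labelled):
        for name, cat in labelled:
            self.word_counts[cat].update(tokens(name))
            self.doc_counts[cat] += 1
        return self
    def score(self, name):
        """Log-probability of each category given the name (add-one smoothing)."""
        vocab = {w for wc in self.word_counts.values() for w in wc}
        scores = {}
        for cat, wc in self.word_counts.items():
            denom = sum(wc.values()) + len(vocab)
            s = math.log(self.doc_counts[cat] / sum(self.doc_counts.values()))
            for w, n in tokens(name).items():
                s += n * math.log((wc[w] + 1) / denom)
            scores[cat] = s
        return scores

def pre_classify(rules, model):
    """Step 1: pre-classification result (category -> rules) from rule names alone."""
    result = defaultdict(list)
    for rule in rules:
        scores = model.score(rule.name)
        result[max(scores, key=scores.get)].append(rule)
    return result

def detection_rate(rule, scene):
    """Step 3: apply one rule to a scene; fraction of the scene's events it fires on."""
    return sum(bool(re.search(rule.pattern, ev)) for ev in scene) / len(scene)

def verify_and_adjust(pre, scenes, model, threshold=0.5):
    """Step 4: confirm a rule whose result in its own category's scene reaches the
    threshold; otherwise move it to the category with the highest matching degree
    (detection rate first, rule-name similarity as the tie-breaker)."""
    final = defaultdict(list)
    for cat, rules in pre.items():
        for rule in rules:
            if detection_rate(rule, scenes[cat]) >= threshold:
                final[cat].append(rule)
                continue
            name_scores = model.score(rule.name)
            best = max((c for c in scenes if c != cat),
                       key=lambda c: (detection_rate(rule, scenes[c]), name_scores[c]))
            final[best].append(rule)
    return final

def deduplicate(final):
    """Rules of one category sharing a pattern are duplicates; keep the first of each."""
    return {cat: [r for i, r in enumerate(rules)
                  if all(r.pattern != q.pattern for q in rules[:i])]
            for cat, rules in final.items()}

# Constructed training data: labelled rule names for three assumed categories.
TRAINING = [
    ("SQL injection via UNION SELECT in query string", "sqli"),
    ("SQL injection boolean blind in login form", "sqli"),
    ("Brute force login many failed attempts", "brute_force"),
    ("Brute force SSH password guessing", "brute_force"),
    ("Directory traversal dot dot slash in path", "traversal"),
    ("Path traversal access to etc passwd", "traversal"),
]
# Constructed attack scenes (step 2): a few sample events per category.
SCENES = {
    "sqli": ["GET /items?id=1 UNION SELECT username,password FROM users",
             "POST /login user=admin' OR '1'='1", "GET /search?q=' OR 1=1--"],
    "brute_force": ["sshd: Failed password for root from 10.0.0.5 port 50112",
                    "sshd: Failed password for admin from 10.0.0.5 port 50113"],
    "traversal": ["GET /download?file=../../../../etc/passwd",
                  "GET /static/..%2f..%2fetc/passwd"],
}
# Constructed rules; the third has a misleading, web-form-like name and is expected
# to be pre-classified as sqli, then moved to brute_force by the verification step.
RULES = [
    Rule("SQL injection tautology OR 1=1", r"OR\s+'?1'?\s*=\s*'?1"),
    Rule("Brute force repeated failed password", r"Failed password"),
    Rule("Login form credential failures", r"Failed password for"),
    Rule("Path traversal using dot-dot-slash", r"\.\./|\.\.%2f"),
    Rule("Directory traversal via ../ sequence", r"\.\./|\.\.%2f"),  # duplicate pattern
]

def run_pipeline(rules=RULES, training=TRAINING, scenes=SCENES):
    """Whole pipeline; returns (pre-classification, final classification) as
    category -> rule names, after feeding the final labels back into the model."""
    model = NameClassifier().fit(training)
    pre = pre_classify(rules, model)
    final = deduplicate(verify_and_adjust(pre, scenes, model))
    model.fit([(r.name, cat) for cat, rs in final.items() for r in rs])  # feedback
    return ({c: [r.name for r in rs] for c, rs in pre.items()},
            {c: [r.name for r in rs] for c, rs in final.items()})
```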
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera does not indicate any ordering. These words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.
The invention discloses: A1. a method of processing threat detection rules, comprising:
extracting the rule name of the threat detection rule, and pre-classifying the threat detection rule based on the extracted rule name of the threat detection rule to obtain a pre-classification result; the pre-classification result comprises at least one rule category, and each rule category corresponds to at least one threat detection rule;
for each rule category of the at least one rule category in the pre-classification result, determining an attack scene corresponding to the rule category;
applying at least one threat detection rule corresponding to the rule category to the attack scene to obtain a threat detection result corresponding to each threat detection rule in the rule category;
and based on the threat detection result corresponding to each threat detection rule in the rule category, verifying and adjusting the classification of the threat detection rules in the rule category to obtain a final classification result.
A2. The method of A1, wherein the pre-classifying threat detection rules based on the rule name of the extracted threat detection rule further comprises:
based on the extracted rule name of the threat detection rule, pre-classifying the threat detection rule by means of a machine learning model.
A3. The method of A2, wherein the pre-classifying threat detection rules based on the rule name of the extracted threat detection rule further comprises:
converting the rule name of the extracted threat detection rule into a corresponding feature vector;
inputting the feature vectors into the machine learning model to pre-classify threat detection rules.
A4. The method of A2 or A3, wherein after the check-adjusting the classification of the threat detection rules in the rule category, the method further comprises:
feeding the classification result of the threat detection rules obtained after the verification and adjustment back to the machine learning model, so as to optimize the machine learning model.
A5. The method of any of A1-A4, wherein the check-adjusting the classification of the threat detection rules in the rule category based on the threat detection result corresponding to each threat detection rule in the rule category further comprises:
if the threat detection result corresponding to the threat detection rule in the rule category is matched with the rule category, determining that the pre-classification verification of the threat detection rule is successful;
if the threat detection result corresponding to the threat detection rule in the rule category is not matched with the rule category, determining that the pre-classification verification of the threat detection rule is unsuccessful, and adjusting the classification of the threat detection rule.
A6. The method of A5, wherein the adjusting the classification of the threat detection rule further comprises:
adjusting the classification of the threat detection rule according to the degree to which the threat detection result corresponding to the threat detection rule matches other rule categories, and/or the degree to which the rule name of the threat detection rule matches other rule categories.
A7. The method of any of A1-A6, wherein, after the check-adjusting the classification of the threat detection rules in the rule category, the method further comprises:
if the rule category corresponds to a plurality of threat detection rules, deduplicating the threat detection rules contained in the rule category.
The invention also discloses: B8. a processing device of threat detection rules, comprising:
a pre-classification module, adapted to extract the rule name of the threat detection rule and pre-classify the threat detection rule based on the extracted rule name to obtain a pre-classification result, the pre-classification result comprising at least one rule category, each rule category corresponding to at least one threat detection rule;
an attack scene determining module, adapted to determine, for each rule category of the at least one rule category in the pre-classification result, an attack scene corresponding to the rule category;
a detection result acquisition module, adapted to apply the at least one threat detection rule corresponding to the rule category to the attack scene, so as to obtain a threat detection result corresponding to each threat detection rule in the rule category;
and a verification adjusting module, adapted to verify and adjust the classification of the threat detection rules in the rule category based on the threat detection result corresponding to each threat detection rule in the rule category, so as to obtain a final classification result.
B9. The apparatus of B8, wherein the pre-classification module is further adapted to: and based on the extracted rule name of the threat detection rule, adopting a machine learning model to perform pre-classification on the threat detection rule.
B10. The apparatus of B9, wherein the pre-classification module is further adapted to: converting the rule name of the extracted threat detection rule into a corresponding feature vector;
inputting the feature vectors into the machine learning model to pre-classify threat detection rules.
B11. The apparatus of B9 or B10, wherein the apparatus further comprises:
and a feedback module, adapted to feed the classification result obtained after verifying and adjusting the classification of the threat detection rules in the rule category back to the machine learning model, so as to optimize the machine learning model.
B12. The apparatus of any one of B8-B11, wherein the check adjustment module is further adapted to:
if the threat detection result corresponding to the threat detection rule in the rule category is matched with the rule category, determining that the pre-classification verification of the threat detection rule is successful;
if the threat detection result corresponding to the threat detection rule in the rule category is not matched with the rule category, determining that the pre-classification verification of the threat detection rule is unsuccessful, and adjusting the classification of the threat detection rule.
B13. The apparatus of B12, wherein the check adjustment module is further adapted to:
and adjusting the classification of the threat detection rule according to the matching degree of the threat detection result corresponding to the threat detection rule and other rule categories and/or according to the matching degree of the rule name of the threat detection rule and other rule categories.
B14. The apparatus of any one of B8-B13, wherein the apparatus further comprises:
and a deduplication module, adapted to deduplicate the threat detection rules contained in the rule category when, after the classification of the threat detection rules in the rule category has been verified and adjusted, the rule category corresponds to a plurality of threat detection rules.
The invention also discloses: C15. A computing device, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with each other through the communication bus;
the memory is configured to store at least one executable instruction, which causes the processor to perform operations corresponding to the processing method for threat detection rules of any one of A1-A7.
The invention also discloses: D16. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the method of processing threat detection rules as described in any one of A1-A7.

Claims (10)

1. A method of processing threat detection rules, comprising:
extracting the rule name of the threat detection rule, and pre-classifying the threat detection rule based on the extracted rule name of the threat detection rule to obtain a pre-classification result; the pre-classification result comprises at least one rule category, and each rule category corresponds to at least one threat detection rule;
for each rule category of the at least one rule category in the pre-classification result, determining an attack scene corresponding to the rule category;
applying at least one threat detection rule corresponding to the rule category to the attack scene to obtain a threat detection result corresponding to each threat detection rule in the rule category;
and based on the threat detection result corresponding to each threat detection rule in the rule category, verifying and adjusting the classification of the threat detection rules in the rule category to obtain a final classification result.
2. The method of claim 1, wherein the pre-classifying threat detection rules based on the rule names of the extracted threat detection rules further comprises:
based on the extracted rule name of the threat detection rule, pre-classifying the threat detection rule by means of a machine learning model.
3. The method of claim 2, wherein the pre-classifying threat detection rules based on the rule names of the extracted threat detection rules further comprises:
converting the rule name of the extracted threat detection rule into a corresponding feature vector;
inputting the feature vectors into the machine learning model to pre-classify threat detection rules.
4. The method of claim 2 or 3, wherein after said check-adjusting the classification of threat detection rules in the rule category, the method further comprises:
feeding the classification result of the threat detection rules obtained after the verification and adjustment back to the machine learning model, so as to optimize the machine learning model.
5. The method of any of claims 1-4, wherein the check-adjusting the classification of the threat detection rules in the rule category based on the threat detection result corresponding to each threat detection rule in the rule category further comprises:
if the threat detection result corresponding to the threat detection rule in the rule category is matched with the rule category, determining that the pre-classification verification of the threat detection rule is successful;
if the threat detection result corresponding to the threat detection rule in the rule category is not matched with the rule category, determining that the pre-classification verification of the threat detection rule is unsuccessful, and adjusting the classification of the threat detection rule.
6. The method of claim 5, wherein said adjusting the classification of the threat detection rule further comprises:
adjusting the classification of the threat detection rule according to the degree to which the threat detection result corresponding to the threat detection rule matches other rule categories, and/or the degree to which the rule name of the threat detection rule matches other rule categories.
7. The method of any of claims 1-6, wherein after the check-adjusting the classification of the threat detection rules in the rule category, the method further comprises:
if the rule category corresponds to a plurality of threat detection rules, deduplicating the threat detection rules contained in the rule category.
8. A processing device of threat detection rules, comprising:
a pre-classification module, adapted to extract the rule name of the threat detection rule and pre-classify the threat detection rule based on the extracted rule name to obtain a pre-classification result, the pre-classification result comprising at least one rule category, each rule category corresponding to at least one threat detection rule;
an attack scene determining module, adapted to determine, for each rule category of the at least one rule category in the pre-classification result, an attack scene corresponding to the rule category;
a detection result acquisition module, adapted to apply the at least one threat detection rule corresponding to the rule category to the attack scene, so as to obtain a threat detection result corresponding to each threat detection rule in the rule category;
and a verification adjusting module, adapted to verify and adjust the classification of the threat detection rules in the rule category based on the threat detection result corresponding to each threat detection rule in the rule category, so as to obtain a final classification result.
9. A computing device, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with each other through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the processing method of the threat detection rule according to any one of claims 1-7.
10. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the method of processing a threat detection rule according to any one of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911412288.2A CN113132312A (en) 2019-12-31 2019-12-31 Processing method and device for threat detection rule

Publications (1)

Publication Number Publication Date
CN113132312A true CN113132312A (en) 2021-07-16

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114531306A (en) * 2022-04-24 2022-05-24 北京安博通金安科技有限公司 Real-time detection method and system based on threat behaviors

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination