CN113259356A - Threat intelligence and terminal detection response method and system under big data environment - Google Patents
- Publication number: CN113259356A (application number CN202110555091.5A)
- Authority
- CN
- China
- Prior art keywords
- data
- threat
- information
- analysis
- platform
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications (CPC)
- H04L63/1416: Network security; detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
- G06F16/2471: Information retrieval; query processing; special types of queries; distributed queries
- G06F21/55: Security arrangements for protecting computers, programs or data; monitoring users, programs or devices to maintain platform integrity; detecting local intrusion or implementing counter-measures
- G06N20/00: Machine learning
- H04L63/0428: Network security; confidential data exchange among entities communicating through packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/1433: Network security; detecting or protecting against malicious traffic; vulnerability analysis
- H04L63/1441: Network security; detecting or protecting against malicious traffic; countermeasures against malicious traffic
- H04L67/025: Protocols based on web technology, e.g. HTTP, for remote control or remote monitoring of applications
- H04L67/34: Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
Abstract
The invention discloses a threat intelligence and endpoint detection and response method and system for a big data environment. The method comprises the following steps: establishing a cloud threat intelligence platform, collecting endpoint data, analyzing the data, and carrying out defensive disposal. The system comprises an endpoint data acquisition probe, a big data machine learning analysis platform, a cloud threat intelligence platform and a control center, where the big data machine learning analysis platform and the cloud threat intelligence platform each comprise a data source layer/controlled layer, a platform layer, an analysis layer, a service layer and an application layer. The invention can correlate individual attack behaviors, reconstruct the full picture of a security event, and effectively detect, defend against and dispose of unknown threats and APT attacks.
Description
Technical Field
The invention relates to the field of information security, and in particular to a threat intelligence and endpoint detection and response method and system for a big data environment.
Background
In today's enterprises and organizations most endpoints run endpoint protection software to keep the endpoint secure and prevent intrusion and data leakage, but the effect is limited. According to industry research reports, the number of data leakage incidents rose from 77,503 in 2015 to 100,000 in 2016, and nearly 70% of them were caused by endpoint security problems.
There are two reasons for this. First, the endpoint is no longer just a Windows computer; it may be any type of machine, including laptops, desktops, servers, mobile devices, embedded devices, SCADA systems and even IoT devices. Second, attacks are no longer crude and brute-force but precise and stealthy: the attacker's goal is achieved not by a single virus or malware infection but by combining social-engineering reconnaissance, tool customization, vulnerability exploitation, implantation, lateral penetration and other means (for example, an APT attack). This change in attack technique leaves the original defense system in name only; the attacks cannot be effectively identified or blocked, and the user suffers large losses in a short time.
The endpoint protection systems deployed by users today rely mainly on static defense, combined with some dynamic sandboxing, to defend against intrusion: emerging threats are detected by continuously updating the sample library, and unknown threats are run in a sandbox to check for malicious behavior. However, new attacks often use unknown behaviors such as 0-day exploits and unknown malicious code, and carefully constructed malware detects and escapes the sandbox, finally penetrating to an intranet endpoint without the original endpoint security software being able to detect it or raise an alarm.
Situation awareness platforms on the market are mostly built on a security information and event management (SIEM) platform, but the complexity of a SIEM demands a large investment in deployment and maintenance. At the same time, the logs fed into the SIEM contain a great deal of useless, incomplete and even misleading information, and the correlation capability of SIEM platforms is uneven, so large numbers of false positives are generated; today enterprises mainly use a SIEM to meet compliance requirements. A situation awareness center built on such a platform performs poorly.
An attack shows different behavioral characteristics at different stages, and each characteristic taken in isolation does not necessarily constitute a threat. A method and system that can correlate these behaviors, reconstruct the full picture of the security event, and effectively detect, defend against and dispose of unknown threats and APT attacks is therefore urgently needed.
Disclosure of Invention
To solve these problems, the invention discloses a threat intelligence and endpoint detection and response method and system for a big data environment.
The technical solution adopted by the invention is as follows. A threat intelligence and endpoint detection and response method for a big data environment comprises the following steps:
S1, establishing a cloud threat intelligence platform:
S11, collecting threat intelligence produced by open-source, commercial and enterprise sources through an open API, and standardizing and deduplicating it;
S12, correlating, analyzing and aggregating the collected threat intelligence data using big data analysis and machine learning to obtain multiple dimensions of the attacker's behavior and reconstruct the full picture of the attack event, including when the attack occurred, the tools used, the coding style and the method of vulnerability exploitation;
S13, distributing the aggregated threat intelligence in real time according to endpoint requirements;
S2, acquiring endpoint data: acquiring endpoint behavior data and executing threat response and disposal actions; aggregating the collected endpoint data and uploading it in encrypted form;
S3, data analysis: continuously monitoring endpoint behavior data, and performing active detection and correlation analysis on the endpoint data in combination with the threat intelligence distributed by the cloud threat intelligence platform;
S4, disposal and defense: responding rapidly to detected security events, and rapidly locating and handling the root of the threat.
A threat intelligence and endpoint detection and response system for a big data environment comprises:
an endpoint data acquisition probe: acquires endpoint behavior data in real time and executes threat response and disposal actions; the collected endpoint behavior data is aggregated and uploaded in encrypted form;
a big data machine learning analysis platform: receives the data acquired by the probe and stores it encrypted in a unified store; receives threat intelligence sent from outside and stores it encrypted; correlates the probe data with the threat intelligence, monitors endpoint behavior in real time, continuously discovers unknown threats, and sends threat intelligence data to the control center;
a cloud threat intelligence platform: provides an open API (application programming interface) through which other security vendors may connect; each connected enterprise transmits the threat intelligence generated in its own environment to the platform, which standardizes and deduplicates it and then uses big data analysis and machine learning to correlate, analyze and aggregate each item of intelligence, so as to obtain multiple dimensions of the attacker's behavior and reconstruct the full picture of the attack event, including when the attack occurred, the tools used, the coding style and the method of vulnerability exploitation; the platform also distributes the aggregated intelligence to the enterprises connected to it;
a control center: has security response and threat disposal capability, and through its threat mind map and security investigation functions helps the user quickly understand the current security event, locate the root of the threat, and respond and dispose correctly and promptly according to the threat level.
Further, the probe can collect endpoint application installation data, application processes, file transfers, network access, memory monitoring information and mail log information.
Further, the big data machine learning analysis platform comprises:
a data source layer/controlled layer: configures the relevant security facilities and device policies according to the obtained threat intelligence, and feeds the aggregated threat intelligence into the enterprise's firewall, intrusion detection, endpoint security, APT (advanced persistent threat) protection, SIEM (security information and event management) and other systems;
a platform layer: stores data;
an analysis layer: analyzes the content of the threat intelligence;
a service layer: receives threat services from the service layer of the cloud threat intelligence platform, and at the same time shares threat intelligence and uploads it to the cloud threat intelligence platform;
an application layer: the client agent system.
Further, the cloud threat intelligence platform comprises:
a data source layer/controlled layer: connects to the intelligence producers' systems and collects data on network traffic, host state, application state, security devices, external intelligence, regulatory conditions and other content;
a platform layer: uniformly classifies and stores the data of the data source layer, classifies it by structure, and analyzes, filters and stores it along different dimensions according to environment variables;
an analysis layer: generates and analyzes multi-dimensional intelligence from the raw data, manages and maintains the system knowledge base, security knowledge base and threat knowledge base, and analyzes customer requirements and business strategies; scenario analysis of the data stored in the platform layer is achieved by formulating different security analysis strategies, including security event management analysis, log correlation analysis, historical trajectory analysis, tracking and tracing analysis, fuzzing vulnerability analysis, malicious behavior analysis, situation prediction analysis and the like;
the data analysis layer is the core of the system's functionality, and the analysis layer includes a multi-dimensional security threat analysis algorithm comprising:
a risk association algorithm based on asset, vulnerability and event credibility models;
logical correlation analysis based on time and source/destination IP;
cross-correlation analysis across different event types;
host correlation analysis by attack type, application and system type;
83 built-in correlation analysis rules in 8 major categories, including network scanning, trojans and worms, web attacks, client attacks, server attacks, brute-force attacks and other types;
a service layer: provides, in a loosely coupled manner, the intelligence mining, result reporting, intelligence sharing and distribution services required by the application system; by visualizing the analysis results of the analysis layer and mining them further in combination with data applications, it delivers content output in two directions, visual display and feedback of data conditions.
An application layer: comprises a threat intelligence mining system, a presentation system, a sharing system and a distribution system; the user accesses the application system through a human-machine interface, the service layer data is aggregated and summarized into threat intelligence, and the threat intelligence is distributed and exchanged.
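The analysis-layer algorithms listed above, as an added example that is not code from the patent: a small correlation engine groups events by source/destination IP, matches ordered multi-stage rules across different event types within a time window (a network scan followed by brute force; brute force followed by a server attack), and scores each matched chain with a risk model that combines the asset's value, whether that asset actually carries the weakness the event relies on, and the reporting device's credibility. The assets, events, rule names, window lengths and the 1.5/0.5 vulnerability factors are constructed assumptions for illustration.

```python
"""Multi-stage correlation with asset/vulnerability/credibility risk scoring.
Added example, not code from the patent; assets, events, rules and the
1.5/0.5 vulnerability factors are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Asset model (constructed): business value 1..5 and the weaknesses known to be present.
ASSETS = {
    "10.0.0.5": {"name": "web-01", "value": 5, "vulns": {"unpatched-web-framework"}},
    "10.0.0.8": {"name": "dev-03", "value": 2, "vulns": {"weak-ssh-password"}},
}

# Events from security devices (constructed). 'cred' is the reporting source's
# credibility in [0, 1]; 'requires' names the weakness the attack needs, if known.
EVENTS = [
    {"ts": "2021-05-20T10:00:00", "src": "203.0.113.9", "dst": "10.0.0.5", "type": "network-scan", "cred": 0.6},
    {"ts": "2021-05-20T10:04:00", "src": "203.0.113.9", "dst": "10.0.0.5", "type": "brute-force", "cred": 0.8, "requires": "weak-ssh-password"},
    {"ts": "2021-05-20T10:09:00", "src": "203.0.113.9", "dst": "10.0.0.5", "type": "server-attack", "cred": 0.9, "requires": "unpatched-web-framework"},
    {"ts": "2021-05-20T12:30:00", "src": "198.51.100.7", "dst": "10.0.0.8", "type": "network-scan", "cred": 0.5},
    {"ts": "2021-05-21T09:00:00", "src": "198.51.100.7", "dst": "10.0.0.8", "type": "brute-force", "cred": 0.8, "requires": "weak-ssh-password"},
]

# Ordered-sequence rules: every stage must come from the same src/dst pair, in
# order, and the last stage must fall within 'window' of the first.
RULES = [
    {"name": "scan-then-bruteforce", "sequence": ["network-scan", "brute-force"], "window": timedelta(minutes=15)},
    {"name": "bruteforce-then-exploit", "sequence": ["brute-force", "server-attack"], "window": timedelta(minutes=30)},
]


def parse_events(raw):
    """Parse timestamps and return the events in time order."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in raw), key=lambda e: e["ts"])


def event_risk(e):
    """Risk of one event: asset value x event credibility x vulnerability factor.
    The factor rewards attacks that match a weakness the asset really has and
    discounts attacks whose precondition is known to be absent."""
    asset = ASSETS.get(e["dst"], {"value": 1, "vulns": set()})
    req = e.get("requires")
    factor = 1.0 if req is None else (1.5 if req in asset["vulns"] else 0.5)
    return asset["value"] * e["cred"] * factor


def match_sequence(events, sequence, window):
    """Greedy ordered match of 'sequence' over one src/dst pair's time-sorted events.
    Returns the matched chain of events, or None."""
    for i, first in enumerate(events):
        if first["type"] != sequence[0]:
            continue
        chain, pos = [first], i + 1
        for stage in sequence[1:]:
            found = next((j for j in range(pos, len(events))
                          if events[j]["type"] == stage and events[j]["ts"] - first["ts"] <= window), None)
            if found is None:
                break
            chain.append(events[found])
            pos = found + 1
        else:
            return chain
    return None


def correlate(events, rules):
    """Apply every rule to every src/dst pair; return incidents, highest risk first."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    incidents = []
    for rule in rules:
        for (src, dst), evs in by_pair.items():
            chain = match_sequence(evs, rule["sequence"], rule["window"])
            if chain:
                incidents.append({
                    "rule": rule["name"], "src": src, "dst": dst,
                    "asset": ASSETS.get(dst, {}).get("name", dst),
                    "stages": [(e["ts"].isoformat(), e["type"]) for e in chain],
                    "risk": round(sum(event_risk(e) for e in chain), 2),
                })
    return sorted(incidents, key=lambda i: -i["risk"])


if __name__ == "__main__":
    for inc in correlate(parse_events(EVENTS), RULES):
        print(inc)
```

The scan of 10.0.0.8 and the brute-force attempt against it the next day are the same two stages as the first rule, but they fall outside the 15-minute window and so produce no incident; this is the "behaviors that do not constitute a threat in isolation" case the description mentions, handled by the window rather than by the rule body.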
Further, the platform layer of the cloud threat intelligence platform supports storage of unstructured, structured and semi-structured data, provides parallel processing over distributed file storage, and supports highly scalable big data storage.
Further, the multi-dimensional intelligence generated by the platform layer of the cloud threat intelligence platform comprises APT analysis, security event management, log correlation analysis, historical trajectory analysis, tracking and tracing analysis, fuzzing vulnerability analysis, malicious behavior analysis and situation prediction analysis.
Further, the types of threat intelligence include malicious program intelligence, IP reputation intelligence, malicious domain name intelligence, phishing link and website intelligence, PC botnet back-end control server intelligence, mobile botnet back-end server intelligence, mobile malicious program intelligence and malicious SMS intelligence.
The beneficial effects of the invention are as follows: the method and system correlate the individual behaviors of a malicious code attack, reconstruct the full picture of the security incident, and help enterprises detect, defend against and dispose of unknown threats and APT attacks effectively and in time.
Drawings
FIG. 1 illustrates the method steps of the present invention;
FIG. 2 is a schematic diagram of the system of the present invention;
Fig. 3 is a schematic diagram of the structure of, and the interaction between, the cloud threat intelligence platform and the big data machine learning analysis platform of the invention.
Detailed Description
The embodiments of the present invention will be described in further detail with reference to the drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
Figs. 1 to 3 show a specific embodiment of the invention. The method is based on a cloud threat intelligence platform, so the platform must be established first; building it is a long-term process, and by supporting industry standards, an open API and similar mechanisms the platform lets other security vendors connect and call the API for coordinated action. The specific steps are:
a. Collecting intelligence: the data source layer/controlled layer of the cloud threat intelligence platform acquires raw data from network traffic, hosts, application state, security devices, external intelligence and regulatory information, and standardizes and deduplicates it. External intelligence, whether open-source, commercial or generated internally by an enterprise, is collected through the open API. Within the enterprise, threat intelligence is collected through emergency response, honeypots and other means.
For external intelligence contributed by enterprises, different enterprises logged into the platform, or different teams within the same enterprise, may share certain intelligence under conditions they set, and the enterprises or teams that see shared intelligence may contribute supplementary information together, so that intelligence is shared and enriched collectively.
b. Storing intelligence data: the platform layer of the cloud threat intelligence platform stores the raw data and provides workflow configuration and configuration of the real-time data processing engine. The platform layer can store unstructured, structured and semi-structured data, provides parallel processing over distributed file storage, and supports highly scalable big data storage.
c. Correlating, analyzing and aggregating intelligence: the analysis layer of the cloud threat intelligence platform generates and analyzes multi-dimensional intelligence from the raw data, manages and maintains the system knowledge base, security knowledge base and threat knowledge base, and analyzes customer requirements and business strategies. The collected threat intelligence is correlated, analyzed and aggregated using big data analysis and machine learning to obtain multiple dimensions of the attacker's behavior and reconstruct the full picture of the attack event: when the attack occurred, the tools used, the coding style, the method of vulnerability exploitation, the targets, and how to detect and eliminate the attack. At the same time, multi-dimensional intelligence is generated, comprising APT analysis, security event management, log correlation analysis, historical trajectory analysis, tracking and tracing analysis, fuzzing vulnerability analysis, malicious behavior analysis and situation prediction analysis. The aggregated threat intelligence and the analysis result for each dimension are stored in the corresponding knowledge base so that they can be retrieved and updated in real time.
The platform's standard intelligence format is STIX, and the format can be customized to an enterprise's needs. Intelligence is delivered to the enterprise over HTTPS. All intelligence is validated through a number of techniques and procedures to ensure its timeliness and validity. Threat intelligence is divided into eight categories:
1. Malicious program intelligence: information on malicious programs that are currently the most harmful and still very active.
2. IP reputation: a reputation value for an IP address and related information.
3. Malicious domain name intelligence: information on malicious domain names.
4. Phishing link and website intelligence: information on phishing links and phishing websites.
5. PC botnet back-end control server intelligence: information on botnets composed of PCs.
6. Mobile botnet back-end server intelligence: information on botnets composed of mobile devices.
7. Mobile malicious program intelligence: information on mobile malware that is currently the most harmful and still very active.
8. Malicious SMS intelligence: information on malicious mobile text messages.
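Steps a to c above (collection through an API, standardization, deduplication, delivery as STIX) and the push of aggregated intelligence into security devices described in step IV, as an added example that is not code from the patent: three constructed feeds in different formats (an open-source CSV-like list, a commercial JSON feed and enterprise honeypot events) are normalized (canonical IP form, lower-cased domains without trailing dot, defanged URLs restored, hash case folded), deduplicated by a deterministic STIX 2.1 indicator id derived from the canonical value, merged so that each indicator keeps every source and category that reported it, and finally exported as block rules for a firewall and a DNS sinkhole. The feed contents, the category names and the `x_sources` custom property are assumptions.

```python
"""Collect, normalize, deduplicate and distribute threat intelligence.
Added example, not code from the patent. The three feeds, the category names
and the x_sources custom property are constructed assumptions."""
import ipaddress
import json
import uuid
from datetime import datetime, timezone

# Fixed namespace for deterministic (uuid5) indicator ids, so the same indicator
# seen in several feeds maps to one id. STIX 2.1's SCO namespace is reused here.
STIX_NS = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# Constructed feeds. Values use documentation address ranges and a .test domain.
OPEN_SOURCE_FEED = """\
ip,198.51.100.23,c2
ip, 198.51.100.23 ,c2
domain,EXAMPLE-PHISH.test,phishing
url,hxxp://example-phish.test/login,phishing
"""
COMMERCIAL_FEED = json.dumps([
    {"type": "ipv4", "value": "198.51.100.23", "tag": "botnet_c2", "score": 90},
    {"type": "md5", "value": "D41D8CD98F00B204E9800998ECF8427E", "tag": "malware"},
    {"type": "fqdn", "value": "example-phish.test.", "tag": "phish"},
])
HONEYPOT_EVENTS = [
    {"src": "203.0.113.9", "attack": "ssh-bruteforce"},
    {"src": "203.0.113.9", "attack": "ssh-bruteforce"},
]

# Map each feed's own vocabulary onto the platform's intelligence categories and STIX types.
CATEGORY = {"c2": "pc-botnet-c2", "botnet_c2": "pc-botnet-c2", "phishing": "phishing",
            "phish": "phishing", "malware": "malicious-program", "ssh-bruteforce": "ip-reputation"}
TYPE_ALIAS = {"ip": "ipv4-addr", "ipv4": "ipv4-addr", "domain": "domain-name",
              "fqdn": "domain-name", "url": "url", "md5": "file:hashes.MD5"}


def normalize(ioc_type, value):
    """Canonical (stix_type, value) so duplicates from different feeds collide."""
    t, v = TYPE_ALIAS[ioc_type.lower()], value.strip()
    if t == "ipv4-addr":
        v = str(ipaddress.ip_address(v))          # rejects junk, canonical dotted quad
    elif t == "domain-name":
        v = v.lower().rstrip(".")
    elif t == "url":
        v = v.replace("hxxp://", "http://").replace("hxxps://", "https://")
    else:                                         # hashes
        v = v.lower()
    return t, v


def stix_id(t, v):
    return "indicator--" + str(uuid.uuid5(STIX_NS, f"{t}|{v}"))


def parse_open_source(text):
    for line in text.splitlines():
        if line.strip():
            t, v, tag = (p.strip() for p in line.split(","))
            yield t, v, tag, "open-source"


def parse_commercial(text):
    for rec in json.loads(text):
        yield rec["type"], rec["value"], rec["tag"], "commercial"


def parse_honeypot(events):
    for ev in events:
        yield "ip", ev["src"], ev["attack"], "enterprise-honeypot"


def all_records():
    yield from parse_open_source(OPEN_SOURCE_FEED)
    yield from parse_commercial(COMMERCIAL_FEED)
    yield from parse_honeypot(HONEYPOT_EVENTS)


def build_intel_base(records, now=None):
    """Normalize, deduplicate and merge provenance into STIX 2.1-style indicators."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    base = {}
    for ioc_type, value, tag, source in records:
        t, v = normalize(ioc_type, value)
        pattern = f"[{t} = '{v}']" if t.startswith("file:") else f"[{t}:value = '{v}']"
        ind = base.setdefault(stix_id(t, v), {
            "type": "indicator", "spec_version": "2.1", "id": stix_id(t, v),
            "created": stamp, "modified": stamp, "pattern_type": "stix",
            "pattern": pattern, "indicator_types": ["malicious-activity"],
            "labels": [], "x_sources": []})
        if CATEGORY[tag] not in ind["labels"]:
            ind["labels"].append(CATEGORY[tag])
        if source not in ind["x_sources"]:
            ind["x_sources"].append(source)
    return base


def to_block_rules(base):
    """What the data-source/controlled layer pushes to devices: firewall drops for
    IPs, sinkhole entries for domains; other indicator types are left to the SIEM."""
    rules = []
    for ind in base.values():
        lhs, rhs = ind["pattern"].split(" = ", 1)
        v = rhs.strip("'] ")
        if lhs.startswith("[ipv4-addr"):
            rules.append(f"iptables -A FORWARD -d {v} -j DROP")
        elif lhs.startswith("[domain-name"):
            rules.append(f"address=/{v}/0.0.0.0")      # dnsmasq sinkhole syntax
    return sorted(rules)


if __name__ == "__main__":
    base = build_intel_base(all_records())
    bundle = {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": list(base.values())}
    print(json.dumps(bundle, indent=1))        # what the platform would serve over HTTPS
    print("\n".join(to_block_rules(base)))
```

The seven feed records collapse to five indicators: the C2 address reported twice by the open-source list and once by the commercial feed becomes a single indicator carrying both sources, and the domain with a trailing dot in one feed and upper case in the other becomes one domain indicator. Deduplicating on the canonical value rather than the raw string is what makes the later correlation against endpoint data hit once per indicator instead of once per feed.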
d. Interactive services: the service layer of the cloud threat intelligence platform provides, in a loosely coupled manner, the intelligence mining, result reporting, intelligence sharing and distribution services required by the application system. Through the sharing service, different enterprises logged into the platform, or different teams within the same enterprise, may share certain intelligence under set conditions. The distribution service sends threat intelligence to an enterprise according to its requirements; if the enterprise's existing security solution cannot consume the intelligence, the enterprise can deploy a network probe, which consumes the intelligence and feeds results back to the platform.
e. Application systems: the application layer of the cloud threat intelligence platform provides a threat intelligence mining system, a presentation system, a sharing system and a distribution system.
Once the cloud threat intelligence platform is basically established it can provide real-time threat intelligence to an enterprise. The enterprise feeds the intelligence into its security defense devices for detection and defense, and if traces of intrusion are found they can be thoroughly removed according to the report. The specific method and steps are:
I. Acquiring endpoint data: the endpoint data acquisition probe acquires endpoint behavior data in real time and executes threat response and disposal actions; the collected endpoint behavior data is aggregated and uploaded in encrypted form.
II. Endpoint data storage: the big data machine learning analysis platform, also called the enterprise intelligence platform, is an intelligence processing platform deployed in each enterprise; its platform layer stores the acquired endpoint data encrypted in a unified store.
III. Receiving and analyzing threat intelligence: the service layer of the big data machine learning analysis platform receives threat intelligence from the cloud threat intelligence platform, and enterprises may also share some intelligence; the analysis layer of the big data machine learning analysis platform analyzes the content of the threat intelligence and stores it encrypted in the platform layer.
IV. Deployment and monitoring: the data source layer/controlled layer of the big data machine learning analysis platform configures the relevant security facilities and device policies according to the obtained threat intelligence, and feeds the intelligence into the enterprise's firewall, intrusion detection, endpoint security, APT protection, SIEM and other systems.
V. Security event handling: the control center has security response and threat disposal capability; through its threat mind map and security investigation functions it helps the user quickly understand the current security event, locate the root of the threat, and respond and dispose correctly and promptly according to the threat level.
The method and system continuously monitor endpoint behavior data, actively detect and correlate the endpoint data with threat intelligence, dispose of and defend against detected security threats in real time, and achieve rapid response to security events and rapid location of the threat's root. The invention aims to help users establish a complete system for detecting and responding to unknown threats on endpoints.
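The monitor, correlate, locate and dispose loop described above (and spelled out in claim 1, steps S3 and S4, and in the control center of claim 2), as an added example that is not code from the patent: endpoint probe telemetry (process starts, network access, mail log) is cross-matched against the aggregated intelligence, every communication with a matched threat IP is collected into a per-IP graph, the root process on each affected host is located by walking the probe's parent-process records back to the phishing mail that started the chain, and response actions are derived: block egress to the threat IP, isolate each host that talked to it, and stop data transfer where the volume sent looks like exfiltration. The hosts, addresses, process names, the intelligence entries and the 10 MiB exfiltration threshold are constructed assumptions.

```python
"""Endpoint telemetry x threat intelligence correlation with response actions.
Added example, not code from the patent. INTEL, TELEMETRY, host names, IPs,
process names and EXFIL_THRESHOLD are constructed assumptions."""
from collections import defaultdict
from urllib.parse import urlsplit

# Aggregated intelligence as delivered by the cloud platform (constructed).
INTEL = {
    "ipv4-addr": {"198.51.100.23": "pc-botnet-c2"},
    "domain-name": {"example-phish.test": "phishing"},
}

# Probe telemetry in time order (constructed): mail log, process starts, network access.
TELEMETRY = [
    {"ts": "2021-05-20T09:58:00", "host": "ws-17", "kind": "mail", "url": "http://example-phish.test/login"},
    {"ts": "2021-05-20T09:59:30", "host": "ws-17", "kind": "process", "pid": 4120, "ppid": 900, "image": "outlook.exe"},
    {"ts": "2021-05-20T10:00:10", "host": "ws-17", "kind": "process", "pid": 4188, "ppid": 4120, "image": "powershell.exe"},
    {"ts": "2021-05-20T10:00:12", "host": "ws-17", "kind": "network", "pid": 4188, "dst_ip": "198.51.100.23", "bytes_out": 2048},
    {"ts": "2021-05-20T10:03:00", "host": "ws-17", "kind": "network", "pid": 4188, "dst_ip": "198.51.100.23", "bytes_out": 52_000_000},
    {"ts": "2021-05-20T10:05:00", "host": "srv-db-2", "kind": "process", "pid": 77, "ppid": 1, "image": "updater"},
    {"ts": "2021-05-20T10:05:30", "host": "srv-db-2", "kind": "network", "pid": 77, "dst_ip": "198.51.100.23", "bytes_out": 900},
    {"ts": "2021-05-20T10:06:00", "host": "ws-03", "kind": "network", "pid": 512, "dst_ip": "192.0.2.50", "bytes_out": 300},
]

EXFIL_THRESHOLD = 10 * 1024 * 1024   # bytes to one threat IP treated as exfiltration (assumption)


def collide(telemetry, intel):
    """Cross-match probe events against the intel base; returns (event, category) pairs."""
    hits = []
    for ev in telemetry:
        if ev["kind"] == "network" and ev["dst_ip"] in intel["ipv4-addr"]:
            hits.append((ev, intel["ipv4-addr"][ev["dst_ip"]]))
        elif ev["kind"] == "mail":
            host = urlsplit(ev["url"]).hostname
            if host in intel["domain-name"]:
                hits.append((ev, intel["domain-name"][host]))
    return hits


def threat_graph(hits):
    """Per threat IP: every (time, host, pid) that talked to it and bytes sent per host."""
    graph = defaultdict(lambda: {"category": None, "edges": [], "bytes_out_by_host": defaultdict(int)})
    for ev, cat in hits:
        if ev["kind"] != "network":
            continue
        node = graph[ev["dst_ip"]]
        node["category"] = cat
        node["edges"].append((ev["ts"], ev["host"], ev["pid"]))
        node["bytes_out_by_host"][ev["host"]] += ev["bytes_out"]
    return graph


def process_chain(telemetry, host, pid):
    """Walk the probe's parent links from pid upward to find what launched it."""
    procs = {(e["host"], e["pid"]): e for e in telemetry if e["kind"] == "process"}
    chain = []
    while (host, pid) in procs:
        p = procs[(host, pid)]
        chain.append(f"{p['image']}({pid})")
        pid = p["ppid"]
    return chain


def respond(telemetry, hits, graph):
    """Derive disposal actions and the root of the threat on each affected host."""
    actions, roots = set(), {}
    phishing = defaultdict(list)
    for ev, cat in hits:
        if cat == "phishing":
            phishing[ev["host"]].append(ev["url"])
    for ip, node in graph.items():
        actions.add(f"block egress to {ip} ({node['category']})")
        first_pid = {}
        for _ts, host, pid in sorted(node["edges"]):
            first_pid.setdefault(host, pid)          # earliest process per host that reached the IP
        for host, pid in first_pid.items():
            actions.add(f"isolate host {host}")
            roots[host] = {"chain": process_chain(telemetry, host, pid), "phishing": phishing.get(host, [])}
            sent = node["bytes_out_by_host"][host]
            if sent > EXFIL_THRESHOLD:
                actions.add(f"stop data transfer from {host} ({sent} bytes sent to {ip})")
    return sorted(actions), roots


def analyze(telemetry=TELEMETRY, intel=INTEL):
    hits = collide(telemetry, intel)
    graph = threat_graph(hits)
    actions, roots = respond(telemetry, hits, graph)
    return hits, graph, actions, roots


if __name__ == "__main__":
    _hits, _graph, actions, roots = analyze()
    print("\n".join(actions))
    for host, root in roots.items():
        print(host, "<-".join(root["chain"]), root["phishing"])
```

The benign connection from ws-03 produces no hit, so that host is never isolated; srv-db-2 is isolated because it reached the same C2 address even though it sent only a few hundred bytes, while the "stop data transfer" action is raised only for ws-17, whose volume crosses the threshold. Keying the graph on the threat IP rather than on the host is what lets the control center show every endpoint that touched one attacker infrastructure element at once.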
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (7)
1. A threat intelligence and endpoint detection and response method for a big data environment, characterized by comprising the following steps:
S1, establishing a cloud threat intelligence platform:
S11, collecting threat intelligence produced by open-source, commercial and enterprise sources through an open API, standardizing and deduplicating it, exchanging open-source and commercial threat intelligence through the API interface, and integrating the collected data into a threat intelligence base;
S12, correlating, analyzing and aggregating the collected threat intelligence data using big data analysis and machine learning: first precisely classifying the data by type, then cluster-analyzing the results and the different behaviors under the same label, and finally aggregating the data by combining the analysis results, so as to obtain multiple dimensions of the attacker's behavior and reconstruct the full picture of the attack event, including when the attack occurred, the tools used, the coding style and the method of vulnerability exploitation;
S13, distributing the aggregated threat intelligence in real time according to endpoint requirements;
S2, acquiring endpoint data: acquiring endpoint behavior data and executing threat response and disposal actions; aggregating the collected endpoint data and uploading it in encrypted form;
S3, data analysis: continuously monitoring endpoint behavior data, and performing active detection and correlation analysis on the endpoint data in combination with the threat intelligence distributed by the cloud threat intelligence platform, where the specific method is to cluster and trace the cloud threat intelligence data and the endpoint data by source, for example aggregating the data generated by the same IP address and the data directed at the same target;
S4, disposal and defense: responding rapidly to detected security events, where the response measures include disconnecting the endpoint from the network, blocking data transfer and the like, and rapidly locating and handling the root of the threat (the source IP).
2. A threat intelligence and endpoint detection and response system for a big data environment, comprising:
an endpoint data acquisition probe: acquires endpoint behavior data in real time and executes threat response and disposal actions; the collected endpoint behavior data is aggregated and uploaded in encrypted form;
a big data machine learning analysis platform: receives the data acquired by the probe and stores it encrypted in a unified store; receives threat intelligence sent from outside and stores it encrypted; correlates the probe data with the threat intelligence, monitors endpoint behavior in real time, continuously discovers unknown threats, and sends threat intelligence data to the control center;
a cloud threat intelligence platform: provides an open API (application programming interface) through which other security vendors may connect; each connected enterprise transmits the threat intelligence generated in its own environment to the platform, which standardizes and deduplicates it and then uses big data analysis and machine learning to correlate, analyze and aggregate each item of intelligence, so as to obtain multiple dimensions of the attacker's behavior and reconstruct the full picture of the attack event, including when the attack occurred, the tools used, the coding style and the method of vulnerability exploitation; the platform also distributes the aggregated intelligence to the enterprises connected to it;
a control center: has security response and threat disposal capability; it receives the threat intelligence data from the big data machine learning analysis platform, cross-matches it against the collected data, identifies threats in the known environment, forms a threat mind map by tracking the communications of the source threat IP in each direction and recording every communication of that threat IP in detail, helps the user quickly understand the current security event, locates the root of the threat, and responds and disposes correctly and promptly according to the threat level.
3. The threat intelligence and terminal detection and response system in a big data environment of claim 2, wherein the probe collects terminal application installation data, application process data, file transfer data, network access data, memory monitoring information and mail log information.
4. The threat intelligence and terminal detection and response system in a big data environment of claim 2, wherein the big data machine learning analysis platform comprises:
a data source layer (controlled layer): configures the relevant security facilities and device policies according to the obtained threat intelligence, and feeds the aggregated threat intelligence into the enterprise's firewall, intrusion detection, endpoint security, APT (advanced persistent threat) defence, SIEM (security information and event management) and other systems;
a platform layer: data preprocessing completes a series of real-time preprocessing steps on the raw data of each data source in advance; after the various security data have been collected by real-time or interval collection, they are cleaned, correlated, compared, integrated, classified and identified, and then ingested through a unified access path and converged into a distributed database cluster;
an analysis layer: the distributed database cluster stores the data; the preprocessed structured and unstructured mass data are accessed through distributed storage management and parallel processing technology, while a basic resource base, a knowledge base, an object base and a subject base are built; data governance and maintenance such as registration and cataloguing, quality management and data monitoring are carried out, and data caching, storage, indexing and analysis functions are provided as data support for the application services;
a service layer: receives threat services from the service layer of the cloud threat intelligence platform, encapsulates security data resources and computing resources, interfaces upwards with each business system to provide unified basic services such as general query and full-text retrieval, and connects downwards to the data center so that threat intelligence can be shared and uploaded to the cloud threat intelligence platform, providing a unified supporting platform and unified business services.
5. The threat intelligence and terminal detection and response system in a big data environment of claim 2, wherein the platform layer of the cloud threat intelligence platform supports storage of unstructured, structured and semi-structured data, provides distributed file storage, and has good system scalability with flexible expansion of storage capacity.
6. The threat intelligence and terminal detection and response system in a big data environment of claim 2, wherein the multi-dimensional intelligence generated by the platform layer of the cloud threat intelligence platform comprises APT analysis, security event management, log correlation analysis, historical trajectory analysis, attack tracing analysis, fuzzing-based vulnerability analysis, malicious behaviour analysis and situation prediction analysis.
7. The threat intelligence and terminal detection and response system in a big data environment of claim 2, wherein the categories of threat intelligence include malware information, IP reputation information, malicious domain name information, phishing link and website information, command-and-control server information for PC botnets, command-and-control server information for mobile botnets, mobile malware information and malicious SMS information.
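The pipeline that claims 2, 4 and 7 describe in prose (standardise and deduplicate intelligence arriving from several contributors, cross-match it with probe telemetry, trace every communication with a matched threat IP, and respond according to threat level) is shown below as an added Python example. It is not part of the patent and not an implementation of it; the two feed records, the telemetry events, the hostnames, the RFC 5737 documentation addresses, the severity scale, the exfiltration threshold and the response policy are all constructed for illustration.

```python
"""Added example of the claim 2 / claim 4 pipeline: normalise and deduplicate
multi-source threat intelligence, cross-match ('collide') it with probe telemetry,
and derive a per-threat-IP communication trace that drives a response decision.
Not the patent's code; every feed, host, address and policy below is constructed."""
from collections import defaultdict
import ipaddress

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
ACTION_RANK = {"alert": 1, "block_indicator": 2, "isolate_host": 3}
EXFIL_BYTES = 10_000_000  # assumed threshold for a suspicious outbound transfer

# Constructed feeds from two hypothetical contributors to the cloud platform.
RAW_INTEL = [
    {"source": "vendorA", "type": "ip", "value": " 203.0.113.7 ", "severity": "high", "tags": ["c2"]},
    {"source": "vendorB", "type": "IP", "value": "203.0.113.7", "severity": "medium", "tags": ["botnet"]},
    {"source": "vendorA", "type": "domain", "value": "Update-Check.Example.NET.", "severity": "high", "tags": ["phishing"]},
    {"source": "vendorB", "type": "hash", "value": "D41D8CD98F00B204E9800998ECF8427E", "severity": "low", "tags": ["malware"]},
    {"source": "vendorB", "type": "ip", "value": "not-an-ip", "severity": "high", "tags": []},  # dropped
]

# Constructed probe telemetry covering the claim 3 data kinds.
TELEMETRY = [
    {"ts": "2021-05-21T08:00:01", "host": "ws-17", "kind": "process", "value": "outlook.exe"},
    {"ts": "2021-05-21T08:00:05", "host": "ws-17", "kind": "dns", "value": "update-check.example.net"},
    {"ts": "2021-05-21T08:00:06", "host": "ws-17", "kind": "net", "value": "203.0.113.7", "bytes": 1200},
    {"ts": "2021-05-21T08:01:30", "host": "ws-17", "kind": "file_transfer", "value": "203.0.113.7", "bytes": 48_000_000},
    {"ts": "2021-05-21T08:02:00", "host": "ws-22", "kind": "net", "value": "198.51.100.9", "bytes": 300},
    {"ts": "2021-05-21T08:03:00", "host": "ws-22", "kind": "hash", "value": "d41d8cd98f00b204e9800998ecf8427e"},
]
KIND_TO_TYPE = {"dns": "domain", "net": "ip", "file_transfer": "ip", "hash": "hash"}


def normalize_indicator(rec):
    """Canonicalise one raw feed record (standardisation); return None if unusable."""
    itype = rec.get("type", "").strip().lower()
    value = rec.get("value", "").strip().lower()
    if itype == "ip":
        try:
            value = str(ipaddress.ip_address(value))
        except ValueError:
            return None
    elif itype == "domain":
        value = value.rstrip(".")
    elif itype != "hash" or len(value) not in (32, 40, 64) or set(value) - set("0123456789abcdef"):
        return None
    return {"type": itype, "value": value, "severity": rec.get("severity", "low").lower(),
            "sources": {rec.get("source", "unknown")}, "tags": set(rec.get("tags", []))}


def aggregate_intel(raw):
    """Deduplicate on (type, value); union sources and tags, keep the highest severity."""
    merged = {}
    for rec in raw:
        n = normalize_indicator(rec)
        if n is None:
            continue
        key = (n["type"], n["value"])
        if key not in merged:
            merged[key] = n
            continue
        m = merged[key]
        m["sources"] |= n["sources"]
        m["tags"] |= n["tags"]
        if SEVERITY_RANK[n["severity"]] > SEVERITY_RANK[m["severity"]]:
            m["severity"] = n["severity"]
    return merged


def collide(telemetry, intel):
    """Cross-match telemetry with the aggregated intel; return the matching events."""
    hits = []
    for ev in telemetry:
        itype = KIND_TO_TYPE.get(ev["kind"])
        if itype is None:
            continue
        key = (itype, ev["value"].strip().lower())
        if key in intel:
            hits.append({**ev, "indicator": intel[key]})
    return hits


def threat_ip_trace(telemetry, hits):
    """For every matched threat IP, list each communication with it in time order."""
    threat_ips = {h["value"] for h in hits if h["indicator"]["type"] == "ip"}
    trace = defaultdict(list)
    for ev in sorted(telemetry, key=lambda e: e["ts"]):
        if ev["kind"] in ("net", "file_transfer") and ev["value"] in threat_ips:
            trace[ev["value"]].append((ev["ts"], ev["host"], ev["kind"], ev.get("bytes", 0)))
    return dict(trace)


def disposition(hits, trace):
    """Pick one response per host from severity and the IP trace (assumed policy)."""
    actions = {}
    for h in hits:
        comms = trace.get(h["value"], [])
        exfil = any(k == "file_transfer" and b >= EXFIL_BYTES for _, _, k, b in comms)
        sev = h["indicator"]["severity"]
        action = "isolate_host" if sev == "high" and exfil else "block_indicator" if sev == "high" else "alert"
        if ACTION_RANK[action] > ACTION_RANK.get(actions.get(h["host"]), 0):
            actions[h["host"]] = action
    return actions
```

Running `disposition(collide(TELEMETRY, aggregate_intel(RAW_INTEL)), threat_ip_trace(TELEMETRY, hits))` on the constructed data merges the two vendor records for 203.0.113.7 into one high-severity indicator, drops the malformed IP, matches four telemetry events, and records both contacts with the threat IP in order; the 48 MB outbound transfer after the C2 contact is what escalates ws-17 from a block to host isolation, while the low-severity hash match on ws-22 only raises an alert. The trace is the per-IP communication record the control center's mind map is built from.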
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110555091.5A CN113259356A (en) | 2021-05-21 | 2021-05-21 | Threat intelligence and terminal detection response method and system under big data environment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113259356A true CN113259356A (en) | 2021-08-13 |
Family
ID=77183423
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110555091.5A Pending CN113259356A (en) | 2021-05-21 | 2021-05-21 | Threat intelligence and terminal detection response method and system under big data environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113259356A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107872454A (en) * | 2017-11-04 | 2018-04-03 | 公安部第三研究所 | A kind of monitoring of ultra-large type internet platform protection based on security rank threat information and analysis system and method based on big data technology |
CN109547479A (en) * | 2018-12-27 | 2019-03-29 | 国网浙江省电力有限公司电力科学研究院 | Information integration system and method are threatened in a kind of industrial environment |
CN111800395A (en) * | 2020-06-18 | 2020-10-20 | 云南电网有限责任公司信息中心 | Threat information defense method and system |
WO2021017614A1 (en) * | 2019-07-31 | 2021-02-04 | 平安科技(深圳)有限公司 | Threat intelligence data collection and processing method and system, apparatus, and storage medium |
CN112769821A (en) * | 2021-01-07 | 2021-05-07 | 中国电子科技集团公司第十五研究所 | Threat response method and device based on threat intelligence and ATT & CK |
Timeline: 2021-05-21, CN application CN202110555091.5A (publication CN113259356A), status pending.
Non-Patent Citations (1)
Title |
---|
Chen Xingshu et al.: "Network security and intelligence analysis based on big data", Advanced Engineering Sciences (工程科学与技术) * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113821802A (en) * | 2021-09-30 | 2021-12-21 | 中国电子信息产业集团有限公司第六研究所 | Security risk assessment method and device, electronic equipment and storage medium |
CN115643116A (en) * | 2022-12-23 | 2023-01-24 | 北京六方云信息技术有限公司 | Protection method and system for network equipment, terminal equipment and storage medium |
CN116074066A (en) * | 2022-12-29 | 2023-05-05 | 广西南宁英福泰科信息科技有限公司 | Intelligent monitoring blocking method and system for retrieval threat information |
CN116074066B (en) * | 2022-12-29 | 2023-07-07 | 广西南宁英福泰科信息科技有限公司 | Intelligent monitoring blocking method and system for retrieval threat information |
Similar Documents
Publication | Title |
---|---|
US11902321B2 (en) | Secure communication platform for a cybersecurity system |
US20210273961A1 (en) | Apparatus and method for a cyber-threat defense system |
CN112651006B (en) | Power grid security situation sensing system |
CN103563302B (en) | Networked asset information management |
Radoglou-Grammatikis et al. | An anomaly-based intrusion detection system for the smart grid based on cart decision tree |
CN111711599A (en) | Safety situation perception system based on multivariate mass data fusion association analysis |
EP4154143A1 (en) | Cyber security for instant messaging across platforms |
CN113259356A (en) | Threat intelligence and terminal detection response method and system under big data environment |
US20190089725A1 (en) | Deep Architecture for Learning Threat Characterization |
JP2007536646A (en) | Pattern discovery method and system in network security system |
US9830451B2 (en) | Distributed pattern discovery |
Grahn et al. | Analytics for network security: A survey and taxonomy |
Bialas et al. | Anomaly detection in network traffic security assurance |
WO2022109417A1 (en) | Threat mitigation system and method |
Hermanowski | Open source security information management system supporting it security audit |
Rajesh et al. | Network forensics investigation in virtual data centers using elk |
Laue et al. | A siem architecture for advanced anomaly detection |
Azmi Bin Mustafa Sulaiman et al. | SIEM Network Behaviour Monitoring Framework using Deep Learning Approach for Campus Network Infrastructure |
KR102540904B1 (en) | A security total management system for weak security management based on big data and a total method of security |
CN116827698B (en) | Network gateway flow security situation awareness system and method |
Mir et al. | An Enhanced Implementation of Security Management System (SSMS) using UEBA in Smart Grid based SCADA Systems |
Pincovscy et al. | Methodology for Cyber Threat Intelligence with Sensor Integration |
Roponena et al. | Use Cases and Design of an Intelligent Intrusion Detection System. |
EP2790355B1 (en) | A method of characterizing a computer network |
Dasgupta et al. | Mining security events in a distributed agent society |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |
Application publication date: 2021-08-13