CN113259356A - Threat intelligence and terminal detection response method and system under big data environment - Google Patents


Info

Publication number: CN113259356A
Application number: CN202110555091.5A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 门嘉平
Current assignee: Beijing Guolian Tiancheng Information Technology Co ltd
Original assignee: Beijing Guolian Tiancheng Information Technology Co ltd
Legal status: Pending (Google's listed status is an assumption, not a legal conclusion)
Prior art keywords: data, threat, information, analysis, platform

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (network security: detecting malicious traffic by monitoring network traffic)
    • H04L63/0428 Confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L67/025 Protocols based on web technology, e.g. HTTP, for remote control or remote monitoring of applications
    • H04L67/34 Network arrangements or protocols involving the movement of software or configuration parameters
    • G06F16/2471 Information retrieval; distributed queries
    • G06F21/55 Security arrangements for protecting computers; detecting local intrusion or implementing counter-measures
    • G06N20/00 Machine learning

Abstract

The invention discloses a method and a system for threat intelligence and terminal (endpoint) detection and response in a big data environment. The method comprises the following steps: establishing a cloud threat intelligence platform, collecting terminal data, analyzing the data, and carrying out defense and disposal. The system comprises a terminal data acquisition probe, a big data machine learning analysis platform, a cloud threat intelligence platform and a control center, where the big data machine learning analysis platform and the cloud threat intelligence platform each comprise a data source layer/controlled layer, a platform layer, an analysis layer, a service layer and an application layer. The invention can perform correlation analysis on individual attack behaviors, restore the full picture of a security event, and effectively detect, defend against and dispose of unknown threats and APT attacks.

Description

Threat intelligence and terminal detection response method and system under big data environment
Technical Field
The invention relates to the technical field of information security, in particular to a threat intelligence and terminal (endpoint) detection and response method and system in a big data environment.
Background
In current enterprises and organizations, most terminals have endpoint protection software deployed to ensure terminal security and avoid intrusion and data leakage; however, its effect is limited. According to research reports, the number of data leakage incidents rose from 77,503 in 2015 to about 100,000 in 2016, and data leakage caused by terminal security problems accounted for nearly 70% of them.
There are two reasons for this. First, the terminal is no longer just a computer running the Windows operating system; it may be any type of machine, including notebook computers, desktop computers, servers, mobile devices, embedded devices, SCADA systems and even IoT devices. Second, the attack mode has changed from the crude brute force of the past to something more precise and covert: the goal is achieved not by a single virus or malware infection but by combining social-engineering reconnaissance, tool customization, vulnerability exploitation, implantation and penetration and other means (for example, an APT attack). Because of this change in attack methods the original defense system exists in name only, the attacks cannot be effectively identified and prevented, and the user suffers great losses in a short time.
The terminal protection systems currently deployed by users mainly rely on static defense technology, combined with some dynamic sandbox technology, to defend against attack and intrusion: emerging threats are detected by continuously updating the sample library, and unknown threats are checked for malicious behavior with sandbox technology. However, new attack methods often use unknown behaviors such as 0-day exploits and unknown malicious code, evade detection and the sandbox through carefully constructed malware, and finally penetrate to an intranet terminal, while the original terminal security software cannot effectively detect it or raise an alarm.
Situational awareness platforms on the market are mostly built on a security information and event management platform (SIEM), but the complexity of the SIEM requires a large investment of resources for deployment and maintenance. At the same time, a large number of false alarms are generated because the logs fed into the SIEM platform contain much useless, incomplete and even misleading information and because the correlation capability of SIEM platforms is uneven; at present, enterprises mainly use the SIEM to meet compliance requirements. The effect of establishing a situational awareness center on this platform is poor.
Attack events have different behavioral characteristics at different stages, and these characteristics do not necessarily constitute a threat when viewed in isolation. A method and system that can perform correlation analysis on these behaviors, restore the full picture of a security event, and effectively detect, defend against and dispose of unknown threats and APT attacks is urgently needed.
Disclosure of Invention
In order to solve the problems, the invention discloses a threat intelligence and terminal detection response method and system under a big data environment.
The technical scheme adopted by the invention is as follows: a method for threat intelligence and terminal detection response in big data environment comprises the following steps:
S1, establishing a cloud threat intelligence platform:
S11, collecting threat intelligence generated by open-source, commercial and enterprise sources through an open API, and carrying out standardization and deduplication;
S12, performing correlation, analysis and aggregation on the collected threat intelligence data using big data analysis and machine learning technology, to obtain the multiple dimensions of an attacker's attack behavior and restore the full picture of the attack event, including attack time, tools used, coding style and vulnerability exploitation method;
S13, sending the aggregated threat intelligence in real time according to terminal requirements;
S2, acquiring terminal data: acquiring terminal behavior data and executing threat response and disposal actions; aggregating the collected terminal data and uploading it in encrypted form;
S3, data analysis: continuously monitoring terminal behavior data, and carrying out active detection and correlation analysis on the terminal data in combination with the threat intelligence sent by the cloud threat intelligence platform;
S4, disposal and defense: rapidly responding to detected security events, and rapidly locating and handling the threat root.
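Steps S11 and S12 hinge on one unglamorous detail: feeds from open-source, commercial and enterprise producers never agree on field names, type labels, timestamp formats or even the spelling of an IP address, so "standardization and deduplication" has to happen before any correlation is meaningful. The following is an added example of that step, not the patent's code; the three feed formats and every record in them are constructed for illustration, and the canonical type names are an assumption chosen to line up with STIX observable types.

```python
"""Normalising and de-duplicating threat intelligence from several feeds,
as in steps S11/S12.  Added example, not the patent's code: the three feed
formats and every record in them are constructed for illustration."""
from datetime import datetime, timezone
import ipaddress
import re

# Constructed sample feeds.  Each source uses its own field names, type
# labels, timestamp conventions and value spellings, which is the normal case.
OPEN_SOURCE_FEED = [
    {"indicator": "198.51.100.7", "kind": "ip", "seen": "2021-05-01T10:00:00Z", "tags": ["c2"]},
    {"indicator": "EVIL.EXAMPLE.", "kind": "domain", "seen": "2021-05-02T00:00:00Z", "tags": ["phishing"]},
    {"indicator": "not an address", "kind": "ip", "seen": "2021-05-02T00:00:00Z", "tags": []},
]
COMMERCIAL_FEED = [
    {"value": "198.051.100.007", "type": "ipv4", "last_seen": "2021-05-03 08:30:00",
     "confidence": 80, "campaign": "Op-Cloudburst"},
    {"value": "hxxp://evil.example/login", "type": "url", "last_seen": "2021-05-03 08:30:00",
     "confidence": 60},
]
ENTERPRISE_FEED = [
    {"ioc": "evil.example", "ioc_type": "domain", "first_seen": 1619913600, "source_team": "SOC-honeypot"},
    {"ioc": "0123456789ABCDEF0123456789abcdef", "ioc_type": "md5", "first_seen": 1619913600, "source_team": "IR"},
]

# Canonical indicator types (assumed; named after STIX observable types).
TYPE_MAP = {"ip": "ipv4-addr", "ipv4": "ipv4-addr", "domain": "domain-name",
            "url": "url", "md5": "file-md5"}


def parse_time(value):
    """Accept ISO-8601 with Z, 'YYYY-MM-DD HH:MM:SS' or a Unix epoch; return aware UTC."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    text = str(value).strip().replace("Z", "+00:00")
    if " " in text and "T" not in text:
        text = text.replace(" ", "T", 1)
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def canonical_value(ioc_type, raw):
    """Bring one indicator value into canonical form; raise ValueError if malformed."""
    value = raw.strip()
    if ioc_type == "ipv4-addr":
        value = ".".join(str(int(octet)) for octet in value.split("."))  # 198.051 -> 198.51
        ipaddress.IPv4Address(value)  # AddressValueError is a ValueError
    elif ioc_type == "domain-name":
        value = value.lower().rstrip(".")
    elif ioc_type == "url":
        value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)  # refang
    elif ioc_type == "file-md5":
        value = value.lower()
        if not re.fullmatch(r"[0-9a-f]{32}", value):
            raise ValueError("not an MD5 hex digest")
    return value


# One adapter per feed schema.  Each returns the same intermediate shape.
def from_open_source(rec):
    return {"type": TYPE_MAP[rec["kind"]], "value": rec["indicator"], "seen": parse_time(rec["seen"]),
            "confidence": None, "tags": set(rec.get("tags", [])), "source": "open-source"}


def from_commercial(rec):
    tags = {rec["campaign"]} if "campaign" in rec else set()
    return {"type": TYPE_MAP[rec["type"]], "value": rec["value"], "seen": parse_time(rec["last_seen"]),
            "confidence": rec.get("confidence"), "tags": tags, "source": "commercial"}


def from_enterprise(rec):
    return {"type": TYPE_MAP[rec["ioc_type"]], "value": rec["ioc"], "seen": parse_time(rec["first_seen"]),
            "confidence": None, "tags": {rec["source_team"]}, "source": "enterprise"}


def normalise_and_dedup(feeds):
    """feeds: iterable of (adapter, records).  Returns {(type, value): merged record}.
    Duplicates across feeds collapse into one record keeping the union of sources
    and tags, the newest sighting and the highest confidence offered."""
    merged = {}
    for adapter, records in feeds:
        for rec in records:
            item = adapter(rec)
            try:
                item["value"] = canonical_value(item["type"], item["value"])
            except ValueError:
                continue  # drop malformed indicators instead of poisoning the base
            key = (item["type"], item["value"])
            entry = merged.setdefault(key, {"type": item["type"], "value": item["value"],
                                            "last_seen": item["seen"], "confidence": None,
                                            "tags": set(), "sources": set()})
            entry["last_seen"] = max(entry["last_seen"], item["seen"])
            if item["confidence"] is not None:
                entry["confidence"] = max(entry["confidence"] or 0, item["confidence"])
            entry["tags"] |= item["tags"]
            entry["sources"].add(item["source"])
    return merged


def build_intel_base():
    return normalise_and_dedup([(from_open_source, OPEN_SOURCE_FEED),
                                (from_commercial, COMMERCIAL_FEED),
                                (from_enterprise, ENTERPRISE_FEED)])
```

Two design points matter for the platform the page describes. Malformed indicators are dropped, not stored, because a single unparseable "IP" that reaches a firewall rule set can break the whole push; and the merged record keeps every source that reported the indicator, which is what later lets a consumer weight an indicator seen by three independent feeds above one seen by a single open-source list.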
A system for threat intelligence and terminal detection and response in a big data environment comprises:
a terminal data acquisition probe: used to acquire terminal behavior data in real time and to execute threat response and disposal actions; the collected terminal behavior data is aggregated and uploaded in encrypted form;
a big data machine learning analysis platform: receives the data acquired by the probe and stores it in unified encrypted form, receives threat intelligence sent from outside and stores it encrypted; performs correlation analysis on the probe data and the threat intelligence, monitors terminal behavior in real time, continuously discovers unknown threats, and sends threat intelligence data to the control center;
a cloud threat intelligence platform: provided with an open API (application programming interface) so that other security vendors can connect to it; each connected enterprise transmits the threat intelligence generated internally to the cloud threat intelligence platform, which standardizes and deduplicates it and then uses big data analysis and machine learning technology to correlate, analyze and aggregate the intelligence, obtaining the multiple dimensions of an attacker's attack behavior and restoring the full picture of the attack event, including attack time, tools used, coding style and vulnerability exploitation method; the cloud threat intelligence platform also sends the aggregated threat intelligence to the enterprises connected to it;
a control center: the control center has security response and threat disposal capabilities, helps the user quickly understand the current security event situation through the threat brain map and security investigation functions, locates the threat root, and makes a correct and timely response and disposal according to the threat level.
Further, the probe collects terminal application installation data, application process, file transfer, network access, memory monitoring and mail log information.
Further, the big data machine learning analysis platform comprises:
a data source layer/controlled layer: configures the relevant security facilities and device policies according to the obtained threat intelligence, and feeds the aggregated threat intelligence into the enterprise's firewall, intrusion detection, endpoint security, APT defense, SIEM and other systems;
a platform layer: stores data;
an analysis layer: analyzes the content of the threat intelligence;
a service layer: receives the threat service from the service layer of the cloud threat intelligence platform, and at the same time shares threat intelligence and uploads it to the cloud threat intelligence platform;
an application layer: a client agent system.
Further, the cloud threat intelligence platform comprises:
a data source layer/controlled layer: responsible for interfacing with the intelligence producers' systems and collecting data on network traffic, host state, application state, security devices, external intelligence, regulatory conditions and other content;
a platform layer: responsible for uniformly classifying and storing the data of the data source layer, classifying the data by structure, and analyzing, screening and storing the data in different dimensions according to environment variables;
an analysis layer: generates and analyzes multi-dimensional intelligence from the raw data, manages and maintains the system knowledge base, security knowledge base and threat knowledge base, analyzes customer requirements and analyzes service strategies; scenario analysis of the data stored in the platform layer is realized by formulating different security analysis strategies, including security event management analysis, log correlation analysis, historical trajectory analysis, tracking and tracing analysis, fuzz vulnerability analysis, malicious behavior analysis, situation prediction analysis and so on;
the analysis layer is the core of the system's functionality and comprises a multi-dimensional security threat analysis algorithm:
a risk association algorithm based on asset, vulnerability and event credibility models;
logic correlation analysis based on time and source/destination IP;
cross-correlation analysis of different event types;
host correlation analysis of attack types, applications and system types;
83 built-in correlation analysis rules in 8 major categories, including network scanning, trojans and worms, web attacks, client attacks, server attacks, brute-force attacks, and other types;
a service layer: provides the intelligence mining service, result reporting service, intelligence sharing service and distribution service required by the application system in a loosely coupled manner; the analysis results of the analysis layer are visualized and mined further in combination with data applications, so that content is output in two directions, visual display and feedback of data conditions;
an application layer: comprises a threat intelligence mining system, a presentation system, a sharing system and a distribution system, which the user accesses through a human-computer interface; the service layer data is summarized to form threat intelligence, which is then distributed and exchanged.
Further, the platform layer of the cloud threat intelligence platform supports storage of unstructured, structured and semi-structured data, provides parallel processing on distributed file storage, and supports highly scalable big data storage.
Further, the multi-dimensional intelligence generated by the platform layer of the cloud threat intelligence platform comprises APT analysis, security event management, log correlation analysis, historical trajectory analysis, tracking and tracing analysis, fuzz vulnerability analysis, malicious behavior analysis and situation prediction analysis.
Further, the types of threat intelligence include malicious program intelligence, IP reputation intelligence, malicious domain name intelligence, phishing link and website intelligence, back-end control server intelligence for PC botnets, back-end server intelligence for mobile botnets, mobile malicious program intelligence, and malicious SMS intelligence.
The beneficial effects of the invention are: the method and system perform correlation analysis on the individual behaviors of a malicious code attack, restore the full picture of the security incident, and help enterprises effectively detect, defend against and dispose of unknown threats and APT attacks in time.
Drawings
FIG. 1 illustrates the method steps of the present invention;
FIG. 2 is a schematic diagram of the system of the present invention;
FIG. 3 is a schematic structural diagram of the cloud threat intelligence platform and the big data machine learning analysis platform of the present invention and of their interaction.
Detailed Description
The embodiments of the present invention will be described in further detail with reference to the drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
Figs. 1 to 3 show a specific embodiment of the present invention. The method is based on a cloud threat intelligence platform, so the cloud threat intelligence platform must be established first. Building the platform is a long-term process; by supporting industry standards, an open API and similar means, the platform allows other security vendors to connect to it and call the API to achieve linkage. The specific steps are as follows:
a. Collecting intelligence: the data source layer/controlled layer of the cloud threat intelligence platform acquires raw data from network traffic, hosts, application state, security devices, external intelligence and regulatory information, and the data is standardized and deduplicated. External intelligence, whether open-source, commercial or generated internally by the enterprise, is collected through the open API. Within the enterprise, threat intelligence is collected through emergency response, honeypot technology and other means.
For intelligence coming from enterprises, different enterprises logged into the platform, or different teams within the same enterprise, are allowed to share certain intelligence conditionally, and the enterprises or teams that see the shared intelligence can jointly contribute supplementary intelligence, so that intelligence is shared and enriched together.
b. Storing intelligence data: the platform layer of the cloud threat intelligence platform stores the raw data and implements workflow configuration and configuration of the real-time data processing engine. The platform layer can store unstructured, structured and semi-structured data, provides parallel processing on distributed file storage, and supports highly scalable big data storage.
c. Correlating, analyzing and aggregating intelligence: the analysis layer of the cloud threat intelligence platform generates and analyzes multi-dimensional intelligence from the raw data, manages and maintains the system knowledge base, security knowledge base and threat knowledge base, analyzes customer requirements and analyzes service strategies. The collected threat intelligence data is correlated, analyzed and aggregated using big data analysis and machine learning technology to obtain the multiple dimensions of an attacker's attack behavior and restore the full picture of the attack event, which comprises the attack time, tools used, coding style, vulnerability exploitation method, attack targets, and how to detect and eliminate the attack. At the same time, multi-dimensional intelligence is generated, comprising APT analysis, security event management, log correlation analysis, historical trajectory analysis, tracking and tracing analysis, fuzz vulnerability analysis, malicious behavior analysis and situation prediction analysis. The aggregated threat intelligence and the analysis results of each dimension are stored in the corresponding knowledge base so that they can be retrieved and updated in real time.
The standard format of the intelligence provided by the platform is STIX, and the format can be customized according to enterprise needs. The intelligence is sent to the enterprise over HTTPS. All intelligence is validated through a number of techniques and procedures to ensure its timeliness and validity. Threat intelligence is divided into eight categories:
1. Malicious program intelligence: intelligence on malicious programs that are still very active and are currently the most harmful.
2. IP reputation: a reputation value for an IP address and related information.
3. Malicious domain name intelligence: information related to malicious domain names.
4. Phishing link and website intelligence: information related to phishing links and phishing websites.
5. PC botnet back-end control server intelligence: information on botnets composed of PCs.
6. Mobile botnet back-end server intelligence: information on botnets composed of mobile devices.
7. Mobile malicious program intelligence: intelligence on mobile malware that is very active and currently the most harmful.
8. Malicious SMS intelligence: intelligence on malicious short messages on mobile devices.
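The page names STIX as the distribution format and lists eight intelligence categories, but does not show what an indicator looks like on the wire or how a consumer gets the observable back out. The block below is an added example, not the patent's code: it assumes STIX 2.1 (the page gives no version), the mapping from the eight categories to STIX observable paths is an assumption, the sample records are constructed, and only the Python standard library is used. The consumer-side parser deliberately handles the one edge that breaks naive string splitting, a value containing a single quote.

```python
"""Packaging de-duplicated intelligence as a STIX 2.1 indicator bundle for
delivery over HTTPS, and reading the observables back out on the receiving
side.  Added example, not the patent's code; STIX 2.1 is assumed (the page
names STIX without a version), the category-to-observable mapping is an
assumption, and the sample records are constructed."""
import json
import re
import uuid
from datetime import datetime, timezone

# The page's eight intelligence categories mapped to the STIX observable path
# used in the indicator pattern (assumed mapping).
CATEGORY_TO_PATH = {
    "malicious_program": "file:hashes.'SHA-256'",
    "ip_reputation": "ipv4-addr:value",
    "malicious_domain": "domain-name:value",
    "phishing": "url:value",
    "pc_botnet_c2": "ipv4-addr:value",
    "mobile_botnet_c2": "domain-name:value",
    "mobile_malware": "file:hashes.'SHA-256'",
    "malicious_sms": "url:value",          # the link carried in the message
}
# Single-comparison pattern: [path = 'literal'] with backslash escapes inside.
PATTERN_RE = re.compile(r"^\[([A-Za-z0-9_:.'\-]+) = '((?:[^'\\]|\\.)*)'\]$")

# Constructed sample records; the second value contains a quote on purpose.
SAMPLE_RECORDS = [
    {"category": "ip_reputation", "value": "198.51.100.7", "confidence": 80, "labels": ["c2"]},
    {"category": "phishing", "value": "http://evil.example/o'reilly-login"},
    {"category": "malicious_program", "value": "a" * 64},
]
SAMPLE_VALID_FROM = datetime(2021, 5, 3, 8, 30, tzinfo=timezone.utc)


def stix_timestamp(dt):
    """STIX timestamps are UTC with a 'Z' suffix; millisecond precision here."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def stix_escape(value):
    """String literals in STIX patterns are single-quoted; escape backslash and quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def make_indicator(category, value, valid_from, confidence=None, labels=()):
    stamp = stix_timestamp(valid_from)
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[{CATEGORY_TO_PATH[category]} = '{stix_escape(value)}']",
        "pattern_type": "stix",
        "valid_from": stamp,
        "labels": [category, *labels],
    }
    if confidence is not None:
        obj["confidence"] = int(confidence)
    return obj


def make_bundle(records, valid_from):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_indicator(valid_from=valid_from, **rec) for rec in records]}


def bundle_to_json(bundle):
    return json.dumps(bundle, separators=(",", ":"))


def extract_observables(bundle_json):
    """Consumer side: turn each single-comparison indicator pattern back into
    (observable path, value) pairs that a firewall or proxy can load.  Patterns
    this simple parser does not understand are skipped rather than guessed at."""
    found = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        match = PATTERN_RE.match(obj["pattern"])
        if match:
            found.append((match.group(1), re.sub(r"\\(.)", r"\1", match.group(2))))
    return found


def build_sample_bundle():
    return make_bundle(SAMPLE_RECORDS, SAMPLE_VALID_FROM)
```

The consumer skips any pattern it cannot parse instead of loading a partial value; an indicator that silently becomes a wrong firewall entry is worse than one that is not loaded, and the skipped objects can be logged for a human to review.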
d. Interactive services: the service layer of the cloud threat intelligence platform provides the intelligence mining service, result reporting service, intelligence sharing service and distribution service required by the application system in a loosely coupled manner. Through the intelligence sharing service, different enterprises logged into the platform, or different teams within the same enterprise, are allowed to share certain intelligence conditionally. The distribution service sends threat intelligence to an enterprise according to its requirements; if the enterprise's existing security solution cannot make use of the intelligence, the enterprise can deploy a network probe, which consumes the intelligence and feeds results back to the platform.
e. Application system: the application layer of the cloud threat intelligence platform provides a threat intelligence mining system, a presentation system, a sharing system and a distribution system.
Once the cloud threat intelligence platform is essentially established, it can provide real-time threat intelligence to an enterprise; the enterprise can feed the intelligence into its security defense devices for detection and defense, and if traces of an intrusion are found they can be thoroughly removed according to the report. The specific method and steps are as follows:
I. Acquiring terminal data: terminal behavior data is acquired in real time through the terminal data acquisition probe, which also executes threat response and disposal actions; the collected terminal behavior data is aggregated and uploaded in encrypted form.
II. Terminal data storage: the big data machine learning analysis platform, also called the enterprise intelligence platform, is an intelligence processing platform deployed in each enterprise; its platform layer stores the acquired terminal data in unified encrypted form.
III. Receiving and analyzing threat intelligence: the service layer of the big data machine learning analysis platform receives threat intelligence from the cloud threat intelligence platform, and enterprises can also share some intelligence; the analysis layer of the big data machine learning analysis platform analyzes the content of the threat intelligence and stores it encrypted in the platform layer.
IV. Deployment and monitoring: the data source layer/controlled layer of the big data machine learning analysis platform configures the relevant security facilities and device policies according to the obtained threat intelligence, and feeds the threat intelligence into the enterprise's firewall, intrusion detection, endpoint security, APT defense, SIEM and other systems.
V. Security event handling: the control center has security response and threat disposal capabilities, helps the user quickly understand the current security event situation through the threat brain map and security investigation functions, locates the threat root, and makes a correct and timely response and disposal according to the threat level.
The method and system continuously monitor terminal behavior data, actively detect and perform correlation analysis on the terminal data in combination with threat intelligence, dispose of and defend against detected security threats in real time, and achieve quick response to security events and quick location of threat roots. The invention aims to help users establish a complete system for detecting and responding to unknown threats on the terminal.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (7)

1. A method for threat intelligence and terminal detection and response in a big data environment, characterized by comprising the following steps:
S1, establishing a cloud threat intelligence platform:
S11, collecting threat intelligence generated by open-source, commercial and enterprise sources through an open API, standardizing and deduplicating it, exchanging open-source and commercial threat intelligence through the API interface, and integrating the collected data into a threat intelligence base;
S12, performing correlation, analysis and aggregation on the collected threat intelligence data using big data analysis and machine learning technology: first performing a coarse classification of the data by type, then performing cluster analysis on the results and on the different behaviors under the same label, and finally aggregating the data in combination with the analysis results, thereby obtaining the multiple dimensions of an attacker's attack behavior and restoring the full picture of the attack event, including attack time, tools used, coding style and vulnerability exploitation method;
S13, sending the aggregated threat intelligence in real time according to terminal requirements;
S2, acquiring terminal data: acquiring terminal behavior data and executing threat response and disposal actions; aggregating the collected terminal data and uploading it in encrypted form;
S3, data analysis: continuously monitoring terminal behavior data, and actively detecting and performing correlation analysis on the terminal data in combination with the threat intelligence sent by the cloud threat intelligence platform, where the specific method is to perform clustered source tracking on the cloud threat intelligence data and the terminal data, for example by aggregating data generated by the same IP (Internet Protocol) address and data generated against the same target;
S4, disposal and defense: quickly responding to detected security events, where the response measures include disconnecting the connection, preventing data transfer and the like, and quickly locating and handling the threat root (source IP).
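Steps S3 and S4 of claim 1, together with the description's point that individual behaviors are not threats in isolation, describe one concrete procedure: match probe events against intelligence, aggregate everything generated by the same source IP into one cluster, extend that cluster along the process tree on each host, and then choose disposal measures such as disconnecting the connection and blocking data transfer. The block below is an added example of that procedure, not the patent's code; the indicator set, the probe events from three hosts, the event shape and the isolation threshold are all constructed for illustration, and the cluster's "trace" list plays the role of the communication record the control center's threat brain map is built from.

```python
"""Correlating probe telemetry with threat intelligence, tracing a threat
root (source IP) across hosts and processes, and choosing disposal actions,
as steps S3/S4 of claim 1 describe.  Added example, not the patent's code:
the indicator set, the probe events and the thresholds are constructed."""

# Constructed: indicators already normalised to (type, value).
INTEL = {("ipv4-addr", "198.51.100.7"), ("domain-name", "evil.example")}

# Constructed probe events from three hosts, in the shape a probe that records
# DNS lookups, network connections and process starts might upload.
EVENTS = [
    {"ts": 1, "host": "ws-01", "kind": "dns", "process": "outlook.exe",
     "domain": "evil.example", "answer": "198.51.100.7"},
    {"ts": 2, "host": "ws-01", "kind": "net", "process": "outlook.exe",
     "remote_ip": "198.51.100.7", "bytes_out": 512},
    {"ts": 3, "host": "ws-01", "kind": "process", "process": "powershell.exe", "parent": "outlook.exe"},
    {"ts": 4, "host": "ws-01", "kind": "net", "process": "powershell.exe",
     "remote_ip": "198.51.100.7", "bytes_out": 5_000_000},
    {"ts": 5, "host": "ws-01", "kind": "net", "process": "powershell.exe",
     "remote_ip": "203.0.113.50", "bytes_out": 200},
    {"ts": 6, "host": "ws-02", "kind": "net", "process": "chrome.exe",
     "remote_ip": "203.0.113.9", "bytes_out": 1024},
    {"ts": 7, "host": "ws-07", "kind": "net", "process": "update.exe",
     "remote_ip": "198.51.100.7", "bytes_out": 200},
]

INTEL_FIELDS = (("ipv4-addr", "remote_ip"), ("ipv4-addr", "answer"), ("domain-name", "domain"))


def indicators_in(event, intel):
    """Return the (type, value) indicators from `intel` that this event touches."""
    return [(typ, event[field]) for typ, field in INTEL_FIELDS
            if event.get(field) and (typ, event[field]) in intel]


def correlate(events, intel):
    """Group events by threat root.  An event joins a root if it touches an
    indicator, if its process was spawned by an already-linked process on the
    same host, or if it is later activity of an already-linked process."""
    clusters = {}
    linked = {}  # (host, process) -> threat root
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = indicators_in(ev, intel)
        root = None
        if hits:
            ips = [v for t, v in hits if t == "ipv4-addr"]
            root = ips[0] if ips else hits[0][1]      # prefer the IP as the root
            linked[(ev["host"], ev["process"])] = root
        elif (ev["host"], ev.get("parent")) in linked:
            root = linked[(ev["host"], ev["parent"])]
            linked[(ev["host"], ev["process"])] = root  # child inherits the link
        elif (ev["host"], ev["process"]) in linked:
            root = linked[(ev["host"], ev["process"])]
        if root is None:
            continue
        c = clusters.setdefault(root, {"hosts": set(), "processes": set(), "trace": [],
                                       "host_bytes": {}, "secondary_ips": set()})
        c["hosts"].add(ev["host"])
        c["processes"].add((ev["host"], ev["process"]))
        c["trace"].append(ev)                          # full communication record of the root
        c["host_bytes"][ev["host"]] = c["host_bytes"].get(ev["host"], 0) + ev.get("bytes_out", 0)
        if ev.get("remote_ip") and ("ipv4-addr", ev["remote_ip"]) not in intel:
            c["secondary_ips"].add(ev["remote_ip"])    # unknown destination used by a linked process
    return clusters


def plan_response(clusters, isolate_bytes=1_000_000):
    """Turn each cluster into disposal actions: block the root, watch any
    secondary destinations, isolate hosts that sent more than the threshold or
    spawned a child process, alert on the rest, and kill linked processes."""
    actions = set()
    for root, c in clusters.items():
        actions.add(("block", root))
        for ip in c["secondary_ips"]:
            actions.add(("watch", ip))
        spawned_on = {e["host"] for e in c["trace"] if e["kind"] == "process"}
        for host, sent in c["host_bytes"].items():
            actions.add(("isolate" if sent >= isolate_bytes or host in spawned_on else "alert", host))
        for host, proc in c["processes"]:
            actions.add(("kill", host, proc))
    return actions
```

On the constructed data, the process-tree step is what turns three unrelated-looking records on ws-01 (a mail client resolving a domain, a shell starting, a 5 MB upload) into one incident with a single root, and it is also what surfaces 203.0.113.50, an address no feed knows about, as a destination worth watching. The second host that merely touched the root with 200 bytes is alerted on rather than isolated, which is the kind of graded response the threat-level wording in the claims calls for.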
2. A system for threat intelligence and terminal detection response in big data environment, comprising:
a terminal data acquisition probe: the system is used for acquiring terminal behavior data in real time and executing threat response and handling actions; the collected terminal behavior data are collected and uploaded in an encryption mode;
big data machine learning analysis platform: receiving data acquired by the probe, performing unified encryption storage, receiving threat information sent from the outside, and performing encryption storage; performing correlation analysis on data acquired by the probe and threat information, monitoring terminal behaviors in real time, continuously finding unknown threats, and sending threat information data to a control center;
cloud threat information platform: the cloud threat information platform is provided with an open API (application programming interface), other security manufacturers are allowed to access the cloud threat information platform, each accessed enterprise transmits threat information generated in the cloud threat information to the cloud threat information platform, the cloud threat information platform carries out standardization and deduplication processing on the threat information, and then uses big data analysis and machine learning technology to carry out association, analysis and aggregation on each threat information so as to obtain multiple dimensions of attack behaviors of attackers and restore the whole attack event overall view, including attack generation time, used tools, coding style and vulnerability utilization mode; meanwhile, the cloud threat information platform also sends the aggregated threat information to an enterprise connected with the cloud threat information platform;
the control center: the control center has the capability of safety response and threat disposal, receives threat information data of the big data machine learning analysis platform, collides with the collected data, discriminates threats in a known environment, forms a threat brain graph by directional communication tracking of source threat IP, records all communication processes of the threat IP in detail, helps a user to quickly know the current safety event condition, positions a threat root and makes correct and timely response and disposal according to the threat degree.
3. The system for threat intelligence and terminal detection response in a big data environment of claim 2, wherein the probe can collect terminal application installation data, application process data, file transmission data, network access data, memory monitoring information and mail log information.
4. The system for threat intelligence and terminal detection response in a big data environment of claim 2, wherein the big data machine learning analysis platform comprises:
a data source layer/controlled layer: configures the relevant security facilities and device policies according to the obtained threat intelligence, and feeds the aggregated threat intelligence into the enterprise's firewall, intrusion detection, endpoint security, APT (advanced persistent threat) protection, SIEM (security information and event management) and other systems;
a platform layer: data preprocessing performs a series of real-time preprocessing steps on the raw data of each data source in advance; after the various security data are acquired by real-time or interval acquisition, they are cleaned, correlated, compared, integrated, classified and identified, and then uniformly ingested and converged into the distributed database cluster;
an analysis layer: the distributed database cluster stores the data; the preprocessed structured and unstructured mass data are accessed through distributed storage management and parallel processing technology, while a basic resource base, a knowledge base, an object base and a theme base are built; data management and maintenance such as registration and cataloging, quality management and data monitoring are carried out on the data, functions such as data caching, data storage, data indexing and data analysis are provided, and data support is provided for the application services;
a service layer: receives threat services from the service layer of the cloud threat intelligence platform, encapsulates the security data resources and computing resources, and interfaces upward with each business system to provide uniform basic services such as general query and full-text retrieval; downward it connects to the data center, so that threat intelligence can be shared and uploaded to the cloud threat intelligence platform, providing a uniform supporting platform and uniform business services.
5. The system for threat intelligence and terminal detection response in a big data environment of claim 2, wherein the platform layer of the cloud threat intelligence platform supports storage of unstructured, structured and semi-structured data, provides distributed file storage, and at the same time has good system scalability and supports flexible expansion of storage capacity.
6. The system for threat intelligence and terminal detection response in a big data environment of claim 2, wherein the multi-dimensional intelligence generated by the platform layer of the cloud threat intelligence platform comprises APT analysis, security event management, log correlation analysis, historical trajectory analysis, traceability analysis, Fuzz vulnerability analysis, malicious behavior analysis and situation prediction analysis.
7. The system for threat intelligence and terminal detection response in a big data environment of claim 2, wherein the categories of threat intelligence include malware information, IP reputation information, malicious domain name information, phishing link and website information, back-end control server information of PC botnets, back-end server information of mobile botnets, mobile malware information and malicious short message (SMS) information.
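The pipeline the claims describe (intelligence standardization and deduplication, collision of probe data with intelligence, directional tracking of a source threat IP, and response graded by threat degree) as an added, self-contained model; this is example code written for this page, not code from the patent, and every feed name, host name and indicator in it is constructed.

```python
from collections import defaultdict
# Constructed threat-intelligence records from two hypothetical feeds (claim 7 types).
RAW_INTEL = [
    {"type": "ip", "value": "203.0.113.7", "severity": 8, "src": "feedA"},
    {"type": "ip", "value": " 203.0.113.7 ", "severity": 6, "src": "feedB"},
    {"type": "domain", "value": "Bad.Example.NET", "severity": 9, "src": "feedA"},
    {"type": "domain", "value": "bad.example.net.", "severity": 5, "src": "feedB"},
]
# Constructed terminal records in the form a probe would upload (claim 3 data kinds).
EVENTS = [
    {"ts": 1, "host": "pc-01", "proc": "winword.exe", "dst_ip": "203.0.113.7", "domain": ""},
    {"ts": 2, "host": "pc-01", "proc": "powershell.exe", "dst_ip": "198.51.100.9", "domain": "bad.example.net"},
    {"ts": 3, "host": "pc-02", "proc": "chrome.exe", "dst_ip": "203.0.113.7", "domain": ""},
    {"ts": 4, "host": "pc-03", "proc": "outlook.exe", "dst_ip": "192.0.2.10", "domain": "mail.example.org"},
]

def normalize_intel(raw):
    """Standardize and deduplicate indicators, keeping max severity and the reporting feeds."""
    merged = {}
    for r in raw:
        value = r["value"].strip().lower().rstrip(".")   # trim, case-fold, drop FQDN dot
        entry = merged.setdefault((r["type"], value), {"severity": 0, "sources": set()})
        entry["severity"] = max(entry["severity"], r["severity"])
        entry["sources"].add(r["src"])
    return merged

def collide(events, intel):
    """Collide collected terminal data with intelligence: events touching a known-bad IP/domain."""
    hits = []
    for e in events:
        for key in (("ip", e["dst_ip"]), ("domain", e["domain"].lower())):
            if key in intel:
                hits.append((e["host"], e["proc"], key, intel[key]["severity"]))
    return hits

def threat_graph(events, threat_ip):
    """Directional tracking of one source threat IP: who talked to it, when, via which process."""
    graph = defaultdict(list)
    for e in events:
        if e["dst_ip"] == threat_ip:
            graph[e["host"]].append((e["ts"], e["proc"]))
    return dict(graph)

def respond(severity):
    """Choose a handling action by threat degree (claim 1 step s4 measures)."""
    if severity >= 8:
        return "disconnect_host"       # break the contact entirely
    if severity >= 5:
        return "block_data_transfer"   # stop transmission, keep host reachable
    return "monitor"
```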

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110555091.5A CN113259356A (en) 2021-05-21 2021-05-21 Threat intelligence and terminal detection response method and system under big data environment

Publications (1)

Publication Number Publication Date
CN113259356A true CN113259356A (en) 2021-08-13

Family

ID=77183423

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110555091.5A Pending CN113259356A (en) 2021-05-21 2021-05-21 Threat intelligence and terminal detection response method and system under big data environment

Country Status (1)

Country Link
CN (1) CN113259356A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113821802A (en) * 2021-09-30 2021-12-21 中国电子信息产业集团有限公司第六研究所 Security risk assessment method and device, electronic equipment and storage medium
CN115643116A (en) * 2022-12-23 2023-01-24 北京六方云信息技术有限公司 Protection method and system for network equipment, terminal equipment and storage medium
CN116074066A (en) * 2022-12-29 2023-05-05 广西南宁英福泰科信息科技有限公司 Intelligent monitoring blocking method and system for retrieval threat information
CN116074066B (en) * 2022-12-29 2023-07-07 广西南宁英福泰科信息科技有限公司 Intelligent monitoring blocking method and system for retrieval threat information

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107872454A (en) * 2017-11-04 2018-04-03 公安部第三研究所 A kind of monitoring of ultra-large type internet platform protection based on security rank threat information and analysis system and method based on big data technology
CN109547479A (en) * 2018-12-27 2019-03-29 国网浙江省电力有限公司电力科学研究院 Threat intelligence integration system and method in an industrial environment
CN111800395A (en) * 2020-06-18 2020-10-20 云南电网有限责任公司信息中心 Threat information defense method and system
WO2021017614A1 (en) * 2019-07-31 2021-02-04 平安科技(深圳)有限公司 Threat intelligence data collection and processing method and system, apparatus, and storage medium
CN112769821A (en) * 2021-01-07 2021-05-07 中国电子科技集团公司第十五研究所 Threat response method and device based on threat intelligence and ATT & CK

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陈兴蜀 等 (Chen Xingshu et al.): "Network security and intelligence analysis based on big data", 《工程科学与技术》 (Engineering Science and Technology) *

Similar Documents

Publication Publication Date Title
US11902321B2 (en) Secure communication platform for a cybersecurity system
US20210273961A1 (en) Apparatus and method for a cyber-threat defense system
CN112651006B (en) Power grid security situation sensing system
CN103563302B (en) Networked asset information management
Radoglou-Grammatikis et al. An anomaly-based intrusion detection system for the smart grid based on cart decision tree
CN111711599A (en) Safety situation perception system based on multivariate mass data fusion association analysis
EP4154143A1 (en) Cyber security for instant messaging across platforms
CN113259356A (en) Threat intelligence and terminal detection response method and system under big data environment
US20190089725A1 (en) Deep Architecture for Learning Threat Characterization
JP2007536646A (en) Pattern discovery method and system in network security system
US9830451B2 (en) Distributed pattern discovery
Grahn et al. Analytics for network security: A survey and taxonomy
Bialas et al. Anomaly detection in network traffic security assurance
WO2022109417A1 (en) Threat mitigation system and method
Hermanowski Open source security information management system supporting it security audit
Rajesh et al. Network forensics investigation in virtual data centers using elk
Laue et al. A siem architecture for advanced anomaly detection
Azmi Bin Mustafa Sulaiman et al. SIEM Network Behaviour Monitoring Framework using Deep Learning Approach for Campus Network Infrastructure
KR102540904B1 (en) A security total management system for weak security management based on big data and a total method of security
CN116827698B (en) Network gateway flow security situation awareness system and method
Mir et al. An Enhanced Implementation of Security Management System (SSMS) using UEBA in Smart Grid based SCADA Systems
Pincovscy et al. Methodology for Cyber Threat Intelligence with Sensor Integration
Roponena et al. Use Cases and Design of an Intelligent Intrusion Detection System.
EP2790355B1 (en) A method of characterizing a computer network
Dasgupta et al. Mining security events in a distributed agent society

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210813