CN113609234A - Network entity behavior association construction method and system - Google Patents
- Publication number
- CN113609234A (application number CN202110671288.5A)
- Authority
- CN
- China
- Prior art keywords
- threat
- network entity
- network
- behavior
- extracting
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/28—Databases characterised by their database models, e.g. relational or object models
- G06F16/284—Relational databases
- G06F16/288—Entity relationship models
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
- G06F11/3466—Performance evaluation by tracing or monitoring
- G06F11/3476—Data logging
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/901—Indexing; Data structures therefor; Storage structures
- G06F16/9024—Graphs; Linked lists
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1483—Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Databases & Information Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Signal Processing (AREA)
- Data Mining & Analysis (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Quality & Reliability (AREA)
- Software Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a network entity behavior association construction method and system in the field of network security. It focuses on entity behavior association under a cyberspace threat framework and combines real-time computation with offline computation: entity relationships are extracted by integrating traffic logs, multi-source threat intelligence and fragmented alarm logs; the common behaviors of cyberspace entities (domain names, mailboxes, IP addresses, certificates, samples and URLs) are mapped to the tactics and techniques of the cyberspace threat framework; network entity behavior associations are constructed with distributed graph data fusion; and threat intelligence and vulnerability knowledge data are fully used so that cyberspace threats can be sensed comprehensively.
Description
Technical Field
The invention belongs to the field of network security and in particular provides a method for cyberspace threat mapping and network entity behavior association construction based on traffic logs and multi-source intelligence.
Background
In recent years many new kinds of attack have appeared in networks; Advanced Persistent Threat (APT) events in particular occur frequently and have a serious impact on security. The cyber threat actors behind APT groups are the source of attack activity in cyberspace. Highly capable actors in particular carry out systematic, tool-supported, large-scale attacks in an engineered way, and their means of evading tracking and attribution grow ever more advanced, so their activity is hard to track, their attack scenarios and processes are hard to reproduce, and their attack chains are hard to trace. Existing monitoring and analysis means have the following problems: the individual security monitoring systems are information islands, alarms are highly fragmented and cannot be correlated effectively; threat descriptions are unclear, the analysis of attack targets and victims is incomplete, and the cost of manual analysis is high.
Many network security analysis teams have introduced cyberspace threat frameworks into security event analysis in order to describe offensive and defensive capability. Structured Threat Information Expression (STIX) describes cyber threat information in terms of 12 object types such as attack pattern, campaign and course of action. Around the structured description language of STIX 2.0, the MITRE Corporation has built knowledge bases such as the ATT&CK framework, the CAPEC attack patterns and the CWE weaknesses, comprising some 40 tactics, techniques and weaknesses numbering in the thousands and attack patterns numbering in the hundreds; researchers can use them to study and understand threat conditions and as a reference when formulating defensive strategy. But because these threat frameworks do not integrate traffic logs, multi-source threat intelligence and security alarms to construct network entity behavior associations, attack chain tracing and attack scenario reconstruction cannot be realized with them alone.
Disclosure of Invention
The invention aims to focus on entity behavior association under a cyberspace threat framework; to realize entity relationship extraction by combining real-time computation with offline computation and integrating traffic logs, multi-source threat intelligence and fragmented alarm logs; to map the common behaviors of cyberspace entities such as domain names, mailboxes, IP addresses, certificates, samples and URLs to the tactics and techniques of the cyberspace threat framework; to construct network entity behavior associations with distributed graph data fusion; and to make full use of threat intelligence and vulnerability knowledge data so as to sense cyberspace threats comprehensively.
To achieve this purpose, the invention adopts the following technical scheme:
a network entity behavior association construction method comprising the following steps:
1) extracting network entity labels and behavior relations in real time: extracting network entities and their behavior relations in real time from the structured traffic logs stored in the data center, extracting network entity threat labels in real time from the event alarm data stored in the data center, and extracting network entity threat labels in real time from multi-source threat intelligence;
2) extracting network entity labels and behavior relations offline: extracting network entities and their behavior relations offline from the structured traffic logs stored in the data center, extracting network entity threat labels offline from the event alarm data stored in the data center, and extracting network entity threat labels and risk labels offline from multi-source intelligence data;
3) mapping the behavior relations extracted in real time and offline, on the basis of the ATT&CK cyberspace threat framework, to specific technique items of that framework, so as to obtain a standardized description of network entity threats;
4) taking a pre-constructed network entity behavior association model as reference, the model comprising the possible behavior relations among network entities, and associating the labels of the network entities with the behavior relations by means of a distributed graph computation engine, so as to realize behavior association fusion of the network entities;
5) storing and managing the result of the behavior association fusion with a distributed graph data storage and management engine, constructing network entity behavior association graph data and providing a retrieval service.
Further, the network entities include IP addresses, samples, URLs, certificates, domain names and mailboxes.
Further, the multi-source intelligence data includes local intelligence, intelligence interface services and public intelligence data packages.
Further, the possible behavior relations among network entities comprised in the network entity behavior association model include: between IP and IP, communication or attack; between IP and sample, the IP being infected by or dropping the sample; between IP and domain name, access or hosting; between IP and certificate, deployment of a rogue certificate on a malicious IP; between IP and URL, access; between IP and mailbox, access or attack; between sample and sample, derivation or download; between sample and URL, propagation or callback; between sample and domain name, propagation or callback; between sample and mailbox, propagation; between URL and URL, a referrer link; between URL and domain name, the URL being hosted on the domain or the domain being extracted from the URL; between URL and mailbox, a phishing link carried in malicious mail; between certificate and domain name, legitimate ownership of the certificate as recorded in the domain's Whois information; and between domain name and mailbox, the registrant mailbox recorded in the domain's Whois information.
Further, the network entity threat labels and risk labels are automatically disambiguated in real time according to a specificity rule and a universality rule, where the specificity rule unifies the standard threat labels of different cyberspace threat frameworks and the universality rule unifies aliases and short names of threat labels.
A network entity behavior association building system, comprising:
a real-time extraction module, which extracts network entities and their behavior relations in real time, on a streaming basis, from the structured traffic logs stored in the data center, extracts network entity threat labels in real time from the event alarm data stored in the data center, and extracts network entity threat labels in real time from multi-source threat intelligence;
an offline extraction module, which extracts network entities and their behavior relations offline, on Spark, from the structured traffic logs stored in the data center, extracts network entity threat labels offline from the event alarm data stored in the data center, and extracts network entity threat labels and risk labels offline from multi-source intelligence data;
a cyberspace threat mapping module, which maps the behavior relations extracted in real time and offline to specific technique items of the ATT&CK cyberspace threat framework, so as to obtain a standardized description of network entity threats;
a fusion association construction module, which associates the labels of the network entities with their behavior relations by means of a Spark-based distributed graph computation engine, taking the network entity behavior association model (comprising the possible behavior relations among network entities) as reference, so as to realize network entity behavior association fusion;
and an association storage and retrieval module, which stores and manages the result of the behavior association fusion with a distributed graph data storage and management engine, constructs network entity behavior association graph data and provides a retrieval service.
Further, the fusion association construction module also disambiguates the network entity threat labels and risk labels automatically in real time according to a specificity rule and a universality rule, where the specificity rule unifies the standard threat labels of different cyberspace threat frameworks and the universality rule unifies aliases and short names of threat labels.
The invention uses a network entity relationship extraction technique: starting from the threat alarms of the data center, it extracts event threat labels for cyberspace entities such as domain names, mailboxes, IP addresses, certificates, samples and URLs; it supplements the entity behavior relations by correlating traffic logs; it supplements the entity threat labels and risk labels by integrating multi-source threat intelligence (including threat labels and vulnerability threats); and it disambiguates the multi-source labels in real time. It uses a network entity behavior threat-mapping technique: based on the ATT&CK cyberspace threat framework, it maps the extracted entity behaviors to specific technique items of the framework with distributed real-time processing, giving a standardized description of network entity threats. It uses a distributed network entity association fusion technique: for the extracted entity labels and entity behavior associations, it constructs network entity associations and fuses behavior associations with a distributed graph computation engine, supports updating of entity label attributes and relation attributes, and supports adding and updating entity labels and behavior associations singly or in batches.
The method provided by the invention has the following advantages and effects:
1. Entity labels are disambiguated automatically. By combining the specificity rule with the universality rule, entity labels can be disambiguated automatically, and threat label normalization can be carried out automatically for multi-source entity behavior labels and threat labels.
2. Real-time cyberspace threat mapping is supported. The network entity behavior threat-mapping technique maps traffic logs and message alarm logs to tactics and techniques; the mapping covers every tactic stage of the cyberspace threat framework; a real-time computation engine performs the mapping; mapping rules can be added at runtime; and the mapping runs in a distributed manner.
Drawings
Fig. 1 is an overall architecture diagram of a network entity behavior association building system according to an embodiment.
Fig. 2 is a network entity behavior association model of an embodiment.
Fig. 3 is a flowchart of a method for constructing a network entity behavior association according to an embodiment.
Detailed Description
In order to make the technical solution of the present invention more comprehensible, embodiments accompanied with figures are described in detail below.
The embodiment discloses a method and a system for constructing network entity behavior association, which are specifically described as follows:
1. system architecture
The architecture of the whole system is shown in Fig. 1. It mainly comprises a real-time extraction module, an offline extraction module, a cyberspace threat mapping module, a fusion association construction module and an association storage management module. The real-time extraction module reads traffic logs and multi-source intelligence data from the data center message queue and extracts network entities, threat labels and behavior relations on a streaming real-time computation framework. The offline extraction module reads the traffic logs and event alarms stored in the data center Hive, extracts network entities, threat labels and behavior relations, and extracts network entity threat labels and risk labels on the Spark offline computation framework. The threat framework mapping module uses a cyberspace threat framework model to attach framework technique labels to the extracted network entity behavior relations. The fusion association construction module disambiguates the network entity labels on Spark, merges synonymous or conflicting labels and constructs the entity behavior associations. The association storage management module stores and manages the network entity labels and behavior association relations with a distributed graph data storage management engine and provides a retrieval service.
2. Network entity behavior association model
The invention pre-constructs a common network entity behavior association model covering IP addresses, domain names, URLs, mailboxes, samples, certificates and the like, as shown in Fig. 2. The model comprises the possible behavior relations among network entities; the key relations centered on each entity are as follows:
IP: between IP and IP, communication or attack; between IP and sample, the IP being infected by or dropping the sample; between IP and domain name, access or hosting; between IP and certificate, deployment of a rogue certificate on a malicious IP; between IP and URL, access; between IP and mailbox, access or attack;
Sample: between sample and sample, derivation or download; between sample and IP, drop or callback; between sample and URL, propagation or callback; between sample and domain name, propagation or callback; between sample and mailbox, propagation;
URL: between URL and URL, a referrer link; between URL and sample, callback or propagation; between URL and domain name, the URL being hosted on the domain or the domain being extracted from the URL; between URL and mailbox, a phishing link carried in malicious mail;
Certificate: between certificate and domain name, legitimate ownership of the certificate as recorded in the domain's Whois information; between certificate and IP, deployment of a rogue certificate;
Domain name: between domain name and sample, callback or propagation; between domain name and URL, extraction or hosting; between domain name and mailbox, the registrant mailbox recorded in the domain's Whois information; between domain name and certificate, legitimate certificate ownership recorded in the Whois information; between domain name and IP, hosting or access;
Mailbox: between mailbox and domain name, the registrant mailbox recorded in the domain's Whois information; between mailbox and IP, access or attack; between mailbox and URL, a phishing link carried in malicious mail; between mailbox and sample, propagation.
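The behavior association model above, together with the fusion and retrieval steps (4 and 5) of the method, can be made concrete as an allowed-edge schema plus a small in-memory graph. The following Python is an added example written for this page, not code from the patent or its applicant; a production system would run the same logic on a distributed graph engine such as the Spark-based one the text names. The English relation names, the AssociationGraph class and all entity values (documentation IP range, .invalid domains, dummy hashes) are this example's own assumptions and constructed data.

```python
from collections import defaultdict

# Entity types named by the patent.
IP, DOMAIN, URL, MAILBOX, SAMPLE, CERT = "ip", "domain", "url", "mailbox", "sample", "cert"

# Allowed relations per (unordered) pair of entity types, following the model in
# the text; the English relation names are this example's own labels.
MODEL = {
    frozenset({IP}):              {"communicates_with", "attacks"},
    frozenset({IP, SAMPLE}):      {"infected_by", "drops", "callback"},
    frozenset({IP, DOMAIN}):      {"accesses", "hosts"},
    frozenset({IP, CERT}):        {"deploys_rogue_cert"},
    frozenset({IP, URL}):         {"accesses"},
    frozenset({IP, MAILBOX}):     {"accesses", "attacks"},
    frozenset({SAMPLE}):          {"derives", "downloads"},
    frozenset({SAMPLE, URL}):     {"spreads_via", "callback"},
    frozenset({SAMPLE, DOMAIN}):  {"spreads_via", "callback"},
    frozenset({SAMPLE, MAILBOX}): {"spreads_via"},
    frozenset({URL}):             {"referrer"},
    frozenset({URL, DOMAIN}):     {"hosted_on"},        # URL mounted on / domain extracted from URL
    frozenset({URL, MAILBOX}):    {"phishing_link"},
    frozenset({CERT, DOMAIN}):    {"whois_cert_owner"},
    frozenset({DOMAIN, MAILBOX}): {"whois_registrant"},
}

def allowed(src_type, relation, dst_type):
    """True if the model permits this relation between the two entity types."""
    return relation in MODEL.get(frozenset({src_type, dst_type}), ())

class AssociationGraph:
    """In-memory stand-in for the distributed graph engine: nodes keyed by (type, value)
    carry merged tag sets, edges are typed and deduplicated, and adjacency is navigable
    in both directions so an analyst can pivot from any entity."""
    def __init__(self):
        self.nodes = {}                 # (type, value) -> {"tags": set, "risk": set}
        self.edges = set()              # (src, relation, dst)
        self.adj = defaultdict(set)     # node -> {(relation, neighbour)}

    def add_node(self, ntype, value, tags=(), risk=()):
        node = self.nodes.setdefault((ntype, value), {"tags": set(), "risk": set()})
        node["tags"].update(tags)       # attribute update is a set union, so re-adding is idempotent
        node["risk"].update(risk)
        return (ntype, value)

    def add_edge(self, src, relation, dst):
        if not allowed(src[0], relation, dst[0]):
            raise ValueError(f"{relation!r} not permitted between {src[0]} and {dst[0]}")
        if src not in self.nodes or dst not in self.nodes:
            raise KeyError("both endpoints must be added before the edge")
        self.edges.add((src, relation, dst))
        self.adj[src].add((relation, dst))
        self.adj[dst].add((relation, src))

    def fuse(self, batch_nodes, batch_edges):
        """Batch add-and-update (the patent's single/batch label and relation updates)."""
        for ntype, value, tags, risk in batch_nodes:
            self.add_node(ntype, value, tags, risk)
        for src, relation, dst in batch_edges:
            self.add_edge(src, relation, dst)

    def pivot(self, start, path):
        """Retrieval: follow a chain of relation names from start and return the frontier."""
        frontier = {start}
        for relation in path:
            frontier = {n for f in frontier for (r, n) in self.adj[f] if r == relation}
        return frontier

def build_demo_graph():
    """Constructed sample data (documentation IP range, .invalid TLD, dummy hashes)."""
    g = AssociationGraph()
    mailbox = g.add_node(MAILBOX, "registrant@example.invalid")
    domain = g.add_node(DOMAIN, "c2.example.invalid", tags={"command-and-control"})
    ip = g.add_node(IP, "203.0.113.10", tags={"malicious"})
    cert = g.add_node(CERT, "sha1:" + "1" * 40, tags={"self-signed"})
    url = g.add_node(URL, "http://c2.example.invalid/gate", tags={"command-and-control"})
    s1 = g.add_node(SAMPLE, "sha256:" + "a" * 64, tags={"trojan"})
    s2 = g.add_node(SAMPLE, "sha256:" + "b" * 64, tags={"trojan"})
    g.fuse([], [
        (domain, "whois_registrant", mailbox),
        (ip, "hosts", domain),
        (ip, "deploys_rogue_cert", cert),
        (cert, "whois_cert_owner", domain),
        (url, "hosted_on", domain),
        (s1, "callback", domain),        # beacons to the domain
        (s2, "callback", ip),            # beacons straight to the IP
        (s2, "spreads_via", url),
        (s1, "derives", s2),
    ])
    return g

if __name__ == "__main__":
    g = build_demo_graph()
    # registrant mailbox -> domains it registered -> IPs hosting them -> samples beaconing to those IPs
    print(g.pivot((MAILBOX, "registrant@example.invalid"), ["whois_registrant", "hosts", "callback"]))
```

The schema check in add_edge is what makes the pre-constructed model useful in practice: an extractor that emits a relation the model does not define (a certificate "phishing" a mailbox, say) is rejected at fusion time instead of silently polluting the graph, and the symmetric adjacency is what lets the retrieval service pivot from a registrant mailbox all the way to the samples that beacon to the infrastructure.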
3. Network entity behavior association construction process
The network entity behavior association construction process is shown in Fig. 3. Based on the traffic logs and event alarms stored in the data center, and combined with multi-source intelligence data such as local intelligence, intelligence interface services and public intelligence data packages, the distributed real-time and offline computation modules perform entity relationship extraction, cyberspace threat framework mapping, label fusion and behavior association construction, and a distributed graph data storage management engine stores, retrieves and manages the graph-structured network entity behavior associations.
The construction process mainly comprises the following steps:
1) real-time extraction of network entity relationships: the real-time computation module extracts network entities and their behavior relations in real time from the structured traffic logs stored in the data center, extracts network entity threat labels in real time from the event alarm data stored in the data center, and extracts network entity threat labels in real time from multi-source threat intelligence;
2) offline extraction of network entity relationships: the offline computation module extracts network entities and their behavior relations offline from the structured traffic logs stored in the data center, extracts network entity threat labels offline from the event alarm data stored in the data center, and extracts network entity threat labels and risk labels offline from multi-source intelligence data;
3) cyberspace threat mapping of network entity behavior: using the cyberspace threat model, the real-time computation module maps the extracted network entity behavior relations to specific technique items of the cyberspace threat framework, giving a standardized description of network entity threats;
4) disambiguation of network entity threat labels and risk labels: the fusion association construction module disambiguates network entity threat and risk labels automatically by combining a specificity rule with a universality rule, where the specificity rule unifies the standard threat labels of different cyberspace threat frameworks and the universality rule unifies aliases and short names of threat labels, so that multi-source entity risk labels and threat labels are normalized automatically;
5) network entity behavior association fusion: the disambiguated network entity threat and risk labels are associated with the network entity behaviors by means of the distributed graph computation engine according to the pre-constructed network entity behavior association model, realizing network entity behavior association fusion;
6) network entity behavior association database: the distributed graph data storage management engine provides unified storage and management for the fusion result and builds the entity behavior association graph data retrieval service.
The above embodiments are only intended to illustrate the technical solution of the present invention, but not to limit it, and a person skilled in the art can modify the technical solution of the present invention or substitute it with an equivalent, and the protection scope of the present invention is subject to the claims.
Claims (10)
1. A network entity behavior association construction method is characterized by comprising the following steps:
1) extracting the label and behavior relation of the network entity in real time: extracting a network entity and a behavior relation thereof from a structured flow log stored in a data center in real time, extracting a network entity threat tag from event alarm data stored in the data center in real time, and extracting the threat tag of the network entity from multi-source threat information in real time;
2) extracting labels and behavior relations of the network entities offline: extracting a network entity and a behavior relation thereof from a structured traffic log stored in a data center in an off-line manner, extracting a network entity threat label from event alarm data stored in the data center in an off-line manner, and extracting the threat label and a risk label of the network entity from multi-source information data in an off-line manner;
3) mapping the real-time and offline extracted network entity behavior relation to obtain a specific network empty threat frame technical item based on an ATT & CK network empty threat frame, so as to realize network entity threat standardization description;
4) taking a pre-constructed network entity behavior association model as a reference, wherein the model comprises possible behavior relations among network entities, and associating the labels of the network entities with the behavior relations by using a distributed graph data calculation engine to realize the behavior association fusion of the network entities;
5) and storing and managing the result of the network entity behavior association fusion by using a distributed graph relation data storage management engine, constructing network entity behavior association graph data and providing retrieval service.
2. The method of claim 1, wherein the network entity comprises an IP, a sample, a URL, a certificate, a domain name, and a mailbox.
3. The method of claim 1, wherein the multi-source intelligence data comprises local intelligence, intelligence interface services, and public intelligence data packets.
4. The method of claim 1, wherein the network entity behavioral association model comprises possible behavioral relationships between network entities including: the method comprises the following steps of establishing a communication or attack relationship between an IP and the IP, a middle horse or horse release relationship between the IP and a sample, an access or bearing relationship between the IP and a domain name, an illegal certificate deploying relationship on a malicious IP entity between the IP and a certificate, an access relationship between the IP and a URL (uniform resource locator), and an access or attack relationship between the IP and a mailbox; the method comprises the following steps of (1) deriving or pulling relations between samples, propagation or back connection relations between samples and URLs, propagation or back connection relations between samples and domain names, and propagation relations between samples and mailboxes; refer link relation between URL and URL, mount or extract construction relation between URL and domain name, malicious mail between URL and mailbox contains phishing link relation; the domain name Whois information between the certificate and the domain name contains the attribution relationship of the legal certificate, and the domain name Whois information between the domain name and the mailbox contains the mailbox relationship of a registered manufacturer.
5. The method of claim 1, wherein the real-time automated disambiguation of the network entity threat signatures and risk signatures is performed according to specificity rules and universality rules, wherein the specificity rules are unified disambiguation rules performed on standard threat signatures in different cyberkat threat frameworks, and the universality rules are generalized disambiguation rules performed on threat signature aliases or short names.
6. A network entity behavior association building system, comprising:
the real-time extraction module is used for extracting the network entity and the behavior relation thereof from a structured flow log stored in a data center in real time based on streaming, extracting a network entity threat tag from event alarm data stored in the data center in real time, and extracting the threat tag of the network entity from multi-source threat information in real time;
the offline extraction module is used for extracting the network entity and the behavior relation thereof from a structured flow log stored in a data center in an offline manner based on spark, extracting a threat tag of the network entity from event alarm data stored in the data center in an offline manner, and extracting the threat tag and a risk tag of the network entity from multi-source information data in an offline manner;
the network air threat mapping module is used for mapping the real-time and offline extracted network entity behavior relation to obtain a specific network air threat box technical item based on an ATT & CK network air threat frame, so as to realize network entity threat standardization description;
the fusion association building module is used for associating the labels of the network entities with the behavior relations by utilizing a distributed graph data calculation engine based on spark and taking a network entity behavior association model as a reference, wherein the model comprises various possible behavior relations among the network entities, so that the network entity behavior association fusion is realized;
and the association storage retrieval module is used for storing and managing the result of the network entity behavior association fusion by utilizing a distributed graph relation data storage management engine, constructing network entity behavior association graph data and providing retrieval service.
7. The system of claim 6, wherein the network entities include IP, sample, URL, certificate, domain name, and mailbox.
8. The system of claim 6, wherein the multi-source intelligence data comprises local intelligence, intelligence interface services, and public intelligence data packets.
9. The system of claim 6, wherein the fusion association building module is further configured to automatically disambiguate the network entity threat tags and risk tags in real time according to a specificity rule and a universality rule, wherein the specificity rule is a unified disambiguation rule applied to the standard threat tags of different cyberspace threat frameworks, and the universality rule is a universal disambiguation rule applied to aliases or short names of the threat tags.
10. The system of claim 6, wherein the possible behavioral relationships between network entities comprised in the network entity behavioral association model include: between an IP and an IP, a communication or attack relationship; between an IP and a sample, a trojan-infected or trojan-dropping relationship; between an IP and a domain name, an access or hosting relationship; between an IP and a certificate, a relationship of an illegal certificate being deployed on a malicious IP entity; between an IP and a URL (uniform resource locator), an access relationship; and between an IP and a mailbox, an access or attack relationship; between a sample and a sample, a derivation or pulling relationship; between a sample and a URL, a propagation or back-connection relationship; between a sample and a domain name, a propagation or back-connection relationship; and between a sample and a mailbox, a propagation relationship; between a URL and a URL, a referrer link relationship; between a URL and a domain name, a hosting or extraction relationship; and between a URL and a mailbox, a relationship of a malicious mail containing a phishing link; between a certificate and a domain name, a relationship of the domain name Whois information containing the attribution of a legal certificate; and between a domain name and a mailbox, a relationship of the domain name Whois information containing the registrant's mailbox.
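The extraction, tag disambiguation, fusion and retrieval steps of claims 6, 9 and 10, reduced to a single-process Python sketch. This is an added example, not code from the patent or its applicant: the Spark extraction jobs and the distributed graph calculation and storage engines are replaced by in-memory dictionaries; the relation names, the alias table and the framework-to-ATT&CK mapping table, and the flow, alert and intelligence records are all constructed for illustration; the ATT&CK technique ids used (T1071, T1566, T1105) are real ids chosen only as an example of a canonical target.

```python
"""Toy single-process version of the network-entity behaviour association model of
claims 6, 9 and 10. Added illustration, not the patent's code; everything is constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Claim 10 encoded: relation names allowed between two entity types (types from
# claim 7). The names are assumed; the claim only describes the relations.
RELATION_MODEL = {
    ("ip", "ip"): {"communicates", "attacks"},
    ("ip", "sample"): {"infected_by", "drops"},
    ("ip", "domain"): {"accesses", "hosts"},
    ("ip", "certificate"): {"deploys_illegal_cert"},
    ("ip", "url"): {"accesses"},
    ("ip", "mailbox"): {"accesses", "attacks"},
    ("sample", "sample"): {"derives", "pulls"},
    ("sample", "url"): {"propagates_via", "connects_back_to"},
    ("sample", "domain"): {"propagates_via", "connects_back_to"},
    ("sample", "mailbox"): {"propagates_via"},
    ("url", "url"): {"refers"},
    ("url", "domain"): {"hosted_on"},  # the domain name is extracted from the URL
    ("url", "mailbox"): {"phishing_link_in_mail"},
    ("certificate", "domain"): {"whois_attributes_legal_cert"},
    ("domain", "mailbox"): {"whois_registrant_mailbox"},
}
# Claim 9 specificity rule: standard tags of different frameworks are unified to one
# canonical ATT&CK technique id (constructed mapping, lower-case keys).
SPECIFICITY = {"kill_chain:command_and_control": "T1071",  # Application Layer Protocol
               "capec:phishing": "T1566", "attack:t1105": "T1105"}  # Phishing, Ingress Tool Transfer
# Claim 9 universality rule: aliases and short names of a tag (constructed).
UNIVERSALITY = {"c2": "kill_chain:command_and_control", "phish": "capec:phishing"}

def normalize_tag(tag):
    """Universality rule first (alias -> full name), then specificity rule
    (framework name -> canonical id); unknown tags are kept, lower-cased."""
    t = tag.strip().lower()
    t = UNIVERSALITY.get(t, t)
    return SPECIFICITY.get(t, t)

class EntityGraph:
    def __init__(self):
        self.tags = defaultdict(set)   # (type, value) -> {canonical tag}
        self.edges = defaultdict(set)  # (type, value) -> {(relation, (type, value))}

    def add_relation(self, a, relation, b):
        """Fusion step of claim 6: the model is the reference, so a relation it
        does not define for the two entity types is refused, not stored."""
        if relation not in RELATION_MODEL.get((a[0], b[0]), ()):
            return False
        self.edges[a].add((relation, b))
        return True

    def add_tag(self, entity, tag):
        self.tags[entity].add(normalize_tag(tag))

def extract_from_flow_logs(graph, flow_logs):
    """Entities and behaviour relations from structured flow records (claim 6)."""
    for rec in flow_logs:
        src, dst = ("ip", rec["src_ip"]), ("ip", rec["dst_ip"])
        graph.add_relation(src, "communicates", dst)
        if rec.get("domain"):
            graph.add_relation(src, "accesses", ("domain", rec["domain"]))
            graph.add_relation(dst, "hosts", ("domain", rec["domain"]))
        if rec.get("url"):
            url = ("url", rec["url"])
            graph.add_relation(src, "accesses", url)
            graph.add_relation(url, "hosted_on", ("domain", urlsplit(rec["url"]).hostname))

def extract_from_intel(graph, intel):
    """Threat/risk tags and relations from multi-source intelligence (claim 6)."""
    for item in intel:
        ent = (item["type"], item["value"])
        for tag in item.get("tags", []):
            graph.add_tag(ent, tag)
        for rel, other_type, other in item.get("relations", []):
            graph.add_relation(ent, rel, (other_type, other))

def related(graph, start, depth):
    """Retrieval service of claim 6: entities reachable within `depth` hops."""
    seen, frontier = {start}, {start}
    for _ in range(depth):
        frontier = {o for n in frontier for _r, o in graph.edges.get(n, ()) if o not in seen}
        seen |= frontier
    return seen - {start}

# Constructed sample inputs (not from the patent).
URL = "http://update.example.net/stage2.bin"
FLOW_LOGS = [{"src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "domain": "update.example.net", "url": URL},
             {"src_ip": "10.0.0.8", "dst_ip": "203.0.113.7"}]
ALERTS = [{"ip": "203.0.113.7", "tag": "C2"},                              # short name
          {"ip": "203.0.113.7", "tag": "Kill_Chain:Command_and_Control"}]  # another framework
INTEL = [{"type": "sample", "value": "sha256:<constructed-hash>", "tags": ["attack:T1105"],
          "relations": [("connects_back_to", "domain", "update.example.net")]},
         {"type": "domain", "value": "update.example.net",
          "relations": [("whois_registrant_mailbox", "mailbox", "registrant@example.org")]},
         {"type": "url", "value": URL, "tags": ["phish"],
          "relations": [("attacks", "ip", "10.0.0.5")]}]  # URL -> IP "attacks": not in model, refused

def build_graph(flow_logs=FLOW_LOGS, alerts=ALERTS, intel=INTEL):
    g = EntityGraph()
    extract_from_flow_logs(g, flow_logs)
    for a in alerts:  # threat tags from event alarm data (claim 6)
        g.add_tag(("ip", a["ip"]), a["tag"])
    extract_from_intel(g, intel)
    return g
```

Two points the sketch makes concrete. First, "taking the model as the reference" in claim 6 acts as a schema guard: a relation the model does not define for a pair of entity types (here a URL "attacking" an IP) never enters the graph, so downstream retrieval cannot follow an edge nobody has defined a meaning for. Second, the two disambiguation rules of claim 9 must run in order: the universality rule expands an alias such as "C2" to its framework name before the specificity rule can unify that name with the equivalent tag of another framework; applied the other way round, both alerts above would land on different tags for the same IP.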
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110671288.5A CN113609234B (en) | 2021-06-17 | 2021-06-17 | Method and system for constructing network entity behavior association |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110671288.5A CN113609234B (en) | 2021-06-17 | 2021-06-17 | Method and system for constructing network entity behavior association |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113609234A true CN113609234A (en) | 2021-11-05 |
CN113609234B CN113609234B (en) | 2023-08-29 |
Family
ID=78336552
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110671288.5A Active CN113609234B (en) | 2021-06-17 | 2021-06-17 | Method and system for constructing network entity behavior association |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113609234B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113961969A (en) * | 2021-12-22 | 2022-01-21 | 北京金睛云华科技有限公司 | Security threat collaborative modeling method and system |
CN114884703A (en) * | 2022-04-19 | 2022-08-09 | 南京航空航天大学 | Advanced persistent threat detection method based on threat intelligence and message delivery model |
CN114915452A (en) * | 2022-04-11 | 2022-08-16 | 中国信息通信研究院 | Method, system and storage medium for calibrating network entity threat tag |
CN116319077A (en) * | 2023-05-15 | 2023-06-23 | 鹏城实验室 | Network attack detection method and device, equipment, storage medium and product |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107196910A (en) * | 2017-04-18 | 2017-09-22 | 国网山东省电力公司电力科学研究院 | Threat early warning monitoring system, method and the deployment framework analyzed based on big data |
US10438001B1 (en) * | 2018-12-31 | 2019-10-08 | Arceo Labs Inc. | Identification, prediction, and assessment of cyber security risk |
CN110430190A (en) * | 2019-08-05 | 2019-11-08 | 北京经纬信安科技有限公司 | Duplicity system of defense, construction method and full link based on ATT&CK defend implementation method |
CN111147504A (en) * | 2019-12-26 | 2020-05-12 | 深信服科技股份有限公司 | Threat detection method, apparatus, device and storage medium |
CN112738126A (en) * | 2021-01-07 | 2021-04-30 | 中国电子科技集团公司第十五研究所 | Attack tracing method based on threat intelligence and ATT & CK |
CN112769821A (en) * | 2021-01-07 | 2021-05-07 | 中国电子科技集团公司第十五研究所 | Threat response method and device based on threat intelligence and ATT & CK |
CN112818131A (en) * | 2021-02-01 | 2021-05-18 | 亚信科技(成都)有限公司 | Method, system and storage medium for constructing graph of threat information |
- 2021-06-17 CN CN202110671288.5A patent/CN113609234B/en active Active
Non-Patent Citations (4)
Title |
---|
Gbadebo Ayoade et al.: "Automated threat report classification over multi-source data", 2018 IEEE 4th International Conference on Collaboration and Internet Computing, pages 236 - 245 * |
刘汉生;唐洪玉;薄明霞;牛剑锋;李天博;李玲晓;: "Machine-learning-based quality evaluation method for multi-source threat intelligence", 电信科学 (Telecommunications Science), vol. 36, no. 01, pages 119 - 126 * |
贾焰 et al.: "Research on cyberspace security defense strategy based on artificial intelligence", 中国工程科学 (Strategic Study of CAE), vol. 23, no. 3, pages 98 - 105 * |
陈瑞东;张小松;牛伟纳;蓝皓月;: "Research on the technical system of APT attack detection and countermeasures", 电子科技大学学报 (Journal of University of Electronic Science and Technology of China), vol. 48, no. 06, pages 870 - 879 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113961969A (en) * | 2021-12-22 | 2022-01-21 | 北京金睛云华科技有限公司 | Security threat collaborative modeling method and system |
CN114915452A (en) * | 2022-04-11 | 2022-08-16 | 中国信息通信研究院 | Method, system and storage medium for calibrating network entity threat tag |
CN114884703A (en) * | 2022-04-19 | 2022-08-09 | 南京航空航天大学 | Advanced persistent threat detection method based on threat intelligence and message delivery model |
CN114884703B (en) * | 2022-04-19 | 2023-02-28 | 南京航空航天大学 | Advanced persistent threat detection method based on threat intelligence and message delivery model |
CN116319077A (en) * | 2023-05-15 | 2023-06-23 | 鹏城实验室 | Network attack detection method and device, equipment, storage medium and product |
CN116319077B (en) * | 2023-05-15 | 2023-08-22 | 鹏城实验室 | Network attack detection method and device, equipment, storage medium and product |
Also Published As
Publication number | Publication date |
---|---|
CN113609234B (en) | 2023-08-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN113609234A (en) | Network entity behavior association construction method and system | |
AU2019403265B2 (en) | Threat detection platforms for detecting, characterizing, and remediating email-based threats in real time | |
US11431738B2 (en) | Multistage analysis of emails to identify security threats | |
US11032312B2 (en) | Programmatic discovery, retrieval, and analysis of communications to identify abnormal communication activity | |
US10867034B2 (en) | Method for detecting a cyber attack | |
US9602530B2 (en) | System and method for predicting impending cyber security events using multi channel behavioral analysis in a distributed computing environment | |
CN107172022B (en) | APT threat detection method and system based on intrusion path | |
CA2840992C (en) | Syntactical fingerprinting | |
CN109413109A (en) | Heaven and earth integrated network oriented security state analysis method based on finite-state machine | |
RU2634209C1 (en) | System and method of autogeneration of decision rules for intrusion detection systems with feedback | |
CN113691566B (en) | Mail server secret stealing detection method based on space mapping and network flow statistics | |
US20220286432A1 (en) | Discovering email account compromise through assessments of digital activities | |
CN109962927B (en) | Anti-attack method based on threat intelligence | |
CN103067387B (en) | A kind of anti-phishing monitoring system and method | |
Vaarandi et al. | Using security logs for collecting and reporting technical security metrics | |
CN110958231A (en) | Industrial control safety event monitoring platform and method based on Internet | |
CN111314301A (en) | Website access control method and device based on DNS (Domain name Server) analysis | |
CN114598499A (en) | Network risk behavior analysis method combined with business application | |
Tazaki et al. | MATATABI: multi-layer threat analysis platform with Hadoop | |
CN114510710A (en) | Honeypot attack event identification system and method based on XSS and SQL injection | |
CN110278213B (en) | Network security log key information extraction method and system | |
CN110855602B (en) | Internet of things cloud platform event identification method and system | |
CN112487419A (en) | Computer network information security event processing method | |
KR101929522B1 (en) | STIX Conversion Apparatus and Method thereof | |
CN110933064A (en) | Method and system for determining user behavior track |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |