CN113609234A - Network entity behavior association construction method and system - Google Patents


Publication number: CN113609234A
Authority: CN (China)
Prior art keywords: threat, network entity, network, behavior, extracting
Legal status: Granted
Application number: CN202110671288.5A
Other languages: Chinese (zh)
Other versions: CN113609234B (en)
Inventors: 韩志辉, 贺铮, 王宏宇, 严寒冰, 丁丽, 李志辉, 吕志泉, 郭晶, 贾子骁, 肖崇蕙, 虞宇琪, 张腾, 谭兴邦, 亓子森
Current and original assignee: National Computer Network and Information Security Management Center
Current legal status: Active (granted as CN113609234B)

Classifications

    • G06F16/288 Entity relationship models (under G06F16/284 Relational databases; G06F16/28 Databases characterised by their database models; G06F16/20 Information retrieval of structured data)
    • G06F11/3476 Data logging (under G06F11/3466 Performance evaluation by tracing or monitoring; G06F11/34 Recording or statistical evaluation of computer or user activity; G06F11/30 Monitoring)
    • G06F16/9024 Graphs; Linked lists (under G06F16/901 Indexing; Data structures therefor; Storage structures; G06F16/90 Details of database functions independent of the retrieved data types)
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis or analysis of correlation between notifications, alarms or events (under H04L41/06; H04L41/00 Maintenance, administration or management of data switching networks)
    • H04L63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing (under H04L63/1441 Countermeasures against malicious traffic; H04L63/14 Detecting or protecting against malicious traffic; H04L63/00 Network architectures or protocols for network security)


Abstract

The invention discloses a network entity behavior association construction method and system in the field of network security. It focuses on entity behavior association under a cyberspace threat framework, combines real-time computation with offline computation, extracts entity relationships by integrating traffic logs, multi-source threat intelligence and fragmented alert logs, maps the common network entity behaviors in cyberspace (domain names, email addresses, IP addresses, certificates, samples and URLs) onto the techniques and tactics of a cyberspace threat framework, constructs network entity behavior associations with a distributed graph data fusion technique, and makes full use of threat intelligence and vulnerability knowledge data to give comprehensive awareness of cyberspace threats.

Description

Network entity behavior association construction method and system
Technical Field
The invention belongs to the field of network security and provides a cyberspace threat mapping and network entity behavior association construction method based on traffic logs and multi-source intelligence.
Background
In recent years, new kinds of attacks have appeared in networks; Advanced Persistent Threat (APT) events in particular occur frequently and have a serious impact on security. The cyberspace threat actor behind an APT group is the source of attack activity in cyberspace. Highly capable threat actors in particular have engineered systematic, tool-driven, large-scale attack capabilities, and their means of evading tracking and attribution are increasingly advanced, so their activity is hard to track, their attack scenarios and processes are hard to reproduce, and their attack chains are hard to trace. Existing monitoring and analysis means have the following problems: the individual security monitoring systems are information silos, alerts are highly fragmented and cannot be correlated effectively; threat descriptions are unclear, analysis of attack targets and victims is incomplete, and the cost of manual analysis is high.
Many network security analysis teams have introduced a cyberspace threat framework into security incident analysis to describe attack and defense capabilities. Structured Threat Information Expression (STIX) describes cyberspace threat information in terms of 12 object types, such as Attack Pattern, Campaign and Course of Action. Around the structured language description of STIX 2.0, the MITRE Corporation has built knowledge bases such as the ATT&CK framework, the CAPEC attack patterns and CWE, which together contain about 40 tactics, techniques and weaknesses on the scale of thousands, and attack patterns on the scale of hundreds. Researchers use them to study the various cyberspace threat conditions and as a reference when formulating a defense strategy. However, because the cyberspace threat framework does not integrate traffic logs, multi-source threat intelligence and security alerts into network entity behavior associations, attack chain tracing and attack scenario reconstruction cannot be achieved with the framework alone.
Disclosure of Invention
The invention aims to focus on entity behavior association under a cyberspace threat framework: to extract entity relationships by combining real-time computation with offline computation and integrating traffic logs, multi-source threat intelligence and fragmented alert logs; to map the common network entity behaviors in cyberspace (domain names, email addresses, IP addresses, certificates, samples, URLs and the like) onto the techniques and tactics of the cyberspace threat framework; to construct network entity behavior associations with a distributed graph data fusion technique; and to make full use of threat intelligence and vulnerability knowledge data for comprehensive awareness of cyberspace threats.
To achieve this purpose, the invention adopts the following technical scheme:
A network entity behavior association construction method comprises the following steps:
1) extracting network entity tags and behavior relationships in real time: extracting network entities and their behavior relationships in real time from the structured traffic logs stored in the data center, extracting network entity threat tags in real time from the event alert data stored in the data center, and extracting network entity threat tags in real time from multi-source threat intelligence;
2) extracting network entity tags and behavior relationships offline: extracting network entities and their behavior relationships offline from the structured traffic logs stored in the data center, extracting network entity threat tags offline from the event alert data stored in the data center, and extracting network entity threat tags and risk tags offline from multi-source intelligence data;
3) mapping the behavior relationships extracted in real time and offline onto specific technique items of the ATT&CK cyberspace threat framework, giving a standardized description of each network entity's threat;
4) taking a pre-constructed network entity behavior association model as reference (the model enumerates the possible behavior relationships between network entities), associating the network entity tags with the behavior relationships on a distributed graph computation engine, so as to fuse the behavior associations of the network entities;
5) storing and managing the fused result with a distributed graph storage management engine, building network entity behavior association graph data and providing a retrieval service.
Further, the network entities include IP addresses, samples, URLs, certificates, domain names and email addresses.
Further, the multi-source intelligence data includes local intelligence, intelligence interface services and public intelligence data packages.
Further, the possible behavior relationships between network entities enumerated by the model include: between an IP and an IP, communication or attack; between an IP and a sample, being infected by the sample or dropping (distributing) it; between an IP and a domain name, access or hosting; between an IP and a certificate, deployment of an illegitimate certificate on a malicious IP; between an IP and a URL, access; between an IP and an email address, access or attack; between a sample and a sample, derivation or pulling (download); between a sample and a URL, distribution or callback; between a sample and a domain name, distribution or callback; between a sample and an email address, distribution; between a URL and a URL, a Referer link; between a URL and a domain name, the URL being hosted on the domain or the domain being extracted from the URL; between a URL and an email address, a malicious email carrying a phishing link; between a certificate and a domain name, the legitimate certificate ownership recorded in the domain's Whois information; and between a domain name and an email address, the registration email address recorded in the domain's Whois information.
Further, network entity threat tags and risk tags are disambiguated automatically in real time according to a specificity rule and a universality rule, where the specificity rule unifies the standard threat tags of different cyberspace threat frameworks and the universality rule resolves aliases or short names of threat tags.
A network entity behavior association construction system comprises:
a real-time extraction module, which on a streaming engine extracts network entities and their behavior relationships in real time from the structured traffic logs stored in the data center, extracts network entity threat tags in real time from the event alert data stored in the data center, and extracts network entity threat tags in real time from multi-source threat intelligence;
an offline extraction module, which on Spark extracts network entities and their behavior relationships offline from the structured traffic logs stored in the data center, extracts network entity threat tags offline from the event alert data stored in the data center, and extracts network entity threat tags and risk tags offline from multi-source intelligence data;
a cyberspace threat mapping module, which maps the behavior relationships extracted in real time and offline onto specific technique items of the ATT&CK cyberspace threat framework, giving a standardized description of each network entity's threat;
a fusion association construction module, which on a Spark-based distributed graph computation engine, with the network entity behavior association model as reference (the model enumerates the possible behavior relationships between network entities), associates the network entity tags with the behavior relationships, so as to fuse the network entity behavior associations;
and an association storage and retrieval module, which stores and manages the fused result with a distributed graph storage management engine, builds network entity behavior association graph data and provides a retrieval service.
Further, the fusion association construction module also disambiguates network entity threat tags and risk tags automatically in real time according to a specificity rule and a universality rule, where the specificity rule unifies the standard threat tags of different cyberspace threat frameworks and the universality rule resolves aliases or short names of threat tags.
The invention uses a network entity relationship extraction technique: starting from the threat alerts in the data center, it extracts event threat tags for cyberspace entities such as domain names, email addresses, IP addresses, certificates, samples and URLs; supplements the entity behavior relationships by correlating traffic logs; supplements the entity threat tags and risk tags by integrating multi-source threat intelligence (including threat tags and vulnerability threats); and disambiguates the multi-source tags in real time. It uses a network entity behavior cyberspace threat mapping technique, based on the ATT&CK cyberspace threat framework, that maps the extracted entity behaviors on a distributed real-time processing engine onto specific technique items of the framework, giving a standardized description of each entity's threat. It uses a distributed network entity association fusion technique that, for the extracted entity tags and entity behavior associations, builds the network entity associations and fuses the entity behavior associations on a distributed graph computation engine; it supports updating entity tag attributes and relationship attributes, and supports adding and updating entity tags and entity behavior associations singly or in batches.
The method provided by the invention has the following advantages and effects:
1. Entity tags are disambiguated automatically. By combining a specificity rule with a universality rule, entity tags are disambiguated automatically, and threat tag normalization is achieved automatically for multi-source entity behavior tags and threat tags.
2. Real-time cyberspace threat mapping is supported. The network entity behavior cyberspace threat mapping technique maps traffic logs and message alert logs to techniques and tactics, covers every tactic stage of the cyberspace threat framework, performs the technique and tactic mapping in real time on a real-time computation engine, supports adding mapping rules at run time, and supports distributed mapping of network entity behaviors onto the cyberspace threat framework.
Drawings
Fig. 1 is an overall architecture diagram of a network entity behavior association building system according to an embodiment.
Fig. 2 is a network entity behavior association model of an embodiment.
Fig. 3 is a flowchart of a method for constructing a network entity behavior association according to an embodiment.
Detailed Description
To make the technical solution of the invention easier to understand, embodiments are described in detail below with reference to the figures.
The embodiment discloses a method and system for constructing network entity behavior associations, described as follows:
1. System architecture
The architecture of the whole system is shown in Fig. 1 and mainly comprises a real-time extraction module, an offline extraction module, a cyberspace threat mapping module, a fusion association construction module and an association storage management module. The real-time extraction module reads traffic logs and multi-source intelligence data from the data center's message queue and extracts network entities, threat tags and behavior relationships on a streaming real-time computation framework; the offline extraction module reads the traffic logs and event alerts stored in the data center's Hive, extracts network entities, threat tags and behavior relationships, and extracts the threat tags and risk tags of network entities on a Spark offline computation framework; the threat framework mapping module uses the cyberspace threat framework model to label the extracted network entity behavior relationships with cyberspace threat technique items; the fusion association construction module disambiguates the network entity tags on Spark, merges synonymous or conflicting tags and builds the entity behavior associations; and the association storage management module stores and manages the network entity tags and behavior associations with a distributed graph data storage management engine and provides a retrieval service.
2. Network entity behavior association model
The invention pre-constructs a common network entity behavior association model covering IP addresses, domain names, URLs, email addresses, samples, certificates and the like, as shown in Fig. 2. The model enumerates the possible behavior relationships between network entities; the key relationships, centered on each entity type, are as follows:
IP: between an IP and an IP, communication or attack; between an IP and a sample, being infected by the sample or dropping (distributing) it; between an IP and a domain name, access or hosting; between an IP and a certificate, deployment of an illegitimate certificate on a malicious IP; between an IP and a URL, access; between an IP and an email address, access or attack;
Sample: between a sample and a sample, derivation or pulling (download); between a sample and an IP, being released (dropped) from the IP or calling back to it; between a sample and a URL, distribution or callback; between a sample and a domain name, distribution or callback; between a sample and an email address, distribution;
URL: between a URL and a URL, a Referer link; between a URL and a sample, callback or distribution; between a URL and a domain name, the URL being hosted on the domain or the domain being extracted from the URL; between a URL and an email address, a malicious email carrying a phishing link;
Certificate: between a certificate and a domain name, the legitimate certificate ownership recorded in the domain's Whois information; between a certificate and an IP, deployment of an illegitimate certificate;
Domain name: between a domain name and a sample, callback or distribution; between a domain name and a URL, extraction or hosting; between a domain name and an email address, the registration email address recorded in the domain's Whois information; between a domain name and a certificate, the legitimate certificate ownership recorded in the Whois information; between a domain name and an IP, hosting or access;
Email address: between an email address and a domain name, the registration email address recorded in the domain's Whois information; between an email address and an IP, access or attack; between an email address and a URL, a malicious email carrying a phishing link; between an email address and a sample, distribution.
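The model above expressed as a typed schema, together with a small association store that does what steps 4 to 6 of the process assign to the distributed graph engines: single and batch upsert of entities and relations, merging of tag and relation attributes, and neighbourhood retrieval. This is an added example and not code from the patent; the relation names follow the text, while the edge direction, the attribute merge policy, the sample entities and an in-memory store standing in for Spark and the graph database are assumptions of the example.

```python
"""Entity behaviour association model (Fig. 2) as a typed schema plus an
in-memory association store.  Added example, not the patent's code; the
relation vocabulary follows the text, direction and merge policy are assumed,
and a single process stands in for the distributed graph engines."""
from collections import defaultdict, deque

ENTITY_TYPES = {"ip", "sample", "url", "certificate", "domain", "email"}

# (source type, relation, target type) triples the model permits.
MODEL = {
    ("ip", "communicates_with", "ip"), ("ip", "attacks", "ip"),
    ("ip", "infected_by", "sample"), ("ip", "drops", "sample"),
    ("ip", "accesses", "domain"), ("ip", "hosts", "domain"),
    ("ip", "deploys_illegitimate_cert", "certificate"),
    ("ip", "accesses", "url"),
    ("ip", "accesses", "email"), ("ip", "attacks", "email"),
    ("sample", "derives", "sample"), ("sample", "pulls", "sample"),
    ("sample", "released_from", "ip"), ("sample", "calls_back", "ip"),
    ("sample", "spread_via", "url"), ("sample", "calls_back", "url"),
    ("sample", "spread_via", "domain"), ("sample", "calls_back", "domain"),
    ("sample", "spread_via", "email"),
    ("url", "refers", "url"),
    ("url", "hosted_on", "domain"), ("url", "extracted_from", "domain"),
    ("url", "phishing_link_to", "email"),
    ("certificate", "whois_owner_of", "domain"),   # legitimate certificate ownership
    ("domain", "whois_registration_email", "email"),
}


class AssociationGraph:
    def __init__(self):
        self.entities = {}                 # (type, value) -> {"threat": set, "risk": set}
        self.relations = {}                # (src, rel, dst) -> attribute dict
        self.adjacent = defaultdict(set)   # entity key -> relation keys touching it

    def upsert_entity(self, key, threat=(), risk=()):
        if key[0] not in ENTITY_TYPES:
            raise ValueError(f"unknown entity type: {key[0]}")
        ent = self.entities.setdefault(key, {"threat": set(), "risk": set()})
        ent["threat"] |= set(threat)       # tags only ever accumulate
        ent["risk"] |= set(risk)
        return ent

    def upsert_relation(self, src, rel, dst, **attrs):
        """Merge one observation of src -rel-> dst; rejects triples outside the model."""
        if (src[0], rel, dst[0]) not in MODEL:
            raise ValueError(f"relation not in model: {(src[0], rel, dst[0])}")
        self.upsert_entity(src)
        self.upsert_entity(dst)
        key = (src, rel, dst)
        edge = self.relations.get(key)
        if edge is None:
            edge = self.relations[key] = {"count": 0}
            self.adjacent[src].add(key)
            self.adjacent[dst].add(key)
        edge["count"] += attrs.pop("count", 1)      # sightings accumulate
        for k, pick in (("first_seen", min), ("last_seen", max)):
            if k in attrs:                           # time bounds only widen
                v = attrs.pop(k)
                edge[k] = pick(edge[k], v) if k in edge else v
        edge.update(attrs)                           # other attributes: newest wins
        return edge

    def batch_upsert(self, records):
        """records: ("entity", key, threat, risk) or ("relation", src, rel, dst, attrs)."""
        for rec in records:
            if rec[0] == "entity":
                self.upsert_entity(rec[1], rec[2], rec[3])
            else:
                self.upsert_relation(rec[1], rec[2], rec[3], **rec[4])

    def neighbourhood(self, start, hops=1, rel=None):
        """Retrieval: entities within `hops` edges of start, optionally over one relation."""
        seen, frontier = {start}, deque([(start, 0)])
        while frontier:
            node, depth = frontier.popleft()
            if depth == hops:
                continue
            for s, r, d in self.adjacent[node]:
                if rel is not None and r != rel:
                    continue
                other = d if s == node else s
                if other not in seen:
                    seen.add(other)
                    frontier.append((other, depth + 1))
        seen.discard(start)
        return seen


def demo():
    """Constructed scenario: a victim IP pulls a sample that beacons to a C2 domain."""
    g = AssociationGraph()
    victim, c2ip = ("ip", "192.0.2.10"), ("ip", "203.0.113.7")
    dom, smp = ("domain", "update.example.net"), ("sample", "a" * 64)
    g.upsert_entity(dom, threat={"c2"})
    g.upsert_relation(victim, "infected_by", smp, first_seen="2021-06-17T08:00:02Z",
                      last_seen="2021-06-17T08:00:02Z", technique="T1105")
    # real-time sighting, then an earlier and a later one found by the offline pass
    g.upsert_relation(smp, "calls_back", dom, first_seen="2021-06-17T08:05:00Z",
                      last_seen="2021-06-17T08:05:00Z")
    g.upsert_relation(smp, "calls_back", dom, first_seen="2021-06-17T07:59:00Z",
                      last_seen="2021-06-17T09:00:00Z")
    g.batch_upsert([
        ("entity", c2ip, {"c2"}, set()),
        ("relation", c2ip, "hosts", dom, {}),
        ("relation", dom, "whois_registration_email", ("email", "reg@example.org"), {}),
    ])
    return g
```

The schema check in `upsert_relation` is what keeps a fused graph meaningful: an extractor that emits an edge the model does not define (an email address "hosting" an IP, say) fails loudly instead of silently polluting the store, and the widening rule for `first_seen`/`last_seen` lets the offline pass extend what the streaming pass already recorded without losing either sighting.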
3. Network entity behavior association construction process
The construction process is shown in Fig. 3. Starting from the traffic logs and event alerts stored in the data center, and combining multi-source intelligence data such as local intelligence, intelligence interface services and public intelligence data packages, the distributed real-time and offline computation modules perform entity relationship extraction, cyberspace threat framework mapping, tag fusion and behavior association construction, and a distributed graph data storage management engine stores, retrieves and manages the graph-structured network entity behavior associations.
The construction process mainly comprises the following steps:
1) extracting network entity relationships in real time: the real-time computation module extracts network entities and their behavior relationships in real time from the structured traffic logs stored in the data center, extracts network entity threat tags in real time from the event alert data stored in the data center, and extracts network entity threat tags in real time from multi-source threat intelligence;
2) extracting network entity relationships offline: the offline computation module extracts network entities and their behavior relationships offline from the structured traffic logs stored in the data center, extracts network entity threat tags offline from the event alert data stored in the data center, and extracts network entity threat tags and risk tags offline from multi-source intelligence data;
3) cyberspace threat mapping of network entity behaviors: using the cyberspace threat model, the real-time computation module maps the extracted network entity behavior relationships onto specific technique items of the cyberspace threat framework, giving a standardized description of each network entity's threat;
4) disambiguating network entity threat tags and risk tags: the fusion association construction module disambiguates network entity threat and risk tags automatically by combining a specificity rule with a universality rule, where the specificity rule unifies the standard threat tags of different cyberspace threat frameworks and the universality rule resolves aliases or short names of threat tags; in this way the risk tags and threat tags of multi-source entities are normalized automatically;
5) fusing network entity behavior associations: according to the pre-constructed network entity behavior association model, the distributed graph computation engine associates the disambiguated network entity threat and risk tags with the network entity behaviors, fusing the network entity behavior associations;
6) network entity behavior association database: the distributed graph storage management engine provides unified storage and management for the fused result and builds the retrieval service over the entity behavior association graph data.
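Steps 1 to 4 above run end to end over constructed input, as an added example that is not part of the patent: the record layouts, the alias tables, the cross-framework equivalences and the relation-to-technique rules are assumptions of this example; only the ATT&CK and CAPEC identifiers are real entries of those catalogues. A single process stands in for the streaming and Spark modules, and the mapping pass runs after all tags are collected, which is what the offline pass can do and the real-time pass can only approximate with the tags seen so far.

```python
"""Entity/relation extraction from traffic records, threat-tag extraction from
alert lines and a multi-source intel feed, two-rule tag disambiguation and
ATT&CK technique mapping.  Added example, not the patent's code: formats,
alias tables, framework equivalences and mapping rules are all assumptions."""
import re
from collections import defaultdict

# Constructed inputs (RFC 5737 test addresses, reserved example domains).
TRAFFIC_LOG = [
    {"ts": "2021-06-17T08:00:01Z", "kind": "dns", "src": "192.0.2.10",
     "qname": "update.example.net", "answer": "203.0.113.7"},
    {"ts": "2021-06-17T08:00:02Z", "kind": "http", "src": "192.0.2.10",
     "dst": "203.0.113.7", "url": "http://update.example.net/a.exe",
     "sha256": "a" * 64},                       # payload download observed
    {"ts": "2021-06-17T08:05:00Z", "kind": "http", "src": "192.0.2.10",
     "dst": "203.0.113.7", "url": "http://update.example.net/gate.php",
     "sha256": None},
]
ALERT_LOG = [                                   # "ts src dst tag", two sensors
    "2021-06-17T08:00:02Z 192.0.2.10 203.0.113.7 Trojan-Downloader",
    "2021-06-17T08:05:00Z 192.0.2.10 203.0.113.7 CnC",
    "2021-06-17T09:00:00Z 198.51.100.3 192.0.2.25 T1110",
]
INTEL = [                                       # local, API and public sources
    {"ioc": "update.example.net", "type": "domain", "tags": ["C2", "APT-Example"]},
    {"ioc": "203.0.113.7", "type": "ip", "tags": ["Command and  Control"]},
    {"ioc": "198.51.100.3", "type": "ip", "tags": ["CAPEC-112", "bruteforcer"]},
]

# Specificity rule: standard tags of different frameworks that denote the same
# behaviour collapse to one canonical tag (the equivalences are assumed).
SPECIFICITY = {"t1110": "brute_force", "capec-112": "brute_force",
               "t1566": "phishing", "capec-98": "phishing"}
# Universality rule: aliases and short names (table assumed).
UNIVERSALITY = {"cnc": "c2", "command and control": "c2", "bruteforcer": "brute_force"}
ATTACK_TAGS = {"brute_force", "phishing"}       # tags that describe the attacker side


def normalise_tag(tag):
    """Disambiguate one tag: specificity rule first, then universality rule."""
    t = re.sub(r"\s+", " ", tag.strip().lower())
    if t in SPECIFICITY:
        return SPECIFICITY[t]
    return UNIVERSALITY.get(t, re.sub(r"[\s-]+", "_", t))


def extract_traffic(rec):
    """Yield (src, relation, dst) triples from one structured traffic record."""
    src = ("ip", rec["src"])
    if rec["kind"] == "dns":
        yield src, "accesses", ("domain", rec["qname"])
        yield ("ip", rec["answer"]), "hosts", ("domain", rec["qname"])
    elif rec["kind"] == "http":
        url, host = ("url", rec["url"]), ("domain", rec["url"].split("/")[2])
        yield src, "communicates_with", ("ip", rec["dst"])
        yield src, "accesses", url
        yield url, "hosted_on", host
        if rec["sha256"]:                       # a file was pulled over this URL
            sample = ("sample", rec["sha256"])
            yield src, "infected_by", sample
            yield sample, "spread_via", url


ALERT_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")


def extract_alert(line):
    """Return ((src, rel, dst), (tagged_entity, tag)) from one alert line.
    Assumption: attack-class tags describe the source, other tags the peer."""
    _ts, src, dst, raw = ALERT_RE.match(line).groups()
    tag, s, d = normalise_tag(raw), ("ip", src), ("ip", dst)
    if tag in ATTACK_TAGS:
        return (s, "attacks", d), (s, tag)
    return (s, "communicates_with", d), (d, tag)


def map_technique(rel, dst, src_tags, dst_tags):
    """Cyberspace-threat mapping of one behaviour relation (rules assumed)."""
    if rel == "infected_by" and dst[0] == "sample":
        return "T1105"                          # Ingress Tool Transfer
    if rel in ("accesses", "communicates_with") and "c2" in dst_tags:
        return "T1071"                          # Application Layer Protocol
    if rel == "attacks" and "brute_force" in src_tags:
        return "T1110"                          # Brute Force
    return None


def build(traffic, alerts, intel):
    """Ingest every source, then map techniques once all tags are known."""
    tags, rels = defaultdict(set), defaultdict(lambda: {"count": 0})
    for entry in intel:
        tags[(entry["type"], entry["ioc"])] |= {normalise_tag(t) for t in entry["tags"]}
    for line in alerts:
        triple, (ent, tag) = extract_alert(line)
        tags[ent].add(tag)
        rels[triple]["count"] += 1
    for rec in traffic:
        for triple in extract_traffic(rec):
            rels[triple]["count"] += 1
    for (src, rel, dst), attrs in rels.items():
        attrs["technique"] = map_technique(rel, dst, tags[src], tags[dst])
    return dict(tags), dict(rels)
```

Two things the plain text does not make visible: the same `communicates_with` edge is reported four times (twice by traffic, twice by alerts) and is merged by key rather than duplicated, and the technique a behaviour maps to depends on tags that may arrive from a different source than the behaviour itself, which is why the mapping rules take the endpoint tags as input and why re-running the mapping offline can change a verdict the streaming pass already emitted.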
The above embodiments are only intended to illustrate the technical solution of the present invention, but not to limit it, and a person skilled in the art can modify the technical solution of the present invention or substitute it with an equivalent, and the protection scope of the present invention is subject to the claims.

Claims (10)

1. A network entity behavior association construction method is characterized by comprising the following steps:
1) extracting the label and behavior relation of the network entity in real time: extracting a network entity and a behavior relation thereof from a structured flow log stored in a data center in real time, extracting a network entity threat tag from event alarm data stored in the data center in real time, and extracting the threat tag of the network entity from multi-source threat information in real time;
2) extracting labels and behavior relations of the network entities offline: extracting a network entity and a behavior relation thereof from a structured traffic log stored in a data center in an off-line manner, extracting a network entity threat label from event alarm data stored in the data center in an off-line manner, and extracting the threat label and a risk label of the network entity from multi-source information data in an off-line manner;
3) mapping the real-time and offline extracted network entity behavior relation to obtain a specific network empty threat frame technical item based on an ATT & CK network empty threat frame, so as to realize network entity threat standardization description;
4) taking a pre-constructed network entity behavior association model as a reference, wherein the model comprises possible behavior relations among network entities, and associating the labels of the network entities with the behavior relations by using a distributed graph data calculation engine to realize the behavior association fusion of the network entities;
5) and storing and managing the result of the network entity behavior association fusion by using a distributed graph relation data storage management engine, constructing network entity behavior association graph data and providing retrieval service.
2. The method of claim 1, wherein the network entity comprises an IP, a sample, a URL, a certificate, a domain name, and a mailbox.
3. The method of claim 1, wherein the multi-source intelligence data comprises local intelligence, intelligence interface services, and public intelligence data packets.
4. The method of claim 1, wherein the network entity behavioral association model comprises possible behavioral relationships between network entities including: the method comprises the following steps of establishing a communication or attack relationship between an IP and the IP, a middle horse or horse release relationship between the IP and a sample, an access or bearing relationship between the IP and a domain name, an illegal certificate deploying relationship on a malicious IP entity between the IP and a certificate, an access relationship between the IP and a URL (uniform resource locator), and an access or attack relationship between the IP and a mailbox; the method comprises the following steps of (1) deriving or pulling relations between samples, propagation or back connection relations between samples and URLs, propagation or back connection relations between samples and domain names, and propagation relations between samples and mailboxes; refer link relation between URL and URL, mount or extract construction relation between URL and domain name, malicious mail between URL and mailbox contains phishing link relation; the domain name Whois information between the certificate and the domain name contains the attribution relationship of the legal certificate, and the domain name Whois information between the domain name and the mailbox contains the mailbox relationship of a registered manufacturer.
5. The method of claim 1, wherein the real-time automated disambiguation of the network entity threat signatures and risk signatures is performed according to specificity rules and universality rules, wherein the specificity rules are unified disambiguation rules performed on standard threat signatures in different cyberkat threat frameworks, and the universality rules are generalized disambiguation rules performed on threat signature aliases or short names.
6. A network entity behavior association building system, comprising:
the real-time extraction module, configured to extract, in real time and on a streaming basis, the network entities and their behavior relations from the structured flow logs stored in the data center, to extract network entity threat tags in real time from the event alarm data stored in the data center, and to extract network entity threat tags in real time from multi-source threat intelligence;
the offline extraction module, configured to extract, offline and on Spark, the network entities and their behavior relations from the structured flow logs stored in the data center, to extract network entity threat tags offline from the event alarm data stored in the data center, and to extract network entity threat tags and risk tags offline from the multi-source intelligence data;
the cyberspace threat mapping module, configured to map the network entity behavior relations extracted in real time and offline onto the specific technique items of the ATT&CK cyberspace threat framework, thereby producing a standardized description of network entity threats;
the fusion association building module, configured to associate the tags of the network entities with their behavior relations using a Spark-based distributed graph computation engine and taking a network entity behavior association model as reference, the model comprising the various possible behavior relations among network entities, thereby fusing the network entity behavior associations;
and the association storage and retrieval module, configured to store and manage the result of the network entity behavior association fusion using a distributed graph relation data storage and management engine, to construct network entity behavior association graph data, and to provide a retrieval service.
7. The system of claim 6, wherein the network entities include IP, sample, URL, certificate, domain name, and mailbox.
8. The system of claim 6, wherein the multi-source intelligence data comprises local intelligence, intelligence interface services, and public intelligence data packets.
9. The system of claim 6, wherein the fusion association building module is further configured to automatically disambiguate the network entity threat tags and risk tags in real time according to specificity rules and universality rules, wherein the specificity rules are unified disambiguation rules applied to the standard threat tags of different cyberspace threat frameworks, and the universality rules are generalized disambiguation rules applied to aliases or short names of threat tags.
10. The system of claim 6, wherein the network entity behavior association model comprises the possible behavioral relationships between network entities, including: between an IP and an IP, a communication or attack relationship; between an IP and a sample, a trojan-infected or trojan-hosting relationship; between an IP and a domain name, an access or hosting relationship; between an IP and a certificate, the relationship of an illegitimate certificate deployed on a malicious IP entity; between an IP and a URL (uniform resource locator), an access relationship; between an IP and a mailbox, an access or attack relationship; between a sample and a sample, a derivation or download (pull) relationship; between a sample and a URL, a propagation or callback (back-connection) relationship; between a sample and a domain name, a propagation or callback relationship; between a sample and a mailbox, a propagation relationship; between a URL and a URL, a referer link relationship; between a URL and a domain name, a hosting relationship (the URL is mounted on the domain) or an extraction relationship (the domain is extracted from the URL); between a URL and a mailbox, the relationship of a malicious mail containing a phishing link; between a certificate and a domain name, the attribution relationship of a legitimate certificate recorded in the domain name's Whois information; and between a domain name and a mailbox, the registrant mailbox relationship recorded in the domain name's Whois information.
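As an added illustration of the fused graph that claims 4 to 6 and 9 to 10 describe (example code written for this page, not the patent's or the applicant's implementation), the following Python builds a small entity behavior graph from constructed flow-log, alarm and intelligence records, applies specificity and universality rules to the threat tags, and answers a retrieval query. The record shapes, rule tables, entity values and edge names are all assumptions; a production system would hold the same structure in a distributed graph engine as the claims state.

```python
from collections import defaultdict
# Constructed sample records (made up for this example) standing in for the three
# sources the claims name: structured flow logs, event alarm data, multi-source intelligence.
FLOW_LOGS = [
    {"src_ip": "203.0.113.5", "dst_ip": "198.51.100.7",
     "domain": "example.test", "url": "http://example.test/dl/a.bin"},
]
ALERTS = [
    {"entity": "203.0.113.5", "tag": "T1071.001"},  # ATT&CK technique id from a detector
    {"entity": "198.51.100.7", "tag": "C&C"},
]
INTEL = [
    {"entity": "198.51.100.7", "tag": "c2"},
    {"entity": "example.test", "tag": "Command and Control"},
]
# Specificity rule table (assumed): standard tags of different frameworks -> one canonical label.
SPECIFICITY = {"T1071.001": "command-and-control", "TA0011": "command-and-control"}
# Universality rule table (assumed): aliases and short names -> the same canonical label.
UNIVERSALITY = {"c2": "command-and-control", "c&c": "command-and-control",
                "command and control": "command-and-control"}

def disambiguate(tag):
    """Specificity rule first (exact framework identifier), then the universality rule."""
    if tag in SPECIFICITY:
        return SPECIFICITY[tag]
    key = tag.strip().lower()
    return UNIVERSALITY.get(key, key)  # unknown tags pass through, normalized

def build_graph(flows, alerts, intel):
    """Return (edges, tags): typed edges from flow logs plus disambiguated tags per entity."""
    edges = set()
    tags = defaultdict(set)
    for f in flows:  # edge types follow the behavior association model of claims 4 and 10
        edges.add((f["src_ip"], "communicates_with", f["dst_ip"]))  # IP - IP
        edges.add((f["dst_ip"], "hosts", f["domain"]))              # IP - domain
        edges.add((f["src_ip"], "accesses", f["url"]))              # IP - URL
        edges.add((f["url"], "mounted_on", f["domain"]))            # URL - domain
    for rec in alerts + intel:  # fuse tags from both sources onto the same entity node
        tags[rec["entity"]].add(disambiguate(rec["tag"]))
    return edges, dict(tags)

def lookup(edges, tags, entity):
    """Retrieval: every edge touching `entity`, with the canonical tags of both endpoints."""
    return [(s, r, d, sorted(tags.get(s, ())), sorted(tags.get(d, ())))
            for s, r, d in sorted(edges) if entity in (s, d)]

if __name__ == "__main__":
    e, t = build_graph(FLOW_LOGS, ALERTS, INTEL)
    for row in lookup(e, t, "198.51.100.7"):
        print(row)
```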

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110671288.5A CN113609234B (en) 2021-06-17 2021-06-17 Method and system for constructing network entity behavior association

Publications (2)

Publication Number Publication Date
CN113609234A true CN113609234A (en) 2021-11-05
CN113609234B CN113609234B (en) 2023-08-29

Family

ID=78336552

Country Status (1)

Country Link
CN (1) CN113609234B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113961969A (en) * 2021-12-22 2022-01-21 北京金睛云华科技有限公司 Security threat collaborative modeling method and system
CN114884703A (en) * 2022-04-19 2022-08-09 南京航空航天大学 Advanced persistent threat detection method based on threat intelligence and message delivery model
CN114915452A (en) * 2022-04-11 2022-08-16 中国信息通信研究院 Method, system and storage medium for calibrating network entity threat tag
CN116319077A (en) * 2023-05-15 2023-06-23 鹏城实验室 Network attack detection method and device, equipment, storage medium and product

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107196910A (en) * 2017-04-18 2017-09-22 国网山东省电力公司电力科学研究院 Threat early-warning monitoring system, method and deployment framework based on big data analysis
US10438001B1 (en) * 2018-12-31 2019-10-08 Arceo Labs Inc. Identification, prediction, and assessment of cyber security risk
CN110430190A (en) * 2019-08-05 2019-11-08 北京经纬信安科技有限公司 Deception defense system, construction method and full-link defense implementation method based on ATT&CK
CN111147504A (en) * 2019-12-26 2020-05-12 深信服科技股份有限公司 Threat detection method, apparatus, device and storage medium
CN112738126A (en) * 2021-01-07 2021-04-30 中国电子科技集团公司第十五研究所 Attack tracing method based on threat intelligence and ATT & CK
CN112769821A (en) * 2021-01-07 2021-05-07 中国电子科技集团公司第十五研究所 Threat response method and device based on threat intelligence and ATT & CK
CN112818131A (en) * 2021-02-01 2021-05-18 亚信科技(成都)有限公司 Method, system and storage medium for constructing graph of threat information

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
GBADEBO AYOADE et al.: "Automated threat report classification over multi-source data", 2018 IEEE 4th International Conference on Collaboration and Internet Computing, pages 236-245 *
刘汉生; 唐洪玉; 薄明霞; 牛剑锋; 李天博; 李玲晓: "A machine-learning-based quality evaluation method for multi-source threat intelligence", 电信科学 (Telecommunications Science), vol. 36, no. 01, pages 119-126 *
贾焰 et al.: "Research on an artificial-intelligence-based cyberspace security defense strategy", 中国工程科学 (Strategic Study of CAE), vol. 23, no. 3, pages 98-105 *
陈瑞东; 张小松; 牛伟纳; 蓝皓月: "Research on the technology system for APT attack detection and countermeasures", 电子科技大学学报 (Journal of University of Electronic Science and Technology of China), vol. 48, no. 06, pages 870-879 *

Also Published As

Publication number Publication date
CN113609234B (en) 2023-08-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant