CN113691518A - Information analysis method, device, equipment and storage medium - Google Patents


Info

Publication number
CN113691518A
Authority
CN
China
Prior art keywords
address
analyzed
risk
safety
security
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110945852.8A
Other languages
Chinese (zh)
Other versions
CN113691518B (en)
Inventor
韩志立
张玉兵
刘凯
陆贝
高学文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Hongteng Intelligent Technology Co ltd
Original Assignee
Beijing Hongteng Intelligent Technology Co ltd
Events
Application filed by Beijing Hongteng Intelligent Technology Co ltd
Priority to CN202110945852.8A
Publication of CN113691518A
Application granted
Publication of CN113691518B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention belongs to the field of computer technology and discloses an intelligence analysis method, apparatus, device and storage medium. The method obtains the security intelligence information corresponding to an address to be analyzed; performs security analysis on the address according to that intelligence to obtain a security analysis result; determines from the result whether the address carries a security risk; and, when it does, generates an alarm event from the address and the analysis result. Because the intelligence for an address is fetched automatically as soon as the address is obtained, the risk decision is made from that intelligence and an alarm event is raised only when a risk exists, security operators need only attend to the alarm events. This greatly reduces their workload and lets them handle the complex, intertwined mass of attack alarms more easily.

Description

Intelligence analysis method, apparatus, device and storage medium
Technical Field
The present invention relates to the field of computer technology, and in particular to an intelligence analysis method, apparatus, device and storage medium.
Background
Whether in live-network attack and defense exercises or in daily security operations inside an enterprise, a large volume of attack alarms from the Internet has to be handled and analyzed. Mixed together in these alarms are false positives from benign detection activity, automated scan records that need no attention, and high-risk manual intrusions and ransomware propagation. Faced with this complex, intertwined mass, analyzing each alarm one by one by hand consumes enormous manpower, is extremely costly and handles alarms slowly, and it is difficult to respond effectively and accurately.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The main object of the invention is to provide an intelligence analysis method, apparatus, device and storage medium, so as to solve the technical problem that security operators have difficulty handling the complex, intertwined mass of attack alarms.
To achieve the above object, the present invention provides an intelligence analysis method comprising the steps of:
obtaining the security intelligence information corresponding to an address to be analyzed;
performing security analysis on the address to be analyzed according to the security intelligence information to obtain a security analysis result;
determining whether the address to be analyzed has a security risk according to the security analysis result;
and when the address to be analyzed has a security risk, generating an alarm event according to the address to be analyzed and the security analysis result.
Optionally, before the step of obtaining the security intelligence information corresponding to the address to be analyzed, the method further includes:
when an address to be analyzed is obtained, detecting whether it is an intranet address;
and when it is not an intranet address, executing the step of obtaining the security intelligence information corresponding to it.
Optionally, the step of obtaining the security intelligence information when the address to be analyzed is not an intranet address includes:
when the address to be analyzed is not an intranet address, obtaining a list of service (business) server addresses;
matching the address to be analyzed against the service server addresses in that list;
and when no service server address matching the address to be analyzed is found, executing the step of obtaining the security intelligence information corresponding to the address to be analyzed.
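The two pre-checks above (intranet detection, then the service server list) as an added example; this is not the patent's code. The "intranet" ranges, the service server list and the helper names are constructed assumptions. The example goes a little beyond the text in one respect: it treats loopback, link-local, CGNAT and IPv6 ULA ranges as intranet too, and canonicalizes the address before matching, since a raw log string ("[2001:DB8::A]:443", "::ffff:10.0.0.1") would otherwise slip past a plain string comparison.

```python
"""Pre-filter for addresses to be analyzed: skip intranet addresses and known
service (business) servers before spending an intelligence lookup on them.

Added example, not code from the patent. Ranges and server list are constructed.
"""
import ipaddress

# Ranges treated as "intranet" (assumption). RFC 1918 alone is not enough:
# loopback, link-local, CGNAT (RFC 6598) and IPv6 ULA/link-local never identify
# an Internet attacker and would only waste an intelligence lookup.
INTRANET_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Service server addresses whose traffic is expected (constructed list).
SERVICE_SERVERS = {"203.0.113.10", "203.0.113.11", "2001:db8::a"}


def parse_address(addr: str):
    """Return an ip_address object, or None if the string is not a valid IP.
    Alarm fields often carry ports or brackets; normalize those first."""
    addr = addr.strip()
    if addr.startswith("["):            # "[2001:db8::1]:443" -> "2001:db8::1"
        addr = addr[1:].split("]", 1)[0]
    elif addr.count(":") == 1:          # "203.0.113.5:443" -> "203.0.113.5"
        addr = addr.split(":", 1)[0]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    # "::ffff:10.0.0.1" is an IPv4 address in IPv6 form; compare it as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_intranet(ip) -> bool:
    """True when the address falls in any intranet range (version-aware)."""
    return any(ip in net for net in INTRANET_RANGES)


def needs_intelligence_lookup(addr: str):
    """Apply the pre-checks in the order the method gives them: intranet first,
    then the service server list. Returns (lookup_needed, reason)."""
    ip = parse_address(addr)
    if ip is None:
        return False, "unparseable address"
    if is_intranet(ip):
        return False, "intranet address"
    # str(ip) is the canonical form, so "2001:DB8::A" matches "2001:db8::a".
    if str(ip) in SERVICE_SERVERS:
        return False, "business server"
    return True, "external address, not a known business server"
```

Only addresses for which `needs_intelligence_lookup` returns `True` go on to the intelligence base lookup of step S10.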
Optionally, the step of performing security analysis on the address to be analyzed according to the security intelligence information to obtain a security analysis result includes:
determining the device type corresponding to the address to be analyzed according to the security intelligence information;
matching the device type against the abnormal types in a preset abnormal type list to obtain a matching result;
determining a risk reason and a risk level according to the matching result;
and generating a security analysis result according to the risk reason and the risk level.
Optionally, before the step of determining the device type corresponding to the address to be analyzed according to the security intelligence information, the method further includes:
obtaining a preset abnormal address list;
matching the address to be analyzed against the abnormal addresses in the preset abnormal address list;
and when no abnormal address matching the address to be analyzed is found, executing the step of determining the device type corresponding to the address to be analyzed according to the security intelligence information.
Optionally, after the step of matching the address to be analyzed against the abnormal addresses in the preset abnormal address list, the method further includes:
when an abnormal address matching the address to be analyzed is found, taking the matched abnormal address as the target abnormal address;
obtaining the abnormality reason corresponding to the target abnormal address, and determining a risk reason and a risk level according to the target abnormal address and the abnormality reason;
and generating a security analysis result according to the risk reason and the risk level.
Optionally, the step of performing security analysis on the address to be analyzed according to the security intelligence information to obtain a security analysis result includes:
determining the access behavior corresponding to the address to be analyzed according to the security intelligence information;
determining the program type corresponding to the address to be analyzed according to the access behavior, and obtaining a preset security control level;
determining a risk reason and a risk level according to the preset security control level and the program type;
and generating a security analysis result according to the risk reason and the risk level.
Optionally, the step of performing security analysis on the address to be analyzed according to the security intelligence information to obtain a security analysis result includes:
determining whether the address to be analyzed exhibits malicious attack behavior features according to the security intelligence information;
when the address to be analyzed exhibits malicious attack behavior features, looking up the attack intention and risk level corresponding to those features;
determining a risk reason and a risk level according to the attack intention and the looked-up risk level;
and generating a security analysis result according to the risk reason and the risk level.
Optionally, the step of performing security analysis on the address to be analyzed according to the security intelligence information to obtain a security analysis result includes:
determining the historical access behavior corresponding to the address to be analyzed according to the security intelligence information;
determining whether the address to be analyzed is the real originating address according to the historical access behavior, and obtaining a forwarding detection result;
determining a risk reason and a risk level according to the forwarding detection result;
and generating a security analysis result according to the risk reason and the risk level.
Optionally, before the step of determining the historical access behavior corresponding to the address to be analyzed according to the security intelligence information, the method further includes:
matching the address to be analyzed against the forwarding addresses in a forwarding address list;
and when no forwarding address matching the address to be analyzed is found, executing the step of determining the historical access behavior corresponding to the address to be analyzed according to the security intelligence information.
Optionally, after the step of matching the address to be analyzed against the forwarding addresses in the forwarding address list, the method further includes:
when a forwarding address matching the address to be analyzed is found, taking the matched forwarding address as the target address;
obtaining the forwarding server information corresponding to the target address;
determining a risk reason and a risk level according to the target address and the forwarding server information;
and generating a security analysis result according to the risk reason and the risk level.
Optionally, after the step of generating an alarm event according to the address to be analyzed and the security analysis result when the address to be analyzed has a security risk, the method further includes:
determining a risk reason and a risk level according to the security analysis result;
determining a corresponding risk handling strategy according to the risk reason and the risk level;
and displaying the risk handling strategy together with the alarm event.
In addition, to achieve the above object, the present invention further provides an intelligence analysis apparatus, including:
an intelligence acquisition module, configured to obtain the security intelligence information corresponding to an address to be analyzed;
a security analysis module, configured to perform security analysis on the address to be analyzed according to the security intelligence information to obtain a security analysis result;
a risk judgment module, configured to determine whether the address to be analyzed has a security risk according to the security analysis result;
and an event generation module, configured to generate an alarm event according to the address to be analyzed and the security analysis result when the address to be analyzed has a security risk.
Optionally, the intelligence acquisition module is further configured to detect whether the address to be analyzed is an intranet address when the address is obtained, and to obtain the security intelligence information corresponding to the address only when it is not an intranet address.
Optionally, the intelligence acquisition module is further configured to obtain a list of service server addresses when the address to be analyzed is not an intranet address; to match the address to be analyzed against the service server addresses in that list; and, when no matching service server address is found, to obtain the security intelligence information corresponding to the address to be analyzed.
Optionally, the security analysis module is further configured to determine the device type corresponding to the address to be analyzed according to the security intelligence information; to match the device type against the abnormal types in a preset abnormal type list to obtain a matching result; to determine a risk reason and a risk level according to the matching result; and to generate a security analysis result according to the risk reason and the risk level.
Optionally, the security analysis module is further configured to obtain a preset abnormal address list; to match the address to be analyzed against the abnormal addresses in that list; and, when no matching abnormal address is found, to determine the device type corresponding to the address to be analyzed according to the security intelligence information.
Optionally, the security analysis module is further configured, when an abnormal address matching the address to be analyzed is found, to take the matched abnormal address as the target abnormal address; to obtain the abnormality reason corresponding to the target abnormal address and determine a risk reason and a risk level according to the target abnormal address and the abnormality reason; and to generate a security analysis result according to the risk reason and the risk level.
Further, to achieve the above object, the present invention also provides an intelligence analysis device including a processor, a memory, and an intelligence analysis program stored in the memory and able to run on the processor, wherein the intelligence analysis program, when executed by the processor, carries out the steps of the intelligence analysis method.
In addition, to achieve the above object, the present invention further provides a computer-readable storage medium storing an intelligence analysis program which, when executed, carries out the steps of the intelligence analysis method.
The invention obtains the security intelligence information corresponding to the address to be analyzed; performs security analysis on the address according to that intelligence to obtain a security analysis result; determines from the result whether the address has a security risk; and, when it does, generates an alarm event from the address and the analysis result. Because the intelligence is fetched automatically as soon as the address is obtained, the risk decision is made from it and an alarm event is raised only when a risk exists, security operators need only attend to the alarm events; their workload is greatly reduced and they can handle the complex, intertwined mass of attack alarms more easily.
Drawings
Fig. 1 is a schematic structural diagram of an electronic device in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flow chart of a first embodiment of the intelligence analysis method according to the present invention;
FIG. 3 is a flow chart of a second embodiment of the intelligence analysis method according to the present invention;
FIG. 4 is a flow chart of a third embodiment of the intelligence analysis method according to the present invention;
FIG. 5 is a block diagram of a first embodiment of the intelligence analysis apparatus according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of the intelligence analysis device in its hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the electronic device may include a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 connects these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (for example a Wi-Fi interface). The memory 1005 may be Random Access Memory (RAM) or Non-Volatile Memory (NVM) such as disk storage, and may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in fig. 1 does not limit the electronic device, which may include more or fewer components than shown, combine some components, or arrange them differently.
As shown in fig. 1, the memory 1005, as a storage medium, may hold an operating system, a network communication module, a user interface module and an intelligence analysis program.
In the electronic device shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server and the user interface 1003 for interaction with a user. The processor 1001 and memory 1005 of the electronic device of the present invention may be provided in the intelligence analysis device; the electronic device calls the intelligence analysis program stored in memory 1005 through processor 1001 and executes the intelligence analysis method provided by the embodiment of the present invention.
An embodiment of the present invention provides an intelligence analysis method, and referring to fig. 2, fig. 2 is a flowchart illustrating a first embodiment of the intelligence analysis method according to the present invention.
In this embodiment, the intelligence analysis method includes the following steps:
Step S10: obtaining the security intelligence information corresponding to the address to be analyzed.
It should be noted that the executing subject of this embodiment may be the intelligence analysis device, which may be an electronic device such as a personal computer or a server, or another device able to realize the same or similar functions.
The address to be analyzed may be an IP (Internet Protocol) address that needs security analysis. It may be entered manually by a user in an address input interface provided by the intelligence analysis device, or it may be extracted by parsing a received attack alarm. The security intelligence information may include the geographic location, device type, network type, attack behavior signature, behavior attributes, risk level and blocking impact. Obtaining the security intelligence information for the address may mean looking it up in a security intelligence base, preset by an administrator of the intelligence analysis device, in which the security intelligence corresponding to each IP address is stored.
Step S20: performing security analysis on the address to be analyzed according to the security intelligence information to obtain a security analysis result.
It should be noted that the security analysis result may include a risk level and a risk reason. The risk level may be divided into several levels as needed, for example low, medium, high and critical; the risk reason is the basis on which the risk was determined. The security analysis may include at least one of abnormal-IP analysis, false-alarm analysis, risk analysis and trace (forwarding) analysis.
In a specific implementation, to quickly determine whether the address to be analyzed is a forged IP address, abnormal-IP analysis may be performed on it, and step S20 of this embodiment may include:
determining the device type corresponding to the address to be analyzed according to the security intelligence information; matching the device type against the abnormal types in a preset abnormal type list to obtain a matching result; determining a risk reason and a risk level according to the matching result; and generating a security analysis result according to the risk reason and the risk level.
It should be noted that the IP addresses of some device types should, in theory, never appear as the source of network traffic. Base station equipment and CDN (Content Delivery Network) nodes, for example, do not actively initiate access to the outside, so their IP addresses should not appear as traffic sources.
In practice, determining the device type corresponding to the address to be analyzed according to the security intelligence information may simply mean extracting the device type recorded in that intelligence once it has been obtained. The preset abnormal type list may be set in advance by an administrator of the intelligence analysis device and contains the device types of devices that should not appear in network traffic.
The device type corresponding to the address to be analyzed is matched against the abnormal types in the preset abnormal type list. If the match succeeds, the address should not appear in network traffic and may be a forged IP address; the successfully matched abnormal type is taken from the matching result, a risk reason is generated from it, the risk level corresponding to a forged IP address is obtained, and the security analysis result is generated from the risk reason and risk level. If the match fails, this analysis cannot decide whether the address is forged, so the risk reason and risk level may be set to null and a security analysis result generated with those null values.
Further, to save analysis time, before the step of determining the device type corresponding to the address to be analyzed according to the security intelligence information, the method may further include:
obtaining a preset abnormal address list; and matching the address to be analyzed against the abnormal addresses in the preset abnormal address list.
It should be noted that if the device type had to be determined from the security intelligence information every time, and the forged-IP decision then made from the device type, several analysis and matching steps would be needed for every address. With a very large data volume this costs much performance and time and does not suit large-scale processing. Therefore, once an IP address has been determined to be forged, it may be added to the preset abnormal address list. Before the device type is determined from the security intelligence information, the address to be analyzed is matched against the abnormal addresses in that list; only when no abnormal address matches is the device type determined from the security intelligence information and the subsequent analysis carried out. This saves analysis time and avoids unnecessary performance consumption. The preset abnormal address list may be created in advance by an administrator of the intelligence analysis device, who may add or remove the abnormal addresses recorded in it as needed.
If an abnormal address matching the address to be analyzed is found, the address to be analyzed can be determined directly to be a forged IP address and a security analysis result generated without further analysis. Therefore, after the step of matching the address to be analyzed against the abnormal addresses in the preset abnormal address list, the method may further include:
when an abnormal address matching the address to be analyzed is found, taking the matched abnormal address as the target abnormal address; obtaining the abnormality reason corresponding to the target abnormal address, and determining a risk reason and a risk level according to the target abnormal address and the abnormality reason; and generating a security analysis result according to the risk reason and the risk level.
When an IP address is added to the preset abnormal address list, the reason it was determined to be abnormal may be recorded with it. Obtaining the abnormality reason for the target abnormal address then means reading the reason for which that address was determined to be abnormal. Determining the risk reason and risk level from the target abnormal address and the abnormality reason may mean obtaining the risk level corresponding to a forged IP address and generating the risk reason from the matched target abnormal address and its recorded abnormality reason.
In a specific implementation, to quickly single out attack alarms caused by low-risk programs such as automated crawlers and asset mapping programs, false-alarm analysis may be performed on the address to be analyzed, and step S20 of this embodiment may include:
determining the access behavior corresponding to the address to be analyzed according to the security intelligence information; determining the program type corresponding to the address to be analyzed according to the access behavior, and obtaining a preset security control level; determining a risk reason and a risk level according to the preset security control level and the program type; and generating a security analysis result according to the risk reason and the risk level.
It should be noted that the program types may include automated crawlers, asset mapping programs and the like. In daily security operations or live-network attack and defense exercises, automated crawlers, asset mapping programs and similar programs are generally judged to be attack behavior and produce a corresponding attack alarm, but such programs usually pose little threat and may need no handling at all; they therefore have to be identified and marked among the attack alarms.
In practice, determining the access behavior corresponding to the address to be analyzed according to the security intelligence information may mean determining the external access requests made by the address from its security intelligence, and characterizing the access behavior by the request times and access targets of those requests. Determining the program type from the access behavior may mean matching the access behavior against the behavior features of each program type. For example, if the address to be analyzed periodically accesses the same target, its behavior matches the behavior features of an automated crawler, so the program type corresponding to the address may be judged to be an automated crawler. The preset security control level may be set in advance by an administrator of the intelligence analysis device and contains the risk level corresponding to each program type. Determining the risk reason and risk level from the security control level and the program type may mean looking up the risk level for the program type of the address to be analyzed in the preset security control levels and generating the risk reason from the program type.
In a specific implementation, in order to quickly determine whether the address to be analyzed has a corresponding malicious attack behavior, risk analysis may be performed on the address to be analyzed, and step S20 in this embodiment may include:
determining whether the address to be analyzed has malicious attack behavior characteristics or not according to the safety information; when the address to be analyzed has malicious attack behavior characteristics, searching an attack intention and a risk level corresponding to the malicious attack behavior characteristics; determining a risk reason and a risk level according to the attack intention and the risk level; and generating a security analysis result according to the risk reason and the risk level.
It should be noted that the attack behaviour characteristics corresponding to the address to be analyzed are recorded in the security intelligence information, so they can be determined from the security intelligence information corresponding to the address to be analyzed. These characteristics are matched against the attack characteristics of each malicious attack behaviour in the malicious attack feature library; when a match succeeds, the address to be analyzed is judged to have malicious attack behaviour characteristics, the matched malicious attack behaviour is taken as the target malicious attack behaviour, and the attack intention and risk level of the target malicious attack behaviour are looked up in the malicious attack feature library. The malicious attack feature library can be preset by a manager of the intelligence analysis device. Determining the risk reason and the risk level according to the attack intention and the risk level may be using the looked-up risk level directly as the risk level and the attack intention as the risk reason.
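The two analysis routes just described, program-type matching from access behaviour and malicious-feature matching against a feature library, share the same shape: derive features of the address from its security intelligence information, match them against a preset table, and fill in the risk reason and risk level of the security analysis result. The following is an added example of that shape, written for this page and not code from the patent; the access records, the program-type behaviour profiles, the feature signatures, the level tables and the rule that a feature-library hit outranks a program-type match are all constructed assumptions.

```python
"""Added example (not the patent's code): derive an access-behaviour profile for an
address from constructed security-intelligence records, match it against behaviour
characteristics of known program types and against a small malicious-attack feature
library, and produce the risk reason and risk level of the security analysis result.
Records, program-type profiles, feature signatures and level tables are all constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import pstdev
from typing import Optional


@dataclass
class SecurityResult:
    risk_reason: Optional[str] = None   # stays empty when nothing matched
    risk_level: Optional[str] = None


@dataclass
class Request:
    time: datetime
    target: str                                  # access target (path, host or port)
    features: set = field(default_factory=set)   # attack features tagged by the sensors


T0 = datetime(2021, 8, 1, 0, 0, 0)
# Constructed "security intelligence information": external access requests per address.
INTEL = {
    # twelve requests, one every ten minutes, always the same target
    "203.0.113.10": [Request(T0 + timedelta(minutes=10 * i), "/robots.txt") for i in range(12)],
    # thirty requests at irregular intervals to thirty different hosts/ports
    "203.0.113.20": [Request(T0 + timedelta(seconds=i * i), f"host-{i}:{8000 + i}") for i in range(30)],
    # three requests, one of them carrying a malicious feature tag from the sensor
    "203.0.113.30": [Request(T0, "/login"),
                     Request(T0 + timedelta(seconds=3), "/login", {"sqli_signature"}),
                     Request(T0 + timedelta(seconds=9), "/")],
    # two ordinary requests
    "203.0.113.40": [Request(T0, "/"), Request(T0 + timedelta(seconds=30), "/index.html")],
}

# Behaviour characteristics per program type (constructed), evaluated on the profile below.
PROGRAM_TYPES = {
    "automatic access crawler": lambda b: b["periodic"] and b["distinct_targets"] == 1,
    "asset mapping program": lambda b: b["distinct_targets"] >= 20 and not b["periodic"],
}
# Preset security prevention and control level: risk level per program type (constructed).
PREVENTION_CONTROL_LEVELS = {"automatic access crawler": "low", "asset mapping program": "low"}
# Malicious attack feature library: feature -> (attack intention, risk level) (constructed).
MALICIOUS_FEATURES = {
    "sqli_signature": ("database data theft", "high"),
    "webshell_upload_signature": ("server takeover", "high"),
    "credential_stuffing_signature": ("account takeover", "medium"),
}
LEVEL_RANK = {"low": 1, "medium": 2, "high": 3}


def access_behavior(requests):
    """Summarise an address's requests: count, distinct targets, periodicity, feature tags.
    Timing counts as periodic when the spread of inter-request gaps is within 10 % of the mean."""
    times = sorted(r.time for r in requests)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    periodic = len(gaps) >= 3 and pstdev(gaps) <= 0.1 * (sum(gaps) / len(gaps))
    return {
        "requests": len(requests),
        "distinct_targets": len({r.target for r in requests}),
        "periodic": periodic,
        "features": set().union(*(r.features for r in requests)),
    }


def analyze_address(address, intel=INTEL):
    """Return the security analysis result (risk reason and level) for one address.
    Design choice here (assumption): a malicious-feature hit outranks a program-type match."""
    behavior = access_behavior(intel.get(address, []))
    hits = [MALICIOUS_FEATURES[f] for f in behavior["features"] if f in MALICIOUS_FEATURES]
    if hits:
        intention, level = max(hits, key=lambda h: LEVEL_RANK[h[1]])
        return SecurityResult(f"malicious attack behaviour: {intention}", level)
    for program_type, matches in PROGRAM_TYPES.items():
        if matches(behavior):
            return SecurityResult(f"program type: {program_type}", PREVENTION_CONTROL_LEVELS[program_type])
    return SecurityResult()


if __name__ == "__main__":
    for addr in INTEL:
        print(addr, analyze_address(addr))
```

The periodicity test is deliberately crude (coefficient of variation of the inter-request gaps); a production feature library would carry many more characteristics per program type, but the lookup structure of program type to risk level, and of feature to attack intention and level, is what the patent's steps describe.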
In a specific implementation, in order to quickly distinguish whether the attack alarm is triggered by the proxy IP address and perform the track analysis on the address to be analyzed, step S20 in this embodiment may include:
determining historical access behaviors corresponding to the address to be analyzed according to the safety information; determining whether the address to be analyzed is a real network address according to the historical access behavior, and obtaining a forwarding detection result; determining a risk reason and a risk level according to the forwarding detection result; and generating a security analysis result according to the risk reason and the risk level.
It should be noted that the forwarding detection result may include a determination result and a determination reason, where the determination result is whether the address to be analyzed is a real network address, and the determination reason is the basis on which that was decided. Determining the historical access behaviour corresponding to the address to be analyzed according to the security intelligence information may be determining the historical access parameters, historical access time and historical access service type of the address to be analyzed from the security intelligence information. Determining whether the address to be analyzed is a real network address according to the historical access behaviour may be determining, from the historical access parameters in the historical access behaviour, whether the address to be analyzed is accessed in a proxy mode such as a Tor (The Onion Router) proxy or an open proxy: when the address is accessed in a proxy mode, it may be determined not to be a real network address, and when it is not accessed in a proxy mode, it may be determined to be a real network address.
Alternatively, whether the address to be analyzed is a real network address may be determined from the historical access time and the historical access service in the historical access behaviour, so that the address is judged to be a real network address or a proxy network address from the combination of access time and access service, thereby obtaining the forwarding detection result, for example: if the access services of the address to be analyzed at the same moment are video playing and a game, the address to be analyzed can be judged to be a proxy network address.
In actual use, determining the risk reason and the risk level according to the forwarding detection result may be obtaining the determination result and determination reason from the forwarding detection result; when the determination result is that the address to be analyzed is not a real network address, obtaining the risk level corresponding to access in a proxy mode and generating the risk reason from the determination result and the determination reason; and when the determination result is that the address to be analyzed is a real network address, emptying the risk level and the risk reason.
Further, in order to reduce analysis time and save analysis resources, before the step of determining the historical access behavior corresponding to the address to be analyzed according to the security intelligence information, the method may further include:
and matching the address to be analyzed with the forwarding address in the forwarding address list.
It should be noted that the forwarding address list may be set in advance by an administrator of the intelligence analysis device and may store the forwarding addresses of the respective proxy servers, that is, the IP addresses of the proxy servers.
In practical use, when no forwarding address corresponding to the address to be analyzed is matched, the matching result cannot tell whether the address to be analyzed is a real network address, so a subsequent analysis step is required: the step of determining the historical access behaviour corresponding to the address to be analyzed according to the security intelligence information can be executed to continue the analysis.
In practical use, when a forwarding address corresponding to the address to be analyzed is matched, the address to be analyzed can be judged directly from the matching result not to be a real network address, so no subsequent analysis is needed and the following steps can be executed directly:
when a forwarding address corresponding to the address to be analyzed is matched, using the matched forwarding address as a target address; acquiring the forwarding server information corresponding to the target address; determining a risk reason and a risk level according to the target address and the forwarding server information; and generating a security analysis result according to the risk reason and the risk level.
It can be understood that when a forwarding address is added to the forwarding address list, the forwarding server information corresponding to it may be added together with it, so that when a forwarding address corresponding to the address to be analyzed is matched, the matched forwarding address may be used as the target address and the forwarding server information stored alongside it in the forwarding address list may be acquired. Determining the risk reason and the risk level according to the target address and the forwarding server information may be acquiring the risk level corresponding to access in a proxy mode and generating the risk reason from the target address and the forwarding server information.
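The forwarding check described above has two stages: a list lookup that short-circuits the analysis when the address is a known proxy server, and otherwise an examination of the historical access behaviour for proxy-mode access parameters or for services that one real client could not be using at the same moment. Below is an added example of both stages, written for this page rather than taken from the patent; the forwarding address list, the parameter names treated as proxy indicators, the service names and the risk level are constructed assumptions.

```python
"""Added example (not the patent's code): forwarding (proxy) detection for an address
to be analysed. The forwarding address list is checked first, as the short cut the
patent describes; otherwise the historical access behaviour is examined for proxy-mode
access parameters and for services that a single real client could not be using at
the same time. Lists, parameter names, service names and the risk level are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class ForwardingDetection:
    is_real_address: bool   # determination result
    reason: str             # determination reason


@dataclass
class SecurityResult:
    risk_reason: Optional[str] = None
    risk_level: Optional[str] = None


# Forwarding address list (constructed): proxy server IP -> forwarding server information.
FORWARDING_ADDRESSES = {
    "198.51.100.7": {"kind": "open proxy", "operator": "example proxy pool"},
}
PROXY_MODE_LEVEL = "medium"   # constructed risk level for "accessed in proxy mode"
# Access parameters taken as proxy-mode indicators (constructed; a real deployment would
# use whatever its sensors record for Tor exits and open proxies).
PROXY_PARAMETERS = {"via", "x-forwarded-for", "proxy-connection"}
# Service combinations one real client cannot use simultaneously (constructed, after the patent's example).
CONFLICTING_SERVICES = [{"video playing", "game"}]

T = datetime(2021, 8, 1, 9, 0)
# Historical access behaviour (constructed): (access time, access parameters, access service type).
HISTORY = {
    "203.0.113.50": [(T, {"X-Forwarded-For": "10.0.0.5"}, "web")],
    "203.0.113.60": [(T, {}, "video playing"), (T, {}, "game")],
    "203.0.113.70": [(T, {}, "web"), (T.replace(minute=5), {}, "web")],
}


def detect_forwarding(address, history=HISTORY):
    """Decide from historical access behaviour whether the address is a real network address."""
    records = history.get(address, [])
    # Stage 1 of the history check: proxy-mode access parameters.
    for _, params, _ in records:
        found = PROXY_PARAMETERS & {k.lower() for k in params}
        if found:
            return ForwardingDetection(False, f"proxy-mode access parameter {sorted(found)[0]}")
    # Stage 2: services used at the same moment that one real client could not combine.
    services_at = {}
    for t, _, service in records:
        services_at.setdefault(t, set()).add(service)
    for t, services in sorted(services_at.items()):
        for conflict in CONFLICTING_SERVICES:
            if conflict <= services:
                return ForwardingDetection(False, f"conflicting services at {t.isoformat()}: "
                                                  + ", ".join(sorted(conflict)))
    return ForwardingDetection(True, "no proxy-mode parameters and no conflicting concurrent services")


def analyze_forwarding(address):
    """Security analysis result of the forwarding check: list hit, then history, else empty."""
    if address in FORWARDING_ADDRESSES:            # short cut: no history analysis needed
        info = FORWARDING_ADDRESSES[address]
        return SecurityResult(f"forwarding address {address} ({info['kind']}, {info['operator']})",
                              PROXY_MODE_LEVEL)
    detection = detect_forwarding(address)
    if detection.is_real_address:
        return SecurityResult()                    # real address: level and reason are emptied
    return SecurityResult(f"not a real network address: {detection.reason}", PROXY_MODE_LEVEL)


if __name__ == "__main__":
    for addr in ["198.51.100.7", *HISTORY]:
        print(addr, analyze_forwarding(addr))
```

An address with no history at all is treated here as a real network address, which matches the patent's rule that the level and reason are emptied when nothing points to proxy access; a deployment that prefers to flag unknown addresses would return a distinct determination reason for that case.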
Step S30: determining whether the address to be analyzed has a security risk according to the security analysis result.
It should be noted that, if the address to be analyzed has a security risk, the risk level and the risk reason in the security analysis result are not null; if it has no security risk, the risk level and the risk reason in the security analysis result may be null. Therefore, determining whether the address to be analyzed has a security risk according to the security analysis result may be determining whether the risk level and the risk reason in the security analysis result are null.
In actual use, some exceptions of low risk level may not need handling, depending on the settings of the actual scenario, for example: search engine crawlers, internet asset mapping and the like are exceptions, but they do not affect the actual business, so no handling is needed. In this case, determining whether the address to be analyzed has a security risk according to the security analysis result may be acquiring the risk level from the security analysis result, comparing it with a preset prevention and control level when it is not empty, and determining that the address to be analyzed has a security risk when the risk level is higher than the preset prevention and control level. The preset prevention and control level can be set in advance by a manager of the intelligence analysis device according to actual needs.
Step S40: when the address to be analyzed has a security risk, generating an alarm event according to the address to be analyzed and the security analysis result.
It can be understood that if the address to be analyzed is determined to have a security risk, it needs further analysis; at this time an alarm event may be generated from the address to be analyzed and the security analysis result and pushed to the security operator, who can then carry out further investigation.
This embodiment obtains the security intelligence information corresponding to the address to be analyzed; performs security analysis on the address to be analyzed according to that information to obtain a security analysis result; determines whether the address to be analyzed has a security risk according to the security analysis result; and, when it does, generates an alarm event from the address to be analyzed and the security analysis result. Because the security intelligence information corresponding to the address to be analyzed can be acquired automatically as soon as the address is acquired, whether the address has a security risk is determined from that information, and an alarm event is generated only when a risk exists, security operators need only attend to the alarm events; their workload can be greatly reduced, and complex, overlapping attack alarms become easier for them to handle.
Referring to fig. 3, fig. 3 is a flow chart of a second embodiment of an intelligence analysis method according to the present invention.
Based on the first embodiment, the method for analyzing intelligence in this embodiment further includes, before the step S10:
Step S01: when the address to be analyzed is obtained, detecting whether the address to be analyzed is an intranet address.
It should be noted that detecting whether the address to be analyzed is an intranet address may be determining whether the address to be analyzed is an IP address of an intranet server. An intranet server has two kinds of IP address, an intranet IP and an extranet IP: the intranet IP is the address the intranet server uses for communication inside the intranet, and the extranet IP is the address it uses for communication with the outside.
In actual use, detecting whether the address to be analyzed is an intranet address may be comparing the address to be analyzed with the IP addresses of the intranet servers; when an intranet server has an IP address identical to the address to be analyzed, the address to be analyzed may be determined to be an intranet address, and otherwise it may be determined not to be an intranet address.
Step S02: when the address to be analyzed is not an intranet address, executing the step of acquiring the security intelligence information corresponding to the address to be analyzed.
It should be noted that, if the address to be analyzed is an intranet address, the address that needs security analysis may belong to an intranet server. If the attacking IP address recorded in an attack alarm is the IP address of an intranet server, the attack may have been launched from inside the intranet, using an intranet IP, by an external attacker who has already penetrated it. The situation is then complicated and needs manual handling, so the address to be analyzed may be pushed directly to a security operator for manual analysis.
It can be understood that if the address to be analyzed is not an intranet address, the attack comes from outside, and the intelligence analysis device can determine whether the address to be analyzed involves a false alarm or similar phenomenon, analyzing and screening the address so as to save the security operator's effort.
Further, in practice an enterprise may deploy multiple intranets or, according to actual needs, cooperate with other enterprises, so that a service server interacts with an external service server. The external service server it interacts with may itself be attacked, and an attacker may use that server to launch attacks. Although this situation is serious, network blocking or similar means cannot be applied to it directly without affecting the company's services. In this embodiment, step S02 may therefore specifically include:
when the address to be analyzed is not an intranet address, acquiring a service server address list; matching the address to be analyzed with the service server addresses in the service server address list; and when no service server address corresponding to the address to be analyzed is matched, executing the step of acquiring the security intelligence information corresponding to the address to be analyzed.
It should be noted that the service server address list is preset by the administrator of the intelligence analysis device and may include the IP addresses of service servers with which communication interaction is required, for example: the IP address of a partner's service server.
It can be understood that, if a service server address corresponding to the address to be analyzed is matched in the service server address list, the address to be analyzed may be the IP address of a partner's service server or of a service server in another server cluster inside the enterprise; at this time the address to be analyzed may be pushed directly to the security operator for manual troubleshooting. If no service server address corresponding to the address to be analyzed is matched, the address to be analyzed is neither the IP address of a partner's service server nor that of a service server in another server cluster inside the enterprise, and the step of acquiring the security intelligence information corresponding to the address to be analyzed can be executed for subsequent analysis.
In this embodiment, when the address to be analyzed is obtained, whether it is an intranet address is detected, and when it is not an intranet address, the step of acquiring the security intelligence information corresponding to it is executed. The address to be analyzed is thus classified as soon as it is acquired: if it is an intranet address, the security operator is notified to perform manual analysis, and if it is not, subsequent automatic analysis is performed. This reduces the workload of the security operator, adapts to complex practical application scenarios, and avoids missed reports.
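The pre-check of this embodiment is a routing decision: an address that is the intranet IP or extranet IP of an intranet server, or that appears in the service server address list, goes to a security operator for manual analysis, and only other addresses continue to step S10. The following is an added example of that decision, written for this page and not the patent's code; the intranet server inventory and the service server address list are constructed assumptions, and the list is allowed to hold CIDR ranges as well as single addresses, which goes slightly beyond the patent's plain address list.

```python
"""Added example (not the patent's code): the intranet / service-server pre-check of the
second embodiment. The intranet server inventory and the service server address list are
constructed; entries of the list may be single IPs or CIDR ranges (an extension of the
patent's plain list)."""
import ipaddress

# Constructed inventory of intranet servers: each has an intranet IP and (optionally) an extranet IP.
INTRANET_SERVERS = {
    "app-01": {"intranet_ip": "10.10.1.21", "extranet_ip": "203.0.113.21"},
    "db-01": {"intranet_ip": "10.10.2.5", "extranet_ip": None},
}
# Constructed service server address list: partner service servers and other internal clusters.
SERVICE_SERVERS = {
    "198.51.100.40": "partner payment gateway",
    "10.20.0.0/24": "finance cluster (other intranet)",
}


def is_intranet_address(address):
    """Return the intranet server whose intranet or extranet IP equals the address, else None."""
    ip = ipaddress.ip_address(address)
    for name, server in INTRANET_SERVERS.items():
        for key in ("intranet_ip", "extranet_ip"):
            if server[key] is not None and ipaddress.ip_address(server[key]) == ip:
                return name
    return None


def match_service_server(address):
    """Return the description of the matching service server list entry, else None."""
    ip = ipaddress.ip_address(address)
    for entry, description in SERVICE_SERVERS.items():
        if ip in ipaddress.ip_network(entry, strict=False):   # a bare IP is a /32 network
            return description
    return None


def route_address(address):
    """Return ('manual', reason) when a security operator must analyse the address by hand,
    or ('analyze', reason) when step S10 (acquire security intelligence) may proceed."""
    try:
        ipaddress.ip_address(address)
    except ValueError:
        # Not an IP at all: the patent does not cover this, so hand it to a person (assumption).
        return ("manual", f"not a valid IP address: {address!r}")
    server = is_intranet_address(address)
    if server is not None:
        return ("manual", f"intranet address of server {server}: possible attack from inside the intranet")
    service = match_service_server(address)
    if service is not None:
        return ("manual", f"service server address ({service}): blocking could affect business")
    return ("analyze", "external address, not a service server: acquire security intelligence information")


if __name__ == "__main__":
    for addr in ["10.10.1.21", "203.0.113.21", "10.20.0.9", "198.51.100.40", "203.0.113.99", "bad"]:
        print(addr, route_address(addr))
```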
Referring to fig. 3, fig. 3 is a flow chart of a third embodiment of an intelligence analysis method according to the present invention.
Based on the first embodiment, the intelligence analysis method in this embodiment further includes, after step S40:
Step S50: determining a risk reason and a risk level according to the security analysis result.
It should be noted that the security analysis result includes a risk reason and a risk level, so determining them according to the security analysis result may be parsing the security analysis result and extracting those two fields from it.
Step S60: determining a corresponding risk handling strategy according to the risk reason and the risk level.
It should be noted that the risk reason may include a risk determination keyword, and determining the corresponding risk handling strategy according to the risk reason and the risk level may be extracting the risk determination keyword from the risk reason and looking up the corresponding risk handling strategy in the risk handling strategy library according to the keyword and the risk level. The risk handling strategy library may store the correspondence between risk handling strategies and pairs of risk determination keyword and risk level, and that correspondence may be preset by a manager of the intelligence analysis device.
Step S70: displaying the risk handling strategy and the alarm event.
It should be noted that displaying the risk handling strategy and the alarm event may be sending them to a display device of the intelligence analysis device for display, or pushing them to a security operator's terminal for display; this embodiment does not limit the choice.
It can be understood that, with the risk handling strategy and the alarm event displayed, the security operator can quickly read the security analysis result corresponding to the address to be analyzed from the alarm event, obtain the risk reason and risk level from it, and determine the exception category from the risk reason, thereby deciding whether immediate handling is required; when it is, the handling can follow the risk handling strategy, so the workload of the security operator is greatly reduced.
This embodiment determines a risk reason and a risk level according to the security analysis result; determines a corresponding risk handling strategy according to the risk reason and the risk level; and displays the risk handling strategy together with the alarm event. Because, after the alarm event is generated, the risk reason and risk level are taken from the security analysis result recorded in it, the corresponding risk handling strategy is determined from them, and strategy and alarm event are displayed together, the security operator can quickly determine the exception category and consult the risk handling strategy when handling is needed, further reducing the security operator's workload.
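Steps S30 and S40 of the first embodiment and steps S50 to S70 of this embodiment form one pipeline from a security analysis result to a displayed alarm: judge the risk level against the preset prevention and control level, generate the alarm event, extract the risk determination keyword from the risk reason, and look up the handling strategy by keyword and level. Below is an added example of that pipeline, written for this page and not the patent's code; the level ordering, the keyword set and the strategy library are constructed assumptions.

```python
"""Added example (not the patent's code): steps S30/S40 (risk judgement, alarm event) and
S50-S70 (risk reason/level, handling strategy lookup, display). The level ordering, the
preset prevention and control level, the keyword set and the strategy library are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class SecurityResult:
    risk_reason: Optional[str] = None
    risk_level: Optional[str] = None


LEVEL_RANK = {"low": 1, "medium": 2, "high": 3}
PRESET_PREVENTION_CONTROL_LEVEL = "low"   # constructed: risks at or below this level are not handled

# Constructed risk determination keywords, searched for in the risk reason in this order.
KEYWORDS = ("malicious", "proxy", "asset mapping", "crawler")
# Constructed risk handling strategy library keyed by (risk determination keyword, risk level).
STRATEGY_LIBRARY = {
    ("malicious", "high"): "Block the address at the perimeter and open an incident ticket",
    ("proxy", "medium"): "Rate-limit the address and record the forwarding server operator",
    ("asset mapping", "medium"): "Confirm no sensitive services are exposed; monitor the address",
    ("crawler", "medium"): "Apply crawl restrictions and monitor the address",
}
FALLBACK_STRATEGY = "No matching strategy: escalate to a security operator"


def has_security_risk(result, preset=PRESET_PREVENTION_CONTROL_LEVEL):
    """Step S30: no risk when reason or level is empty; otherwise a risk only when the
    level is strictly higher than the preset prevention and control level."""
    if result.risk_level is None or result.risk_reason is None:
        return False
    return LEVEL_RANK[result.risk_level] > LEVEL_RANK[preset]


def generate_alarm_event(address, result, now=None):
    """Step S40: build the alarm event from the address and the security analysis result,
    or return None when the address has no security risk."""
    if not has_security_risk(result):
        return None
    generated_at = now if now is not None else datetime.now(timezone.utc)
    return {"address": address, "risk_reason": result.risk_reason,
            "risk_level": result.risk_level, "generated_at": generated_at.isoformat()}


def extract_keyword(risk_reason):
    """Step S60, first half: the risk determination keyword embedded in the risk reason."""
    lowered = risk_reason.lower()
    for keyword in KEYWORDS:
        if keyword in lowered:
            return keyword
    return None


def risk_handling_strategy(event):
    """Steps S50-S60: reason and level come from the analysis result carried by the event;
    the strategy is looked up by (keyword, level) in the library."""
    keyword = extract_keyword(event["risk_reason"])
    return STRATEGY_LIBRARY.get((keyword, event["risk_level"]), FALLBACK_STRATEGY)


def display(event):
    """Step S70: one text block with the alarm event and its strategy for the operator console."""
    return (f"[{event['risk_level'].upper()}] {event['address']}: {event['risk_reason']}\n"
            f"  handling strategy: {risk_handling_strategy(event)}")


if __name__ == "__main__":
    sample = SecurityResult("not a real network address: proxy-mode access parameter via", "medium")
    event = generate_alarm_event("198.51.100.7", sample)
    print(display(event) if event else "no alarm")
```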
In addition, an embodiment of the present invention further provides a storage medium, where the storage medium stores an intelligence analysis program, and the intelligence analysis program, when executed by a processor, implements the steps of the intelligence analysis method as described above.
Referring to fig. 5, fig. 5 is a block diagram of the first embodiment of the information analysis apparatus of the present invention.
As shown in fig. 5, the intelligence analysis apparatus according to the embodiment of the present invention includes:
the information acquisition module 10 is used for acquiring the safety information corresponding to the address to be analyzed;
the safety analysis module 20 is used for carrying out safety analysis on the address to be analyzed according to the safety information to obtain a safety analysis result;
a risk judgment module 30, configured to determine whether a security risk exists in the address to be analyzed according to the security analysis result;
and the event generating module 40 is configured to generate an alarm event according to the address to be analyzed and the security analysis result when the address to be analyzed has a security risk.
This embodiment obtains the security intelligence information corresponding to the address to be analyzed; performs security analysis on the address to be analyzed according to that information to obtain a security analysis result; determines whether the address to be analyzed has a security risk according to the security analysis result; and, when it does, generates an alarm event from the address to be analyzed and the security analysis result. Because the security intelligence information corresponding to the address to be analyzed can be acquired automatically as soon as the address is acquired, whether the address has a security risk is determined from that information, and an alarm event is generated only when a risk exists, security operators need only attend to the alarm events; their workload can be greatly reduced, and complex, overlapping attack alarms become easier for them to handle.
Further, the information obtaining module 10 is further configured to detect whether the address to be analyzed is an intranet address when the address to be analyzed is obtained; and when the address to be analyzed is not the intranet address, acquiring safety information corresponding to the address to be analyzed.
Further, the information obtaining module 10 is further configured to obtain a service server address list when the address to be analyzed is not an intranet address; matching the address to be analyzed with the address of the service server in the address list of the service server; and when the address of the service server corresponding to the address to be analyzed is not matched, acquiring the safety information corresponding to the address to be analyzed.
Further, the security analysis module 20 is further configured to determine, according to the security intelligence information, a device type corresponding to the address to be analyzed; matching the equipment type with the abnormal type in a preset abnormal type list to obtain a matching result; determining a risk reason and a risk level according to the matching result; and generating a security analysis result according to the risk reason and the risk level.
Further, the security analysis module 20 is further configured to obtain a preset abnormal address list; matching the address to be analyzed with an abnormal address in the preset abnormal address list; and when the abnormal address corresponding to the address to be analyzed is not matched, determining the equipment type corresponding to the address to be analyzed according to the safety information.
Further, the security analysis module 20 is further configured to, when an exception address corresponding to the address to be analyzed is matched, use the matched exception address as a target exception address; acquiring an abnormal reason corresponding to the target abnormal address, and determining a risk reason and a risk level according to the target abnormal address and the abnormal reason; and generating a security analysis result according to the risk reason and the risk level.
Further, the security analysis module 20 is further configured to determine an access behavior corresponding to the address to be analyzed according to the security intelligence information; determining a program type corresponding to the address to be analyzed according to the access behavior, and acquiring a preset security prevention and control level; determining a risk reason and a risk level according to the preset security prevention and control level and the program type; and generating a security analysis result according to the risk reason and the risk level.
Further, the security analysis module 20 is further configured to determine whether the address to be analyzed has malicious attack behavior characteristics according to the security intelligence information; when the address to be analyzed has malicious attack behavior characteristics, searching an attack intention and a risk level corresponding to the malicious attack behavior characteristics; determining a risk reason and a risk level according to the attack intention and the risk level; and generating a security analysis result according to the risk reason and the risk level.
Further, the security analysis module 20 is further configured to determine a historical access behavior corresponding to the address to be analyzed according to the security intelligence information; determining whether the address to be analyzed is a real network address according to the historical access behavior, and obtaining a forwarding detection result; determining a risk reason and a risk level according to the forwarding detection result; and generating a security analysis result according to the risk reason and the risk level.
Further, the security analysis module 20 is further configured to match the address to be analyzed with a forwarding address in a forwarding address list; and when the forwarding address corresponding to the address to be analyzed is not matched, determining the historical access behavior corresponding to the address to be analyzed according to the safety information.
Further, the security analysis module 20 is further configured to, when a forwarding address corresponding to the address to be analyzed is matched, use the matched forwarding address as a target address; acquiring forwarding server information corresponding to the target address; determining risk reasons and risk levels according to the target address and the forwarding server information; and generating a security analysis result according to the risk reason and the risk level.
Further, the event generating module 40 is further configured to determine a risk reason and a risk level according to the security analysis result; determining a corresponding risk handling strategy according to the risk reason and the risk level; and displaying the risk handling strategy and the alarm event.
It should be understood that the above is only an example, and the technical solution of the present invention is not limited in any way, and in a specific application, a person skilled in the art may set the technical solution as needed, and the present invention is not limited thereto.
It should be noted that the above-described work flows are only exemplary, and do not limit the scope of the present invention, and in practical applications, a person skilled in the art may select some or all of them to achieve the purpose of the solution of the embodiment according to actual needs, and the present invention is not limited herein.
In addition, the technical details that are not described in detail in this embodiment can be referred to the intelligence analysis method provided by any embodiment of the present invention, and are not described herein again.
Further, it is to be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention or portions thereof that contribute to the prior art may be embodied in the form of a software product, where the computer software product is stored in a storage medium (e.g. Read Only Memory (ROM)/RAM, magnetic disk, optical disk), and includes several instructions for enabling a terminal device (e.g. a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
The invention discloses A1 and an intelligence analysis method, which comprises the following steps:
acquiring safety information corresponding to an address to be analyzed;
carrying out security analysis on the address to be analyzed according to the security information to obtain a security analysis result;
determining whether the address to be analyzed has a safety risk according to the safety analysis result;
and when the address to be analyzed has a safety risk, generating an alarm event according to the address to be analyzed and the safety analysis result.
A2, the intelligence analysis method as defined in A1, further comprising, before the step of obtaining the security intelligence information corresponding to the address to be analyzed:
when an address to be analyzed is obtained, detecting whether the address to be analyzed is an intranet address;
and when the address to be analyzed is not an intranet address, executing the step of acquiring the safety information corresponding to the address to be analyzed.
A3, the intelligence analysis method as defined in A2, wherein the step of obtaining the security intelligence information corresponding to the address to be analyzed is performed when the address to be analyzed is not an intranet address, the method comprising:
when the address to be analyzed is not an intranet address, acquiring a service server address list;
matching the address to be analyzed with the address of the service server in the address list of the service server;
and when the address of the service server corresponding to the address to be analyzed is not matched, executing the step of acquiring the safety information corresponding to the address to be analyzed.
A4, the intelligence analysis method as defined in A1, wherein the step of performing security analysis on the address to be analyzed according to the security intelligence information to obtain a security analysis result comprises:
determining the equipment type corresponding to the address to be analyzed according to the safety information;
matching the equipment type with the abnormal type in a preset abnormal type list to obtain a matching result;
determining a risk reason and a risk level according to the matching result;
and generating a security analysis result according to the risk reason and the risk level.
A5, the intelligence analysis method according to a4, further comprising, before the step of determining the device type corresponding to the address to be analyzed according to the safety intelligence information:
acquiring a preset abnormal address list;
matching the address to be analyzed with an abnormal address in the preset abnormal address list;
and when the abnormal address corresponding to the address to be analyzed is not matched, executing the step of determining the equipment type corresponding to the address to be analyzed according to the safety information.
A6, the intelligence analysis method as claimed in a5, further comprising, after the step of matching the address to be analyzed with the exception address in the preset exception address list:
when the abnormal address corresponding to the address to be analyzed is matched, the matched abnormal address is used as a target abnormal address;
acquiring an abnormal reason corresponding to the target abnormal address, and determining a risk reason and a risk level according to the target abnormal address and the abnormal reason;
and generating a security analysis result according to the risk reason and the risk level.
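The pre-filter chain of A2, A3 and A5 and the device-type analysis of A4 and A6, carried through in code as an added example; this is not code from the patent or its assignee. The intranet ranges, the service server list, the anomalous address list, the anomaly type list and the intelligence feed are constructed stand-ins, and the `stage` field, the risk-level scale ("low"/"medium"/"high") and the handling of unparsable input are assumptions of the example, since the patent fixes none of them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Intranet ranges checked before any intelligence lookup (A2). Listed explicitly rather than via
# ipaddress.is_private, because is_private also matches the RFC 5737 documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) used below as sample external addresses.
INTRANET_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # IPv4 loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 loopback, ULA, link-local
)]

# Service server address list (A3): known service hosts that are never sent to the feed. Constructed.
SERVICE_SERVERS = {"198.51.100.10", "198.51.100.11"}

# Preset anomalous address list (A5/A6): address -> (anomaly cause, risk level). Constructed.
ANOMALOUS_ADDRESSES = {
    "203.0.113.77": ("is listed as a botnet command-and-control host", "high"),
}

# Preset anomaly type list (A4): device type -> (risk cause, risk level). Constructed.
ANOMALY_TYPES = {
    "tor-exit": ("address is a Tor exit node", "high"),
    "open-proxy": ("address is an open proxy", "medium"),
    "scanner": ("address belongs to an internet-wide scanning service", "medium"),
}

# Stand-in for the security intelligence lookup of A1: address -> device type. Constructed.
INTEL_FEED = {
    "203.0.113.5": "tor-exit",
    "203.0.113.9": "residential",
    "203.0.113.77": "open-proxy",
}


@dataclass
class AnalysisResult:
    address: str
    stage: str                       # which step of the pipeline decided the outcome (assumed field)
    risk_cause: Optional[str] = None
    risk_level: Optional[str] = None

    @property
    def has_risk(self) -> bool:
        return self.risk_level is not None


def is_intranet(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTRANET_NETWORKS if net.version == ip.version)


def analyze(addr: str, feed=INTEL_FEED) -> AnalysisResult:
    """Run the pre-filters (A2, A3, A5) and then the device-type analysis (A4/A6)."""
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return AnalysisResult(addr, "invalid")          # never send unparsable input to a feed
    if is_intranet(addr):
        return AnalysisResult(addr, "skipped:intranet")
    if addr in SERVICE_SERVERS:
        return AnalysisResult(addr, "skipped:service-server")
    if addr in ANOMALOUS_ADDRESSES:                      # A6: a listed address decides directly
        cause, level = ANOMALOUS_ADDRESSES[addr]
        return AnalysisResult(addr, "anomalous-address", f"{addr} {cause}", level)
    device_type = feed.get(addr)                         # A1: security intelligence lookup
    if device_type is None:
        return AnalysisResult(addr, "no-intelligence")
    hit = ANOMALY_TYPES.get(device_type)                 # A4: device type vs anomaly type list
    if hit is None:
        return AnalysisResult(addr, "clean")
    return AnalysisResult(addr, "device-type", hit[0], hit[1])


def generate_alarm(result: AnalysisResult) -> Optional[dict]:
    """A1: emit an alarm event only when the analysis result carries a risk."""
    if not result.has_risk:
        return None
    return {"event": "alarm", "address": result.address, "stage": result.stage,
            "risk_cause": result.risk_cause, "risk_level": result.risk_level}


if __name__ == "__main__":
    for a in ("10.0.0.5", "198.51.100.10", "203.0.113.77", "203.0.113.5",
              "203.0.113.9", "192.0.2.1", "not-an-ip"):
        r = analyze(a)
        print(a, r.stage, generate_alarm(r))
```

The order of the checks matters operationally: the intranet and service server filters run before any feed query, so internal hosts and the organisation's own public addresses never leak into an external intelligence lookup, and the anomalous address list is consulted before the device-type path so a known-bad address is reported with its recorded cause rather than a generic type match.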
A7. The intelligence analysis method of A1, wherein the step of performing security analysis on the address to be analyzed according to the security intelligence to obtain a security analysis result comprises:
determining, from the security intelligence, the access behaviour corresponding to the address to be analyzed;
determining, from the access behaviour, the program type corresponding to the address to be analyzed, and acquiring a preset security protection level;
determining a risk cause and a risk level from the preset security protection level and the program type;
and generating the security analysis result from the risk cause and the risk level.
A8. The intelligence analysis method of A1, wherein the step of performing security analysis on the address to be analyzed according to the security intelligence to obtain a security analysis result comprises:
determining, from the security intelligence, whether the address to be analyzed exhibits malicious attack behaviour characteristics;
when it does, looking up the attack intention and the risk level that correspond to those malicious attack behaviour characteristics;
determining a risk cause and a risk level from the attack intention and the looked-up risk level;
and generating the security analysis result from the risk cause and the risk level.
A9. The intelligence analysis method of A1, wherein the step of performing security analysis on the address to be analyzed according to the security intelligence to obtain a security analysis result comprises:
determining, from the security intelligence, the historical access behaviour corresponding to the address to be analyzed;
determining, from the historical access behaviour, whether the address to be analyzed is a real (originating) network address rather than a forwarding address, and obtaining a forwarding detection result;
determining a risk cause and a risk level from the forwarding detection result;
and generating the security analysis result from the risk cause and the risk level.
A10. The intelligence analysis method of A9, further comprising, before the step of determining the historical access behaviour corresponding to the address to be analyzed from the security intelligence:
matching the address to be analyzed against the forwarding addresses in a forwarding address list;
and, when no forwarding address in the list matches the address to be analyzed, executing the step of determining the historical access behaviour corresponding to the address to be analyzed from the security intelligence.
A11. The intelligence analysis method of A10, further comprising, after the step of matching the address to be analyzed against the forwarding addresses in the forwarding address list:
when a forwarding address matches the address to be analyzed, taking the matched forwarding address as the target address;
acquiring the forwarding server information corresponding to the target address;
determining a risk cause and a risk level from the target address and the forwarding server information;
and generating the security analysis result from the risk cause and the risk level.
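The behaviour-derived analysis of A7 and A9 to A11, as an added example that is not the patent's own code: the program type is inferred from user-agent strings and request rate and combined with the preset protection level (A7); the forwarding check consults the forwarding address list first (A10/A11) and otherwise counts how many distinct client fingerprints appear behind one address in its access history (A9). The access records, the forwarding list entry, the protection level values "strict" and "lenient", the user-agent markers, the thresholds and the risk levels are all constructed or assumed for the example.

```python
from datetime import datetime
from typing import NamedTuple, Optional


class Access(NamedTuple):
    ts: datetime
    src: str
    ua: str
    path: str


# Forwarding address list with forwarding server information (A10/A11). Constructed entry.
FORWARDING_ADDRESSES = {
    "203.0.113.200": {"operator": "ExampleCDN", "role": "reverse proxy egress"},
}

# Assumed markers and thresholds; tune them against real traffic before relying on them.
SCANNER_MARKERS = ("sqlmap", "nikto", "masscan", "nmap", "zgrab")
CRAWLER_MARKERS = ("bot", "spider", "crawler")
DISTINCT_CLIENT_THRESHOLD = 3     # >= 3 distinct client fingerprints behind one address => forwarded
AUTOMATION_RATE_PER_MIN = 60      # sustained >= 60 requests/min from one client => automated program
LEVEL_ORDER = {None: 0, "low": 1, "medium": 2, "high": 3}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed access history for three addresses: an ordinary browser, a scanner, and a shared egress.
HISTORY = [
    Access(_t("2021-08-17T10:00:00"), "203.0.113.40", "Mozilla/5.0 (Windows NT 10.0) Chrome/92", "/login"),
    Access(_t("2021-08-17T10:00:07"), "203.0.113.40", "Mozilla/5.0 (Windows NT 10.0) Chrome/92", "/dashboard"),
    Access(_t("2021-08-17T10:00:00"), "203.0.113.41", "sqlmap/1.5.8#stable", "/search?q=1"),
    Access(_t("2021-08-17T10:00:01"), "203.0.113.41", "sqlmap/1.5.8#stable", "/search?q=1%27"),
    Access(_t("2021-08-17T10:00:00"), "203.0.113.42", "Mozilla/5.0 (Windows NT 10.0) Chrome/92", "/"),
    Access(_t("2021-08-17T10:00:02"), "203.0.113.42", "Mozilla/5.0 (Macintosh) Safari/14", "/"),
    Access(_t("2021-08-17T10:00:05"), "203.0.113.42", "Mozilla/5.0 (Linux; Android 11) Chrome/92", "/"),
    Access(_t("2021-08-17T10:00:09"), "203.0.113.42", "Mozilla/5.0 (iPhone) Safari/14", "/"),
]


def program_type(records: list) -> str:
    """A7: infer the client program from its access behaviour (user agent first, then request rate)."""
    uas = [r.ua.lower() for r in records]
    if any(m in ua for ua in uas for m in SCANNER_MARKERS):
        return "scanner"
    if any(m in ua for ua in uas for m in CRAWLER_MARKERS):
        return "crawler"
    span = (max(r.ts for r in records) - min(r.ts for r in records)).total_seconds()
    per_minute = len(records) / max(span, 60.0) * 60   # rate measured over at least one minute
    return "automated" if per_minute >= AUTOMATION_RATE_PER_MIN else "browser"


def program_risk(ptype: str, protection_level: str):
    """A7: risk cause and level from the program type and the preset protection level."""
    if ptype == "scanner":
        return "access behaviour matches a vulnerability scanner", "high"
    if ptype == "automated":
        return "high-rate automated access", ("medium" if protection_level == "strict" else "low")
    if ptype == "crawler" and protection_level == "strict":
        return "crawler access is not allowed at the strict protection level", "low"
    return None, None


def forwarding_detection(addr: str, records: list) -> dict:
    """A9-A11: decide whether addr is a real client address or a forwarding (proxy/NAT) address."""
    info = FORWARDING_ADDRESSES.get(addr)
    if info is not None:                                 # A11: listed forwarding address
        return {"is_real": False, "server": info,
                "risk_cause": f"traffic is relayed by {info['operator']} ({info['role']}); the real client is hidden",
                "risk_level": "low"}
    fingerprints = {r.ua for r in records}               # A9: one address, how many distinct clients?
    if len(fingerprints) >= DISTINCT_CLIENT_THRESHOLD:
        return {"is_real": False, "server": None,
                "risk_cause": f"{len(fingerprints)} distinct client fingerprints behind one address: unlisted proxy or shared egress",
                "risk_level": "medium"}
    return {"is_real": True, "server": None, "risk_cause": None, "risk_level": None}


def analyze_behaviour(addr: str, history=HISTORY, protection_level: str = "strict") -> dict:
    """Combine A7 and A9-A11; the more severe finding becomes the security analysis result."""
    records = [r for r in history if r.src == addr]
    fwd = forwarding_detection(addr, records)
    ptype = program_type(records) if records else None
    p_cause, p_level = program_risk(ptype, protection_level) if ptype else (None, None)
    if LEVEL_ORDER[fwd["risk_level"]] > LEVEL_ORDER[p_level]:
        cause, level = fwd["risk_cause"], fwd["risk_level"]
    else:
        cause, level = p_cause, p_level
    return {"address": addr, "program_type": ptype, "is_real": fwd["is_real"],
            "forwarding_server": fwd["server"], "risk_cause": cause, "risk_level": level}


if __name__ == "__main__":
    for a in ("203.0.113.40", "203.0.113.41", "203.0.113.42", "203.0.113.200"):
        print(analyze_behaviour(a))
```

A user-agent string is client-controlled, so the scanner and crawler markers only catch tools that do not bother to disguise themselves; the distinct-fingerprint count is the more robust of the two signals, and its practical value is in the handling step that A12 describes: an address that is a shared egress or a listed forwarding server should not be blocked outright, because doing so would cut off every client behind it.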
A12. The intelligence analysis method of any one of A1 to A11, further comprising, after the step of generating an alarm event from the address to be analyzed and the security analysis result when the address carries a security risk:
determining a risk cause and a risk level from the security analysis result;
determining the corresponding risk handling strategy from the risk cause and the risk level;
and displaying the risk handling strategy together with the alarm event.
B13. An intelligence analysis apparatus, comprising the following modules:
an intelligence acquisition module, for acquiring security intelligence corresponding to an address to be analyzed;
a security analysis module, for carrying out security analysis on the address to be analyzed according to the security intelligence to obtain a security analysis result;
a risk judgment module, for determining, according to the security analysis result, whether the address to be analyzed carries a security risk;
and an event generation module, for generating an alarm event from the address to be analyzed and the security analysis result when the address to be analyzed carries a security risk.
B14. The intelligence analysis apparatus of B13, wherein the intelligence acquisition module is further configured to detect, when an address to be analyzed is obtained, whether it is an intranet address, and to acquire the security intelligence corresponding to the address to be analyzed only when it is not an intranet address.
B15. The intelligence analysis apparatus of B14, wherein the intelligence acquisition module is further configured to acquire a service server address list when the address to be analyzed is not an intranet address, to match the address to be analyzed against the service server addresses in that list, and to acquire the security intelligence corresponding to the address to be analyzed when no service server address matches it.
B16. The intelligence analysis apparatus of B13, wherein the security analysis module is further configured to determine, from the security intelligence, the device type corresponding to the address to be analyzed; to match the device type against the anomaly types in a preset anomaly type list to obtain a matching result; to determine a risk cause and a risk level from the matching result; and to generate the security analysis result from the risk cause and the risk level.
B17. The intelligence analysis apparatus of B16, wherein the security analysis module is further configured to acquire a preset anomalous address list; to match the address to be analyzed against the anomalous addresses in that list; and, when no anomalous address matches the address to be analyzed, to determine the device type corresponding to the address to be analyzed from the security intelligence.
B18. The intelligence analysis apparatus of B17, wherein the security analysis module is further configured, when an anomalous address matches the address to be analyzed, to take the matched anomalous address as the target anomalous address; to acquire the anomaly cause recorded for the target anomalous address and determine a risk cause and a risk level from the target anomalous address and the anomaly cause; and to generate the security analysis result from the risk cause and the risk level.
C19. An intelligence analysis device, comprising a processor, a memory, and an intelligence analysis program stored in the memory and executable on the processor, the program, when executed by the processor, implementing the steps of the intelligence analysis method above.
D20. A computer-readable storage medium on which an intelligence analysis program is stored, the program, when executed, implementing the steps of the intelligence analysis method above.

Claims (10)

1. An intelligence analysis method, characterized in that it comprises the following steps:
acquiring security intelligence corresponding to an address to be analyzed;
carrying out security analysis on the address to be analyzed according to the security intelligence to obtain a security analysis result;
determining, according to the security analysis result, whether the address to be analyzed carries a security risk;
and, when the address to be analyzed carries a security risk, generating an alarm event from the address to be analyzed and the security analysis result.
2. The intelligence analysis method of claim 1, further comprising, before the step of acquiring the security intelligence corresponding to the address to be analyzed:
when an address to be analyzed is obtained, detecting whether it is an intranet address;
and, when the address to be analyzed is not an intranet address, executing the step of acquiring the security intelligence corresponding to it.
3. The intelligence analysis method of claim 2, wherein the step of acquiring the security intelligence corresponding to the address to be analyzed when the address is not an intranet address comprises:
when the address to be analyzed is not an intranet address, acquiring a service server address list;
matching the address to be analyzed against the service server addresses in that list;
and, when no service server address in the list matches the address to be analyzed, executing the step of acquiring the security intelligence corresponding to it.
4. The intelligence analysis method of claim 1, wherein the step of performing security analysis on the address to be analyzed according to the security intelligence to obtain a security analysis result comprises:
determining, from the security intelligence, the device type corresponding to the address to be analyzed;
matching the device type against the anomaly types in a preset anomaly type list to obtain a matching result;
determining a risk cause and a risk level from the matching result;
and generating the security analysis result from the risk cause and the risk level.
5. The intelligence analysis method of claim 4, further comprising, before the step of determining the device type corresponding to the address to be analyzed from the security intelligence:
acquiring a preset anomalous address list;
matching the address to be analyzed against the anomalous addresses in the preset anomalous address list;
and, when no anomalous address in the list matches the address to be analyzed, executing the step of determining the device type corresponding to the address to be analyzed from the security intelligence.
6. The intelligence analysis method of claim 5, further comprising, after the step of matching the address to be analyzed against the anomalous addresses in the preset anomalous address list:
when an anomalous address matches the address to be analyzed, taking the matched anomalous address as the target anomalous address;
acquiring the anomaly cause recorded for the target anomalous address, and determining a risk cause and a risk level from the target anomalous address and the anomaly cause;
and generating the security analysis result from the risk cause and the risk level.
7. The intelligence analysis method of claim 1, wherein the step of performing security analysis on the address to be analyzed according to the security intelligence to obtain a security analysis result comprises:
determining, from the security intelligence, the access behaviour corresponding to the address to be analyzed;
determining, from the access behaviour, the program type corresponding to the address to be analyzed, and acquiring a preset security protection level;
determining a risk cause and a risk level from the preset security protection level and the program type;
and generating the security analysis result from the risk cause and the risk level.
8. An intelligence analysis apparatus, characterized in that it comprises the following modules:
an intelligence acquisition module, for acquiring security intelligence corresponding to an address to be analyzed;
a security analysis module, for carrying out security analysis on the address to be analyzed according to the security intelligence to obtain a security analysis result;
a risk judgment module, for determining, according to the security analysis result, whether the address to be analyzed carries a security risk;
and an event generation module, for generating an alarm event from the address to be analyzed and the security analysis result when the address to be analyzed carries a security risk.
9. An intelligence analysis device, characterized in that it comprises: a processor, a memory, and an intelligence analysis program stored in the memory and executable on the processor, the program, when executed by the processor, implementing the steps of the intelligence analysis method of any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that an intelligence analysis program is stored thereon which, when executed, implements the steps of the intelligence analysis method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110945852.8A CN113691518B (en) 2021-08-17 2021-08-17 Information analysis method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113691518A true CN113691518A (en) 2021-11-23
CN113691518B CN113691518B (en) 2023-12-05

Family

ID=78580347

Country Status (1)

Country Link
CN (1) CN113691518B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103051597A (en) * 2011-10-14 2013-04-17 国家纳米技术与工程研究院 Method for realizing address resolution protocol (ARP) deception detection on switch
US20130125235A1 (en) * 2011-11-14 2013-05-16 Kddi Corporation Method, Apparatus and Program for Detecting Spoofed Network Traffic
US20160044054A1 (en) * 2014-08-06 2016-02-11 Norse Corporation Network appliance for dynamic protection from risky network activities
CN105471623A (en) * 2015-11-16 2016-04-06 中国烟草总公司江苏省公司 Key IP address safety alarm association analysis method based on fuzzy scene
CN105515882A (en) * 2014-09-22 2016-04-20 北京奇虎科技有限公司 Website security detection method and website security detection device
CN106549959A (en) * 2016-10-26 2017-03-29 中国银联股份有限公司 A kind of recognition methodss of agent IP Protocol IP address and device
US20180316695A1 (en) * 2017-04-28 2018-11-01 Splunk Inc. Risk monitoring system
US20200336508A1 (en) * 2020-07-04 2020-10-22 Kumar Srivastava Method and system to stitch cybersecurity, measure network cyber health, generate business and network risks, enable realtime zero trust verifications, and recommend ordered, predictive risk mitigations
WO2021017614A1 (en) * 2019-07-31 2021-02-04 平安科技(深圳)有限公司 Threat intelligence data collection and processing method and system, apparatus, and storage medium
WO2021093051A1 (en) * 2019-11-15 2021-05-20 网宿科技股份有限公司 Ip address assessment method and system, and device
CN113225349A (en) * 2021-05-21 2021-08-06 中国工商银行股份有限公司 Method and device for establishing malicious IP address threat intelligence library and preventing malicious attack

Also Published As

Publication number Publication date
CN113691518B (en) 2023-12-05

Similar Documents

Publication Publication Date Title
CN110719291B (en) Network threat identification method and identification system based on threat information
CN110324310B (en) Network asset fingerprint identification method, system and equipment
JP6894003B2 (en) Defense against APT attacks
US20200177552A1 (en) Methods and apparatus for malware threat research
CN112637220B (en) Industrial control system safety protection method and device
CN107612924B (en) Attacker positioning method and device based on wireless network intrusion
Tien et al. KubAnomaly: Anomaly detection for the Docker orchestration platform with neural network approaches
CN110881043B (en) Method and device for detecting web server vulnerability
CN111651757A (en) Attack behavior monitoring method, device, equipment and storage medium
CN113691566B (en) Mail server secret stealing detection method based on space mapping and network flow statistics
CN107465702B (en) Early warning method and device based on wireless network intrusion
CN110336835B (en) Malicious behavior detection method, user equipment, storage medium and device
CN106778242B (en) Kernel vulnerability detection method and device based on virtual machine
Grégio et al. Ontology for malware behavior: A core model proposal
CN114422255A (en) Cloud security simulation detection system and detection method
Djap et al. Xb-pot: Revealing honeypot-based attacker’s behaviors
Pandey et al. A lifecycle based approach for malware analysis
CN113315785B (en) Alarm reduction method, device, equipment and computer readable storage medium
CN113595981A (en) Method and device for detecting threat of uploaded file and computer-readable storage medium
Kumar et al. Security patterns for intrusion detection systems
CN113691518A (en) Information analysis method, device, equipment and storage medium
CN115865494A (en) Safety test system and method
CN113569240B (en) Method, device and equipment for detecting malicious software
CN112351008B (en) Network attack analysis method and device, readable storage medium and computer equipment
CN107517226B (en) Alarm method and device based on wireless network intrusion

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100020 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Applicant after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100020 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Applicant before: Beijing Hongteng Intelligent Technology Co.,Ltd.

GR01 Patent grant