CN113709176A - Threat detection and response method and system based on secure cloud platform

Info

Publication number
CN113709176A
Authority
CN
China
Prior art keywords
data
attack
detection
cloud platform
malicious
Prior art date
Legal status
Pending
Application number
CN202111038943.XA
Other languages
Chinese (zh)
Inventor
田新远
Current Assignee
Beijing Huaqing Xin'an Technology Co ltd
Original Assignee
Beijing Huaqing Xin'an Technology Co ltd
Priority date
Application filed by Beijing Huaqing Xin'an Technology Co ltd
Priority to CN202111038943.XA
Publication of CN113709176A

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425  Traffic logging, e.g. anomaly detection
    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00  Pattern recognition
    • G06F 18/20  Analysing
    • G06F 18/23  Clustering techniques
    • G06F 18/232  Non-hierarchical techniques
    • G06F 18/2321  Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F 18/23213  Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441  Countermeasures against malicious traffic


Abstract

The invention discloses a threat detection and response method and system based on a secure cloud platform. The method comprises the following steps: step one, extracting a log file of the secure cloud platform and extracting second-class feature data from the log file; step two, cleaning the second-class feature data against service-access white data and extracting gray data; step three, running clustering-model detection on the gray data to obtain unknown data; step four, running an attack-type classification model on the unknown data obtained in step three, scoring the result, and defining malicious data according to the score; and step five, responding to the final malicious-data result. The invention can effectively improve the efficiency and accuracy of data detection, reduce missed reports, improve the objectivity of malicious-data detection and respond quickly to malicious results.

Description

Threat detection and response method and system based on secure cloud platform
Technical Field
The invention relates to the technical field of network security. More particularly, the invention relates to a threat detection and response method based on a secure cloud platform.
Background
As cyber crime becomes more sophisticated, attack modes grow more diverse every day, advanced attacks that use automation, machine learning and artificial intelligence are increasing rapidly, and the security defences of enterprises and departments cannot keep pace with the evolution of threats. Traditional security teams are constrained in their work by a shortage of network-security skills. Threat detection and response technology is therefore increasingly important for enterprise security, but at present several problems exist:
(1) the security products used by different users come from ever more sources and brands, so their log data differ in format; the volume of security logs is large (a single customer produces about 0.5 GB of security log data per day on average) and highly redundant, and traditional security data require manual processing and analysis, which is slow, costly and inaccurate;
(2) attack detection in common security products relies on matching dedicated detection rules for known attacks in order to intercept them; unknown attacks are discovered and defended against slowly, often only after the attack has already succeeded, so the response cycle is long and the risk is high;
(3) common security products cannot achieve a high utilization rate of the intelligence libraries (information banks) commonly available on the market, so intelligence data are wasted.
Disclosure of Invention
An object of the present invention is to solve at least the above problems and to provide at least the advantages described later.
The invention also aims to provide a threat detection and response method based on the security cloud platform, which can effectively improve the efficiency and accuracy of data detection, reduce the missing report of data, improve the objectivity of malicious detection and quickly respond to malicious results.
To achieve these objects and other advantages in accordance with the purpose of the invention, there is provided a threat detection and response method based on a secure cloud platform, comprising the steps of:
step one, extracting a log file of the secure cloud platform and extracting second-class feature data from the log file; the log file is, for example, a system log, a security log or an access log; the second-class feature data are, for example, feature data selected according to the service type;
step two, cleaning the second-class feature data against service-access white data and extracting gray data; the service-access white data are preset data in a service white database, and the service white database is updated in real time as the system runs;
step three, running clustering-model detection on the gray data to obtain unknown data;
step four, running an attack-type classification model on the unknown data obtained in step three and scoring the result; data whose score exceeds a preset threshold can be defined as malicious data;
and step five, responding to the malicious-data result.
Preferably, the second-class feature data in step one include one or more of: source IP, destination IP, request URL, request body, request time, access port, region, interception identifier, detection identifier, attack type, request mode and log source. Of course, the second-class feature data may also be other service-based feature data.
Preferably, in step one, data extraction is performed with regular expressions, and a second-class feature-extraction policy processes the collected data: it covers source IP, destination IP, request URL, request body, request time, access port, region, interception identifier, detection identifier, attack type, request mode and log source, and performs association analysis and feature marking on them.
Preferably, in step two, during data cleaning, the data that were not intercepted are extracted according to the combination of the interception-identifier and detection-identifier attributes and marked as gray data.
Preferably, in step three, before clustering-model detection is run on the gray data, attack-feature-library hit matching is performed on the gray data. Specifically, historical-access correlation is performed on the gray data, comprising access-frequency analysis, malicious-intelligence hit analysis and malicious-event-library correlation analysis: assets are associated through the destination IP of the service access in the gray data, and the source IPs, URLs and request bodies of accesses to those assets are matched and marked against historical attack events in the malicious event library and the intelligence library. For matching marking and asset association of an attack event, once the attack's feature type and the target's service address have been matched according to the event information in the gray data, the attack event is matched and marked against the service target server, and the maliciousness of the data is matched according to the detected rule mark.
Preferably, in step three, the gray-data clustering-model detection comprises: classifying, detecting and filtering the result of the gray-data matching into normal requests, abnormal requests and unknown requests; forming a sample set from historical abnormal data and historically hit attack data, filtering out the abnormal data, and then sending the remainder into the clustering model for classification, so that attack data that the security tools did not detect and/or intercept are discovered and marked. Attack-history hits for gray-data access events comprise: correlating the intelligence library and the malicious event library, determining whether the gray data have a historical attack record, marking data with a historical attack, and filtering abnormal data in combination with the clustering model; unknown attack behaviour is filtered out through extensive training on samples of abnormal data and normal known-attack data types, which safeguards the accuracy of the subsequent classifier. The clustering model uses a K-means algorithm; for example, a data model that fully describes the white samples can be built, and abnormal behaviour detected as deviation from it. In the historical data, normal access requests account for 85% while malicious attacks and crawlers account for 15%; the parameters of normal service access vary very little over time and cluster well, whereas attack data cluster poorly and differ greatly from normal data; the clustering model therefore serves to filter out unknown attacks.
Preferably, step four specifically comprises:
(1) the attack-type classification model uses an xgboost algorithm to identify and classify attacks in the gray data;
(2) the detection result of the attack-type classification model is scored comprehensively, the score of the detection result is calculated, and data whose score is greater than a preset threshold are determined to be malicious data, the score being calculated by the following formula:
Figure BDA0003248485350000031
in the formula: s is a final score, y is a data attribute index, A is an attack type classification model prediction result, B is a historical data hit result, and C is an intelligence data result.
Preferably, in step five, the data whose comprehensive score in step four is greater than the preset threshold are determined to be malicious data, and the attack is blocked by invoking the blocking policies of the firewall and the WAF with the data's source IP, port and attack type.
The invention also provides a system for the threat detection and response method based on a secure cloud platform, comprising:
a log acquisition module, for acquiring log files on the secure cloud platform and performing standardization and second-class feature extraction on them;
a data cleaning module, for cleaning the data extracted by the log acquisition module against white data;
a gray-data detection module, for marking the white-cleaned data as gray data and using a cluster-analysis model to classify, detect and filter the marked gray data;
an attack classification module, for identifying and classifying attacks in the marked gray data with the attack classification model and scoring them, the marked gray data being determined to be malicious data when the score is greater than a preset threshold;
and a response module, for invoking the blocking policies of the firewall and the WAF with the source IP, port and attack type of the malicious data so as to block the attack and thereby respond to it.
Preferably, the system further comprises a database, which comprises a log library, an intelligence library, a malicious event library and a service asset library for storing and updating log data.
The invention has at least the following beneficial effects: on top of traditional log extraction, the invention adds a second-class feature-extraction method, filters out the data that security products have already identified and intercepted, and sends the remainder to the next step, which increases the speed and hit efficiency of detecting non-intercepted data;
in step two, data cleaning accurately and effectively filters the data that were not blocked and cleans them against the white list, reducing the noise in later detection and reducing false blocks during response;
by adopting gray-data identification and clustering-model detection, the method reduces the amount of data the model must examine, divides the data to be detected into three classes, and improves the accuracy and efficiency of detection;
the attack-type classification model combines detection with scoring to decide whether to block the data, continuously identifies the maliciousness of attack data, can identify specific attack types, and improves accuracy considerably; and in the threat-data response stage, pre-made rules for IP blocking, blocking and feature-type attacks are used, which simplifies the user's attack-blocking workflow and meets the need for rapid handling of attacks.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention.
Drawings
FIG. 1 is a schematic flow chart of a threat detection and response method based on a secure cloud platform according to the present invention;
FIG. 2 is a graph illustrating the effect of the gray data cluster analysis model in the threat detection and response method based on a secure cloud platform according to the present invention;
fig. 3 is a schematic structural diagram of a system for a threat detection and response method based on a secure cloud platform according to the present invention.
Detailed Description
The present invention is further described in detail below with reference to the attached drawings so that those skilled in the art can implement the invention by referring to the description text.
It will be understood that terms such as "having," "including," and "comprising," as used herein, do not preclude the presence or addition of one or more other elements or groups thereof.
As shown in fig. 1, the present invention provides a threat detection and response method based on a secure cloud platform, which includes the following steps:
step one, extracting a log file of the secure cloud platform and extracting second-class feature data from the log file; the log file includes, but is not limited to, user access and security log data; the security logs are then standardized and data extraction is performed with, for example, regular expressions, giving results such as the following (nginx):
Figure BDA0003248485350000051
Figure BDA0003248485350000061
snort:
Figure BDA0003248485350000062
Figure BDA0003248485350000071
step two, cleaning the second-class feature data against service-access white data and extracting gray data; the second-class feature-extraction policy processes the acquired data and comprises association analysis and feature marking of source IP, destination IP, request URL, request body, request time, access port, region, interception identifier, detection identifier, attack type, request mode and log source; the processing policy for the second-class features is to extract the data that were not intercepted according to the combination of the interception-identifier and detection-identifier attributes, mark them as gray data, and perform attack-feature-library hit matching and three-class clustering-model detection on the gray data; historical-access correlation is performed on the data, comprising access-frequency analysis, malicious-intelligence hit analysis and malicious-event-library correlation analysis, by associating assets through the destination IP of the service access in the gray data and matching and marking the source IP, URL (uniform resource locator) and request body of accesses to those assets against historical attack events in the malicious event library and the intelligence library;
for matching marking and asset association of an attack event, once the attack's feature type and the target's service address have been matched according to the event information in the gray data, the attack event is matched and marked against the service target server, and the maliciousness of the data is marked and matched according to the detected rule;
clustering-model detection classifies, detects and filters the results of the gray-data matching into normal requests, abnormal requests and unknown requests; a sample set is formed from historical abnormal data and historically hit attack data, the abnormal data are filtered out, and the remainder is sent into a classification model for classification, so that attack data that the security tools did not detect or intercept can be found and marked.
step three, running clustering-model detection on the gray data to obtain unknown data; attack-history hits for gray-data access events comprise: correlating the intelligence library and the malicious event library, determining whether the gray data have a historical attack record, marking data with a historical attack, and filtering abnormal data in combination with the clustering model; unknown attack behaviour is filtered out through extensive training on samples of abnormal data and normal known-attack data types, which safeguards the accuracy of the subsequent classifier.
step four, running an attack-type classification model on the unknown data obtained in step three and scoring the result;
and step five, responding to the final malicious-data result.
In one embodiment, the second-class feature data in step one include one or more of: source IP, destination IP, request URL, request body, request time, access port, region, interception identifier, detection identifier, attack type, request mode and log source.
In one embodiment, in step one, data extraction is performed with regular expressions, and the second-class feature-extraction policy processes the collected data: it covers source IP, destination IP, request URL, request body, request time, access port, region, interception identifier, detection identifier, attack type, request mode and log source, and performs correlation analysis and feature marking on them.
In one embodiment, in step two, during data cleaning, the data that were not intercepted are extracted according to the combination of the interception-identifier and detection-identifier attributes and marked as gray data.
In one embodiment, in step three, before the gray-data clustering model is run, attack-feature-library hit matching is performed on the gray data. Specifically, historical-access correlation is performed on the gray data, comprising access-frequency analysis, malicious-intelligence hit analysis and malicious-event-library correlation analysis: assets are associated through the destination IP of the service access in the gray data, and the source IPs, URLs and request bodies of accesses to those assets are matched and marked against historical attack events in the malicious event library and the intelligence library.
In one embodiment, as shown in FIG. 2, in step three the gray-data clustering-model detection comprises: classifying, detecting and filtering the result of the gray-data matching into normal requests, abnormal requests and unknown requests; forming a sample set from historical abnormal data and historically hit attack data, filtering out the abnormal data, and then sending the remainder into the clustering model for classification, so that attack data that the security tools did not detect and/or intercept are discovered and marked. The gray-data clustering model uses a K-means algorithm, so that a data model that fully describes the white samples is built and abnormal behaviour is detected as deviation from it. In the historical data, normal access requests account for 85% while malicious attacks and crawlers account for 15%; the parameters of normal service access vary very little over time and cluster well, whereas attack data cluster poorly and differ greatly from normal data; the clustering model therefore serves to filter out unknown attack behaviour.
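As an added example (not code from the patent or its assignee), the following Python sketch implements steps one and two on constructed nginx and snort log lines: regex extraction of the second-class features, a join on source and destination IP that sets the detection identifier and attack type from snort alerts, white-data cleaning against a service white database, and marking of every non-intercepted record as gray data. The sample lines, the white database, the region table and the use of an HTTP 403 as the interception identifier are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample input (not from the patent): nginx combined-format access
# lines and snort "fast" alert lines for the same web server 10.0.0.5:80.
NGINX_LINES = [
    '203.0.113.7 - - [06/Sep/2021:10:00:01 +0800] "GET /api/orders?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Sep/2021:10:00:02 +0800] "GET /api/orders?id=1%27+or+sleep(5)-- HTTP/1.1" 200 77 "-" "sqlmap/1.5"',
    '192.0.2.33 - - [06/Sep/2021:10:00:03 +0800] "POST /login HTTP/1.1" 403 0 "-" "curl/7.79"',
    '203.0.113.50 - - [06/Sep/2021:10:00:04 +0800] "GET /health HTTP/1.1" 200 2 "-" "probe/1.0"',
]
SNORT_LINES = [
    '09/06-10:00:02.100000 [**] [1:1000001:1] SQL INJECTION ATTEMPT [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:51234 -> 10.0.0.5:80',
    '09/06-10:00:03.200000 [**] [1:1000002:1] LOGIN BRUTE FORCE [**] [Classification: Attempted User Privilege Gain] [Priority: 2] {TCP} 192.0.2.33:40000 -> 10.0.0.5:80',
]
# Assumed service white database: monitoring sources and URL prefixes that are
# known-good service traffic (the patent keeps this updated in real time).
WHITE_DB = {"sources": {"203.0.113.50"}, "url_prefixes": ("/health",)}
# Assumed region lookup standing in for a GeoIP service.
REGION = {"203.0.113": "CN-BJ", "198.51.100": "US", "192.0.2": "DE"}

NGINX_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<mode>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')
SNORT_RE = re.compile(
    r'^\S+ \[\*\*\] \[[\d:]+\] (?P<msg>.*?) \[\*\*\] (?:\[Classification: [^\]]*\] )?'
    r'\[Priority: (?P<prio>\d+)\] \{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$')


def parse_nginx(line, dest_ip="10.0.0.5", port=80):
    """Map one access-log line onto the patent's second-class feature record."""
    m = NGINX_RE.match(line)
    if not m:
        return None
    url, _, query = m.group("url").partition("?")
    return {
        "source_ip": m.group("src"), "destination_ip": dest_ip,
        "request_url": url, "request_body": query,  # access logs carry no body; the query stands in
        "request_time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "access_port": port, "region": REGION.get(m.group("src").rsplit(".", 1)[0], "unknown"),
        # Assumption: a 403 from the in-line WAF means the request was intercepted.
        "intercepted": 1 if m.group("status") == "403" else 0,
        "detected": 0, "attack_type": "", "request_mode": m.group("mode"), "log_source": "nginx",
    }


def parse_snort(line):
    """Extract the detection identifier and attack type from a snort fast alert."""
    m = SNORT_RE.match(line)
    return m.groupdict() if m else None


def extract_features(nginx_lines, snort_lines):
    """Step one: build feature records and set the detection identifier by
    correlating snort alerts with access records on source and destination IP."""
    alerts = [a for a in map(parse_snort, snort_lines) if a]
    records = [r for r in map(parse_nginx, nginx_lines) if r]
    for r in records:
        for a in alerts:
            if a["src"] == r["source_ip"] and a["dst"] == r["destination_ip"]:
                r["detected"], r["attack_type"] = 1, a["msg"]
    return records


def clean_white(records, white_db=WHITE_DB):
    """Step two, part 1: drop service-access white data."""
    return [r for r in records
            if r["source_ip"] not in white_db["sources"]
            and not r["request_url"].startswith(white_db["url_prefixes"])]


def mark_gray(records):
    """Step two, part 2: everything the security tools did not intercept is gray
    data, whatever the detection identifier says; it goes on to step three."""
    return [dict(r, gray=True) for r in records if r["intercepted"] == 0]


def gray_data(nginx_lines=NGINX_LINES, snort_lines=SNORT_LINES):
    return mark_gray(clean_white(extract_features(nginx_lines, snort_lines)))


if __name__ == "__main__":
    for r in gray_data():
        print(r["source_ip"], r["request_url"], r["detected"], r["attack_type"])
```

The detected-but-not-intercepted record (source 198.51.100.9) is exactly the case the patent's gray data exists to catch.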
Normal access request calculation formula:
Figure BDA0003248485350000091
remarking: p fraction, H history data, S attack data,
the sample class label initial classification algorithm is as follows:
z={z1,z2,......zk,}
wherein: z sample, k sample size
Calculate sample centroid of cluster center for z:
Figure BDA0003248485350000092
where Z is the category and a the cluster centre;
In one embodiment, step four specifically comprises:
(1) the attack-type classification model uses an xgboost algorithm to identify and classify attacks in the gray data; it is highly parallel and trains quickly, the split features of the decision-tree nodes can be chosen at random, random sampling reduces variance, and its generalization ability is strong; common attack types include: SQL injection, crawlers, missing headers, script attacks, scanning and protocol violations; according to the service attack-type features in the detection result, the malicious-event response module is called to respond to the event;
SQL malicious keywords include, for example: database, where, exec, inner, convert, distinct, sleep, mid, updatexml(, null, sqlmap, md5(, flow, rand, cast, real, catch, print, delete, current, extractvalue(, upperjoin, assign(, exec(, length, etc.
XSS common keywords include, for example: print, href=, sleep, onclick=, onerror, <!--, -->, <base, echo, <script, </script, <iframe, etc.
The feature values are 1 and 0; because the data vary greatly, the text is tokenized on the delimiters ", / and &, word frequencies are counted, and upper and lower case are normalized;
(2) the detection result of the attack-type classification model is scored comprehensively, the score of the detection result is calculated, and data whose score is greater than a preset threshold are determined to be malicious data, the score being calculated by the following formula:
Figure BDA0003248485350000101
in the formula: s is a final score, y is a data attribute index, A is an attack type classification model prediction result, B is a historical data hit result, and C is an intelligence data result. And carrying out comprehensive scoring on the evaluation result, wherein the result marked by the grey data is as follows: historical attack events, threat intelligence libraries, and historical training data are derived, for example, malicious attack data when score > 72.
In one embodiment, in the fifth step, data with a comprehensive score larger than a preset threshold and malicious data are determined, and for the malicious data, a data source IP, a port and an attack type are adopted, and firewall blocking and WAF policies are invoked to block the attack.
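As an added example (not code from the patent or its assignee) covering steps three to five as described above: requests are turned into the 1/0 keyword features and a small numeric vector, a K-means model fitted on normal history gives the normal/abnormal/unknown split, and the classifier result A is combined with the history hit B and intelligence hit C into a score compared against the 72 threshold before a firewall/WAF block decision. The page does not reproduce the patent's score formula, so the weighting in final_score is an assumption, as are the numeric feature choice, the 1.5 radius margin and the seeded initialisation; the classifier probability is passed in rather than produced by xgboost.

```python
import math

# Keyword subsets taken from the patent's SQL and XSS lists; used as 1/0 features.
SQL_KEYWORDS = ["where", "exec", "convert", "sleep", "updatexml(", "sqlmap",
                "md5(", "cast", "delete", "extractvalue("]
XSS_KEYWORDS = ["<script", "</script", "<iframe", "onerror", "onclick", "<base", "echo", "href="]
DELIMS = '"/&'          # the patent's segmentation delimiters
SCORE_THRESHOLD = 72    # from the page: score > 72 is malicious attack data


def tokenize(text):
    """Split on the patent's delimiters (", / and &) plus whitespace, lower-case,
    and count term frequencies."""
    for d in DELIMS:
        text = text.replace(d, " ")
    freq = {}
    for tok in text.lower().split():
        freq[tok] = freq.get(tok, 0) + 1
    return freq


def keyword_vector(text):
    """1/0 presence feature per keyword, case-normalized as the patent describes."""
    low = text.lower()
    return [1 if k in low else 0 for k in SQL_KEYWORDS + XSS_KEYWORDS]


def request_vector(url):
    """Assumed numeric features for clustering: URL length, count of characters
    normal service URLs do not use, and number of keyword hits."""
    specials = sum(1 for c in url if not c.isalnum() and c not in "/?=&.-_%")
    return [float(len(url)), float(specials), float(sum(keyword_vector(url)))]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(p, centroids):
    i = min(range(len(centroids)), key=lambda j: dist(p, centroids[j]))
    return i, dist(p, centroids[i])


def kmeans(points, k=2, iters=50):
    """Plain Lloyd's K-means; the first k points seed the centroids so runs are
    deterministic (the patent names K-means but not its initialisation)."""
    centroids = [list(p) for p in points[:k]]
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[nearest(p, centroids)[0]].append(p)
        new = [[sum(col) / len(g) for col in zip(*g)] if g else c
               for g, c in zip(groups, centroids)]
        if new == centroids:
            break
        centroids = new
    return centroids


def fit_normal_model(normal_urls, k=2, margin=1.5):
    """Build the 'white sample' model: centroids of normal history plus a radius
    (largest training distance times an assumed margin)."""
    pts = [request_vector(u) for u in normal_urls]
    cents = kmeans(pts, k)
    return {"centroids": cents, "radius": max(nearest(p, cents)[1] for p in pts) * margin}


def triage(url, model, history_hit=False):
    """Step three: normal if inside the white model, abnormal if it carries a
    history hit or known attack keywords, otherwise unknown (sent to the classifier)."""
    vec = request_vector(url)
    if nearest(vec, model["centroids"])[1] <= model["radius"]:
        return "normal"
    if history_hit or vec[2] > 0:
        return "abnormal"
    return "unknown"


def final_score(a, b, c):
    """Step four, part 2: combine classifier result A, history hit B and
    intelligence hit C. These weights are an assumption, not the patent's formula."""
    return 100.0 * (0.6 * a + 0.25 * b + 0.15 * c)


def respond(record, score, threshold=SCORE_THRESHOLD):
    """Step five: above the threshold, hand source IP, port and attack type to
    the firewall/WAF blocking policy; otherwise take no action."""
    if score <= threshold:
        return None
    return {"action": "block", "source_ip": record["source_ip"],
            "port": record["access_port"], "attack_type": record["attack_type"]}


# Constructed normal-history URLs standing in for the 85% normal traffic.
NORMAL_HISTORY = ["/api/orders?id=42", "/api/users/7", "/static/app.js",
                  "/api/orders?id=43", "/login", "/api/cart?item=9", "/index.html"]


def demo():
    model = fit_normal_model(NORMAL_HISTORY)
    rec = {"source_ip": "198.51.100.9", "access_port": 80, "attack_type": "SQL injection"}
    return {
        "normal": triage("/api/orders?id=44", model),
        "abnormal": triage("/api/orders?id=1' or sleep(5)--", model),
        "unknown": triage("/api/orders?id=" + "0" * 25, model),
        "block": respond(rec, final_score(0.9, 1, 0)),
        "allow": respond(rec, final_score(0.5, 0, 0)),
    }
```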
As shown in fig. 3, the present invention provides a system for a threat detection and response method based on a secure cloud platform, comprising:
the log acquisition module is used for acquiring log files on the security cloud platform, and performing standardized processing and log second-class feature extraction on the log files;
the data cleaning module is used for cleaning the white data of the data extracted by the log acquisition module;
the grey data detection module is used for carrying out grey data marking on the data subjected to white data cleaning, and carrying out classified detection and filtering on the marked grey data by utilizing a cluster analysis model;
the attack classification module is used for carrying out attack identification and classification on the marked gray data by utilizing the attack classification model and further grading, and the marked gray data is determined to be malicious data when the grading value is larger than a preset threshold value;
and the response module is used for calling the policy of the blocking of the firewall and the WAF to achieve the blocking effect of the attack by adopting the data source IP, the port and the attack type aiming at the malicious data so as to realize the response processing of the attack.
In one embodiment, as shown in fig. 3, the system further comprises: and the database comprises a log library, an intelligence library, a malicious event library and a business asset library which are used for storing and updating log data.
While embodiments of the invention have been described above, it is not limited to the applications set forth in the description and the embodiments, which are fully applicable in various fields of endeavor to which the invention pertains, and further modifications may readily be made by those skilled in the art, it being understood that the invention is not limited to the details shown and described herein without departing from the general concept defined by the appended claims and their equivalents.

Claims (10)

1. A threat detection and response method based on a secure cloud platform, characterized in that it comprises the following steps:
step one, extracting a log file of the secure cloud platform and extracting second-class feature data from the log file;
step two, cleaning the second-class feature data against service-access white data and extracting gray data;
step three, running clustering-model detection on the gray data to obtain unknown data;
step four, running an attack-type classification model on the unknown data obtained in step three and scoring the result, and defining malicious data according to the score;
and step five, responding to the final malicious-data result.
2. The secure cloud platform-based threat detection and response method of claim 1, wherein the second-class feature data in step one comprise one or more of: source IP, destination IP, request URL, request body, request time, access port, region, interception identifier, detection identifier, attack type, request mode and log source.
3. The secure cloud platform-based threat detection and response method of claim 2, wherein in step one data extraction is performed with regular expressions, and a second-class feature-extraction strategy processes the collected data, covering source IP, destination IP, request URL, request body, request time, access port, region, interception identifier, detection identifier, attack type, request mode and log source, and performs association analysis and feature marking on them.
4. The secure cloud platform-based threat detection and response method of claim 3, wherein in step two, during data cleaning, the data that were not intercepted are extracted according to the combination of the interception-identifier and detection-identifier attributes and marked as gray data.
5. The secure cloud platform-based threat detection and response method of claim 1, wherein in step three, before clustering-model detection is run on the gray data, attack-feature-library hit matching is performed on the gray data, specifically: historical-access correlation is performed on the gray data, comprising access-frequency analysis, malicious-intelligence hit analysis and malicious-event-library correlation analysis, assets are associated through the destination IP of the service access in the gray data, and the source IPs, URLs and request bodies of accesses to those assets are matched and marked against historical attack events in the malicious event library and the intelligence library.
6. The secure cloud platform-based threat detection and response method of claim 5, wherein in step three the gray-data clustering-model detection comprises: classifying, detecting and filtering the result of the gray-data matching into normal requests, abnormal requests and unknown requests; forming a sample set from historical abnormal data and historically hit attack data, filtering out the abnormal data, and then sending the remainder into the clustering model for classification, so that attack data that the security tools did not detect and/or intercept are discovered and marked.
7. The secure cloud platform-based threat detection and response method of claim 1, wherein step four specifically comprises:
(1) the attack-type classification model uses an xgboost algorithm to identify and classify attacks in the gray data;
(2) the detection result of the attack-type classification model is scored comprehensively, the score being calculated by the following formula:
Figure FDA0003248485340000021
in the formula: s is a final score, y is a data attribute index, A is an attack type classification model prediction result, B is a historical data hit result, and C is an intelligence data result.
8. The security cloud platform-based threat detection and response method according to claim 1, wherein in the fifth step, data and malicious data with a comprehensive score value larger than a preset threshold value in the fourth step are determined, and firewall blocking and WAF policies are invoked to achieve attack blocking by adopting a data source IP, a port and an attack type.
9. A system for a secure cloud platform-based threat detection and response method according to any one of claims 1 to 8, comprising:
the log acquisition module is used for acquiring log files on the security cloud platform, and performing standardized processing and log second-class feature extraction on the log files;
the data cleaning module is used for cleaning the white data of the data extracted by the log acquisition module;
the grey data detection module is used for carrying out grey data marking on the data subjected to white data cleaning, and carrying out classified detection and filtering on the marked grey data by utilizing a cluster analysis model;
the attack classification module is used for carrying out attack identification and classification on the marked gray data by utilizing an attack classification model and further grading the marked gray data;
and the response module is used for calling the policy of the blocking of the firewall and the WAF to achieve the blocking effect of the attack by adopting the data source IP, the port and the attack type aiming at the malicious data so as to realize the response processing of the attack.
10. The system of claim 9, further comprising: and the database comprises a log library, an intelligence library, a malicious event library and a business asset library which are used for storing and updating log data.
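Added example, not code from the patent or its assignee: a Python sketch of the grey-data pipeline of claims 3 to 8 run over constructed log lines, covering regex feature extraction, grey marking of non-intercepted requests, matching against constructed malicious event and intelligence libraries, and threshold gating of the comprehensive score. The key=value log layout, the library contents, the model scores and the weighted-sum scoring are all assumptions, since the page reproduces neither the patent's log format nor its score formula.

```python
import re
# Constructed sample log lines in an assumed key=value layout (not the patent's own log format).
SAMPLE_LOGS = [
    "src=203.0.113.7 dst=10.0.0.5 url=/login body=user=admin t=2021-09-06T10:00:00 "
    "port=443 region=CN intercepted=1 detected=1 type=sqli method=POST source=waf",
    "src=198.51.100.9 dst=10.0.0.5 url=/api/export body=id=1%27%20OR%201=1 t=2021-09-06T10:00:01 "
    "port=443 region=US intercepted=0 detected=1 type=sqli method=GET source=waf",
    "src=192.0.2.44 dst=10.0.0.8 url=/index.html body= t=2021-09-06T10:00:02 "
    "port=80 region=CN intercepted=0 detected=0 type=none method=GET source=nginx",
]
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # claim 3: regex-based field extraction

def extract_features(line):
    """Claim 3: pull the second-class features out of one log line."""
    f = dict(FIELD_RE.findall(line))
    return {"src_ip": f["src"], "dst_ip": f["dst"], "url": f["url"], "body": f["body"],
            "time": f["t"], "port": int(f["port"]), "region": f["region"],
            "intercepted": f["intercepted"] == "1", "detected": f["detected"] == "1",
            "attack_type": f["type"], "method": f["method"], "log_source": f["source"]}

def mark_grey(records):
    """Claim 4: requests the security tools did not intercept become grey data."""
    return [r for r in records if not r["intercepted"]]

# Constructed stand-ins for the claim 10 malicious event library (keyed by accessed asset) and intelligence library.
MALICIOUS_EVENTS = {"10.0.0.5": {"ips": {"198.51.100.9"}, "urls": {"/api/export"}, "bodies": set()}}
INTEL_IPS = {"198.51.100.9", "203.0.113.7"}

def history_hit(rec):
    """Claim 5: match source IP, URL and body against historical attack events on that asset."""
    ev = MALICIOUS_EVENTS.get(rec["dst_ip"], {"ips": set(), "urls": set(), "bodies": set()})
    return rec["src_ip"] in ev["ips"] or rec["url"] in ev["urls"] or rec["body"] in ev["bodies"]

def comprehensive_score(a, b, c, weights=(0.5, 0.3, 0.2)):
    """Claims 7-8 define S from A (model result), B (history hit) and C (intelligence hit);
    the page does not reproduce the formula, so this weighted sum is an ASSUMED stand-in."""
    return weights[0] * a + weights[1] * b + weights[2] * c

def triage(lines, model_scores, threshold=0.6):
    """Claims 3-8 end to end: returns the (source IP, port, attack type) records that the
    response module would hand to the firewall/WAF policy for grey data scoring above threshold."""
    blocks = []
    for rec in mark_grey([extract_features(l) for l in lines]):
        a = model_scores.get(rec["src_ip"], 0.0)  # stands in for the xgboost prediction
        s = comprehensive_score(a, float(history_hit(rec)), float(rec["src_ip"] in INTEL_IPS))
        if s > threshold:
            blocks.append({"src_ip": rec["src_ip"], "port": rec["port"],
                           "attack_type": rec["attack_type"], "score": round(s, 2)})
    return blocks
```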
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111038943.XA CN113709176A (en) 2021-09-06 2021-09-06 Threat detection and response method and system based on secure cloud platform

Publications (1)

Publication Number Publication Date
CN113709176A true CN113709176A (en) 2021-11-26

Family

ID=78660546

Country Status (1)

Country Link
CN (1) CN113709176A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114168948A (en) * 2021-12-17 2022-03-11 北京华清信安科技有限公司 Comprehensive network security situation analysis method
CN115208647A (en) * 2022-07-05 2022-10-18 南京领行科技股份有限公司 Attack behavior handling method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211126