CN113722576A - Network security information processing method, query method and related device - Google Patents


Info

Publication number
CN113722576A
Authority
CN
China
Prior art keywords
attribute
time
points
edge
association relationship
Legal status
Pending
Application number
CN202110494618.8A
Other languages
Chinese (zh)
Inventor
戚名钰
倪雯
姚靖怡
康俊飞
Current Assignee
Beijing Dajia Internet Information Technology Co Ltd
Original Assignee
Beijing Dajia Internet Information Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/953 Querying, e.g. by the use of web search engines
    • G06F16/9532 Query formulation

Abstract

The application provides a network security information processing method, a query method and a related device, which are used to solve the problem in the related technology that the relationships between information data related to network security cannot be completely described, so that the risk identification result is not accurate enough. In the method provided by the embodiment of the application, intelligence data of different dimensions are taken as points, and the association relationships between points of different dimensions are taken as edges to construct a graph structure model. In order to improve the convenience and accuracy of attack tracing, in the graph structure model of the embodiment, on one hand an edge may have a time attribute, and on the other hand an edge may also have a strength attribute. The time attribute captures the time range within which each association relationship holds, and the strength attribute of the edge describes how strong the association relationship is. Therefore, the strength of the relationship between different entity points in the graph structure model can be reflected: compared with merely providing the association relationship, the strength of the association relationship is additionally provided, and the accuracy of risk description is improved.

Description

Network security information processing method, query method and related device
Technical Field
The present application relates to the field of information security technologies, and in particular, to a network security information processing method, an inquiry method, and a related apparatus.
Background
With the development of the internet, especially the mobile internet, the network environment has become more complex, different attack behaviors are more industrialized and organized into gangs, and the intrusion methods are more diversified and complex. The traditional security strategy, which mainly aims at defending against vulnerabilities, finds it difficult to timely and effectively detect, intercept and analyze novel, persistent and advanced threats when they are exposed. Therefore, the requirements of security attack and defense gradually evolve from the traditional vulnerability-centered approach to an active construction mode centered on intelligence.
For example, in the related art, information related to network security may be acquired, and the information may be divided into different dimensions, such as an IP (Internet Protocol) dimension, a user account dimension, and the like. At present, the traditional analysis of network security is based on single-dimension analysis processing.
However, in terms of attack tracing, it is difficult to accurately analyze the attack source from a single dimension, so schemes that analyze using multiple dimensions have also been proposed in the related art. However, even when multiple dimensions are adopted, the risks are not effectively connected in series, so the risk analysis is not comprehensive and the analysis result is inaccurate.
Disclosure of Invention
The embodiment of the application provides a processing method, a query method and a related device of network security information, which are used for solving the problems that in the related technology, due to the fact that risks are not effectively connected in series in a multi-dimensional mode, the description of the risks is not comprehensive enough, and the accuracy of a risk analysis result needs to be improved.
In a first aspect, the present application provides a method for processing network security information, where the method includes:
obtaining intelligence data of a plurality of specified dimensions relating to network security;
constructing a graph structure model with the intelligence data of each specified dimension as points and the correlation between the points of different specified dimensions as edges;
in the graph structure model, the attribute of the edge of at least one association relationship includes a time attribute and/or a strength attribute; the time attribute is used to describe the duration of the association relationship, and the strength attribute is used to describe the strength of the association relationship.
Optionally, for each edge with the strength attribute, the value of the strength attribute of the edge is positively correlated with at least one of the following:
the number of times the edge is generated;
the operation times of the specified operation associated with the edge;
an operation duration of the specified operation associated with the edge.
Optionally, the specified dimension includes a device and an account, and for multiple accounts associated with the same device, an edge between each account and the device at least has the strength attribute.
Optionally, the value of the time attribute includes a start time and an end time, and for any two points in the graph structure model having an association relationship, the time attribute of an edge between the two points is determined according to the following method:
acquiring indication information for indicating that the two points have an association relationship, wherein the indication information comprises time points;
taking the earliest time point in the indication information as the starting time and taking the latest time point as the ending time;
and if the indication information is acquired again, updating the ending time by adopting the latest time point in the indication information.
Optionally, in the graph structure model, the target dimension in the multiple specified dimensions is used as a central point, and edges between points of other specified dimensions and the central point are constructed.
In a second aspect, the present application provides a method for querying network security information, where the method includes:
acquiring a query result from a graph structure model of the network security information based on the query request; the graph structure model is constructed by taking information data of each specified dimension as points and taking the association relationship between the points of different specified dimensions as edges, and at least one edge in the graph structure model has a time attribute and/or a strength attribute, wherein the time attribute is used for describing the duration of the association relationship, and the strength attribute is used for describing the strength of the association relationship;
and displaying the query result.
Optionally, if the attribute of the edge includes the time attribute, the obtaining, based on the query request, a query result from a graph structure model of the network security information includes:
and acquiring a query result matched with the time condition from the graph structure model based on the time condition in the query request.
Optionally, the matching with the time condition includes: the time range indicated by the time attribute has an intersection with the time period of the time condition.
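The first and second aspects above describe, in prose, how an edge's time attribute is derived from indication information (earliest time point as start, latest as end, end moved forward when the association is acquired again), how its strength attribute grows with the edge's generation count and the associated operations, how a target dimension serves as the central point, and how a query keeps only edges whose time range intersects the requested period. The following Python block is an added example written for this page, not code from the patent or its assignee; the entity IDs, dimension names, timestamps and the particular strength weighting are constructed assumptions used only to make the procedure concrete.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Added example, not code from the patent. Entity IDs, dimension names,
# timestamps and the strength weighting below are constructed assumptions.


@dataclass
class Edge:
    """An association relationship between two points of different dimensions."""
    src: str              # entity ID of one point, e.g. "account:A1"
    dst: str              # entity ID of the other point, e.g. "device:D1"
    start: int            # time attribute: earliest observed time point
    end: int              # time attribute: latest observed time point
    count: int = 0        # number of times the edge has been generated
    op_count: int = 0     # number of specified operations associated with the edge
    op_duration: int = 0  # total duration (seconds) of those operations

    def strength(self) -> int:
        # Strength attribute: positively correlated with the generation count,
        # operation count and operation duration. The equal weighting and the
        # one-point-per-minute scale for duration are assumptions.
        return self.count + self.op_count + self.op_duration // 60


class IntelligenceGraph:
    def __init__(self) -> None:
        self.points: Dict[str, str] = {}              # entity ID -> dimension
        self.edges: Dict[Tuple[str, str], Edge] = {}  # unordered pair -> edge

    def add_point(self, entity_id: str, dimension: str) -> None:
        self.points[entity_id] = dimension

    def observe(self, a: str, b: str, time_points: Iterable[int],
                op_count: int = 0, op_duration: int = 0) -> Edge:
        """Record indication information that points a and b are associated.

        On first sight the earliest time point becomes the start and the latest
        the end; when the same association is acquired again only the end is
        moved forward, so the edge's time range grows but never shrinks.
        """
        if self.points[a] == self.points[b]:
            raise ValueError("edges connect points of different dimensions")
        key = (min(a, b), max(a, b))
        times = list(time_points)
        earliest, latest = min(times), max(times)
        edge = self.edges.get(key)
        if edge is None:
            edge = Edge(key[0], key[1], start=earliest, end=latest)
            self.edges[key] = edge
        else:
            edge.end = max(edge.end, latest)
        edge.count += 1
        edge.op_count += op_count
        edge.op_duration += op_duration
        return edge

    def query(self, center: str, t_from: int, t_to: int) -> List[Edge]:
        """Edges at the central point whose time range intersects [t_from, t_to].

        Matching is interval intersection, so an association that started
        before the query window and ended inside it still matches.
        """
        hits = [e for e in self.edges.values()
                if center in (e.src, e.dst)
                and e.start <= t_to and e.end >= t_from]
        # Strongest associations first, mirroring a differentiated display.
        return sorted(hits, key=lambda e: e.strength(), reverse=True)


def build_sample_graph() -> IntelligenceGraph:
    """Constructed sample: one device as the central point, three accounts."""
    g = IntelligenceGraph()
    g.add_point("device:D1", "device")
    for acc in ("account:A1", "account:A2", "account:A3"):
        g.add_point(acc, "account")
    # A1 seen twice on D1: the second observation extends the end time only.
    g.observe("device:D1", "account:A1", [100, 200])
    g.observe("device:D1", "account:A1", [500])
    # A2 seen once, but with operations attached, so it gets a higher strength.
    g.observe("device:D1", "account:A2", [300], op_count=3, op_duration=120)
    # A3 seen only after the later query window.
    g.observe("device:D1", "account:A3", [1000])
    return g


if __name__ == "__main__":
    graph = build_sample_graph()
    for e in graph.query("device:D1", 150, 400):
        print(f"{e.src} -- {e.dst}  [{e.start}, {e.end}]  strength={e.strength()}")
```

Querying the device point over the window 150 to 400 returns the A2 and A1 edges (A2 first, because its attached operations raise its strength) and excludes A3, whose only observation lies outside the window; the A1 edge shows the update rule, keeping its original start of 100 while the repeated observation pushes its end to 500.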
Optionally, different values of the strength attribute are displayed with differentiated display effects.
Optionally, the display result of the query result includes display identifiers of a plurality of points, and the method further includes:
and in response to the selection operation of any display identifier, displaying the description information of the point corresponding to the selected display identifier in the popup window.
Optionally, the method further includes:
acquiring and storing the display position of each point in the query result;
after the responding to the selection operation of any display identifier and displaying the description information of the point corresponding to the selected display identifier in the popup window, the method further comprises the following steps:
closing the pop-up window in response to a closing operation for the pop-up window; and
and displaying the edges between the points in the query result and the points with the association relation according to the stored display positions of the points.
Optionally, the method further includes:
and responding to the zooming operation of the query result, and correspondingly zooming the display page of the query result.
In a third aspect, the present application further provides a device for processing network security information, where the device includes:
a data acquisition module configured to perform acquisition of intelligence data of a plurality of specified dimensions relating to network security;
the graph construction module is configured to execute the construction of a graph structure model taking the intelligence data of each specified dimension as points and taking the correlation among the points of different specified dimensions as edges;
in the graph structure model, the attribute of the edge of at least one association relationship includes a time attribute and/or a strength attribute; the time attribute is used to describe the duration of the association relationship, and the strength attribute is used to describe the strength of the association relationship.
Optionally, for each edge with the strength attribute, the value of the strength attribute of the edge is positively correlated with at least one of the following:
the number of times the edge is generated;
the operation times of the specified operation associated with the edge;
an operation duration of the specified operation associated with the edge.
Optionally, the specified dimension includes a device and an account, and for multiple accounts associated with the same device, an edge between each account and the device at least has the strength attribute.
Optionally, the values of the time attribute include a start time and an end time, and for any two points in the graph structure model having an association relationship, the graph building module is configured to determine the time attribute of the edge between the two points according to the following method:
acquiring indication information for indicating that the two points have an association relationship, wherein the indication information comprises time points;
taking the earliest time point in the indication information as the starting time and taking the latest time point as the ending time;
and if the indication information is acquired again, updating the ending time by adopting the latest time point in the indication information.
Optionally, in the graph structure model, the target dimension in the multiple specified dimensions is used as a central point, and edges between points of other specified dimensions and the central point are constructed.
In a fourth aspect, the present application further provides an apparatus for querying network security information, where the apparatus includes:
the query module is configured to execute query result acquisition from the graph structure model of the network security information based on the query request; the graph structure model is constructed by taking information data of each specified dimension as points and taking the association relationship between the points of different specified dimensions as edges, and at least one edge in the graph structure model has a time attribute and/or a strength attribute, wherein the time attribute is used for describing the duration of the association relationship, and the strength attribute is used for describing the strength of the association relationship;
and the presentation module is configured to perform presentation of the query result.
Optionally, if the edge attribute includes the time attribute, the query module is specifically configured to perform: and acquiring a query result matched with the time condition from the graph structure model based on the time condition in the query request.
Optionally, the matching with the time condition includes: the time range indicated by the time attribute has an intersection with the time period of the time condition.
Optionally, different values of the strength attribute are displayed with differentiated display effects.
Optionally, the display result of the query result includes display identifiers of a plurality of points, and the display module is further configured to perform:
and in response to the selection operation of any display identifier, displaying the description information of the point corresponding to the selected display identifier in the popup window.
Optionally, the apparatus further comprises:
the storage module is configured to acquire and store the display position of each point in the query result;
after the display module responds to the selection operation of any display identifier and displays the description information of the point corresponding to the selected display identifier in the pop-up window, the display module is further configured to execute:
closing the pop-up window in response to a closing operation for the pop-up window; and
and displaying the edges between the points in the query result and the points with the association relation according to the stored display positions of the points.
Optionally, the presentation module is further configured to perform:
and responding to the zooming operation of the query result, and correspondingly zooming the display page of the query result.
In a fifth aspect, the present application further provides an electronic device, including:
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement any of the methods as provided in the first and second aspects of the present application.
In a sixth aspect, an embodiment of the present application further provides a computer-readable storage medium, where instructions, when executed by a processor of an electronic device, enable the electronic device to perform any one of the methods as provided in the first and second aspects of the present application.
In a seventh aspect, an embodiment of the present application provides a computer program product comprising a computer program that, when executed by a processor, implements any of the methods as provided in the first and second aspects of the present application.
The technical scheme provided by the embodiment of the application at least has the following beneficial effects:
in the method provided by the embodiment of the application, intelligence data of different dimensions are taken as points, and the association relationships between points of different dimensions are taken as edges to construct a graph structure model. The constructed graph structure model is stored in a graph database; with the graph database, the entity IDs (identities) of all dimensions can be connected in series to form a network of comprehensive intelligence data. Using this network, the attack mode, cheating tools, gang characteristics and the like of an attacker can be accurately described, so that security data modeling turns the original flat identification hierarchy into a three-dimensional mesh identification hierarchy.
In order to improve the convenience and accuracy of attack tracing, in the graph structure model of the embodiment of the present application, on one hand an edge may have a time attribute, and on the other hand an edge may also have a strength attribute. The time attribute captures the time range limits of each association relationship, e.g., an association is present during time period A and absent during time period B, so the change of an association relationship can be described dynamically over time. Based on the time attribute, a dynamic graph structure that changes with time is obtained.
The strength attribute of an edge describes how strong the association relationship is. The strength of the relationship between different entity points in the graph structure model can therefore be reflected: compared with merely providing the association relationship, its strength is additionally provided, and the accuracy of risk description is improved. In addition, when the association relationships and corresponding strength attributes between a device and multiple accounts are established, the real attack source can be analyzed well.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments of the present application will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram illustrating a relationship between single-layer confrontation and difficulty according to an embodiment of the present disclosure;
fig. 2 is a schematic view of an application scenario of a network security information processing or querying method according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a network security information processing method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of information in different dimensions provided by an embodiment of the present application;
fig. 5 is a schematic view of association relations between devices and different accounts according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a graph structure model according to an embodiment of the present application;
fig. 7 is a flowchart illustrating a method for querying network security information according to an embodiment of the present application;
FIG. 8 is a schematic diagram illustrating a time relationship between query time and an edge according to an embodiment of the present application;
FIG. 9 is a diagram illustrating detailed information of view entity points provided by an embodiment of the present application;
FIG. 10 is a diagram structural model of a normal device according to an embodiment of the present application;
fig. 11 is a diagram structural model diagram of a group control device according to an embodiment of the present disclosure;
FIG. 12 is a diagram illustrating a graph structure model for account-farming identification according to an embodiment of the present application;
fig. 13 is a diagram illustrating a graph structure model for gang red-packet identification according to an embodiment of the present application;
fig. 14 is a schematic diagram illustrating a result of gang red-packet identification according to an embodiment of the present disclosure;
FIG. 15 is a block diagram illustrating an apparatus for processing network security information in accordance with an exemplary embodiment;
FIG. 16 is a block diagram illustrating a querying device for network security information, in accordance with an illustrative embodiment;
fig. 17 is a schematic structural diagram of an electronic device shown in accordance with an example embodiment.
Detailed Description
In order to make the technical solutions of the present application better understood by those of ordinary skill in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
Hereinafter, some terms in the embodiments of the present application are explained to facilitate understanding by those skilled in the art.
(1) In the embodiments of the present application, the term "plurality" means two or more, and other terms are similar thereto.
(2) "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
(3) Server: a server that serves the terminal, for example by providing resources to the terminal and storing terminal data; the server corresponds to the application program installed on the terminal and runs in cooperation with it.
(4) Terminal device: may refer to an APP (Application) of the software class, or to a client. It provides a visual display interface and can interact with the user; it corresponds to the server and provides local services for the client. Except for some applications that run only locally, software applications are generally installed on an ordinary client terminal and need to run in cooperation with a server. Since the development of the internet, common application programs include, for example, short video applications, email clients for receiving and sending email, and instant messaging clients. Such applications require a corresponding server and service program in the network to provide services such as database services and configuration parameter services, so a specific communication connection needs to be established between the client terminal and the server terminal to ensure the normal operation of the application program.
(5) Intelligence data: valuable security-related risk data mined from business data or obtained by monitoring, which in embodiments of the present application may include network device identifiers, user accounts, IP information, domain name information, WIFI (wireless communication technology) information and mobile phone number information. It should be noted that, in the embodiments of the present application, information data related to the user is obtained only after the user has granted authorization.
(6) Specified dimensions: classifying intelligence data relating to network security so that whether there is a threat to network security can be described and analyzed from different dimensions. In the embodiment of the application, the specified dimensions may include a network side, a device layer, an account layer, a user layer, and the like.
(7) Graph structure model: in the embodiment of the application, a graph database is used to represent the association relationships between different specified dimensions so as to conveniently mine the intelligence information of the same target. In the graph structure model, the intelligence data of each specified dimension is a point, represented by a representative entity ID, and if intelligence data of different specified dimensions have an association relationship, that relationship is represented by a corresponding edge. Edges carry attributes that describe the relationship between different points more completely. Thus, based on the graph structure model, risks can be observed and discovered both from a single dimension and from the relationships between different dimensions.
From the perspective of intelligence analysis, layered confrontation and defense of network security become more difficult from bottom to top. Referring to fig. 1, a diagram of the relationship between layered confrontation and defense and difficulty is shown: the difficulty of network security analysis increases from the lowest layer, the document carrier layer, up to the level of locating a natural person.
In the related art it is difficult to analyze the attack source from a single dimension, and analyzing the attack source with multiple dimensions is currently limited in use, because the description of the risk in the related art is not comprehensive enough, so the accuracy of the risk analysis and identification result also needs to be improved. In view of this, embodiments of the present application provide a network security information processing method, a query method, and a related device.
In the method provided by the embodiment of the application, intelligence data of different dimensions are taken as points, and the association relationships between points of different dimensions are taken as edges to construct a graph structure model. The constructed graph structure model is stored in a graph database; with the graph database, the entity IDs of all dimensions can be connected in series to form a network of comprehensive intelligence data. Using this network, the attack mode, cheating tools, gang characteristics and the like of an attacker can be accurately described, so that security data modeling turns the original flat identification hierarchy into a three-dimensional mesh identification hierarchy.
In order to improve the convenience and accuracy of attack tracing, in the graph structure model of the embodiment of the present application, on one hand an edge may have a time attribute, and on the other hand an edge may also have a strength attribute. The time attribute captures the time range limits of each association relationship, e.g., an association is present during time period A and absent during time period B, so the change of an association relationship can be described dynamically over time. Based on the time attribute, a dynamic graph structure that changes with time is obtained.
The strength attribute of an edge describes how strong the association relationship is. The strength of the relationship between different entity points in the graph structure model can therefore be reflected: compared with merely providing the association relationship, its strength is additionally provided, and the accuracy of risk description is improved. In addition, when the association relationships and corresponding strength attributes between a device and multiple accounts are established, the real attack source can be analyzed well.
In addition, in the embodiment of the application, querying of the graph structure model is also optimized: after optimization, a risk analysis user can conveniently view the detailed information of each point, and for densely placed points the displayed point density can be controlled through a zoom operation, so that the user can conveniently check the association relationships. Moreover, the relative positions of the same batch of points and their association relationships are kept stable across multiple operations, so that the points viewed before and after can easily be related to each other.
After introducing the design concept of the embodiment of the present application, some simple descriptions are provided below for application scenarios to which the technical solution of the embodiment of the present application can be applied, and it should be noted that the application scenarios described below are only used for describing the embodiment of the present application and are not limited. In specific implementation, the technical scheme provided by the embodiment of the application can be flexibly applied according to actual needs.
Fig. 2 is a schematic view of an application scenario of the network security information processing method or the query method according to the embodiment of the present application. The application scenario includes a plurality of terminal devices 101 (including terminal device 101-1, terminal device 101-2, … … terminal device 101-n), and further includes server 102. The terminal device 101 and the server 102 are connected via a wireless or wired network, and the terminal device 101 includes but is not limited to a desktop computer, a mobile phone, a mobile computer, a tablet computer, a media player, a smart wearable device, a smart television, and other electronic devices. The server 102 may be a server, a server cluster composed of several servers, or a cloud computing center. The server 102 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a web service, cloud communication, a middleware service, a domain name service, a security service, a CDN (Content Delivery Network), a big data and artificial intelligence platform.
In one aspect, server 102 may provide rich media information to terminal device 101 for presentation. For example, the content browsing user of the terminal device 101 may select a short video that is of interest to the user, and then pull the video data of interest from the server 102 for playing.
With the authorization of the content-browsing user, the terminal device 101 may report its own usage log data to the server. The usage log data may include, for example, intelligence data of a plurality of specified dimensions. The intelligence data of the different dimensions in the log data have association relationships, and based on these association relationships a graph structure model can be constructed and stored in a graph database.
Another terminal device 101 is the terminal device of a risk analysis user, which can request the server 102 to query the intelligence data meeting a query condition, and then present the intelligence data in the form of a graph structure so as to view the association relationships between the intelligence data of different dimensions. For example, the query condition may be set to query the intelligence data of a specified dimension (e.g., the device dimension) for a time period. Thus, the intelligence data can be analyzed according to the time attribute and the strength attribute.
To further illustrate the technical solutions provided by the embodiments of the present application, a detailed description is given below with reference to the accompanying drawings and the specific embodiments. Although the embodiments of the present application provide the method operation steps shown in the following embodiments or figures, the method may include more or fewer operation steps on the basis of conventional or non-inventive labor. For steps that have no necessary logical causal relationship, the order of execution is not limited to that provided by the embodiments of the present application.
The main objective of graph structure modeling of security intelligence is: when the risk of any specified dimension is to be understood, the analysis is not limited to the state and attributes of that dimension alone; instead the dimension is expanded from an individual to a network level, and through the data relationships of the graph structure its risk is understood three-dimensionally from the upper layer, the lower layer and the same layer. Therefore, in the embodiment of the present application, as shown in fig. 3, the processing flow of the network security information may include:
in step 301, intelligence data is obtained for a plurality of specified dimensions relating to network security.
In step 302, a graph structure model is constructed with the intelligence data of each specified dimension as a point and the association relationship between the points of different specified dimensions as an edge.
In the graph structure model, the attribute of the edge of at least one association relationship comprises a time attribute and/or a strength attribute; the time attribute is used for describing the duration of the association relationship, and the strength attribute is used for describing the strength of the association relationship.
In the implementation process, at least one target dimension can be selected from the multiple specified dimensions as a central point, and with each target dimension as the central point, edges between the points of the other specified dimensions and the central point are constructed in the graph structure model. Therefore, when a single dimension is analyzed, not only the information of that dimension can be known, but also, through the graph structure model, the information of the other dimensions related to it, which facilitates risk identification. For example, in the embodiment of the present application, in order to better express the risk of the device dimension, edges between the points of the other specified dimensions and the central point may be constructed in the graph structure model with the device as the central point. Taking the risk of a device as an example, as shown in fig. 4: a device is described by four specified dimensions, namely a network layer, a device layer, an account layer and a user layer, and each specified dimension is expressed by a representative entity ID. Through the graph structure, three-dimensional risk cognition can be performed on one device, which is more helpful for risk identification. In implementation, the network layer may include WIFI information, IP address information, etc. The IP address information may include, for example, the IP geographical location, IP network attributes, IP historical attack records, IP traffic labels, IP impact (corresponding to the number of devices), and other information. The device layer may include the device identifications GID of the respective devices associated with the network layer, and the DID (unique identification of the APP) associated with each GID. The account layer may include the user accounts UID related to the device layer. The user layer may include the user's phone number PHONE.
Thus, constructing the graph structure model with the device as the central point helps to understand and express risks from the device dimension, so as to implement risk mining from the device dimension and corresponding control strategies, such as restricting the device's operations.
In implementation, the device may report log data carrying information of multiple specified dimensions, so as to facilitate mining of association relationships and construction of edge attributes. The time attribute and the strength attribute of the edge are explained below.
1. Time attribute
In constructing the graph structure model, it must be taken into account that each association relationship exists only within a time range. An association relationship that exists in time period A does not necessarily exist in time period B; the security intelligence in the graph database should therefore truly reflect the association relationships of different time periods.
This means that as the queried time interval varies, different graph structure models must be presented, which is referred to herein as a dynamic graph structure.
In a possible implementation, the value of the time attribute includes a start time and an end time. For any two points in the graph structure model that have an association relationship, indication information (such as log data) indicating that the two points have an association relationship may be obtained, where the indication information includes a time point; then the earliest time point in the indication information is taken as the start time and the latest time point as the end time; and each time the indication information is acquired again, the end time is updated with the latest time point in the newly acquired indication information. Thus the start time of the time attribute is obtained from the first discovery of the association between the two points, and the end time is updated every time indication information is received, so that the time period of the association relationship is maintained accurately.
For example, the log data reported by the device is used as the indication information, and its data format can be as shown in table 1:
TABLE 1
IP  | Device ID | Account ID | Mobile phone ID       | Time stamp
IP1 | Device 1  | Account 1  | Mobile phone number 1 | Time point 1
IP2 | Device 2  | Account 2  | Mobile phone number 2 | Time point 2
Based on the data format shown in table 1 above, edges having an association relationship with the device may be extracted with the device ID as the central point, where each edge carries a time stamp. For example:
Device 1 ID, IP1, time point 1 (start time) are extracted from the log data, giving the association relationship between device 1 ID and IP1. If this association relationship is found for the first time, its start time is the time stamp carried in the log data that first reported it, and the time stamp of the log data that most recently reported the association relationship between the device ID and IP1 is the end time.
As another example, device ID, account ID, 1618901993 (start time) are parsed from the log data. The start time of the association between the device ID and the account ID is the time stamp of the log data that first reported it, and the end time is the time stamp of the log data that most recently reported it.
Similarly, the start time and the end time of the association relationship between the device ID and the mobile phone number are parsed from the log data.
However, it should be noted that a single log record does not need to include the intelligence data of all the specified dimensions; as long as it includes intelligence data of at least two specified dimensions, the association relationship between the intelligence data of those dimensions can be found.
In the graph structure model, points are the dimension types together with the specific values of the data of those dimensions, each entity point has a unique ID, and the time attribute of an edge is the start time and end time of the association relationship.
In the graph database, the graph is stored edge-wise. With this data organization and storage mode, the same relationship can be queried over different time intervals at the query level, and the presented graph structure changes dynamically.
2. Strength attribute
Continuing with the device as the central point: when facing black and grey market operations or illegal operation by a real person, the following situation often occurs: in order to support a crackdown by public security or legal affairs, it is necessary to accurately distinguish, from a batch of accounts, which accounts are the user's frequently used accounts and which are used only for illegal operations.
Therefore, so that network security analysis can be performed accurately, the embodiment of the present application introduces a strength attribute for the edges in the graph structure model. In implementation, the edges of a specified category of association relationship (e.g., the relationship between a device and an account) may be given the strength attribute, or all edges may have the strength attribute.
Continuing with the edge of the association relationship between an account and a device as an example: if the account is a frequently used account of the device, the relationship between the account and the device is a strong relationship, and the value of the strength attribute of the edge is high; if the account is used only for illegal operation/live broadcast, the relationship between the account and the device is weaker, and the value of the corresponding strength attribute is lower.
Therefore, based on the analysis of the association relationships between different entity points, for each edge with the strength attribute, the value of the strength attribute of the edge is positively correlated with at least one of the following:
1) The number of times the edge is generated.
The strength of the association relationship between an entity point and other entity points can be determined from the number of times the same edge is generated. For example, if the association relationship between account 1 and device 1 is parsed from the log data and reported n times, the number of times the edge between device 1 and account 1 is generated is n. Thus the strength of the edge changes with the number of times the same edge is generated.
2) The number of operations of the specified operation associated with the edge.
For example, account 1 operates frequently on device 1, while account 2 operates rarely on device 1. The user's operating habits therefore also influence the strength of the relationship: if the number of operations is larger, the use can be regarded as normal and the relationship is stronger; if the number of operations is smaller, the relationship is weaker.
3) The operation duration of the specified operation associated with the edge.
For example, a user may often use his account to browse web pages and watch short videos, but may use a specific account to perform illegal network behaviour; the operation duration of different operation types can therefore also affect the strength attribute.
In order to extract real account numbers of the same device, in the embodiment of the application, for a plurality of account numbers associated with the same device, an edge between each account number and the device has a strong and weak attribute. Thus, the real account number can be mined from the perspective of the equipment.
For example, the log data reported by the device is analyzed and sorted to obtain data in the format shown in table 2:
TABLE 2
Referring to table 2, what the data shows is that device 1 has logged in two accounts, but the relationship between the two accounts and the device differs: account 56757 reports 2 records, while account 5435 reports only 1 record. Therefore, when constructing the strength attribute of the edge:
device ID-account ID: device 1, 56757, 2 (times)
Device ID-account ID: device 1, 5435, 1 (times)
And constructing a graph data model by using the association relation, wherein the times exist as the attributes of the edges.
Then, in the queried time interval, any edge that satisfies the display condition is presented together with its strength attribute. An exemplary query result is shown in fig. 5, which reflects the association relationships between a device ID and three accounts, account A, account B and account C, where the edge of each association relationship has a number of times as the value of its strength attribute.
During the query, the values of the strength attribute can be converted into weight values, so as to better reflect the strength of the association relationship between the same device and the different accounts. For example, a dynamic normalization is performed on the number of times of each edge: the number of times of a given edge is divided by the sum of the numbers of times of all the edges, giving the normalized weight of that edge. Based on fig. 5 the weights are obtained as follows:
device ID-account a: weight 0.3;
device ID-account B: weight 0.4;
device ID-account C: the weight is 0.3.
Therefore, the weight between the same device and different account numbers related to the same device is obtained, and the display can be performed based on the weight during the display.
It should be noted that at storage time the information related to the strength attribute, such as the number of times the edge is generated, the operation duration, etc., may be stored, and then at query time the weight values may be calculated and displayed.
Fig. 6 is a schematic structural diagram of a graph structure model with a time attribute and a strength attribute according to an embodiment of the present application.
The method can intuitively express the relationships between the intelligence data of different dimensions based on the graph structure model, and comprehensively measure the risk of the intelligence data of a specific dimension based on its relationships with the intelligence data of other dimensions. Based on the time attribute, the change over time of the relationship between the intelligence data of the specific dimension and that of other dimensions can be known dynamically. Based on the strength attribute, the strength of that relationship can be known, so as to facilitate risk analysis.
How the graph structure model is queried and presented is explained below.
Query processing of network security information
In the related art, the display of a network security data model is rather limited; for example, only which entities have association relationships can be displayed. In the embodiment of the present application, the association relationships between different entity points can be described better on the basis of the time attribute and the strength attribute, so that a user can understand the relationships and the risk of each specified dimension. Fig. 7 is a schematic flow chart of the method for querying network security information provided in the embodiment of the present application, which includes:
in step 701, based on the query request, obtaining a query result from a graph structure model of the network security information; the graph structure model is constructed by taking the intelligence data of each specified dimension as points and the association relationships between the points of different specified dimensions as edges, and at least one edge in the graph structure model has a time attribute and/or a strength attribute, wherein the time attribute is used for describing the duration of the association relationship, and the strength attribute is used for describing the strength of the association relationship.
For example, if the attribute of the edge includes a time attribute, a time condition may be included in the query request, that is, a query result matching the time condition may be obtained from the graph structure model based on the time condition in the query request.
For ease of understanding, in the embodiment of the present application, matching is defined as: the time range indicated by the time attribute has an intersection with the time period of the time condition. Thus, any data whose time range intersects the queried time period is returned.
Fig. 8 is a schematic diagram of the positional relationship between the query time interval in a query request and the actual time interval defined by the start time and the end time of an edge. When the query time interval is B, C or D, the edge intersects the query time interval and is returned; when the query time interval is A or E, the edge should not be returned. Thus, the graph structures of different time intervals can be viewed flexibly based on the time condition in the query request.
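The edge model described in the two sections above (time attribute maintained from indication information, strength attribute as the edge generation count with dynamic normalization, and the time-condition query of step 701) as an added Python example; it is not code from the patent, and the dimension names, record fields, constructed log records and the closed-interval reading of "intersection" are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A point is (dimension, value), e.g. ("ip", "IP1"); names chosen for this example.
Point = Tuple[str, str]


@dataclass
class Edge:
    a: Point
    b: Point
    start: int      # time attribute: earliest time point the association was seen
    end: int        # time attribute: latest time point the association was seen
    count: int = 0  # strength attribute: number of times this edge was generated


class IntelGraph:
    """Graph stored edge-wise, keyed by the unordered pair of points."""

    def __init__(self) -> None:
        self.edges: Dict[Tuple[Point, Point], Edge] = {}

    @staticmethod
    def _key(a: Point, b: Point) -> Tuple[Point, Point]:
        return (a, b) if a <= b else (b, a)

    def edge(self, a: Point, b: Point) -> Optional[Edge]:
        return self.edges.get(self._key(a, b))

    def observe(self, a: Point, b: Point, ts: int) -> Edge:
        """Apply one piece of indication information (a log record) to edge a-b."""
        key = self._key(a, b)
        e = self.edges.get(key)
        if e is None:
            # First discovery: start and end are both the reported time point.
            e = Edge(key[0], key[1], start=ts, end=ts)
            self.edges[key] = e
        else:
            e.start = min(e.start, ts)  # tolerate out-of-order delivery
            e.end = max(e.end, ts)      # the latest time point updates the end time
        e.count += 1
        return e

    def ingest(self, record: dict, center: str = "device") -> None:
        """Build edges from the central-point dimension to every other dimension
        carried by the record; a record need not carry all dimensions."""
        if center not in record:
            return
        c = (center, record[center])
        for dim, val in record.items():
            if dim not in ("ts", center):
                self.observe(c, (dim, val), record["ts"])

    def neighbours(self, p: Point, dim: Optional[str] = None) -> List[Edge]:
        """Edges of p, optionally restricted to the other endpoint's dimension."""
        out = []
        for e in self.edges.values():
            if p in (e.a, e.b):
                other = e.b if e.a == p else e.a
                if dim is None or other[0] == dim:
                    out.append(e)
        return out

    def weights(self, p: Point, dim: str) -> Dict[str, float]:
        """Dynamic normalization: each edge's count over the sum of the counts of
        all edges from p to points of dimension dim (the weights of fig. 5)."""
        es = self.neighbours(p, dim)
        total = sum(e.count for e in es)
        return {(e.b if e.a == p else e.a)[1]: e.count / total for e in es} if total else {}

    def query(self, q_start: int, q_end: int) -> List[Edge]:
        """Time condition of step 701: edges whose [start, end] intersects the
        query interval [q_start, q_end]; both treated as closed (assumption)."""
        return [e for e in self.edges.values()
                if e.start <= q_end and e.end >= q_start]


# Constructed log records in the table 1 layout; a dimension missing from a
# record simply produces no edge for that dimension.
LOGS = [
    {"ip": "IP1", "device": "Device 1", "account": "Account A", "phone": "Phone 1", "ts": 100},
    {"ip": "IP1", "device": "Device 1", "account": "Account A", "ts": 150},
    {"device": "Device 1", "account": "Account B", "ts": 160},
    {"device": "Device 1", "account": "Account B", "ts": 170},
    {"device": "Device 1", "account": "Account B", "ts": 180},
    {"device": "Device 1", "account": "Account B", "ts": 190},
    {"ip": "IP2", "device": "Device 1", "account": "Account A", "ts": 200},
    {"device": "Device 1", "account": "Account C", "ts": 210},
    {"device": "Device 1", "account": "Account C", "ts": 220},
    {"device": "Device 1", "account": "Account C", "ts": 300},
]


def build_example() -> IntelGraph:
    """Ingest the constructed records; Device 1 ends up with account counts 3, 4, 3."""
    g = IntelGraph()
    for rec in LOGS:
        g.ingest(rec)
    return g
```

Querying `build_example().query(160, 195)` returns only the Device 1 edges to Account A and Account B, since the IP1 edge ended at 150 and the Account C edge starts at 210.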
In step 702, the query results are presented.
In implementation, in order to facilitate understanding of the strength degree of the association relationship, different strength attributes are displayed by adopting differential display effects.
In some embodiments, in order to intuitively reflect the graph structure, in the embodiments of the present application, the association relationship is displayed by using a line, and the value of the strong and weak attribute is displayed by using the thickness of the line, where the stronger the association relationship, the larger the thickness of the line.
Fig. 9 is a schematic diagram of an association relationship between the device 1 and the account 2. Since the relationship between the device 1 and the account 1 is stronger, the edge between the device 1 and the account 1 is thicker than the edge between the device 1 and the account 2.
Of course, the strength of the association relationship can also be represented by different colors during display. For example, the strength of the association relationship is divided into different levels, and each level is displayed in a different color. Thus, when the relationships between one entity point and other entity points (i.e., the edges sharing that entity point) are viewed, the relative strength of the relationships with the different entity points can be grasped intuitively.
Of course, the strength relationship can also be expressed by the length of the edge during presentation, for example, the longer the edge, the weaker the relationship, and the shorter the edge, the stronger the relationship. The display effect used to express different strength relationships can therefore be set according to actual requirements during implementation, and all such display effects are applicable to the embodiment of the present application.
In some embodiments, in order to facilitate the user's understanding of the detailed information of different points, the display result of the query result in the embodiment of the present application includes display identifiers of multiple points, and after the query result is displayed, in step 703, in response to a selection operation on any display identifier, the description information of the point corresponding to the selected display identifier may be displayed in a pop-up window. The description information may be, for example, the detailed information of the entity point and of its surrounding edges. As shown in fig. 8, when the user selects the entity point of device 1, the detailed information of device 1 is displayed in the pop-up window, and when the user closes the pop-up window, the previous page is returned to.
In the embodiment of the present application, in order to avoid redrawing the query result, which would change the positions of the entity points every time the user selects one and make it hard for the user to know which nodes have been viewed, the display position of each point in the query result is obtained and stored; then, in step 704, after the pop-up window is closed, the edges between the points in the query result and the points having an association relationship with them are displayed according to the stored display positions. In this way the display positions of the points remain relatively fixed, so that the user can easily know which entity points have been viewed and select other surrounding entity points.
In other embodiments, the size of the display page is limited, and in order to facilitate understanding of different entity points according to user requirements, in the embodiments of the present application, the display page of the query result may be scaled correspondingly in response to the scaling operation on the query result.
For example, the user may scroll the mouse wheel to perform the zoom operation, or may perform it with a multi-finger gesture; both are applicable to the embodiment of the present application. With zooming in, the display density of the points on the display page is reduced, so that the relationship between different points and the corresponding data can be viewed clearly. With zooming out, the whole association relationship can be grasped and analyzed and viewed macroscopically.
The following takes some cyber security risk analyses as examples, and further explains the method for processing and querying cyber security information provided by the embodiment of the present application.
Example 1 identification of group control devices
The group control equipment and the normal equipment are obviously different from each other in the representation of the graph structure model. For example, fig. 10 is a schematic diagram of a diagram structure model of a normal device. As can be seen in fig. 10, generally, one device may have an association relationship with multiple IPs, and one device is often associated with a small number of user accounts and a small number of mobile phone numbers. For example, generally, one device associates only one or two user accounts and one or two mobile phone numbers, and because of the mobility of the device, login access is performed in network segments with different IP addresses, so that multiple IPs are associated.
A graph structure model of a typical group control device is shown in fig. 11. The center of fig. 11 is an IP, and fig. 11 shows that one IP is associated with a very large number of devices and DIDs.
Accordingly, based on the characteristics of the group control device, the group control device can be identified based on the graph structure.
Example 2 Nursery number identification
Fig. 12 is a diagram of a graph structure model for one device with many accounts. In fig. 12, the central point is a device to which a very large number of accounts are associated. This is an abnormal situation, and based on this characteristic expression it can be recognized which device is performing the number maintenance operation.
Example 3 attack group identification and tracing
Taking the identification of a red packet grabbing group as an example, as shown in fig. 13, the central point is a device, and the device is associated with an IP and a plurality of accounts (i.e., nursery numbers). The device's red packet grabbing behavior in a live broadcast room, and the change over time of the red packet amount it obtains, are shown in fig. 14. In fig. 14, the abscissa represents the time of red packet grabbing, and the ordinate represents the red packet amount, which may be the amount of money grabbed or the number of red packets grabbed. Therefore, in implementation, for a red packet grabbing scenario, a batch of suspicious accounts can be screened out through preliminary analysis (for example, a plurality of accounts with a large red packet grabbing amount), and then, based on the graph structure model of the present application, these accounts can be found to meet the characteristics shown in fig. 13, that is, the accounts are on the same device, or are distributed over a small number of devices each carrying multiple accounts, and the multiple accounts are concentrated on one or a small number of IPs. The batch of accounts is then further shown to be a batch of accounts for malicious grabbing. The change over time of the red packet amount grabbed by the batch of accounts is further analyzed as shown in fig. 14, and if a peak as shown in fig. 14 is found, the batch of accounts is further confirmed as a red packet group. It can also be determined in which time periods the batch of accounts exhibits malicious red packet grabbing behavior (e.g., the time periods circled in fig. 14).
In order to find which accounts in fig. 13 are real accounts of the device, in the case that the same device has multiple accounts, the determination may be made based on the strength of the association relationship between the same device and different accounts. Therefore, based on the strong and weak attributes of the association relationship, which account of the device is the real account of the malicious group can be accurately identified.
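The three analyses above (examples 1 to 3) reduce to fan-out counts per dimension and a strongest-edge comparison over the device-centred graph; the following added Python example, not the patent's own code, encodes them over a small constructed edge list, with thresholds that are illustrative assumptions rather than values from the patent.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed edges of a device-centred graph: (dim_a, value_a, dim_b, value_b, count),
# where count is the edge's strength attribute (number of times it was generated).
EDGES: List[Tuple[str, str, str, str, int]] = [
    # A normal device (fig. 10): several IPs, one account, one phone number.
    ("device", "Device 1", "ip", "IP1", 6),
    ("device", "Device 1", "ip", "IP2", 3),
    ("device", "Device 1", "ip", "IP3", 1),
    ("device", "Device 1", "account", "Account A", 10),
    ("device", "Device 1", "phone", "Phone 1", 10),
    # One IP fronting many devices (fig. 11).
    ("ip", "IP9", "device", "Device 5", 1),
    ("ip", "IP9", "device", "Device 6", 1),
    ("ip", "IP9", "device", "Device 7", 1),
    ("ip", "IP9", "device", "Device 8", 1),
    # One device with many weakly tied accounts and one strongly tied one (figs. 12, 13).
    ("device", "Device 9", "ip", "IP9", 5),
    ("device", "Device 9", "account", "Account X1", 1),
    ("device", "Device 9", "account", "Account X2", 1),
    ("device", "Device 9", "account", "Account X3", 1),
    ("device", "Device 9", "account", "Account X4", 1),
    ("device", "Device 9", "account", "Account Real", 20),
]


def fan_out(edges, from_dim: str, to_dim: str) -> Dict[str, Set[str]]:
    """Each point of from_dim mapped to the to_dim points it is associated with,
    regardless of which endpoint the edge was stored from."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for da, va, db, vb, _ in edges:
        if da == from_dim and db == to_dim:
            out[va].add(vb)
        elif da == to_dim and db == from_dim:
            out[vb].add(va)
    return dict(out)


def group_control_ips(edges, min_devices: int = 4) -> List[str]:
    """Example 1: IPs associated with an unusually large number of devices.
    min_devices is an illustrative threshold chosen for this constructed data."""
    return sorted(ip for ip, devs in fan_out(edges, "ip", "device").items()
                  if len(devs) >= min_devices)


def nursery_devices(edges, min_accounts: int = 4) -> List[str]:
    """Example 2: devices associated with an unusually large number of accounts."""
    return sorted(dev for dev, accs in fan_out(edges, "device", "account").items()
                  if len(accs) >= min_accounts)


def primary_account(edges, device: str) -> Optional[str]:
    """Example 3: among a device's accounts, the one whose edge is strongest
    (highest count), i.e. the candidate real account of the device."""
    best: Optional[Tuple[str, int]] = None
    for da, va, db, vb, n in edges:
        if da == "device" and va == device and db == "account":
            if best is None or n > best[1]:
                best = (vb, n)
    return best[0] if best else None
```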
Based on the same inventive concept, as shown in fig. 15, the present application provides a network security information processing apparatus 1500, the apparatus comprising:
a data acquisition module 1501 configured to perform acquisition of intelligence data of a plurality of specified dimensions relating to network security;
a graph construction module 1502 configured to execute construction of a graph structure model in which the intelligence data of each specified dimension is a point and the association relationship between the points of different specified dimensions is an edge;
in the graph structure model, the attribute of the edge of at least one association relationship comprises a time attribute and/or a strength attribute; the time attribute is used for describing the duration of the association relationship, and the strength attribute is used for describing the strength of the association relationship.
Optionally, for each edge with the strong and weak attributes, the value of the strong and weak attributes of the edge is positively correlated with at least one of the following information:
the number of times the edge is generated;
the operation times of the specified operation associated with the edge;
an operation duration of the specified operation associated with the edge.
Optionally, the specified dimension includes a device and an account, and for multiple accounts associated with the same device, an edge between each account and the device at least has the strength attribute.
Optionally, the values of the time attribute include a start time and an end time, and for any two points in the graph structure model having an association relationship, the graph building module is configured to determine the time attribute of the edge between the two points according to the following method:
acquiring indication information for indicating that the two points have an association relationship, wherein the indication information comprises time points;
taking the earliest time point in the indication information as the starting time and taking the latest time point as the ending time;
and if the indication information is acquired again, updating the ending time by adopting the latest time point in the indication information.
Optionally, in the graph structure model, the target dimension in the multiple specified dimensions is used as a central point, and edges between points of other specified dimensions and the central point are constructed.
Based on the same inventive concept, as shown in fig. 16, the present application further provides an apparatus 1600 for querying network security information, the apparatus includes:
a query module 1601 configured to execute obtaining a query result from a graph structure model of the network security information based on the query request; the graph structure model is constructed by taking the intelligence data of each specified dimension as points and the association relationships between the points of different specified dimensions as edges, and at least one edge in the graph structure model has a time attribute and/or a strength attribute, wherein the time attribute is used for describing the duration of the association relationship, and the strength attribute is used for describing the strength of the association relationship;
a presentation module 1602 configured to perform presentation of the query result.
Optionally, if the edge attribute includes the time attribute, the query module is specifically configured to perform: and acquiring a query result matched with the time condition from the graph structure model based on the time condition in the query request.
Optionally, the matching with the time condition includes: the time range indicated by the time attribute has an intersection with the time period of the time condition.
Optionally, different strong and weak attributes are displayed by adopting a differentiated display effect.
Optionally, the display result of the query result includes display identifiers of a plurality of points, and the display module is further configured to perform:
and in response to the selection operation of any display identifier, displaying the description information of the point corresponding to the selected display identifier in the popup window.
Optionally, the apparatus further comprises:
the storage module is configured to acquire and store the display position of each point in the query result;
after the display module responds to the selection operation of any display identifier and displays the description information of the point corresponding to the selected display identifier in the pop-up window, the display module is further configured to execute:
closing the pop-up window in response to a closing operation on the pop-up window; and
displaying the edges between the points in the query result and the points having an association relationship with them, according to the stored display positions of the points.
Optionally, the presentation module is further configured to perform:
and responding to the zooming operation of the query result, and correspondingly zooming the display page of the query result.
Having described the methods and apparatus of the exemplary embodiments of the present application, an electronic device in accordance with another exemplary embodiment of the present application is described next.
As will be appreciated by one skilled in the art, aspects of the present application may be embodied as a system, method or program product. Accordingly, various aspects of the present application may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module" or "system."
In some possible implementations, an electronic device according to the present application may include at least one processor, and at least one memory. The memory stores program code, and when the program code is executed by the processor, the program code causes the processor to execute the processing and/or querying method for network security information according to various exemplary embodiments of the present application described above in this specification. For example, the processor may perform steps in a method such as processing and/or querying network security information.
The electronic device 170 according to this embodiment of the present application is described below with reference to fig. 17. The electronic device 170 shown in fig. 17 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 17, the electronic device 170 is represented in the form of a general electronic device. The components of the electronic device 170 may include, but are not limited to: the at least one processor 171, the at least one memory 172, and a bus 173 that connects the various system components (including the memory 172 and the processor 171).
Bus 173 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, or a local bus using any of a variety of bus architectures.
The memory 172 may include readable media in the form of volatile memory, such as Random Access Memory (RAM) 1721 and/or cache memory 1722, and may further include Read Only Memory (ROM) 1723.
Memory 172 may also include a program/utility 1725 having a set (at least one) of program modules 1724, such program modules 1724 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
The electronic device 170 may also communicate with one or more external devices 174 (e.g., keyboard, pointing device, etc.), with one or more devices that enable a user to interact with the electronic device 170, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 170 to communicate with one or more other electronic devices. Such communication may occur via an input/output (I/O) interface 175. Also, the electronic device 170 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via the network adapter 176. As shown, the network adapter 176 communicates with other modules for the electronic device 170 over the bus 173. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 170, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
In an exemplary embodiment, there is also provided a computer readable storage medium comprising instructions, such as the memory 172 comprising instructions, which are executable by the processor 171 of the apparatus 700 or the processor 171 of the apparatus 800 to perform the above multimedia information editing method. Alternatively, the storage medium may be a non-transitory computer readable storage medium, which may be, for example, a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
In an exemplary embodiment, there is also provided a computer program product comprising a computer program which, when executed by the processor 171, implements any of the methods of processing and/or querying of network security information as provided herein.
In an exemplary embodiment, various aspects of a network security information processing and/or querying method provided by the present application may also be implemented in the form of a program product, which includes program code for causing a computer device to perform the steps in the network security information processing and/or querying method according to various exemplary embodiments of the present application described above in this specification when the program product is run on the computer device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The program product for the network security information processing and/or querying method of the embodiments of the present application may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on an electronic device. However, the program product of the present application is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the consumer electronic device, partly on the consumer electronic device, as a stand-alone software package, partly on the consumer electronic device and partly on a remote electronic device, or entirely on the remote electronic device or server. In the case of remote electronic devices, the remote electronic devices may be connected to the consumer electronic device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external electronic device (e.g., through the internet using an internet service provider).
It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such division is merely exemplary and not mandatory. Indeed, the features and functions of two or more units described above may be embodied in one unit, according to embodiments of the application. Conversely, the features and functions of one unit described above may be further divided into embodiments by a plurality of units.
Further, while the operations of the methods of the present application are depicted in the drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable image scaling apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable image scaling apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable image scaling apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A method for processing network security information, the method comprising:
obtaining intelligence data of a plurality of specified dimensions relating to network security;
constructing a graph structure model with the intelligence data of each specified dimension as points and the association relationships between points of different specified dimensions as edges;
wherein, in the graph structure model, the attribute of the edge of at least one association relationship comprises a time attribute and/or a strength attribute; the time attribute describes the duration of the association relationship, and the strength attribute describes the strength of the association relationship.
2. The method according to claim 1, wherein for each edge having the strength attribute, the value of the strength attribute of the edge is positively correlated with at least one of the following:
the number of times the edge is generated;
the number of operations of the specified operation associated with the edge;
the operation duration of the specified operation associated with the edge.
3. The method according to claim 1 or 2, wherein the specified dimensions comprise device and account, and for a plurality of accounts associated with the same device, the edge between each account and the device has at least the strength attribute.
4. The method according to claim 1, wherein the value of the time attribute comprises a start time and an end time, and for any two points in the graph structure model having an association relationship, the time attribute of the edge between the two points is determined as follows:
acquiring indication information indicating that the two points have an association relationship, the indication information comprising time points;
taking the earliest time point in the indication information as the start time and the latest time point as the end time;
if indication information for the two points is acquired again, updating the end time with the latest time point in the newly acquired indication information.
5. A method for querying network security information, characterized in that the method comprises:
acquiring a query result from a graph structure model of the network security information based on the query request; the graph structure model is constructed by taking the intelligence data of each specified dimension as points and the association relationships between points of different specified dimensions as edges, and at least one edge in the graph structure model has a time attribute and/or a strength attribute, wherein the time attribute describes the duration of the association relationship and the strength attribute describes the strength of the association relationship;
displaying the query result.
6. An apparatus for processing network security information, the apparatus comprising:
a data acquisition module configured to acquire intelligence data of a plurality of specified dimensions relating to network security;
a graph construction module configured to construct a graph structure model taking the intelligence data of each specified dimension as points and the association relationships between points of different specified dimensions as edges;
wherein, in the graph structure model, the attribute of the edge of at least one association relationship comprises a time attribute and/or a strength attribute; the time attribute describes the duration of the association relationship, and the strength attribute describes the strength of the association relationship.
7. An apparatus for querying network security information, the apparatus comprising:
a query module configured to acquire a query result from the graph structure model of the network security information based on the query request; the graph structure model is constructed by taking the intelligence data of each specified dimension as points and the association relationships between points of different specified dimensions as edges, and at least one edge in the graph structure model has a time attribute and/or a strength attribute, wherein the time attribute describes the duration of the association relationship and the strength attribute describes the strength of the association relationship;
a presentation module configured to present the query result.
8. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the method of any one of claims 1-5.
9. A computer-readable storage medium, wherein instructions in the computer-readable storage medium, when executed by a processor of an electronic device, enable the electronic device to perform the method of any of claims 1-5.
10. A computer program product comprising a computer program, characterized in that the computer program realizes the method of any of claims 1-5 when executed by a processor.
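The following is an added example, not code from the patent or its applicant, showing in Python how the graph model of claims 1 to 5 and the query apparatus described above fit together: edges carry a time attribute built per claim 4 (earliest time point as start, latest as end, end extended on re-acquisition), a strength attribute that grows with generation count and operation count per claim 2, and a query that matches a time condition by interval intersection. The point values, the equal weighting of the two strength inputs, and the `T`, `IntelGraph` and `build_sample_graph` names are assumptions of this example.

```python
"""Graph of security intelligence with time and strength edge attributes."""
from dataclasses import dataclass
from datetime import datetime


def T(s: str) -> datetime:
    """Parse an ISO-8601 timestamp (helper for the constructed sample)."""
    return datetime.fromisoformat(s)


@dataclass
class Edge:
    """Association between two points (dimension, value) of different dimensions."""
    a: tuple
    b: tuple
    start: datetime = None   # time attribute: earliest indication time point
    end: datetime = None     # time attribute: latest indication time point
    generated: int = 0       # how many times the association was observed
    operations: int = 0      # count of the specified operation (e.g. logins)

    @property
    def strength(self) -> int:
        # Strength attribute grows with generation count and operation count
        # (claim 2); weighting both equally is an assumption of this example.
        return self.generated + self.operations


class IntelGraph:
    def __init__(self):
        self.points = set()
        self.edges = {}      # frozenset({a, b}) -> Edge

    def add_indication(self, a, b, times, operations=0):
        """Record indication information that points a and b are associated.

        Claim 4: earliest time point becomes the start, latest the end; when
        indication information for the same pair is acquired again, only the
        end time is moved to the newest time point.
        """
        if a[0] == b[0]:
            raise ValueError("edges join points of different dimensions only")
        self.points.update((a, b))
        e = self.edges.setdefault(frozenset((a, b)), Edge(a, b))
        if e.start is None:
            e.start = min(times)
        e.end = max(times) if e.end is None else max(e.end, max(times))
        e.generated += 1
        e.operations += operations
        return e

    def query(self, t_from, t_to):
        """Time condition match: the edge's [start, end] intersects [t_from, t_to]."""
        return [e for e in self.edges.values()
                if e.start <= t_to and e.end >= t_from]

    def accounts_by_strength(self, device):
        """Claim 3: accounts tied to one device, strongest association first."""
        acc = []
        for e in self.edges.values():
            other = e.b if e.a == device else e.a if e.b == device else None
            if other is not None and other[0] == "account":
                acc.append((e.strength, other[1]))
        return [name for _, name in sorted(acc, reverse=True)]


# Constructed sample points (values are illustrative, not from the patent).
DEV = ("device", "dev-A")
ACCT1 = ("account", "acct-1")
ACCT2 = ("account", "acct-2")
IP = ("ip", "203.0.113.5")


def build_sample_graph() -> IntelGraph:
    g = IntelGraph()
    # acct-1 used dev-A on two days with 8 logins in total: strong, long-lived
    g.add_indication(DEV, ACCT1, [T("2021-05-01T08:00"), T("2021-05-01T09:30")], 5)
    g.add_indication(DEV, ACCT1, [T("2021-05-07T18:00")], 3)
    # acct-2 seen once on dev-A: weak association
    g.add_indication(DEV, ACCT2, [T("2021-05-03T12:00")], 1)
    # dev-A tied to one IP in early May only
    g.add_indication(DEV, IP, [T("2021-05-02T10:00"), T("2021-05-04T10:00")])
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for e in g.query(T("2021-05-05T00:00"), T("2021-05-08T00:00")):
        print(e.a[1], "--", e.b[1], e.start, e.end, "strength", e.strength)
```

Querying the window 2021-05-05 to 2021-05-08 returns only the dev-A/acct-1 edge, because its end time was extended by the second indication, while the other two edges ended before the window began.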
CN202110494618.8A 2021-05-07 2021-05-07 Network security information processing method, query method and related device Pending CN113722576A (en)
Publications (1)

Publication Number Publication Date
CN113722576A true CN113722576A (en) 2021-11-30

Family

ID=78672690
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination