CN114117160A - Threat analysis map generation and application method and device based on threat information - Google Patents


Info

Publication number
CN114117160A
Authority
CN
China
Prior art keywords
data
threat
graph
analysis
threat intelligence
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111335619.4A
Other languages
Chinese (zh)
Inventor
白敏�
万文杰
黄朝文
李佳馨
汪列军
李敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qianxin Technology Group Co Ltd, Secworld Information Technology Beijing Co Ltd
Priority to CN202111335619.4A
Publication of CN114117160A
Legal status: Pending

Classifications

    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor (G: Physics; G06: Computing, calculating or counting; G06F: Electric digital data processing)
    • G06F16/9024 Graphs; Linked lists (under G06F16/901 Indexing; Data structures therefor; Storage structures)
    • G06F16/182 Distributed file systems (under G06F16/18 File system types)
    • G06F16/9035 Filtering based on additional data, e.g. user or group profiles (under G06F16/903 Querying)
    • G06F16/9038 Presentation of query results (under G06F16/903 Querying)
    • G06F16/904 Browsing; Visualisation therefor

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Software Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application provides a threat analysis map generation and application method and device based on threat intelligence, and relates to the field of data security. The method comprises the following steps: acquiring a plurality of data types of the data to be analyzed; obtaining a plurality of data relationships among the plurality of data types, the data relationships comprising association relationships among threat intelligence; determining a plurality of data association directions in one-to-one correspondence with the plurality of data relationships; and defining the plurality of data types as graph vertices, defining the plurality of data relationships as graph edges, and constructing a threat analysis map based on threat intelligence according to the plurality of data association directions. Implementing this embodiment thus generates a threat intelligence-based threat analysis graph that can be put into use directly. Meanwhile, because the threat analysis graph generated by the method is suited to the user's network environment, the method can more easily acquire threat intelligence suitable for that environment.

Description

Threat analysis map generation and application method and device based on threat information
Technical Field
The application relates to the field of data security, in particular to a threat analysis map generation and application method and device based on threat intelligence.
Background
At present, threat intelligence is generally obtained by extraction from massive log data. Specifically, a professional threat intelligence analysis team is usually required to analyze the massive log data, and the analyzed result is then fed back to the user. In practice, however, this threat intelligence analysis method consumes considerable labor and resources, and the analyzed result is sometimes not suited to the user's network environment. Therefore, how to easily obtain threat intelligence suitable for the user's network environment is a problem that urgently needs to be solved.
Disclosure of Invention
The application aims to provide a threat analysis map generation and application method and device based on threat intelligence, which can generate a threat analysis map based on threat intelligence that can be put into use directly. Meanwhile, because the threat analysis graph generated by the method is suited to the user's network environment, the method can more easily acquire threat intelligence suitable for that environment.
The first aspect of the embodiments of the present application provides a threat analysis map generation method based on threat intelligence, where the method includes:
acquiring a plurality of data types of data to be analyzed;
obtaining a plurality of data relationships among the plurality of data types; the data relationships comprise association relationships between threat intelligence;
determining a plurality of data association orientations in one-to-one correspondence with the plurality of data relationships;
defining the data types as graph vertices, defining the data relationships as graph edges, and constructing a threat analysis graph based on threat intelligence according to the data association directions.
In the implementation process, the method can determine a data association undirected graph according to the data types of the data and the association relationships between the data types, then construct a threat analysis map on that basis by combining the data association direction of each data relationship, and apply the threat analysis map to a threat intelligence scenario. All data types and association relationships are provided based on threat intelligence in a specified network environment, so the threat analysis graph constructed by the method is highly specialized and targeted. Therefore, by implementing this implementation mode, a threat map suited to the user's network environment can be put directly into the threat intelligence analysis process, so the method can more easily and conveniently acquire threat intelligence suitable for the user's network environment.
Further, the step of obtaining a plurality of data relationships between the plurality of data types comprises:
acquiring a plurality of data relation sets in one-to-one correspondence with the plurality of data types; the data relation set comprises a data autocorrelation relation subset and a data cross-correlation relation subset;
carrying out duplicate removal on the data relations in the data cross-correlation relation subsets to obtain duplicate removal results;
and combining the duplicate removal result and the data autocorrelation relation subset to obtain a plurality of data relations among the plurality of data types.
Further, the step of constructing a threat analysis graph based on threat intelligence according to the plurality of data association directions comprises:
extracting the starting vertex and the ending vertex pointed to by each data association direction; the starting vertex and the ending vertex are both graph vertices;
determining the particular graph edge between the starting vertex and the ending vertex;
and generating a pointing arrow at the ending-vertex end of the particular graph edge to obtain a threat analysis graph based on threat intelligence.
A second aspect of the embodiments of the present application provides an application method based on a threat analysis graph, where the method includes:
acquiring the data to be analyzed;
substituting the data to be analyzed into the threat analysis map to perform data construction, so as to obtain json data;
and pushing the json data to a distributed file system, and performing data processing on the json data through the distributed file system to obtain a graph database.
Further, the step of obtaining the data to be analyzed includes:
acquiring substrate data;
extracting the base data type and the base data information of each datum in the base data;
calculating according to the base data type and the base data information to obtain a data id;
and eliminating data with the same data id from the base data to obtain data to be analyzed.
Further, the method further comprises:
receiving query content input by a user;
searching query data matched with the query content in the graph database;
carrying out threat analysis on the query data to obtain a threat information analysis result;
and visually outputting the threat intelligence analysis result.
Further, the step of performing threat analysis on the query data to obtain a threat intelligence analysis result includes:
obtaining the out-degree data and the in-degree data of the query data in the graph database;
extracting root node data and malicious node data from the query data, the out-degree data and the in-degree data;
and qualitatively analyzing the root node data and the malicious node data to obtain a threat intelligence analysis result.
Further, the step of performing data processing on the json data through the distributed file system to obtain a graph database includes:
in the distributed file system, the json data is written into a Nebula graph database using Spark.
A third aspect of the embodiments of the present application provides a threat analysis map generation apparatus based on threat intelligence, where the threat analysis map generation apparatus based on threat intelligence includes:
an acquisition unit configured to acquire a plurality of data types of data to be analyzed;
the obtaining unit is further configured to obtain a plurality of data relationships among the plurality of data types; the data relationships comprise association relationships between threat intelligence;
a determining unit, configured to determine a plurality of data association orientations that are in one-to-one correspondence with the plurality of data relationships;
and the construction unit is used for defining the data types as graph vertexes, defining the data relationships as graph edges and constructing the threat analysis graph based on threat intelligence according to the data association directions.
In the implementation process, the device can generate a highly specialized and targeted threat analysis map that can be put directly into the threat intelligence analysis process. Therefore, by implementing this embodiment, the device can more easily and conveniently acquire threat intelligence suitable for the user's network environment.
A fourth aspect of the embodiments of the present application provides a threat analysis graph application apparatus based on threat intelligence, where the threat analysis graph application apparatus includes each unit in a threat analysis graph generation apparatus, and the threat analysis graph application apparatus further includes:
the acquisition unit is also used for acquiring data to be analyzed;
the construction unit is further configured to substitute the data to be analyzed into the threat analysis graph to perform data construction, so as to obtain json data;
and the processing unit is used for pushing the json data to a distributed file system and carrying out data processing on the json data through the distributed file system to obtain a graph database.
Further, the threat analysis graph application apparatus based on threat intelligence further includes:
the receiving unit is used for receiving query contents input by a user;
the query unit is used for searching query data matched with the query content in the graph database;
the analysis unit is used for carrying out threat analysis on the query data to obtain a threat information analysis result;
and the output unit is used for visually outputting the threat information analysis result.
A fifth aspect of the embodiments of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to make the electronic device execute the threat intelligence-based threat analysis graph generation method described in any one of the first aspect of the embodiments of the present application.
A sixth aspect of the embodiments of the present application provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are read and executed by a processor, the method for generating a threat analysis graph based on threat intelligence according to any one of the first aspect of the embodiments of the present application is performed.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of a threat analysis graph generation method based on threat intelligence according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of another threat analysis graph application method based on threat intelligence according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a threat analysis map generation apparatus based on threat intelligence according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of another threat analysis map generation apparatus based on threat intelligence according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a threat graph relationship modeling model provided in an embodiment of the present application;
fig. 6 is a visual layer display effect diagram provided in the embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to fig. 1, fig. 1 is a schematic flow chart of a threat analysis graph generation method based on threat intelligence according to an embodiment of the present application. The threat analysis map generation method based on threat intelligence comprises the following steps:
S101, acquiring a plurality of data types of the data to be analyzed.
In this embodiment, the data to be analyzed includes a plurality of data, wherein the data may have threat intelligence.
In this embodiment, the data types based on the modeling model of fig. 5 include: V(ip), V(domain), V(url), V(report), V(hash), V(email), V(psha1), V(registrant_organization), V(registrant_name).
As an alternative embodiment, the step of obtaining a plurality of data types of the data to be analyzed includes:
extracting all code information in the data to be analyzed;
and identifying each code information, and removing the duplication of the identification result to obtain a plurality of data types.
In this embodiment, the data to be analyzed has a data name and data content in the form of a code. Where the data name is typically a data type, such as XX: YYY, where XX is the data type.
In this embodiment, the method may first obtain all data names, remove the data names that are obviously not data types, and then deduplicate the remaining names to obtain a plurality of data types. Alternatively, the method can identify the data types stored in the code information of the data to be analyzed against the data types in a preset data type library, so as to acquire the exact data types, and then deduplicate them to obtain a plurality of distinct data types.
S102, acquiring a plurality of data relationships among a plurality of data types; the data relationships include associations between threat intelligence.
In this embodiment, when a piece of data (a sample) initiates a network connection, it may connect to an IP, a domain name or a URL, and this type of relationship is connect; the relationships between data items are release (file release), download (file download) and alias (the relationship between the MD5, SHA256 and SHA1 of the same sample); meanwhile, a certain IP, domain name or URL may also be used to distribute malicious files, and this relationship is delivery.
In this embodiment, the relationship is the relationship described in this application.
In this embodiment, the association relationships based on the modeling model of fig. 5 include: E(contain), E(resolve), E(cname), E(subdomain), E(register), E(payload), E(connect), E(delivery), E(release), E(download), E(receiver), E(sender) and E(bind).
As an optional implementation, the step of obtaining a plurality of data relationships between a plurality of data types includes:
acquiring a plurality of data relation sets corresponding to a plurality of data types one by one; the data relation set comprises a data autocorrelation relation subset and a data cross-correlation relation subset;
carrying out duplicate removal on the data relations in the data cross-correlation relation subsets to obtain duplicate removal results;
and combining the deduplication result and the data autocorrelation relation subset to obtain a plurality of data relations among the plurality of data types.
S103, determining a plurality of data association directions which are in one-to-one correspondence with the plurality of data relations.
In this embodiment, the plurality of data association directions are as follows:
V(url)->E(delivery)->V(hash)
V(ip)->E(delivery)->V(hash)
V(ip)->E(sender)->V(email)
V(ip)->E(payload)->V(psha1)
V(ip)->E(bind)->V(certificates)
V(email)->E(register)->V(domain)
V(email)->E(sender)->V(hash)
V(hash)->E(connect)->V(url)
V(hash)->E(connect)->V(ip)
V(hash)->E(connect)->V(domain)
V(hash)->E(receiver)->V(email)
V(hash)->E(release)->V(hash)
V(hash)->E(download)->V(hash)
V(hash)->E(alias)->V(hash)
V(domain)->E(contain)->V(url)
V(domain)->E(delivery)->V(hash)
V(domain)->E(cname)->V(domain)
V(domain)->E(subdomain)->V(domain)
V(domain)->E(resolve)->V(ip)
V(domain)->E(payload)->V(psha1)
V(report)->E(contain)->V(hash)
V(report)->E(contain)->V(ip)
V(report)->E(contain)->V(certificates)
V(report)->E(contain)->V(url)
V(report)->E(contain)->V(domain)
V(report)->E(contain)->V(email)
V(registrant_organization)->E(register)->V(domain)
V(registrant_name)->E(register)->V(domain)
S104, defining the plurality of data types as graph vertices, defining the plurality of data relationships as graph edges, and constructing a threat analysis graph based on threat intelligence according to the plurality of data association directions.
In this embodiment, the data association directions may be defined using link objects. The two ends of an arrow correspond to the two attributes source and target, which store the ID values of the source node and the target node respectively; the type of the edge is defined by the label attribute, and the vertices and edges are defined at the same time. In this way, the relationships between nodes and edges needed to express the threat analysis graph can be constructed.
As an alternative embodiment, the step of constructing a threat analysis graph based on threat intelligence according to the plurality of data association directions comprises:
extracting the starting vertex and the ending vertex pointed to by each data association direction; the starting vertex and the ending vertex are both graph vertices;
determining the particular graph edge between the starting vertex and the ending vertex;
and generating a pointing arrow at the ending-vertex end of the particular graph edge to obtain a threat analysis graph based on threat intelligence.
Referring to fig. 5, fig. 5 shows a schematic diagram of a threat graph relationship modeling model.
For example, we define a node object in which each vertex has a corresponding attribute value, for example www.baidu.com as the value of a domain-type vertex. The label attribute is defined as the type of the vertex, such as domain; the name attribute is www.baidu.com; ID uniqueness is defined to ensure that IDs are not repeated, and the ID calculation rule uses md5(name + label). Here label defines the type content of the vertex.
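The vertex types of S101, the directed associations of S103 and the node/link objects with the md5(name + label) ID rule of S104, as an added Python example that is not the patent's own code: the vertex and edge names come from the page, while the object layout, the JSON structure and the sample entities (documentation domain, RFC 5737 address, placeholder hash) are assumptions constructed here.

```python
import hashlib
import json

# Vertex types of the Fig. 5 modeling model (S101). "certificates" appears only in
# the S103 arrow list; included so that every listed association can be expressed.
VERTEX_TYPES = {
    "ip", "domain", "url", "report", "hash", "email", "psha1", "certificates",
    "registrant_organization", "registrant_name",
}

# (start vertex type, edge type, end vertex type) from S103; the arrow points at the end vertex.
ALLOWED_ASSOCIATIONS = {
    ("url", "delivery", "hash"), ("ip", "delivery", "hash"), ("ip", "sender", "email"),
    ("ip", "payload", "psha1"), ("ip", "bind", "certificates"),
    ("email", "register", "domain"), ("email", "sender", "hash"),
    ("hash", "connect", "url"), ("hash", "connect", "ip"), ("hash", "connect", "domain"),
    ("hash", "receiver", "email"), ("hash", "release", "hash"), ("hash", "download", "hash"),
    ("hash", "alias", "hash"),
    ("domain", "contain", "url"), ("domain", "delivery", "hash"), ("domain", "cname", "domain"),
    ("domain", "subdomain", "domain"), ("domain", "resolve", "ip"), ("domain", "payload", "psha1"),
    ("report", "contain", "hash"), ("report", "contain", "ip"), ("report", "contain", "certificates"),
    ("report", "contain", "url"), ("report", "contain", "domain"), ("report", "contain", "email"),
    ("registrant_organization", "register", "domain"), ("registrant_name", "register", "domain"),
}


def node_id(name, label):
    """ID rule of S104: md5(name + label). MD5 serves as an identifier here, not as a security control."""
    return hashlib.md5((name + label).encode("utf-8")).hexdigest()


def association_allowed(src_label, edge_label, dst_label):
    """True when the directed association is one of the S103 arrows."""
    return (src_label, edge_label, dst_label) in ALLOWED_ASSOCIATIONS


class ThreatGraph:
    """Node objects carry label/name/id; link objects carry source/target/label (layout assumed)."""

    def __init__(self):
        self.nodes = {}   # id -> node object
        self.links = {}   # (source id, label, target id) -> link object

    def add_node(self, name, label):
        if label not in VERTEX_TYPES:
            raise ValueError("unknown vertex type %r" % label)
        nid = node_id(name, label)
        # Same name + label gives the same id, so re-adding an entity is a no-op (ID uniqueness).
        return self.nodes.setdefault(nid, {"id": nid, "label": label, "name": name})

    def add_link(self, src, edge_label, dst):
        if not association_allowed(src["label"], edge_label, dst["label"]):
            raise ValueError("%s -%s-> %s is not in the model" % (src["label"], edge_label, dst["label"]))
        key = (src["id"], edge_label, dst["id"])
        return self.links.setdefault(key, {"source": src["id"], "target": dst["id"], "label": edge_label})

    def to_json(self):
        """The json data of S206 that is pushed to the distributed file system (layout assumed)."""
        return json.dumps({"nodes": list(self.nodes.values()), "links": list(self.links.values())}, sort_keys=True)


def build_sample_graph():
    """Constructed sample: a domain resolving to an IP that delivers a sample which connects back to a URL."""
    g = ThreatGraph()
    domain = g.add_node("c2.example", "domain")
    ip = g.add_node("203.0.113.5", "ip")
    sample = g.add_node("0" * 32, "hash")   # placeholder hash value, constructed
    url = g.add_node("http://c2.example/update", "url")
    g.add_link(domain, "resolve", ip)
    g.add_link(ip, "delivery", sample)
    g.add_link(sample, "connect", url)
    g.add_link(domain, "contain", url)
    g.add_link(domain, "contain", url)   # duplicate edge collapses onto the existing link
    return g


if __name__ == "__main__":
    print(build_sample_graph().to_json())
```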
By implementing the implementation mode, the map analysis and discovery capability of a specific object entity can be improved, so that the APT detection capability and efficiency are improved, and a multi-dimensional combined analysis method is realized.
In the embodiment of the present application, the execution subject of the method may be a computing device such as a computer and a server, and is not limited in this embodiment.
In this embodiment, an execution subject of the method may also be an intelligent device such as a smart phone and a tablet computer, which is not limited in this embodiment.
It can be seen that, by implementing the threat analysis map generation method based on threat intelligence described in this embodiment, a data association undirected graph can be determined according to the data type of the data and the association relationship between the data types, and then a threat analysis map is constructed by combining the data association direction of each data relationship on the basis, and the threat analysis map is put into practical application. All data types and incidence relations are provided based on threat intelligence in a specified network environment, so that the threat analysis graph constructed by the method has strong professionality and pertinence. Therefore, the implementation of the embodiment can directly put the threat map into the analysis process of threat intelligence. Meanwhile, because the threat analysis map is suitable for the user network environment, the method can more easily and conveniently acquire threat intelligence suitable for the user network environment.
Example 2
Please refer to fig. 2, fig. 2 is a flowchart illustrating a threat analysis graph application method based on threat intelligence according to an embodiment of the present application. As shown in fig. 2, the threat analysis graph application method based on threat intelligence includes:
S201, acquiring a plurality of data types of the data to be analyzed.
S202, acquiring a plurality of data relationships among a plurality of data types; the data relationships include associations between threat intelligence.
S203, determining a plurality of data association directions which are in one-to-one correspondence with the plurality of data relations.
S204, defining a plurality of data types as graph vertexes, defining a plurality of data relations as graph edges, and constructing a threat analysis graph based on threat intelligence according to a plurality of data association directions.
S205, acquiring the data to be analyzed.
As an alternative embodiment, the step of obtaining the data to be analyzed includes:
acquiring substrate data;
extracting the base data type and the base data information of each datum in the base data;
calculating according to the type of the base data and the base data information to obtain data id;
and eliminating data with the same data id from the base data to obtain the data to be analyzed.
In this embodiment, the base data is extracted from a base data source.
In this embodiment, the base data has at least the following eight types:
(1) data of sample identification result class
The data of the sandbox mainly generates an incidence relation related to a sample (hash) which is a label type, and mainly relates to the following edge types: connect, download, release, delivery, sender, receiver, payload.
(2) Context association data of the threat situation report class
The data in the defect detection library generates association data for IP, DOMAIN and URL, mainly involving the edge types: association relationships such as URL contained in IP, URL contained in DOMAIN, and the like.
(3) Report artificial intelligence semantic analysis data
Articles are obtained by a distributed crawler, semantic analysis is performed using artificial intelligence, and the entity information contained in a report, such as sample HASH, IP, DOMAIN, URL, Email and certificate, is extracted; this mainly involves the edge type contain (inclusion).
An NLP algorithm model is applied; functions including classification, clustering, entity extraction and keyword extraction are built and implemented, and the NLP algorithm model is used to process the analysis and extraction of data from articles, blogs, Twitter and the like related to the security field.
(4) IP and domain mapping context data
The IP and Domain data produced above are enriched with context; the main edge types include resolve and CNAME, and the results are written into the graph database.
(5) Data based on whois data source
The DOMAIN produced above is used to query whois information, establish the association relationship register (registration) with Email, registrant_name and registrant_organization, and update the association relationship information in real time.
(6) Data in data source based on sub-domain name query
The generated DOMAIN is used to query sub-domain names, and the subdomain association relationship is established.
(7) URL-based relational data sources
The URL information corresponding to the generated DOMAIN data is queried to establish the contain (containing) relationship.
(8) Other ontological data
This comprises vulnerability CVE information, APT organization information and the like, and establishes relationships such as contain.
S206, substituting the data to be analyzed into the threat analysis map to perform data construction, so as to obtain json data.
In this embodiment, the threat intelligence entity relationship model based on the knowledge graph can be obtained by bringing the data to be analyzed into the threat analysis graph. On the basis, data construction is carried out on the model to obtain json data.
By implementing the implementation mode, the information such as assets, threats, vulnerabilities, flow, logs and the like can be uniformly described based on massive multi-type big data, so that a data gap is broken, a model of a security entity, an entity relation and related attributes is established, and the analysis of abnormal behaviors is further realized by applying a knowledge reasoning method.
S207, pushing the json data to a distributed file system, and performing data processing on the json data through the distributed file system to obtain a graph database.
In this embodiment, the method pushes the data to the big data platform HDFS (Hadoop distributed file system), performs data processing with Spark, and then writes the result into a Nebula database.
In this embodiment, the method may utilize a nebula database to store and provide well-correlated data.
As an optional implementation manner, the step of performing data processing on json data by using a distributed file system to obtain a graph database includes:
in the distributed file system, the json data is written into a Nebula graph database using Spark.
S208, receiving the query content input by the user.
In this embodiment, the method may add a graph database interface query and define the type of the query: IP, DOMAIN, URL, Report, etc. For query input whose type is unclear, the node type is passed as other; search fields are defined for advanced search; a condition list is passed and combined entirely with AND semantics; category is defined as the edge type to query; a start time and an end time are defined to filter out invalid data; and quantity limiting and screening are performed after deduplication.
S209, searching query data matched with the query content in the graph database.
In this embodiment, for queries that count the number of each edge type, a complete edge type list is defined according to the entity relationship model, the required edge types are deduplicated in advance according to the type of the queried node, and the final join for the information query is performed through multitask concurrency to return the query data and its context information.
In this embodiment, the method may obtain data from the database by classifying the obtained count statistics, and after sending the queries, combine all the results and return them.
S210, carrying out threat analysis on the query data to obtain a threat intelligence analysis result.
In this embodiment, the threat analysis includes association analysis and qualitative analysis.
In this embodiment, the association analysis requires that all the out-degrees and in-degrees associated vertices and edges of the query node be returned. Qualitative analysis requires the return of corresponding malicious nodes and root nodes.
In this embodiment, the method may perform analysis and qualification by combining known APT-family-associated IOCs, provide different IOC information for the association of multiple IOC query analyses by combining a multidimensional data association manner, obtain the possible out-degree and in-degree data contents of a clue, and then perform accurate intelligence research and positioning.
As an optional implementation, the step of performing threat analysis on the query data to obtain a threat intelligence analysis result includes:
obtaining the out-degree data and the in-degree data of query data in a graph database;
extracting root node data and malicious node data from the query data, the out-degree data and the in-degree data;
and carrying out qualitative analysis on the root node data and the malicious node data to obtain a threat intelligence analysis result.
By implementing this embodiment, threat intelligence and its context clues can be searched in the graph data, so that different types of intelligence can be searched accurately, the workload of intelligence analysis is reduced, and the accuracy of tracing can be greatly improved.
In this embodiment, the extraction rules for the malicious node data may include:
firstly, extracting data related to a specific target or a specific system;
secondly, extracting data whose transmission paths vary;
thirdly, extracting data with strong persistence;
and fourthly, extracting data with high concealment.
In this embodiment, when qualitatively analyzing the root node data and the malicious node data to obtain the threat intelligence analysis result, the method can accurately judge and locate the malicious node data. Specific approaches may include a malicious node identification method based on edge computing, a dynamic malicious node detection method based on likelihood multivariate classification, a malicious node detection method based on characteristic node analysis, and the like.
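The query and analysis steps S208 to S210 above, as an added Python example that is not code from the patent or its assignees: a small in-memory stand-in for the graph database with typed vertices (IP, DOMAIN, URL, Report) and categorized, time-stamped edges. The vertex and edge class names, the `malicious` flag stored on a vertex, the "other" node type used for an unclear query type, and the sample data are all assumptions constructed for illustration. It shows the AND-combined category and time-window filters, deduplication before the quantity limit, the per-edge-type count, the out-degree/in-degree association, and the extraction of root nodes (vertices with no incoming edge inside the clue's one-hop subgraph) and malicious nodes.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vertex:
    vid: str                  # "TYPE:value", e.g. "IP:192.0.2.10" (assumed id scheme)
    vtype: str                # IP, DOMAIN, URL or Report
    malicious: bool = False   # qualitative label carried by the vertex (assumption)


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    category: str             # edge type; this is what the "category" filter matches
    ts: int                   # event time, unix seconds


class ThreatGraph:
    """Minimal in-memory stand-in for the graph database used by S208-S210."""

    def __init__(self):
        self.vertices = {}
        self.out_edges = defaultdict(list)
        self.in_edges = defaultdict(list)

    def add_vertex(self, v):
        self.vertices[v.vid] = v

    def add_edge(self, e):
        # An edge that references an unknown vertex is invalid data and is dropped.
        if e.src in self.vertices and e.dst in self.vertices:
            self.out_edges[e.src].append(e)
            self.in_edges[e.dst].append(e)

    def _edge_ok(self, e, categories, start, end):
        # AND semantics: every supplied condition must hold for the edge.
        return (not categories or e.category in categories) and start <= e.ts <= end

    def query(self, value, vtype="other", limit=50):
        """S208/S209: vertices whose value matches; 'other' searches every type.
        Results are deduplicated first and only then limited in quantity."""
        seen, hits = set(), []
        for v in self.vertices.values():
            if v.vid.split(":", 1)[1] == value and (vtype == "other" or v.vtype == vtype):
                if v.vid not in seen:
                    seen.add(v.vid)
                    hits.append(v.vid)
        return hits[:limit]

    def association(self, vid, categories=None, start=0, end=2**62):
        """Association analysis: all out-degree and in-degree edges of the node."""
        out = [e for e in self.out_edges[vid] if self._edge_ok(e, categories, start, end)]
        inc = [e for e in self.in_edges[vid] if self._edge_ok(e, categories, start, end)]
        return {"out": out, "in": inc}

    def count_by_category(self, vid, categories=None, start=0, end=2**62):
        """Edge-type count query: each edge counted once under its category."""
        assoc = self.association(vid, categories, start, end)
        counts = defaultdict(int)
        for e in set(assoc["out"] + assoc["in"]):
            counts[e.category] += 1
        return dict(counts)

    def qualitative(self, vid, categories=None, start=0, end=2**62):
        """Qualitative analysis over the clue's one-hop subgraph: root nodes are
        vertices with no incoming edge inside that subgraph; malicious nodes
        are those carrying the malicious label."""
        assoc = self.association(vid, categories, start, end)
        edges = assoc["out"] + assoc["in"]
        nodes = {vid} | {e.src for e in edges} | {e.dst for e in edges}
        has_in = {e.dst for e in edges}
        roots = sorted(n for n in nodes if n not in has_in)
        malicious = sorted(n for n in nodes if self.vertices[n].malicious)
        return {"root_nodes": roots, "malicious_nodes": malicious}


def build_sample_graph():
    """Constructed sample data (documentation/reserved addresses only)."""
    g = ThreatGraph()
    for v in [Vertex("IP:192.0.2.10", "IP", malicious=True),
              Vertex("IP:198.51.100.7", "IP"),
              Vertex("DOMAIN:example.net", "DOMAIN"),
              Vertex("URL:http://example.net/path", "URL"),
              Vertex("Report:RPT-001", "Report")]:
        g.add_vertex(v)
    for e in [Edge("DOMAIN:example.net", "IP:192.0.2.10", "resolves_to", 1_700_000_000),
              Edge("DOMAIN:example.net", "IP:198.51.100.7", "resolves_to", 1_600_000_000),
              Edge("URL:http://example.net/path", "DOMAIN:example.net", "belongs_to", 1_700_000_100),
              Edge("Report:RPT-001", "IP:192.0.2.10", "mentions", 1_700_000_200),
              Edge("Report:RPT-001", "DOMAIN:example.net", "mentions", 1_700_000_200),
              Edge("Report:RPT-001", "IP:203.0.113.9", "mentions", 1_700_000_300)]:  # unknown dst
        g.add_edge(e)
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    vid = g.query("example.net", "other")[0]
    print(g.count_by_category(vid))
    print(g.qualitative(vid, start=1_650_000_000))
```

Running the block prints the per-category edge counts for the domain and then the root and malicious nodes with the stale resolution excluded. The start time is what keeps the historical, benign address out of the qualitative result; that is the practical reason the query interface defines a start and end time rather than returning every edge ever recorded.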
In this embodiment, the threat analysis graph treats a search as a search over entities rather than a simple string search. The threat analysis map can be used to construct a knowledge-level query system, so as to improve both the relevance and the query efficiency of intelligence query results.
S211, visually outputting the threat intelligence analysis result.
In this embodiment, the method may display one-hop and multi-hop path expansions of the vertex data and support detailed association analysis of a selected node. Processed clues can be saved to a canvas and shared with other analysts, which improves the accuracy of tracking, localization and analysis. A 2- to 4-hop hierarchical association view is then constructed and displayed so that context association information is output quickly. Finally, by expanding content along relations other than connecting lines, classified and clustered content is shown in an advanced view by attribute.
Referring to fig. 6, fig. 6 shows a display effect diagram of the visualization layer, in which threat intelligence and normal intelligence are displayed in different modes so that the relevant staff can recognize the threat intelligence.
It can be seen that, by implementing the threat analysis graph application method based on threat intelligence described in this embodiment, the threat graph suitable for the user network environment can be directly put into the threat intelligence analysis process, so that the method can more easily and conveniently acquire the threat intelligence suitable for the user network environment.
Example 3
Please refer to fig. 3, fig. 3 is a schematic structural diagram of a threat analysis map generation apparatus based on threat intelligence according to an embodiment of the present application. As shown in fig. 3, the threat analytics map generating apparatus based on threat intelligence includes:
an obtaining unit 310, configured to obtain a plurality of data types of data to be analyzed;
the obtaining unit 310 is further configured to obtain a plurality of data relationships between the plurality of data types; the data relationships include association relationships among threat intelligence;
a determining unit 320, configured to determine a plurality of data association directions that are in one-to-one correspondence with the plurality of data relationships;
the constructing unit 330 is configured to define a plurality of data types as graph vertices, a plurality of data relationships as graph edges, and construct a threat analysis graph based on threat intelligence according to a plurality of data association directions.
As an optional implementation manner, the obtaining unit 310 is specifically configured to obtain a plurality of data relationship sets in one-to-one correspondence with the plurality of data types; each data relationship set comprises a data autocorrelation relationship subset and a data cross-correlation relationship subset;
deduplicate the data relationships in the data cross-correlation relationship subsets to obtain a deduplication result;
and combine the deduplication result with the data autocorrelation relationship subsets to obtain the plurality of data relationships among the plurality of data types.
As an alternative embodiment, the constructing unit 330 is specifically configured to define a plurality of data types as graph vertices and a plurality of data relationships as graph edges;
extracting the starting vertex and the terminating vertex pointed to by each data association direction; the starting vertex and the terminating vertex are both graph vertices;
determining the specific graph edge between the starting vertex and the terminating vertex;
and generating a pointing arrow at the terminating-vertex end of the specific graph edge to obtain the threat analysis graph based on threat intelligence.
In the embodiment of the present application, for the explanation of the threat analysis map generation apparatus based on threat intelligence, reference may be made to the description in embodiment 1 or embodiment 2, and details are not repeated in this embodiment.
It can be seen that, by implementing the threat analysis map generation apparatus based on threat intelligence described in this embodiment, a highly specialized and targeted threat analysis map can be generated and put directly into the threat intelligence analysis process. Therefore, by implementing this embodiment, the apparatus can more easily and conveniently acquire threat intelligence suited to the user's network environment.
Example 4
Referring to fig. 4, fig. 4 is a schematic structural diagram of a threat analysis graph application apparatus based on threat intelligence according to an embodiment of the present application. The apparatus shown in fig. 4 is an optimization of the threat analysis map generation apparatus based on threat intelligence shown in fig. 3. As shown in fig. 4, the obtaining unit 310 is further configured to obtain data to be analyzed;
the constructing unit 330 is further configured to substitute the data to be analyzed into the threat analysis graph for data construction, so as to obtain json data;
the processing unit 340 is configured to push the json data to the distributed file system, and perform data processing on the json data by using the distributed file system to obtain a graph database.
As an optional implementation manner, the processing unit 340 is specifically configured to push the json data to a distributed file system and to write the json data into a Nebula graph database in the distributed file system using Spark.
As an optional implementation, the obtaining unit 310 includes:
a first subunit 311, configured to acquire base data;
a second subunit 312, configured to extract a base data type and base data information of each data in the base data;
the third subunit 313 is configured to perform calculation according to the type of the base data and the base data information to obtain a data id;
and the fourth subunit 314 is configured to eliminate data with the same data id from the base data, so as to obtain data to be analyzed.
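The data id computation and duplicate elimination of subunits 311 to 314, as an added Python example that is not the patent's own code: the data id is taken as a SHA-256 over the normalized base data type and value (an assumed scheme; the patent does not fix the hash or the normalization), and the deduplicated records are emitted as JSON lines, a layout that is convenient to push to a distributed file system and load with Spark. The records, field names and indicator values are constructed for illustration.

```python
import hashlib
import json


def normalize(dtype, info):
    """Canonicalize the base data type and value before hashing, so that
    spelling variants of the same indicator collapse onto one data id."""
    dtype = dtype.strip().upper()
    info = info.strip()
    if dtype in ("DOMAIN", "IP"):
        info = info.lower().rstrip(".")   # case-fold, drop a trailing dot on FQDNs
    return dtype, info


def data_id(dtype, info):
    """Data id = SHA-256 over the normalized type and value (assumed scheme)."""
    dtype, info = normalize(dtype, info)
    return hashlib.sha256(f"{dtype}\x00{info}".encode("utf-8")).hexdigest()


def dedupe(base_data):
    """Subunits 313/314: compute each record's data id and keep the first
    record per id; later records carrying the same id are eliminated."""
    seen, kept = set(), []
    for rec in base_data:
        did = data_id(rec["type"], rec["value"])
        if did in seen:
            continue
        seen.add(did)
        dtype, info = normalize(rec["type"], rec["value"])
        out = dict(rec)
        out.update({"id": did, "type": dtype, "value": info})
        kept.append(out)
    return kept


def to_json_lines(records):
    """One JSON object per line: the form pushed to the distributed file
    system for Spark to load into the graph database."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


# Constructed sample base data (documentation addresses only).
SAMPLE_BASE_DATA = [
    {"type": "domain", "value": "Example.NET."},
    {"type": "DOMAIN", "value": "example.net", "source": "feed-a"},
    {"type": "IP", "value": "192.0.2.10"},
    {"type": "ip", "value": " 192.0.2.10 "},
    {"type": "URL", "value": "http://example.net/path"},
]

if __name__ == "__main__":
    print(to_json_lines(dedupe(SAMPLE_BASE_DATA)))
```

The normalization step is where most of the practical value lies: without it, "Example.NET." and "example.net" would hash to different ids and both survive, and the graph would carry two vertices for one domain, which inflates degrees and splits the context a later query is supposed to return.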
As an optional implementation, the threat analysis graph generating apparatus further includes:
a receiving unit 350, configured to receive query content input by a user;
a query unit 360, configured to search the graph database for query data matching the query content;
an analysis unit 370, configured to perform threat analysis on the query data to obtain a threat intelligence analysis result;
and an output unit 380, configured to visually output the threat intelligence analysis result.
As an alternative embodiment, the analysis unit 370 includes:
a fifth subunit 371, configured to obtain the out-degree data and the in-degree data of the query data in the graph database;
a sixth subunit 372, configured to extract root node data and malicious node data from the query data, the out-degree data, and the in-degree data;
and a seventh subunit 373, configured to perform qualitative analysis on the root node data and the malicious node data to obtain a threat intelligence analysis result.
In the embodiment of the present application, for the explanation of the threat analysis map application apparatus based on threat intelligence, reference may be made to the description in embodiment 1 or embodiment 2, and details are not repeated in this embodiment.
It can be seen that, by implementing the threat analysis map application apparatus based on threat intelligence described in this embodiment, a highly specialized and targeted threat analysis map can be put directly into the threat intelligence analysis process. Therefore, by implementing this embodiment, the apparatus can more easily and conveniently acquire threat intelligence suited to the user's network environment.
An embodiment of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to make the electronic device execute the threat analysis graph generation method based on threat intelligence in any one of embodiment 1 or embodiment 2 of the present application.
The embodiment of the present application provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are read and executed by a processor, the method for generating a threat analysis graph based on threat intelligence according to any one of embodiment 1 or embodiment 2 of the present application is executed.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (12)

1. A threat analysis graph generation method based on threat intelligence is characterized by comprising the following steps:
acquiring a plurality of data types of data to be analyzed;
obtaining a plurality of data relationships among the plurality of data types; the data relationship comprises an incidence relationship between the threat intelligence;
determining a plurality of data association orientations in one-to-one correspondence with the plurality of data relationships;
defining the data types as graph vertices, defining the data relationships as graph edges, and constructing a threat analysis graph based on threat intelligence according to the data association directions.
2. The threat intelligence-based threat analytics graph generating method of claim 1, wherein the step of obtaining a plurality of data relationships between the plurality of data types comprises:
acquiring a plurality of data relation sets in one-to-one correspondence with the plurality of data types; the data relation set comprises a data autocorrelation relation subset and a data cross-correlation relation subset;
carrying out duplicate removal on the data relations in the data cross-correlation relation subsets to obtain duplicate removal results;
and combining the duplicate removal result and the data autocorrelation relation subset to obtain a plurality of data relations among the plurality of data types.
3. The method of claim 1, wherein the step of constructing the threat analysis graph based on threat intelligence according to the plurality of data association directions comprises:
extracting the starting vertex and the terminating vertex pointed to by each data association direction; the starting vertex and the terminating vertex are both graph vertices;
determining a specific graph edge between the starting vertex and the terminating vertex;
and generating a pointing arrow at the termination vertex end of the specific graph edge to obtain a threat analysis graph based on threat intelligence.
4. An application method based on a threat analysis graph, the method comprising:
acquiring the data to be analyzed;
substituting the data to be analyzed into the threat analysis map to construct data to obtain json data;
and pushing the json data to a distributed file system, and performing data processing on the json data through the distributed file system to obtain a graph database.
5. The method of claim 4, wherein the step of obtaining data to be analyzed comprises:
acquiring base data;
extracting the base data type and the base data information of each datum in the base data;
calculating according to the base data type and the base data information to obtain a data id;
and eliminating data with the same data id from the base data to obtain data to be analyzed.
6. The application method based on a threat analysis graph according to claim 4, the method further comprising:
receiving query content input by a user;
searching query data matched with the query content in the graph database;
carrying out threat analysis on the query data to obtain a threat intelligence analysis result;
and visually outputting the threat intelligence analysis result.
7. The method of claim 6, wherein the step of performing threat analysis on the query data to obtain a threat intelligence analysis result comprises:
obtaining the out-degree data and the in-degree data of the query data in the graph database;
extracting root node data and malicious node data from the query data, the out-degree data and the in-degree data;
and qualitatively analyzing the root node data and the malicious node data to obtain a threat intelligence analysis result.
8. The application method based on a threat analysis graph according to claim 4, wherein the step of performing data processing on the json data through the distributed file system to obtain a graph database comprises:
in the distributed file system, data of the json data are recorded in a nebula database by using spark.
9. A threat analytics map generating apparatus based on threat intelligence, the threat analytics map generating apparatus comprising:
an acquisition unit configured to acquire a plurality of data types of data to be analyzed;
the obtaining unit is further configured to obtain a plurality of data relationships among the plurality of data types; the data relationship comprises an incidence relationship between the threat intelligence;
a determining unit, configured to determine a plurality of data association orientations that are in one-to-one correspondence with the plurality of data relationships;
and the construction unit is used for defining the data types as graph vertexes, defining the data relationships as graph edges and constructing the threat analysis graph based on threat intelligence according to the data association directions.
10. A threat analytics map application apparatus based on threat intelligence, the threat analytics map application apparatus based on threat intelligence comprising:
the acquisition unit is also used for acquiring data to be analyzed;
the construction unit is further configured to substitute the data to be analyzed into the threat analysis graph to perform data construction, so as to obtain json data;
and the processing unit is used for pushing the json data to a distributed file system and carrying out data processing on the json data through the distributed file system to obtain a graph database.
11. An electronic device, characterized in that the electronic device comprises a memory for storing a computer program and a processor for executing the computer program to cause the electronic device to perform the method of any of claims 1 to 8.
12. A readable storage medium having stored thereon computer program instructions which, when read and executed by a processor, perform the method of any one of claims 1 to 8.
CN202111335619.4A 2021-11-11 2021-11-11 Threat analysis map generation and application method and device based on threat information Pending CN114117160A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111335619.4A CN114117160A (en) 2021-11-11 2021-11-11 Threat analysis map generation and application method and device based on threat information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111335619.4A CN114117160A (en) 2021-11-11 2021-11-11 Threat analysis map generation and application method and device based on threat information

Publications (1)

Publication Number Publication Date
CN114117160A true CN114117160A (en) 2022-03-01

Family

ID=80378710

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111335619.4A Pending CN114117160A (en) 2021-11-11 2021-11-11 Threat analysis map generation and application method and device based on threat information

Country Status (1)

Country Link
CN (1) CN114117160A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210152574A1 (en) * 2016-06-03 2021-05-20 Mcafee, Llc Determining computing system incidents using node graphs
US11552967B2 (en) * 2016-06-03 2023-01-10 Mcafee, Llc Determining computing system incidents using node graphs
US11533324B2 (en) 2017-12-08 2022-12-20 Mcafee, Llc Learning maliciousness in cybersecurity graphs
CN115935722A (en) * 2023-03-09 2023-04-07 北京集度科技有限公司 Process failure mode and impact analysis method, equipment and computer program product
CN116389083A (en) * 2023-03-15 2023-07-04 中国华能集团有限公司北京招标分公司 Threat information using method
CN116506235A (en) * 2023-06-29 2023-07-28 北京优特捷信息技术有限公司 Threat information processing method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN114117160A (en) Threat analysis map generation and application method and device based on threat information
US6119124A (en) Method for clustering closely resembling data objects
US8661004B2 (en) Representing incomplete and uncertain information in graph data
KR20120018226A (en) Media identification system with fingerprint database balanced according to search loads
CN107330079B (en) Method and device for presenting rumor splitting information based on artificial intelligence
US20150222565A1 (en) Cache control for web application resources
CN108353083A (en) The system and method for algorithm (DGA) Malware is generated for detecting domains
Moia et al. Similarity digest search: A survey and comparative analysis of strategies to perform known file filtering using approximate matching
Debattista et al. Quality assessment of linked datasets using probabilistic approximation
CN110008462A (en) A kind of command sequence detection method and command sequence processing method
US9910873B2 (en) Efficient sorting of large data set with duplicate values
CN106933880B (en) Label data leakage channel detection method and device
CN107463578B (en) Application download amount statistical data deduplication method and device and terminal equipment
US20200401569A1 (en) System and method for data reconciliation
CN110895587A (en) Method and device for determining target user
CN110188537B (en) Data separation storage method and device, storage medium and electronic device
Joshi et al. Intelligent clustering scheme for log data streams
CN107992538B (en) Message log generation method and device, query method and information processing system
CN116032576A (en) Uncertainty attack-based resource map construction method and system
US20150347402A1 (en) System and method for enabling a client system to generate file system operations on a file system data set using a virtual namespace
Junjing et al. Research on forensics of social network relationship based on big data
Moia et al. A comparative analysis about similarity search strategies for digital forensics investigations
SalahEldeen et al. Reading the correct history? Modeling temporal intention in resource sharing
CN114915485A (en) Abnormal behavior analysis method and device based on UEBA
Risch et al. Measuring and facilitating data repeatability in web science

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100032 NO.332, 3rd floor, Building 102, 28 xinjiekouwai street, Xicheng District, Beijing

Applicant after: QAX Technology Group Inc.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: 100032 NO.332, 3rd floor, Building 102, 28 xinjiekouwai street, Xicheng District, Beijing

Applicant before: QAX Technology Group Inc.

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.
