CN114189361A - Situation awareness method, device and system for defending threats - Google Patents

Situation awareness method, device and system for defending threats Download PDF

Info

Publication number
CN114189361A
Authority
CN
China
Prior art keywords
threat
information
item
defense
target
Prior art date
Legal status
Granted
Application number
CN202111375012.9A
Other languages
Chinese (zh)
Other versions
CN114189361B (en)
Inventor
杨腾霄
崔政强
严涛
Current Assignee
Shanghai Niudun Technology Co ltd
Original Assignee
Shanghai Niudun Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Niudun Technology Co ltd
Priority to CN202111375012.9A
Publication of CN114189361A
Application granted
Publication of CN114189361B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a situation awareness method, device and system for defending against threats, in the technical field of network security. The method comprises the following steps: collecting alarm information in a network environment and retrieving the log information related to that alarm information; sorting the log information and performing threat intelligence analysis on it to obtain threat intelligence information, which comprises threat item information and abnormal item information for the network environment; acquiring a target threat item and/or a target abnormal item, setting a tracking mark on it, and tracking the associated threats and/or associated abnormalities that the target threat item and/or target abnormal item causes in the network environment; and performing joint defense on the target threat item and/or target abnormal item together with its associated threat and/or associated abnormality information. By analyzing threat intelligence, the invention obtains the threat items and abnormal items in the network environment and defends jointly against the selected target items and the threats and abnormalities associated with them.

Description

Situation awareness method, device and system for defending threats
Technical Field
The invention relates to the technical field of network security, and in particular to a situation awareness method, device and system for defending against threats.
Background
In the prior art, a situation awareness system integrates several data and information systems, such as antivirus software, firewalls, network management systems, intrusion detection systems and security audit systems, to evaluate the current state of the network environment and predict how it will change.
To guarantee network security and the ability to sense potential network threats, threat intelligence analysis is performed on the existing alarm information, the log information of the network nodes and the security log information of the network security devices, so as to obtain information about the threat items and abnormal items in the network environment; defense is then carried out according to the defense scheme held in the threat intelligence database of the situation awareness system, so that network security is defended precisely and the network keeps running stably. In practice, however, in a complex network environment a threat has to be analyzed from several angles, and several defense methods have to be used to defend against the threat items and abnormal items in the network environment.
Therefore, a situation awareness method, device and system for defending against threats are needed that obtain the threat items and abnormal items in the network environment by analyzing threat intelligence, and perform joint defense on the target threat items and/or target abnormal items among them together with their associated threat and/or associated abnormality information, so as to keep the network secure and running stably. This is the technical problem that urgently needs to be solved.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a situation awareness method, device and system for defending against threats, which can: collect alarm information in a network environment and retrieve the log information related to the alarm information, the log information comprising system log information and log information of the network nodes; sort the log information and perform threat intelligence analysis on it to obtain threat intelligence information, which comprises threat item information and abnormal item information for the network environment; acquire a target threat item and/or a target abnormal item, set a tracking mark on it, and track the associated threats and/or associated abnormalities that it causes in the network environment; and call the corresponding defense scheme in the situation awareness threat database to perform joint defense on the target threat item and/or target abnormal item together with its associated threat and/or associated abnormality information.
In order to solve the technical problem above, the invention provides the following technical scheme:
A situation awareness method for defending against threats, comprising the steps of:
collecting alarm information in a network environment and retrieving the log information related to the alarm information, the log information comprising system log information and log information of the network nodes;
sorting the log information and performing threat intelligence analysis on it to obtain threat intelligence information, which comprises threat item information and abnormal item information for the network environment;
acquiring a target threat item and/or a target abnormal item, setting a tracking mark on the target threat item and/or target abnormal item, and tracking the associated threats and/or associated abnormalities caused by the target threat item and/or target abnormal item in the network environment; and
calling the corresponding defense scheme in the situation awareness threat database to perform joint defense on the target threat item and/or target abnormal item together with its associated threat and/or associated abnormality information.
Further, the threat intelligence comprises known threat intelligence and unknown threat intelligence: threat intelligence that is already stored in the threat intelligence database of the situation awareness system is known threat intelligence; otherwise it is unknown threat intelligence.
Further, when the threat intelligence is judged to be known threat intelligence, the preset defense scheme in the threat intelligence database of the situation awareness system is called to defend against the threat items in the threat intelligence information; when it is judged to be unknown threat intelligence, the abnormal items in the threat intelligence information that correspond to the triggered alarm are analyzed, and a defense scheme is called from the network security database to deal with the unknown threat intelligence.
Further, the unknown threat intelligence information is analyzed as follows:
extracting the threat characteristics in the unknown threat intelligence information, labelling each threat characteristic with a type, and counting the number of threat characteristics of each type;
selecting the type with the largest number of threat characteristics as the preferred defense type, and selecting the corresponding defense scheme from the preset situation awareness threat database on the basis of the preferred defense type;
performing heuristic defense on the basis of that defense scheme.
Further, the heuristic defense comprises applying a single defense scheme, applying several defense schemes in sequence (sequential defense), or applying several defense schemes out of sequence (out-of-order defense). In out-of-order defense, all the threat characteristics extracted from the unknown threat intelligence information are ranked as primary, secondary or common according to how strongly they affect the network environment, and the steps and order of the defense scheme are adjusted accordingly.
Further, the called defense scheme covers fewer threat characteristics, in number and in type, than the unknown threat intelligence information contains; therefore, after the heuristic defense for the preferred defense type is finished, the corresponding defense scheme is selected from the situation awareness threat database for each of the remaining defense types and applied in turn.
Further, whether the situation awareness trend prediction is correct is judged from the associated threats and/or associated abnormalities that the threat items and/or abnormal items cause in the network environment. The threat intelligence information corresponding to the threat intelligence is real-time behavioural description information about the network threat, and the network threats include network attacks, Trojan horses and viruses, and advanced persistent threats.
Further, the alarm comprises an alarm on a threat item and/or an abnormal item, the threat item and/or abnormal item having caused an associated threat and/or associated abnormality in the network environment.
A situation awareness apparatus for defending against threats, comprising:
an information acquisition unit for collecting alarm information in the network environment and retrieving the log information related to the alarm information, the log information comprising system log information and log information of the network nodes;
an information arrangement unit for sorting the log information and performing threat intelligence analysis on it to obtain threat intelligence information, which comprises threat item information and abnormal item information for the network environment;
an information marking unit for acquiring a target threat item and/or a target abnormal item, setting a tracking mark on it, and tracking the associated threats and/or associated abnormalities it causes in the network environment; and
an information defense unit for calling the corresponding defense scheme in the situation awareness threat database to perform joint defense on the target threat item and/or target abnormal item together with its associated threat and/or associated abnormality information.
A situation awareness system for defending against threats, comprising:
network nodes for sending and receiving data;
a situation awareness system for periodically detecting the network nodes that trigger alarms and performing security analysis on the log information of those network nodes; and
a system server connected to the network nodes and to the situation awareness system,
the system server being configured to: collect alarm information in the network environment and retrieve the log information related to the alarm information, the log information comprising system log information and log information of the network nodes; sort the log information and perform threat intelligence analysis on it to obtain threat intelligence information, which comprises threat item information and abnormal item information for the network environment; acquire a target threat item and/or a target abnormal item, set a tracking mark on it, and track the associated threats and/or associated abnormalities it causes in the network environment; and call the corresponding defense scheme in the situation awareness threat database to perform joint defense on the target threat item and/or target abnormal item together with its associated threat and/or associated abnormality information.
On the basis of the above, the invention has the following advantages and positive effects: it collects alarm information in the network environment and retrieves the log information related to the alarm information, the log information comprising system log information and log information of the network nodes; it sorts the log information and performs threat intelligence analysis on it to obtain threat intelligence information, which comprises threat item information and abnormal item information for the network environment; it acquires a target threat item and/or a target abnormal item, sets a tracking mark on it, and tracks the associated threats and/or associated abnormalities it causes in the network environment; and it calls the corresponding defense scheme in the situation awareness threat database to perform joint defense on the target threat item and/or target abnormal item together with its associated threat and/or associated abnormality information.
Further, the unknown threat intelligence information is analyzed by extracting the threat characteristics in it, labelling each threat characteristic with a type, and counting the number of threat characteristics of each type; selecting the type with the largest number of threat characteristics as the preferred defense type, and selecting the corresponding defense scheme from the preset situation awareness threat database on the basis of the preferred defense type; and performing heuristic defense on the basis of that defense scheme.
Further, the heuristic defense comprises applying a single defense scheme, applying several defense schemes in sequence (sequential defense), or applying several defense schemes out of sequence (out-of-order defense). In out-of-order defense, all the threat characteristics extracted from the unknown threat intelligence information are ranked as primary, secondary or common according to how strongly they affect the network environment, and the steps and order of the defense scheme are adjusted accordingly.
Further, the called defense scheme covers fewer threat characteristics, in number and in type, than the unknown threat intelligence information contains; therefore, after the heuristic defense for the preferred defense type is finished, the corresponding defense scheme is selected from the situation awareness threat database for each of the remaining defense types and applied in turn.
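The known/unknown decision and the heuristic defense steps described above (feature extraction, per-type counting, preferred defense type, out-of-order step ordering, and the follow-on schemes for the remaining types) can be written down as one small selection routine. The following is an added example written for this page; it is not code from the patent or from the assignee. The database contents, the type labels, the severity labels (primary, secondary, common) and the intelligence identifiers are all constructed for illustration.

```python
"""Heuristic defense selection for unknown threat intelligence (added example).

Known intelligence (already in the database) gets its preset scheme. Unknown
intelligence is analyzed: each extracted threat characteristic carries a type
and a severity; the type with most characteristics is the preferred defense
type; its scheme is pulled from the (constructed) situation awareness threat
database; with out-of-order defense the scheme's steps are re-ordered
primary > secondary > common; the remaining types follow in descending count.
"""
from collections import Counter
from dataclasses import dataclass

SEVERITY_RANK = {"primary": 0, "secondary": 1, "common": 2}


@dataclass(frozen=True)
class ThreatFeature:
    value: str      # the extracted characteristic, e.g. an address, domain or hash
    ftype: str      # type label given to the characteristic
    severity: str   # impact on the network environment: primary / secondary / common


# Constructed situation awareness threat database (assumed layout):
# defense type -> list of (step, severity the step addresses), in stored order.
THREAT_DB = {
    "malicious_ip": [("alert-soc", "common"), ("block-ip-at-border", "primary"),
                     ("isolate-host", "secondary")],
    "malicious_domain": [("sinkhole-dns", "primary"), ("purge-dns-cache", "common")],
    "malicious_file": [("quarantine-file", "primary"), ("kill-process", "secondary"),
                       ("rescan-host", "common")],
}

# Constructed known threat intelligence: identifier -> preset scheme.
KNOWN_INTEL = {"intel-0001": ["block-ip-at-border", "isolate-host"]}


def is_known(intel_id: str) -> bool:
    """Known threat intelligence is intelligence already stored in the database."""
    return intel_id in KNOWN_INTEL


def preferred_defense_type(features):
    """Type with the largest number of threat characteristics (ties: first seen)."""
    counts = Counter(f.ftype for f in features)
    if not counts:
        raise ValueError("no threat characteristics extracted")
    return max(counts, key=counts.get)


def plan_defense(intel_id, features, out_of_order=True):
    """Return an ordered list of (defense type, [steps]) to execute.

    out_of_order=False is the sequential defense: steps run in stored order.
    out_of_order=True re-orders each scheme's steps by severity rank.
    """
    if is_known(intel_id):
        return [("known", list(KNOWN_INTEL[intel_id]))]
    counts = Counter(f.ftype for f in features)
    first = preferred_defense_type(features)
    # Preferred type first, then the remaining types by descending count; a scheme
    # covers fewer characteristics than the intelligence, so the others still run.
    order = [first] + sorted((t for t in counts if t != first), key=lambda t: -counts[t])
    plan = []
    for ftype in order:
        steps = THREAT_DB.get(ftype, [])
        if out_of_order:
            steps = sorted(steps, key=lambda s: SEVERITY_RANK[s[1]])
        plan.append((ftype, [name for name, _ in steps]))
    return plan


# Constructed unknown intelligence: five characteristics, three of them IP-type.
SAMPLE = [
    ThreatFeature("198.51.100.7", "malicious_ip", "secondary"),
    ThreatFeature("198.51.100.9", "malicious_ip", "common"),
    ThreatFeature("bad.example", "malicious_domain", "primary"),
    ThreatFeature("d41d8cd98f00b204e9800998ecf8427e", "malicious_file", "primary"),
    ThreatFeature("198.51.100.12", "malicious_ip", "primary"),
]

if __name__ == "__main__":
    for ftype, steps in plan_defense("intel-9999", SAMPLE):
        print(ftype, "->", ", ".join(steps))
```

Run as a script it prints the out-of-order plan for the constructed sample: the IP scheme first with its border block ahead of the SOC alert, then the domain and file schemes. Passing `out_of_order=False` keeps each scheme in its stored order, which is the sequential defense the text contrasts it with.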
Drawings
Fig. 1 is a flowchart provided in an embodiment of the present invention.
Fig. 2 is another flow chart provided by the embodiment of the present invention.
Fig. 3 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a system according to an embodiment of the present invention.
Description of reference numerals:
the device 200, an information acquisition unit 201, an information arrangement unit 202, an information marking unit 203 and an information defense unit 204;
system 300, network node 301, situational awareness system 302, system server 303.
Detailed Description
The situation awareness method, apparatus and system for defending against threats disclosed by the invention are described in further detail below with reference to the accompanying drawings and specific embodiments. It should be noted that the technical features, or combinations of technical features, described in the following embodiments are not to be regarded as isolated; they may be combined with one another to achieve better technical effects. In the drawings of the embodiments described below, the same reference numerals in different drawings denote the same features or components and may apply to different embodiments; once an item is defined in one drawing it need not be discussed again for subsequent drawings.
It should be noted that the structures, proportions, sizes, and other dimensions shown in the drawings and described in the specification are only for the purpose of understanding and reading the present disclosure, and are not intended to limit the scope of the invention, which is defined by the claims, and any modifications of the structures, changes in the proportions and adjustments of the sizes and other dimensions, should be construed as falling within the scope of the invention unless the function and objectives of the invention are affected. The scope of the preferred embodiments of the present invention includes additional implementations in which functions may be executed out of order from that described or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the embodiments of the present invention.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate. In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
Examples
Referring to Fig. 1, which shows a flowchart provided by an embodiment of the invention, the method S100 is implemented in the following steps:
S101, collecting alarm information in the network environment and retrieving the log information related to the alarm information; the log information comprises system log information and log information of the network nodes.
In a preferred implementation of this embodiment, an alarm is an event report used to convey alarm information, also called an alarm event, or simply an alarm. Alarms may be defined by the equipment manufacturer, or by network management personnel on the basis of the alarms seen in their network. For one alarm, the monitoring unit of the network management system raises an alarm signal according to the fault condition; each time the system receives such a signal it treats it as the occurrence of one alarm event, describes the fault in the form of alarm information, and displays that information in the alarm management centre of the network management system. The fault is the cause of the alarm event raised by a device in the network.
The alarm information comprises the alarm information of the network node and the alarm information that triggered the network node's alarm. It includes, but is not limited to, the name of the faulty device, the fault symptom, the location of occurrence, the time of occurrence and the cause of occurrence.
By time, alarm information can also be divided into historical alarm information and real-time alarm information.
The system log is managed and protected by the system and cannot be altered arbitrarily. It records system behaviour strictly, so potential intrusions can be recorded, and predicted in good time, from the system log information.
By way of example and not limitation, when the system log records that a network port received an uninterrupted, repeated stream of connection requests within a short time, it can be determined that an intruder is using a port scanner to probe the system from outside for ports that will accept a connection. The intrusion traces in the system log information can then be used to track the network equipment the intruder used, and the corresponding defensive action can be taken to keep the network secure and running stably.
The system log information includes, but is not limited to: system security logs, network logs, audit data, and the access and operation behaviour information of each network node in the network environment.
A network node is a terminal in the network environment that has an independent network address and data processing capability; the data processing capability includes, but is not limited to, sending, receiving and/or analyzing data. Network nodes may be workstations, clients, network users' personal computers, servers, printers and other devices connected to the network.
The network environment comprises several network nodes connected by communication lines into a network topology. The communication lines may belong to a wired or a wireless communication system.
The log information of a network node is the set of event records produced by network devices, systems, service programs and the like while they run; each log row records the date, time, user, action and similar details of the operation concerned. The log information of a network node includes, but is not limited to, the duration of a connection, the protocol type, the network service type on the target host, whether the connection state was normal or an error, the number of data bytes sent from the source host to the target host, the number of data bytes sent from the target host to the source host, the number of wrong fragments, and the number of urgent packets.
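The two paragraphs above on the port-scanner trace in the log and on the fields a node's connection log carries can be exercised together: parse connection records with those fields, then apply the "many connection requests to one host in a short time" heuristic and emit an alarm with the alarm-information fields listed earlier (device, symptom, location, time, cause). This is an added example for this page, not code from the patent or from the assignee. The line layout, the column order, the source/target host and target port columns, the 10-second window and the five-port threshold are assumptions; the log lines are constructed.

```python
"""Node-log parsing and a port-scan heuristic (added example, not the patent's code).

Record columns (assumed order): timestamp, source host, target host, target port,
duration, protocol type, service type on the target, connection state flag,
bytes source->target, bytes target->source, wrong fragments, urgent packets.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed node log: one external host probes six ports of 10.0.0.12 within
# two seconds (all rejected), followed by two normal internal connections.
NODE_LOG = """\
2021-11-18T10:00:00,203.0.113.5,10.0.0.12,22,0,tcp,ssh,REJ,0,0,0,0
2021-11-18T10:00:00,203.0.113.5,10.0.0.12,23,0,tcp,telnet,REJ,0,0,0,0
2021-11-18T10:00:01,203.0.113.5,10.0.0.12,80,0,tcp,http,REJ,0,0,0,0
2021-11-18T10:00:01,203.0.113.5,10.0.0.12,443,0,tcp,https,REJ,0,0,0,0
2021-11-18T10:00:02,203.0.113.5,10.0.0.12,3389,0,tcp,rdp,REJ,0,0,0,0
2021-11-18T10:00:02,203.0.113.5,10.0.0.12,8080,0,tcp,http_alt,REJ,0,0,0,0
2021-11-18T10:00:05,10.0.0.7,10.0.0.12,443,12,tcp,https,SF,1450,9800,0,0
2021-11-18T10:05:00,10.0.0.7,10.0.0.12,22,300,tcp,ssh,SF,4096,2048,0,0
"""


@dataclass(frozen=True)
class ConnRecord:
    ts: datetime
    src: str
    dst: str
    dport: int
    duration: int
    proto: str
    service: str
    flag: str          # connection state: SF = normal completion, REJ = rejected
    src_bytes: int
    dst_bytes: int
    wrong_fragment: int
    urgent: int


def parse_node_log(text):
    """Parse the constructed comma-separated layout; malformed rows are dropped
    (the data-cleaning step the text mentions before analysis)."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(",")
        if len(f) != 12:
            continue
        records.append(ConnRecord(datetime.fromisoformat(f[0]), f[1], f[2], int(f[3]),
                                  int(f[4]), f[5], f[6], f[7], int(f[8]), int(f[9]),
                                  int(f[10]), int(f[11])))
    return records


def detect_port_scans(records, window=timedelta(seconds=10), min_ports=5):
    """Report one alarm per (source, target) pair that touches at least `min_ports`
    distinct target ports inside any `window`-long span of time-ordered attempts.
    The alarm dictionary uses the alarm-information fields from the text."""
    by_pair = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        by_pair[(r.src, r.dst)].append(r)
    alarms = []
    for (src, dst), recs in by_pair.items():
        start = 0
        for end in range(len(recs)):
            while recs[end].ts - recs[start].ts > window:   # slide the window
                start += 1
            ports = {r.dport for r in recs[start:end + 1]}
            if len(ports) >= min_ports:
                alarms.append({
                    "device": dst,
                    "symptom": "port scan",
                    "location": f"{len(ports)} target ports probed",
                    "time": recs[end].ts.isoformat(),
                    "cause": f"repeated connection requests from {src}",
                })
                break   # one alarm per pair is enough for tracking the source
    return alarms


if __name__ == "__main__":
    for alarm in detect_port_scans(parse_node_log(NODE_LOG)):
        print(alarm)
```

The alarm's `cause` field carries the source address, which is the "intrusion trace" the text says is used to track the intruder's equipment. Raising `min_ports` above the six distinct ports in the sample suppresses the alarm, which is the knob an operator tunes against benign scanners such as inventory tools.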
S102, sorting the log information and performing threat intelligence analysis on it to obtain threat intelligence information; the threat intelligence information comprises threat item information and abnormal item information for the network environment.
The sorting is preferably performed before the log information is analyzed. This data processing includes, but is not limited to, existing operations such as data filtering, data normalization and data cleaning on the log information, so that the subsequent analysis is easier and less computing resource is wasted.
Threat intelligence yields information about a threat source on the basis of threat intelligence analysis rules, and from that the threat intelligence information is obtained. A threat source may be a network node that is under threat in the network environment, a device affected by a network vulnerability, a node that is under network attack, and so on.
Threat intelligence may come from two sides. Internal threat intelligence has as its data sources the asset and environment attribute data of the objects to be protected in the enterprise's internal network, log data from the various internal devices and systems, alarm data, captured packets, statistics, metadata and the like. External threat intelligence is data collected from the network environment outside the enterprise; it is correlated with the data from the internal threat intelligence sources and counts as external threat intelligence when it can be associated with a protected object.
Threat intelligence analysis analyzes the log information according to preset threat intelligence analysis rules so as to obtain threat intelligence information. The threat intelligence information describes the threat intelligence in the network environment; for example, it can describe the path of a threat item located on a network node in a user terminal, and the file characteristics of the threat item, such as its MD5 hash.
Threat intelligence analysis uses a threat intelligence library to perform correlation analysis on data such as the access traffic and log information of the network nodes, so as to identify threat events that may be occurring. These threat events are mainly intrusion behaviours that are hard to find directly, such as access to a malicious domain name, access to a malicious download source, or access to a malicious IP address.
The threat intelligence analysis rules are based on correlation analysis of threat intelligence data. Having such rules improves the efficiency of security event analysis and the speed with which threat behaviour is detected and responded to.
The threat intelligence analysis rules may be obtained automatically from the threat intelligence repository of a network security database. Typically a threat intelligence analysis rule consists of several sub-rules, each of which handles one or more kinds of threat.
When working with preset threat intelligence analysis rules, the method can first determine from problems visible in the logs, such as abnormal CPU or memory usage, that the threatened object has been intruded upon, and then extract the related logs and traffic from the server to obtain monitoring indicators, such as response latency and download speed; the attack route can then be determined from the time sequence of these. The threatened object may be an affected system, device, process or the like.
The threat item may be a system object, a non-system object, etc. that presents a threat and/or poses a threat to network nodes. By way of example and not limitation, the threat item may be a process, a URL (Uniform Resource Locator) access behavior, an IP (Internet Protocol) access, a port access, a DNS (Domain Name System), a mailbox address, or a mail attachment, etc.
The abnormal items refer to warnings or errors occurring in the running process of the program or the system, and the abnormal items can affect the robustness, reliability and safety of the program. By way of example and not limitation, the exception items include, but are not limited to, exception states, exception signals, exception operations, exception behaviors, exception values, and the like in a network environment.
In a preferred implementation of this embodiment, the abnormal item may preferably be an abnormal situation in which the aforementioned threat item causes an existence in the network environment. The abnormal items may be system objects, non-system objects, etc. that are and/or may be compromised, and the abnormal items may be compromised computers, compromised ports, access and control rights, etc.
The exception items may include, but are not limited to, processes, URL access behavior, IP access, port access, DNS, mailbox addresses, mail attachments, get access and control rights, and the like.
It is also worth noting that the threat item and the exception item may be the same system object, non-system object, etc. That is, when the threat item poses a threat to a network node and/or associated network nodes, there is a possibility that the threat item is an abnormal item in the network environment.
When a threat item exists in the network environment, a new abnormal item also occurs in the network environment, so that the threat item and the abnormal item in the network environment are different system objects, non-system objects and the like.
By way of example and not limitation, when a threat item in the network environment is system object A or non-system object B, the abnormal item in the network environment may be the same system object A or non-system object B; or, when the abnormal item is system object A1 or non-system object B1 obtained after system object A or non-system object B is mirrored through the network, system object A1 or non-system object B1 is regarded as the same as system object A or non-system object B, that is, the threat item in the network environment is the same as the abnormal item and both are the same system object or non-system object.
Similarly, when the threat item in the network environment is system object A or non-system object B and causes new abnormal items C and D to appear in the network environment, the threat item and the abnormal items in the network environment are different system objects, non-system objects and the like.
S103, acquiring a target threat item and/or a target abnormal item, setting a tracking mark for the target threat item and/or the target abnormal item, and tracking the associated threat and/or the associated abnormality caused by the target threat item and/or the target abnormal item in a network environment.
The target threat items can be selected by a user from the threat items, or can be automatically selected by a situation awareness system, for example, the situation awareness system can select one of the threat items with the largest threat influence as the target threat item.
The target abnormal item can be selected by a user from the abnormal items, or can be automatically selected by a situational awareness system, for example, the situational awareness system can select one of the abnormal items with the largest abnormal influence as the target abnormal item.
The tracking mark is set on the target threat item and/or the target abnormal item so as to track the associated threat and/or the associated abnormality caused by the target threat item and/or the target abnormal item in the network environment.
The associated threat refers to a situation that the associated network node has a relevant threat item due to the target threat item when the network node carrying the target threat item performs relevant operations (such as access, copy, upload, and the like) in a network environment.
The association exception refers to a situation that when a network node carrying the target exception item performs a relevant operation (for example, an access right exception, a CPU cache exception, or the like) in a network environment, the target exception item causes a relevant exception item to exist in the association network node.
S104, calling a corresponding defense scheme in the situation awareness threat database to perform combined defense by combining the target threat item and/or the target abnormal item and the associated threat and/or the associated abnormal information thereof.
Defense schemes in the situation-aware threat database may include, but are not limited to: establishing a threat intrusion prevention system for rapidly detecting, preventing and suppressing threat intrusion; putting the process with the threat into an isolation area, intercepting URL, IP or DNS and the like with the threat through a firewall rule, intercepting a certain mailbox address through a mail server, and revoking the attachment with the threat through the mail server; and adding the source IP address, the terminal identification number and the user identification which are displayed abnormally into a blacklist, adding the source IP address, the terminal identification number and the user identification which are not displayed abnormally into a white list, and controlling data request access authority and the like according to the blacklist and the white list.
The operation has the advantage that after the threat item is detected, the defense scheme of the situation awareness threat database corresponding to the threat item can be automatically called to carry out corresponding operation of network security defense.
The joint defense may be preferably a defensive operation performed by calling a corresponding defense scheme in the situation-aware threat database after combining the target threat item and/or the target abnormal item and the associated threat and/or the associated abnormal information thereof.
The defensive operation includes, but is not limited to, detection, protection, interception and the like of the target threat item and/or the target abnormal item and the associated threat and/or associated abnormality after combining the target threat item and/or the target abnormal item and the associated threat and/or associated abnormality information thereof.
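Steps S103 and S104 above, as an added Python example that is not part of the patent: the threat item with the largest influence is chosen as the target, a tracking mark is placed on its node, associated threats are followed through the access/copy/upload operations the patent names, and a combined defense plan is built from constructed stand-ins for the database's defense schemes. The threat items, operation records, influence scores and scheme texts are all constructed assumptions.

```python
from collections import deque

# Constructed threat items (not from the patent): the node carrying each item and an
# assumed "threat influence" score used to pick the target threat item automatically.
THREAT_ITEMS = [
    {"id": "proc-miner", "kind": "process", "node": "web-01", "influence": 8},
    {"id": "203.0.113.7", "kind": "ip_access", "node": "app-02", "influence": 5},
    {"id": "bad.example.invalid", "kind": "dns", "node": "db-01", "influence": 3},
]

# Constructed operation records as (source node, operation, destination node).
OPERATIONS = [
    ("web-01", "copy", "app-02"),
    ("web-01", "upload", "file-01"),
    ("app-02", "access", "db-01"),
    ("mail-01", "access", "web-01"),    # points into web-01, so mail-01 is not reached from it
    ("file-01", "copy", "bak-01"),
    ("app-02", "heartbeat", "mon-01"),  # assumed non-propagating operation
]

# Operations the patent names as carrying the threat to an associated node.
PROPAGATING_OPS = {"access", "copy", "upload"}

# Constructed stand-ins for the defense schemes in the situation-awareness threat database,
# keyed by the kind of threat item.
DEFENSE_SCHEMES = {
    "process": "put the process into the isolation area",
    "url": "intercept the URL through a firewall rule",
    "ip_access": "intercept the IP through a firewall rule",
    "dns": "intercept the DNS name through a firewall rule",
    "mailbox": "intercept the mailbox address at the mail server",
    "attachment": "revoke the attachment at the mail server",
}


def select_target(items):
    """Automatic selection: the threat item with the largest threat influence."""
    return max(items, key=lambda i: i["influence"])


def track_associated(target, operations):
    """Set a tracking mark on the target's node and follow propagating operations outward,
    recording each associated node reached and the operation that reached it."""
    marked = {target["node"]}
    associated = []
    queue = deque([target["node"]])
    while queue:
        src = queue.popleft()
        for s, op, dst in operations:
            if s == src and op in PROPAGATING_OPS and dst not in marked:
                marked.add(dst)
                associated.append({"node": dst, "from": src, "via": op, "item": target["id"]})
                queue.append(dst)
    return associated


def joint_defense(target, associated, operations):
    """Combine the target item with its associated threats and call the matching defense
    scheme for every affected node; abnormal nodes go to the blacklist, the rest to the whitelist."""
    scheme = DEFENSE_SCHEMES[target["kind"]]
    plan = [(target["node"], scheme)] + [(a["node"], scheme) for a in associated]
    abnormal = {target["node"]} | {a["node"] for a in associated}
    all_nodes = {n for s, _, d in operations for n in (s, d)}
    return {"plan": plan,
            "blacklist": sorted(abnormal),
            "whitelist": sorted(all_nodes - abnormal)}


if __name__ == "__main__":
    target = select_target(THREAT_ITEMS)
    assoc = track_associated(target, OPERATIONS)
    result = joint_defense(target, assoc, OPERATIONS)
    print("target:", target["id"], "on", target["node"])
    for a in assoc:
        print("associated threat on", a["node"], "via", a["via"], "from", a["from"])
    print(result)
```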
Preferably, the threat intelligence comprises known threat intelligence and unknown threat intelligence; when the threat intelligence is stored in a threat intelligence database of a situational awareness system, the threat intelligence is known threat intelligence; otherwise, the threat intelligence is unknown threat intelligence.
Preferably, when the threat intelligence is judged to be known threat intelligence, a preset defense scheme in the threat situation awareness system database is called to defend against the threat item in the threat intelligence information; when it is judged to be unknown threat intelligence, the abnormal items corresponding to the triggered alarm in the threat intelligence information are analyzed so that a defense scheme of the network security database can be called to deal with the unknown threat intelligence.
Referring to fig. 2, another flowchart is provided for the embodiment of the present invention, in which the step S110 of analyzing the unknown threat intelligence information is as follows:
S111, extracting threat characteristics from the unknown threat intelligence information, marking the type of each threat characteristic, and counting the number of threat characteristics corresponding to each type.
The threat features include, but are not limited to, malicious code transmission behavior, exposure to C&C (command and control) attacks, malicious IP addresses, malicious Uniform Resource Locators (URLs), malicious domain names, malicious sample MD5 values, and the like.
The threat characteristics can be classified by attribute into HASH values, IP addresses, domain names, network or host characteristics and the like; by usage scenario into tactical intelligence mainly used for automated detection and analysis, operational intelligence aimed at security response analysis, strategic intelligence guiding the overall security investment strategy, and the like; or by the form of the characteristic into single-value, non-value, combined characteristics and the like.
By way of example and not limitation, all threat features in the unknown threat intelligence information A are obtained as threat feature 1, threat feature 2, ..., threat feature N (N is a positive integer greater than or equal to 2), and the types of threat features 1 to N are marked.
At this time, the types of threat features 1 to N may be labeled in sequence as type 1, type 2, ..., type M (M is a positive integer less than or equal to N), and the number of threat features corresponding to each type is counted, i.e., P1, P2, ..., PL (P1 to PL are positive integers less than or equal to N, and the sum of the numbers of threat features over all types is equal to N).
S112, selecting the type with the largest number of contained threat characteristics as the preferred defense type, and selecting a corresponding defense scheme from the preset situation awareness threat database based on the preferred defense type.
By way of example and not limitation, when the types of threat features 1 to N are labeled in sequence as type 1, type 2, ..., type M (M is a positive integer less than or equal to N), and the number of threat features of each type is counted, i.e., P1, P2, ...
A defense scheme is selected from the preset situation awareness threat database and compared with the threat characteristics, their types and their numbers. For example, there are 7 threat characteristics (N = 7), their types are type 1, type 2 and type 3 (M = 3), and the numbers of threat characteristics corresponding to these types are 4, 2 and 1 (P1 = 4, P2 = 2, P3 = 1). Since P1 is largest, the preferred defense type when selecting a defense scheme is type 1, i.e., the defense scheme is first selected based on type 1.
Because the threat characteristics all come from unknown threat intelligence, it is difficult to select from the preset situation awareness threat database a defense scheme that matches the threat characteristics, their types and their numbers one by one so as to perform accurate network security defense. In practice, the threat characteristics of unknown threat intelligence, their types and their numbers usually exceed the threat characteristics, types and numbers covered by any single defense scheme in the situation awareness threat database.
When the threat characteristics, their types and their numbers in the unknown threat intelligence exceed those provided by a defense scheme in the situation awareness threat database, the type containing the largest number of threat characteristics in the unknown threat intelligence can be selected first as the preferred defense type, and a defense scheme selected on that basis for tentative defense.
S113, based on the defense scheme, heuristic defense is conducted.
When several defense schemes arranged in sequence are available for the heuristic defense, based on the existing threat intelligence defense schemes, they can be provided in order as heuristic defense scheme 1, heuristic defense scheme 2, ... At this time, the system attempts security defense in the order of the heuristic defense schemes until the defense succeeds.
To shorten the time needed to find a suitable heuristic defense scheme, the heuristic defense schemes can be ordered according to criteria such as most recently used, first used, or most frequently used.
Preferably, the heuristic defense comprises adopting one defense scheme or adopting a sequence defense of a plurality of defense schemes, or adopting an out-of-sequence defense of a plurality of defense schemes; the out-of-order defense means that all threat characteristics extracted from the unknown threat information are sequenced from primary to secondary to common according to the state of the influence on the network environment threat, and steps and sequences for defense in the defense scheme are correspondingly adjusted.
The out-of-order defense is a defense scheme which is combined according to a certain defense order after the defense order of the defense scheme in the preset situation awareness threat database is disturbed.
By way of example and not limitation, the out-of-order defense may be performed by sorting the threat characteristics in the unknown threat intelligence into a primary, secondary and common order according to how they affect the network environment threat, and then adjusting the steps and order of defending against the sorted threat characteristics according to the steps and order of defense in the defense scheme, so that the sorted threat characteristics form a new defense scheme.
The evaluation of the state of the network environment threat influence can be based on the evaluation index in the existing situation awareness technology to evaluate the state of the network environment threat influence caused by the threat characteristics in the unknown threat information.
Preferably, the threat characteristics included in the called defense scheme have a smaller number and type of threat characteristics than the threat characteristics included in the unknown threat information; and after the heuristic defense corresponding to the first-selected defense type is finished, aiming at other defense types except the first-selected defense type, selecting a corresponding defense scheme from the situation awareness threat database for defense.
By way of example and not limitation, there are 7 threat characteristics (N = 7), their types are type 1, type 2 and type 3 (M = 3), and the numbers of threat characteristics corresponding to these types are 4, 2 and 1 in order (P1 = 4, P2 = 2, P3 = 1). Since P1 is largest, the preferred defense type when selecting a defense scheme is type 1, i.e., the defense scheme is first selected based on type 1.
After the defense scheme is selected based on the type 1, aiming at other defense types except the preferred defense type, the corresponding defense scheme is selected from the situation awareness threat database for defense. Namely, corresponding defense schemes are selected from the situation awareness threat database for the type 2 and the type 3 to defend.
It should be noted that, when the defense schemes are selected for the category 2 and the category 3, the defense schemes may be selected together for the threat characteristics in the category 2 and the category 3; or selecting a defense scheme for the threat characteristics in the category 2 and then selecting a defense scheme for the threat characteristics in the category 3; the defense scheme can also be selected for the threat characteristics in category 3 first, and then for the threat characteristics in category 2.
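Steps S111 to S113 and the two preferred refinements above (ordering heuristic schemes by usage, defending the remaining types after the preferred one, and the out-of-order defense), as one added Python example that is not part of the patent. It classifies seven constructed threat features (N = 7) into HASH, IP and domain types, picks the type with the largest count as the preferred defense type, tries that type's schemes in the chosen order until one succeeds, then handles the other types, and finally reorders defense steps by a primary/secondary/common impact ranking. The feature values, scheme names, usage statistics and the `try_scheme` callback are assumptions.

```python
import re
from collections import Counter

# Constructed unknown threat intelligence A with N = 7 threat features (not from the patent).
UNKNOWN_INTEL = [
    "0123456789abcdef0123456789abcdef",                                   # MD5-shaped hash
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",   # SHA-256-shaped hash
    "fedcba9876543210fedcba9876543210",
    "deadbeefdeadbeefdeadbeefdeadbeef",
    "198.51.100.23",
    "203.0.113.9",
    "malware.example.invalid",
]

HEX_RE = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")
IP_RE = re.compile(r"(\d{1,3}\.){3}\d{1,3}")
URL_RE = re.compile(r"https?://\S+")
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)


def classify(feature):
    """Mark the type of one threat feature by its attribute (S111). Order matters: an IP
    would otherwise also match the domain pattern."""
    if HEX_RE.fullmatch(feature):
        return "hash"
    if IP_RE.fullmatch(feature):
        return "ip"
    if URL_RE.fullmatch(feature):
        return "url"
    if DOMAIN_RE.fullmatch(feature):
        return "domain"
    return "network_or_host"


def count_types(features):
    """P1..PM: number of threat features per type."""
    return Counter(classify(f) for f in features)


def preferred_type(counts):
    """S112: the type containing the most threat features is the preferred defense type."""
    return counts.most_common(1)[0][0]


# Constructed stand-in for the situation-awareness threat database: per type, the schemes
# that can be tried, with assumed usage statistics for ordering them.
SCHEME_DB = {
    "hash": [
        {"name": "quarantine-by-hash", "last_used": 5, "uses": 9},
        {"name": "block-hash-at-gateway", "last_used": 9, "uses": 2},
    ],
    "ip": [{"name": "firewall-deny-ip", "last_used": 7, "uses": 20}],
    "domain": [{"name": "dns-sinkhole", "last_used": 1, "uses": 4}],
}


def ordered_schemes(kind, criterion="most_recent"):
    """Heuristic defense scheme 1, 2, ... ordered by most recent or most frequent use."""
    key = {"most_recent": lambda s: -s["last_used"],
           "most_frequent": lambda s: -s["uses"]}[criterion]
    return sorted(SCHEME_DB.get(kind, []), key=key)


def heuristic_defense(features, try_scheme, criterion="most_recent"):
    """S113: try schemes for the preferred type until one succeeds, then do the same for the
    remaining types. try_scheme(name, subset) returns True when the defense succeeded."""
    counts = count_types(features)
    first = preferred_type(counts)
    order = [first] + [t for t, _ in counts.most_common() if t != first]
    outcome = {}
    for kind in order:
        subset = [f for f in features if classify(f) == kind]
        outcome[kind] = None
        for scheme in ordered_schemes(kind, criterion):
            if try_scheme(scheme["name"], subset):
                outcome[kind] = scheme["name"]
                break
    return counts, order, outcome


def out_of_order_defense(features, impact, scheme_steps):
    """Sort features primary > secondary > common by their impact on the environment and
    rebuild the defense steps in that order, giving a new scheme. Unrated features are common."""
    rank = {"primary": 0, "secondary": 1, "common": 2}
    ordered = sorted(features, key=lambda f: rank[impact.get(f, "common")])
    return [(f, scheme_steps[classify(f)]) for f in ordered]


if __name__ == "__main__":
    counts, order, outcome = heuristic_defense(
        UNKNOWN_INTEL, lambda name, subset: name != "quarantine-by-hash")
    print(dict(counts), order, outcome)
```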
Preferably, whether the prediction of the situation awareness trend is correct or not is judged by combining the associated threats and/or associated anomalies caused by the threat items and/or the abnormal items to the network environment, wherein threat intelligence information corresponding to the threat intelligence refers to behavior description information for generating the network threat in real time, and the network threat comprises network attack, Trojan horse virus and advanced persistent threat.
By way of example and not limitation, when the preset associated threat is that malicious code transmission behavior exists in the network environment and the network environment is simultaneously subjected to a C&C attack, and this associated threat is indeed present, then if the prediction of the situation awareness trend is a threat the judgment is correct; otherwise the judgment is wrong.
In addition, for example, when the preset association anomaly is that the port flow of the network node in the network environment is abnormal, and the memory occupancy rate of the network node is also abnormal, that is, the association anomaly is determined, when the prediction of the situation awareness trend is abnormal, the judgment is correct, otherwise, the judgment is wrong.
Preferably, the alarm includes an alarm for the threat item and/or the abnormal item, and an alarm for the threat item and/or the abnormal item causing associated threat and/or associated abnormality to the network environment.
It is worth noting that the alarms include the historical alarms, real-time alarms and prediction alarms collected by the situation awareness system. When an alarm is triggered, the alarm can display the port information of the network node for which it was triggered, while the operations executed on the ports of other network nodes that did not trigger the alarm are monitored, so that real-time or pre-arranged control of network security can be ensured, and the ports and/or IP network segments that did not trigger the alarm can keep normal communication and stable operation with other network nodes.
Optionally, data monitoring is performed on the input/output port of the network node, and when the network environment changes abnormally, the operation executed on the network node is labeled and traced back.
When data monitoring is carried out, the situation awareness system can monitor ports and/or IP network segments which do not trigger alarms in network nodes with alarms, and the ports and/or the IP network segments are communicated in a multiplexing mode.
Other technical features are referred to in the previous embodiments and are not described herein.
Referring to fig. 3, an embodiment of the present invention provides a threat-defense situational awareness apparatus 200, comprising:
the information acquisition unit 201 is used for acquiring alarm information and calling log information related to the alarm information in a network environment; the log information includes system log information and log information of the network node.
An information sorting unit 202 for sorting the log information to perform threat information analysis to obtain threat information; the threat intelligence information includes threat item information and abnormal item information in a network environment.
The information marking unit 203 is configured to obtain a target threat item and/or a target abnormal item, set a tracking mark for the target threat item and/or the target abnormal item, and track a related threat and/or a related abnormality caused by the target threat item and/or the target abnormal item in a network environment.
And the information defense unit 204 is used for calling a corresponding defense scheme in the situation awareness threat database to perform combined defense by combining the target threat item and/or the target abnormal item and the associated threat and/or the associated abnormal information thereof.
Referring also to fig. 4, an embodiment of the present invention provides a situation awareness system 300 for defending against threats, comprising:
the network node 301 is configured to transmit and receive data.
The situation awareness system 302 periodically detects the network node triggering the alarm, and performs security analysis on the log information of the network node.
The situation awareness system integrates a plurality of data information systems such as an anti-virus gateway, a firewall, a network management system, an intrusion monitoring system and a security audit system to complete the evaluation of the current network environment condition and the prediction of the future change trend of the network environment.
The regular detection can set detection time or detection time period, and the items of the regular detection can include but are not limited to webpage tamper resistance, process abnormal behavior, abnormal login and the like.
A system server 303, which connects the network node 301 and the situational awareness system 302.
The system server 303 is configured to: collecting alarm information and calling log information related to the alarm information in a network environment; the log information comprises system log information and log information of the network node; the log information is sorted to carry out threat information analysis to obtain threat information; the threat intelligence information comprises threat item information and abnormal item information in a network environment; acquiring a target threat item and/or a target abnormal item, setting a tracking mark for the target threat item and/or the target abnormal item, and tracking associated threats and/or associated abnormalities caused by the target threat item and/or the target abnormal item in a network environment; and calling a corresponding defense scheme in the situation awareness threat database to carry out combined defense by combining the target threat item and/or the target abnormal item and the associated threat and/or associated abnormal information thereof.
Other technical features are referred to in the previous embodiment and are not described in detail herein.
In the description above, the various components may be selectively and operatively combined in any number within the intended scope of the present disclosure. In addition, terms like "comprising," "including," and "having" should be interpreted as inclusive or open-ended, rather than exclusive or closed-ended, by default, unless explicitly defined to the contrary. All technical, scientific, or other terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs unless defined otherwise. Common terms found in dictionaries should not be interpreted too ideally or too realistically in the context of related art documents unless the present disclosure expressly limits them to that.
While exemplary aspects of the present disclosure have been described for illustrative purposes, those skilled in the art will appreciate that the foregoing description is by way of description of the preferred embodiments of the present disclosure only, and is not intended to limit the scope of the present disclosure in any way, which includes additional implementations in which functions may be performed out of the order of presentation or discussion. Any changes and modifications of the present invention based on the above disclosure will be within the scope of the appended claims.

Claims (10)

1. A situational awareness method of defending against threats, comprising the steps of:
collecting alarm information and calling log information related to the alarm information in a network environment; the log information comprises system log information and log information of the network node;
the log information is sorted to carry out threat information analysis to obtain threat information; the threat intelligence information comprises threat item information and abnormal item information in a network environment;
acquiring a target threat item and/or a target abnormal item, setting a tracking mark for the target threat item and/or the target abnormal item, and tracking associated threats and/or associated abnormalities caused by the target threat item and/or the target abnormal item in a network environment;
and calling a corresponding defense scheme in the situation awareness threat database to carry out combined defense by combining the target threat item and/or the target abnormal item and the associated threat and/or associated abnormal information thereof.
2. The method of claim 1, wherein the threat intelligence comprises known threat intelligence and unknown threat intelligence; when the threat intelligence is stored in a threat intelligence database of a situational awareness system, the threat intelligence is known threat intelligence; otherwise, the threat intelligence is unknown threat intelligence.
3. The method according to claim 2, characterized in that when the threat intelligence is determined to be known threat intelligence, a defense scheme in the threat situation awareness system threat database is called to defend against the threat item in the threat intelligence information; when it is determined to be unknown threat intelligence, abnormal items corresponding to the triggered alarm in the threat intelligence information are analyzed so as to call a defense scheme of the network security database to deal with the unknown threat intelligence.
4. The method of claim 3, wherein the step of analyzing the unknown threat intelligence information is performed as follows:
extracting threat characteristics in the unknown threat information, marking the types of the threat characteristics, and counting the number of the threat characteristics corresponding to each type;
selecting the type with the largest number of threat characteristics as a preferred defense type, and selecting a corresponding defense scheme from the preset situation awareness threat database based on the preferred defense type;
based on the foregoing defense scheme, heuristic defense is performed.
5. The method of claim 4, wherein the heuristic defense includes taking one defense scheme or taking a sequential defense of a plurality of defense schemes, or taking an out-of-order defense of a plurality of defense schemes; the out-of-order defense means that all threat characteristics extracted from the unknown threat information are sequenced from primary to secondary to common according to the state of the influence on the network environment threat, and steps and sequences for defense in the defense scheme are correspondingly adjusted.
6. The method of claim 5, wherein the deployed defense scheme includes threat signatures having a smaller number and type of threat signatures than threat signatures included in the unknown threat intelligence information;
and after the heuristic defense corresponding to the first-selected defense type is finished, aiming at other defense types except the first-selected defense type, selecting a corresponding defense scheme from the situation awareness threat database for defense.
7. The method according to claim 1, wherein whether the prediction of the situation awareness trend is correct or not is determined in combination with the associated threat and/or the associated anomaly caused by the threat item and/or the abnormal item to the network environment, wherein the threat intelligence information corresponding to the threat intelligence is behavioral description information for generating the network threat in real time, and the network threat comprises network attack, Trojan horse virus and advanced persistent threat.
8. The method of claim 1, wherein the alerts comprise alerts of the threat item and/or the abnormal item, and alerts of the threat item and/or the abnormal item causing associated threats and/or associated abnormalities to the network environment.
9. A threat-defense situational awareness apparatus, comprising:
the information acquisition unit is used for acquiring the alarm information and calling log information related to the alarm information in the network environment; the log information comprises system log information and log information of the network node;
the information arrangement unit is used for arranging the log information to carry out threat information analysis to obtain threat information; the threat intelligence information comprises threat item information and abnormal item information in a network environment;
the information marking unit is used for acquiring a target threat item and/or a target abnormal item, setting a tracking mark for the target threat item and/or the target abnormal item, and tracking the associated threat and/or the associated abnormality caused by the target threat item and/or the target abnormal item in a network environment;
and the information defense unit is used for calling a corresponding defense scheme in the situation awareness threat database to perform combined defense by combining the target threat item and/or the target abnormal item and the associated threat and/or the associated abnormal information thereof.
10. A situational awareness system for defending against threats, comprising:
a network node for transceiving data;
the situation awareness system is used for periodically detecting the network node triggering the alarm and carrying out security analysis on the log information of the network node;
the system server is connected with the network node and the situation awareness system;
the system server is configured to: collecting alarm information and calling log information related to the alarm information in a network environment; the log information comprises system log information and log information of the network node;
the log information is sorted to carry out threat information analysis to obtain threat information; the threat intelligence information comprises threat item information and abnormal item information in a network environment;
acquiring a target threat item and/or a target abnormal item, setting a tracking mark for the target threat item and/or the target abnormal item, and tracking associated threats and/or associated abnormalities caused by the target threat item and/or the target abnormal item in a network environment;
and calling a corresponding defense scheme in the situation awareness threat database to carry out combined defense by combining the target threat item and/or the target abnormal item and the associated threat and/or associated abnormal information thereof.
CN202111375012.9A 2021-11-19 2021-11-19 Situation awareness method, device and system for defending threat Active CN114189361B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111375012.9A CN114189361B (en) 2021-11-19 2021-11-19 Situation awareness method, device and system for defending threat


Publications (2)

Publication Number Publication Date
CN114189361A true CN114189361A (en) 2022-03-15
CN114189361B CN114189361B (en) 2023-06-02

Family

ID=80541015

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111375012.9A Active CN114189361B (en) 2021-11-19 2021-11-19 Situation awareness method, device and system for defending threat

Country Status (1)

Country Link
CN (1) CN114189361B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116055286A (en) * 2023-03-03 2023-05-02 北京赛博易安科技有限公司 Threat warning information comprehensive analysis method and system based on killing chain
WO2024001666A1 (en) * 2022-06-29 2024-01-04 华为技术有限公司 Network risk assessment method and related apparatus

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104539626A (en) * 2015-01-14 2015-04-22 中国人民解放军信息工程大学 Network attack scene generating method based on multi-source alarm logs
US20170230410A1 (en) * 2016-02-10 2017-08-10 Accenture Global Solutions Limited Telemetry Analysis System for Physical Process Anomaly Detection
CN108881271A (en) * 2018-07-03 2018-11-23 杭州安恒信息技术股份有限公司 A kind of the backward tracing source tracing method and device of proxy
CN111245793A (en) * 2019-12-31 2020-06-05 西安交大捷普网络科技有限公司 Method and device for analyzing abnormity of network data
CN112995187A (en) * 2021-03-09 2021-06-18 中国人民解放军空军工程大学 Network cooperative defense system and method based on community structure
CN113329029A (en) * 2021-06-18 2021-08-31 上海纽盾科技股份有限公司 Situation awareness node defense method and system for APT attack
CN113422771A (en) * 2021-06-22 2021-09-21 北京华圣龙源科技有限公司 Threat early warning method and system
US11159546B1 (en) * 2021-04-20 2021-10-26 Centripetal Networks, Inc. Methods and systems for efficient threat context-aware packet filtering for network protection

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Lif, Patrik et al.: "Development and validation of technique to measure cyber situation awareness", 2017 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (Cyber SA), pp. 1-8 *
俎东峰 (Zu Dongfeng): "Critical Information Infrastructure Network Security Protection System" (关键信息基础设施网络安全防护体系), Information & Computer (Theoretical Edition) (信息与电脑(理论版)), no. 13, pp. 198-199 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024001666A1 (en) * 2022-06-29 2024-01-04 华为技术有限公司 Network risk assessment method and related apparatus
CN116055286A (en) * 2023-03-03 2023-05-02 北京赛博易安科技有限公司 Comprehensive analysis method and system for threat warning information based on the kill chain

Also Published As

Publication number Publication date
CN114189361B (en) 2023-06-02

Similar Documents

Publication Publication Date Title
EP2953298B1 (en) Log analysis device, information processing method and program
US7752665B1 (en) Detecting probes and scans over high-bandwidth, long-term, incomplete network traffic information using limited memory
US8099782B1 (en) Event aggregation in a network
IL262866A (en) Automated forensics of computer systems using behavioral intelligence
US20030084318A1 (en) System and method of graphically correlating data for an intrusion protection system
CN106537872B (en) Method for detecting attacks in a computer network
CN113839935B (en) Network situation awareness method, device and system
EP1418484A2 (en) Event sequence detection
US20030083847A1 (en) User interface for presenting data for an intrusion protection system
CN114006723B (en) Network security prediction method, device and system based on threat information
CN110460481B (en) Identification method of network key assets
CN113660115B (en) Alarm-based network security data processing method, device and system
CN114189361B (en) Situation awareness method, device and system for defending threat
Debar et al. Intrusion detection: Introduction to intrusion detection and security information management
US20030084340A1 (en) System and method of graphically displaying data for an intrusion protection system
CN114124516B (en) Situation awareness prediction method, device and system
CN113794590B (en) Method, device and system for processing network security situation awareness information
CN114301700A (en) Method, device, system and storage medium for adjusting network security defense scheme
CN114006719B (en) AI verification method, device and system based on situation awareness
CN114301796B (en) Verification method, device and system for prediction situation awareness
CN113660223B (en) Network security data processing method, device and system based on alarm information
KR100772177B1 (en) Method and apparatus for generating intrusion detection event to test security function
CN114006722B (en) Situation awareness verification method, device and system for detecting threat
CN113904920B (en) Network security defense method, device and system based on collapse equipment
CN114172881A (en) Network security verification method, device and system based on prediction

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant