CN115174154A - Advanced threat event processing method and device, terminal equipment and storage medium - Google Patents

Info

Publication number: CN115174154A
Authority: CN (China)
Prior art keywords: attack, information, event, detection, rule
Legal status: Pending
Application number: CN202210661835.6A
Other languages: Chinese (zh)
Inventor: 白日
Current assignee: Yingshi Huizhong Shanghai Information Consulting Partnership LP
Original assignee: Yingshi Huizhong Shanghai Information Consulting Partnership LP

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention relates to a method, an apparatus, a terminal device and a storage medium for processing advanced threat events. Original data is collected, threats are detected, events are analysed and a knowledge graph is formed from the results, which completes one life cycle of event management; repeating this cycle forms a continuously iterative management process in which the capability to cope with various advanced threats keeps improving. Advanced threat event management can thus be constructed in a systematic, framework-based and process-oriented way, solving the serious fragmentation, low efficiency, blind construction and lack of overall planning found in the conventional handling of advanced threat events.

Description

Advanced threat event processing method and device, terminal equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for processing an advanced threat event, a terminal device, and a storage medium.
Background
Cyber threats and attacks can be broadly classified into three types: conventional threats, mass attacks and targeted attacks. Conventional threats mainly refer to traditional viruses, trojans, worms, backdoors, malicious programs, malicious scripts, malicious web pages and sites, malicious mails, generic vulnerability attacks and the like; such threats generally involve only a single threat activity and no complex attack scenario. Mass attacks refer to organized, large-scale cybercrime ("black industry") activities such as ransomware, cryptomining, phishing and online advertising fraud. Targeted attacks have clear political, economic, commercial, military or other intentions and consist of organized hacking activities that infiltrate a specific high-value target over the long term in order to obtain information or cause damage; by severity they can be divided into nation-state APT (advanced persistent threat), commercial-level APT, red-blue confrontation, and so on. Whether in targeted attacks represented by APT or in mass attacks represented by ransomware, cryptomining, phishing and advertising fraud, attackers continuously try novel attack techniques in an attempt to bypass traditional detection mechanisms and reach their targets; this class of threat is called an advanced threat.
For an organization, conventional threats can be intercepted with traditional technologies such as signatures, feature codes and reputation libraries. Advanced threats, however, make wide use of large botnets, 0-day/N-day vulnerabilities, phishing mails, fileless attacks, novel malicious program variants, novel attack techniques and the like, which puts the organization at a disadvantage: threat events are frequent, and malignant events such as organizational infiltration and intrusion, theft of core assets and damage to core services occur again and again, yet the organization lacks systematic countermeasures against advanced threats and is often simply unaware of these attack events.
Traditional detection technologies such as file signatures, feature codes and reputation libraries can only intercept known conventional threats such as malicious viruses, trojans, worms, malicious URLs, IP addresses and domain names. Advanced threat attacks, however, can often bypass these traditional detection modes easily, so novel detection modes are needed; in recent years detection modes such as threat intelligence, sandboxes and ATT&CK techniques and tactics have appeared. These detection modes, however, generate a large number of alarms; the various alarms are gathered on a big data platform, must be de-noised and analysed while lacking any context, and finally various products must be integrated to carry out a coordinated response.
Disclosure of Invention
The invention aims to provide a method, a device, a terminal device and a storage medium for processing a high-level threat event, so as to solve the defects in the prior art.
In a first aspect, an embodiment of the present invention provides a method for processing an advanced threat event, where the method includes:
acquiring dotting information in the execution process of the neurons according to a preset acquisition rule;
detecting the dotting information through a preset detection rule, and generating alarm information according to a detection result; the preset detection rules at least comprise one or more of static medium detection rules, dynamic behavior detection rules or big data detection rules;
respectively carrying out qualitative analysis and quantitative analysis on the alarm information, and determining an event report of a high-level threat event according to an analysis result;
and sorting and analyzing the event reports to generate a knowledge graph corresponding to the advanced threat events, wherein the knowledge graph is used for determining attack modes corresponding to the advanced threat events and converting the attack modes into various rules or support data in the steps.
Optionally, the dotting information at least includes the dotting data of each neuron, wherein the neuron at least comprises one or more of a terminal, a network, a host, a Web system, a mail system, a database system, a business system and an application program; the dotting data of the terminal at least comprises one or more of files, processes, communication, the registry, user login, and account creation and modification; the dotting data of the network at least comprises one or more of lateral movement data, external connection access data, data stream data, and attachment-invoked process data and external URL access data from mails; the dotting data of the host at least comprises configuration modification data, instance creation and modification data, container operation data and privileged access data; the dotting data of the Web system at least comprises one or more of visitor information, file uploads, SQL statements and cross-site scripts; the dotting data of the mail system at least comprises one or more of the sender/receiver of the mail, mail attachments and URLs embedded in the mail; the dotting data of the database system at least comprises one or more of SQL statements and visitor information; and the dotting data of other business systems and application programs at least comprises one or more of creator information, visitor information, business system logs and application program logs.
Optionally, the detecting the dotting information by a preset detection rule, and generating an alarm message according to a detection result includes:
the dotting information is detected by adopting one or more of a static medium detection rule, a dynamic behavior detection rule or a big data detection rule, and alarm information is generated according to the detection result, which specifically comprises the following steps:
adopting a static medium detection rule to detect the dotting information and generating alarm information according to the detection result, which comprises the following steps:
detecting the dotting information of static media containing files, URLs (uniform resource locators), IP (Internet protocol) addresses and domain names by adopting signatures, a reputation library, threat intelligence and a sandbox tool, and obtaining a detection result;
if the dotting information of the static medium is judged to match a suspicious rule or a malicious rule, generating alarm information according to the detection result;
adopting a dynamic behavior detection rule to detect the dotting information and generating alarm information according to the detection result, which comprises the following steps:
detecting dotting information containing single behavior activities by adopting a pre-established behavior detection model and detection rules, and determining the context dotting information associated with the dotting information of the single behavior activities;
detecting the dotting information of the single behavior activity together with the context dotting information at every first preset time period to obtain a detection result;
if the detection result meets the alarm detection rule, generating alarm information;
adopting a big data detection rule to detect the dotting information and generating alarm information according to the detection result, which comprises:
performing baseline modeling on the dotting information of a second preset time period by adopting big data statistics and a big data baseline model, and detecting the dotting information according to the baseline rule to obtain a detection result;
and if the detection result meets the alarm detection rule, generating alarm information.
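As an added example (not code from the patent), the three detection-rule kinds of this step applied in Python to constructed dotting records: a static medium check against reputation lists, a dynamic behaviour chain checked inside the first preset time period, and a big data baseline over the second preset time period. All hosts, hashes, domains, IPs, windows and baseline values are constructed.

```python
"""Three detection-rule kinds (static medium, dynamic behaviour, big-data baseline)
run over constructed "dotting" telemetry. Added example, not the patent's code."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed dotting records from three neurons (mail, terminal, network).
# ts is a seconds counter; act is the single behaviour activity the record describes.
DOTTING = [
    {"id": 1, "ts": 100, "neuron": "mail", "host": "ws-01", "act": "attachment_open",
     "sha256": "deadbeef01"},
    {"id": 2, "ts": 130, "neuron": "terminal", "host": "ws-01", "act": "process_create",
     "proc": "powershell.exe"},
    {"id": 3, "ts": 170, "neuron": "network", "host": "ws-01", "act": "outbound_connect",
     "domain": "updates.example-bad.test"},
    {"id": 4, "ts": 900, "neuron": "terminal", "host": "ws-02", "act": "process_create",
     "proc": "powershell.exe"},
    {"id": 5, "ts": 950, "neuron": "network", "host": "ws-02", "act": "outbound_connect",
     "ip": "203.0.113.9"},
    {"id": 6, "ts": 5000, "neuron": "network", "host": "ws-02", "act": "outbound_connect",
     "domain": "cdn.example.test"},
]

# Static medium rule: reputation / threat-intelligence lists keyed by medium type.
# Constructed values; a real deployment loads signatures, reputation and sandbox verdicts.
STATIC_RULES = {
    "malicious": {"sha256": {"deadbeef01"}, "ip": {"203.0.113.9"}},
    "suspicious": {"domain": {"updates.example-bad.test"}},
}

# Dynamic behaviour model: an ordered chain of single-behaviour activities on one host
# that must complete within the "first preset time period" (constructed: 300 s).
BEHAVIOR_MODEL = {
    "name": "attachment_to_shell_to_outbound",
    "sequence": ["attachment_open", "process_create", "outbound_connect"],
    "window": 300,
}

# Big-data baseline input over the "second preset time period" (constructed: seven daily
# outbound-byte totals per host) together with the value observed today.
BASELINE_HISTORY = {
    "ws-01": ([1200, 1300, 1250, 1100, 1280, 1220, 1190], 1260),
    "ws-02": ([900, 950, 880, 920, 910, 930, 890], 48000),
}


def detect_static(records, rules=STATIC_RULES):
    """Real-time check of each record's static media (hash, domain, IP) against the lists."""
    alerts = []
    for r in records:
        for verdict, media in rules.items():
            for medium, listed in media.items():
                if r.get(medium) in listed:
                    alerts.append({"kind": "static", "verdict": verdict, "host": r["host"],
                                   "medium": (medium, r[medium]), "context": [r["id"]]})
    return alerts


def detect_dynamic(records, model=BEHAVIOR_MODEL):
    """Quasi-real-time check: does the model's activity chain occur on one host inside
    the window?  The matched records become the alert's context dotting information."""
    by_host = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_host[r["host"]].append(r)
    seq, window, alerts = model["sequence"], model["window"], []
    for host, recs in by_host.items():
        for start in (r for r in recs if r["act"] == seq[0]):
            chain = [start]
            for r in recs:
                if (len(chain) < len(seq) and r["ts"] > chain[-1]["ts"]
                        and r["ts"] - start["ts"] <= window and r["act"] == seq[len(chain)]):
                    chain.append(r)
            if len(chain) == len(seq):
                alerts.append({"kind": "dynamic", "verdict": "malicious", "host": host,
                               "model": model["name"], "context": [r["id"] for r in chain]})
    return alerts


def detect_baseline(history=BASELINE_HISTORY, k=3.0):
    """Long-period check: flag a host whose observation exceeds mean + k * stddev."""
    alerts = []
    for host, (past, today) in history.items():
        # The 1.0 floor keeps a perfectly flat baseline from alerting on tiny noise.
        threshold = mean(past) + k * max(pstdev(past), 1.0)
        if today > threshold:
            alerts.append({"kind": "baseline", "verdict": "suspicious", "host": host,
                           "observed": today, "threshold": round(threshold, 1), "context": []})
    return alerts


def run_detection(records=DOTTING, history=BASELINE_HISTORY):
    """Apply all three rule kinds, as the patent allows, and return the combined alerts."""
    return detect_static(records) + detect_dynamic(records) + detect_baseline(history)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the constructed data the static rule raises three alerts, the behaviour chain raises one on ws-01 (context records 1, 2, 3), and the baseline raises one on ws-02, whose 48000 bytes far exceed its roughly 978-byte threshold.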
Optionally, the performing qualitative analysis and quantitative analysis on the alarm information and determining an event report of a high-level threat event according to the analysis result includes:
confirming and investigating the alarm information, and determining the suspicious events corresponding to the alarm information;
and performing context correlation analysis on the suspicious event according to a preset correlation rule to generate the event report of the high-level threat event.
Optionally, the confirming and investigating the alarm information and determining a suspicious event corresponding to the alarm information includes:
processing the alarm information by means of a damage-checking rule and big data association analysis, associating the context dotting information, determining the suspicious event and determining the priority of the suspicious event;
the performing context correlation analysis on the suspicious event according to a preset correlation rule to generate an event report of a high-level threat event includes:
adopting a forensics rule, performing event investigation on the suspicious event through big data association analysis, and determining the attack information corresponding to the high-level threat event;
generating the event report according to the attack information, wherein the event report comprises at least a machine-readable report, and the machine-readable report at least comprises: attack start time, attack attributes, attacker intent, attacker attributes, attack severity, asset range of the attack's impact, attack detection time and response time, proposed response strategy, complete raw logs, complete attack chain information, complete attack technique and tactic annotation, and the complete raw attack media with their corresponding threat intelligence information.
Optionally, the sorting and analyzing the event report to generate a knowledge graph corresponding to the advanced threat event includes:
determining an attack knowledge graph and an attack mode corresponding to the advanced threat event according to the event report, wherein the attack mode at least comprises the essence and intention of the various attacks and one or more of an attack tactical mode, the set of static media involved in the attack and the set of dynamic behaviors;
and correcting the acquisition rule, the detection rule, the damage-checking rule and the forensics rule according to the attack mode.
Optionally, the correcting the acquisition rule, the detection rule, the damage-checking rule and the forensics rule according to the attack mode includes:
converting the attack tactical mode, the static medium set and the dynamic behavior set involved in the attack mode to obtain a corrected acquisition rule, detection rule, damage-checking rule and forensics rule.
In a second aspect, an embodiment of the present invention provides an apparatus for processing advanced threat events, where the apparatus includes:
the acquisition module is used for acquiring dotting information in the execution process of the neuron according to a preset acquisition rule;
the detection module is used for detecting the dotting information through a preset detection rule and generating alarm information according to a detection result; the preset detection rules at least comprise one or more of static medium detection rules, dynamic behavior detection rules or big data detection rules;
the analysis module is used for respectively carrying out qualitative analysis and quantitative analysis on the alarm information and determining an event report of a high-level threat event according to an analysis result;
and the feedback module is used for sorting and analyzing the event report to generate a knowledge graph corresponding to the advanced threat event, and the knowledge graph is used for determining an attack mode corresponding to the advanced threat event and converting the attack mode into various rules or support data in the steps.
Optionally, the dotting information at least includes the dotting data of each neuron, wherein the neuron at least comprises one or more of a terminal, a network, a host, a Web system, a mail system, a database system, a business system and an application program; the dotting data of the terminal at least comprises one or more of files, processes, communication, the registry, user login, and account creation and modification; the dotting data of the network at least comprises one or more of lateral movement data, external connection access data, data flow data, and attachment-invoked process data and external URL access data from mails; the dotting data of the host at least comprises configuration modification data, instance creation and modification data, container operation data and privileged access data; the dotting data of the Web system at least comprises one or more of visitor information, file uploads, SQL statements and cross-site scripts; the dotting data of the mail system at least comprises one or more of the sender/receiver of the mail, mail attachments and URLs embedded in the mail; the dotting data of the database system at least comprises one or more of SQL statements and visitor information; and the dotting data of other business systems and application programs at least comprises one or more of creator information, visitor information, business system logs and application program logs.
Optionally, the detecting module is configured to:
detecting the dotting information by adopting one or more of a static medium detection rule, a dynamic behavior detection rule or a big data detection rule and generating alarm information according to the detection result, which specifically comprises the following:
the detection module is specifically configured to:
detect the dotting information of static media containing files, URLs (uniform resource locators), IP (Internet protocol) addresses and domain names by adopting signatures, a reputation library, threat intelligence and a sandbox tool, and obtain a detection result;
if the dotting information of the static medium is judged to accord with suspicious rules or malicious rules, generating alarm information according to the detection result;
the detection module is specifically configured to:
detecting dotting information containing single behavior activities by adopting a pre-established behavior detection model and a detection rule, and determining context dotting information associated with the dotting information of the single behavior activities;
detecting the dotting information of the single behavior activity together with the context dotting information at every first preset time period to obtain a detection result;
if the detection result meets the alarm detection rule, generating alarm information;
the detection module is specifically configured to:
performing baseline modeling on dotting information in a second preset time period by adopting big data statistics and a big data baseline model, and detecting the dotting information according to a baseline rule to obtain a detection result;
and if the detection result meets the alarm detection rule, generating alarm information.
Optionally, the analysis module is configured to:
confirming and investigating the alarm information, and determining suspicious events corresponding to the alarm information;
and performing context correlation analysis on the suspicious event according to a preset correlation rule to generate an event report of the high-level threat event.
Optionally, the analysis module is configured to:
process the alarm information by big data correlation analysis by means of a damage-checking rule, correlate the context dotting information, determine the suspicious event and determine the priority of the suspicious event;
the performing context correlation analysis on the suspicious event according to a preset correlation rule to generate an event report of a high-level threat event includes:
adopting a forensics rule, performing event investigation on the suspicious event through big data association analysis, and determining the attack information corresponding to the high-level threat event;
generating the event report according to the attack information, wherein the event report comprises at least a machine-readable report, and the machine-readable report at least comprises: attack initiation time, attack attributes, attacker intent, attacker attributes, attack severity, asset scope of the attack's impact, attack detection time and response time, proposed response strategy, complete raw logs, complete attack chain information, complete attack technique annotation, and the complete raw attack media with their corresponding threat intelligence information.
Optionally, the feedback module is configured to:
determine an attack knowledge graph and an attack mode corresponding to the advanced threat event according to the event report, wherein the attack mode at least comprises the essence and intention of the various attacks and one or more of an attack tactical mode, the set of static media involved in the attack and the set of dynamic behaviors;
and correct the acquisition rule, the detection rule, the damage-checking rule and the forensics rule according to the attack mode.
Optionally, the feedback module is specifically configured to:
convert the attack tactical mode, the static medium set and the dynamic behavior set involved in the attack mode to obtain a corrected acquisition rule, detection rule, damage-checking rule and forensics rule.
In a third aspect, an embodiment of the present invention provides a terminal device, including: at least one processor and memory;
the memory stores a computer program; the at least one processor executes the computer program stored by the memory to implement the method for handling high-level threat events provided by the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed, implements the processing method for high-level threat events provided in the first aspect.
The embodiment of the invention has the following advantages:
According to the processing method, the processing device, the terminal equipment and the storage medium for the advanced threat event, dotting information in the execution process of the neuron is obtained according to a preset acquisition rule; the dotting information is detected through a preset detection rule, and alarm information is generated according to the detection result, where the preset detection rules at least comprise one or more of static medium detection rules, dynamic behavior detection rules or big data detection rules; qualitative analysis and quantitative analysis are carried out on the alarm information, and an event report of the high-level threat event is determined according to the analysis result; and the event reports are sorted and analyzed to generate a knowledge graph corresponding to the high-level threat events, wherein the knowledge graph is used for determining the attack mode corresponding to the high-level threat events and converting the attack mode into the various rules or support data used in the steps. In this way the embodiment realizes the acquisition of original data, the detection of threats, the analysis of events, the formation of knowledge graphs and the completion of a life cycle of event management, so that continuous circulation forms a continuously iterative management process, the capability of coping with various high-level threats can be continuously improved, high-level threat event management can be effectively constructed in a systematized, framework-based and process-oriented way, and the problems of serious fragmentation, low efficiency, blind construction, lack of overall planning and the like in the conventional process of dealing with high-level threat events are solved.
Drawings
FIG. 1 is a flow chart of the steps of one embodiment of a method of processing high-level threat events of the present invention;
FIG. 2 is a high level threat hierarchy description model of the present invention;
FIG. 3 is an advanced threat event management system of the present invention;
FIG. 4 is an advanced threat event remediation process of the present invention;
FIG. 5 is a block diagram of an embodiment of an advanced threat event processing apparatus of the present invention;
FIG. 6 is a schematic structural diagram of a terminal device of the present invention.
Detailed Description
It should be noted that, in the present application, the embodiments and features of the embodiments may be combined with each other without conflict. The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
One embodiment of the invention provides a method for processing advanced threat events, which is used for processing advanced threat events. The execution subject of the embodiment is a processing device of a high-level threat event, and is arranged on a terminal device, for example, the terminal device at least includes a mobile phone terminal, a tablet terminal, a computer terminal, and the like.
Referring to fig. 1, a flow chart of steps of an embodiment of a method for processing advanced threat events according to the present invention is shown, and the method may specifically include the following steps:
S101, obtaining dotting information in the neuron execution process according to a preset acquisition rule;
wherein the dotting information at least comprises the dotting data of each neuron, and the neuron at least comprises one or more of a terminal, a network and a host; the dotting data of the terminal at least comprises one or more of files, processes, communication, the registry, user login, and account creation and modification; the dotting data of the network at least comprises one or more of lateral movement data, external connection access data, data stream data, and attachment-invoked process data and external URL access data from mails; and the dotting data of the host at least comprises one or more of configuration modification data, instance creation and modification data, container operation data and privileged access data.
Specifically, various neurons are adopted to execute a business system, the various neurons comprise a terminal, a network and a host, different neurons correspond to different dotting data, a user can set different dotting information according to needs, for example, the user can set the dotting information by adopting a preset acquisition rule, and when the dotting information is acquired, the user can acquire the dotting information by adopting the preset acquisition rule or according to an acquisition rule set by an expert;
specifically, the neuron at least comprises one or more of a terminal, a network, a host, a Web system, a mail system, a database system, a business system and an application program, wherein dotting data of the terminal at least comprises one or more of files, processes, communication, a registry, user login, account creation and modification, dotting data of the network at least comprises one or more of lateral movement data, external connection access data and data stream data, and attachment calling process data and external URL access data from the mail, dotting data of the host at least comprises configuration modification data, instance creation and modification data, container operation data and privileged access data, and dotting data of the Web system at least comprises one or more of visitor information, file uploading, SQL statements and cross-site scripts; the dotting data of the mail system at least comprises one or more of a sender/receiver of the mail, a mail attachment and a mail embedded URL; dotting data of the database system at least comprises one or more of SQL statements and visitor information; the dotting data of other business systems and application programs at least comprises one or more of creator information, visitor information, business system logs and application program logs.
S102, detecting the dotting information through a preset detection rule, and generating alarm information according to a detection result; the preset detection rules at least comprise one or more of static medium detection rules, dynamic behavior detection rules or big data detection rules;
Different detection rules are adopted for different requirements: the static medium detection rules can be used for real-time detection and analysis; the dynamic behavior detection rules can be used for quasi-real-time, short-period detection and analysis; and the big data detection rules perform baseline modeling on the dotting information of a specified monitored object over a long time period by means of big data statistics and a big data baseline model, find anomalies according to the baseline rule and generate alarm information;
In a specific implementation, the terminal device may detect the dotting information according to any one of these detection rules, or according to multiple types of detection rules, and generate the alarm information, where multiple types means two or more.
S103, respectively carrying out qualitative analysis and quantitative analysis on the alarm information, and determining an event report of a high-level threat event according to an analysis result;
Specifically, after acquiring the alarm information, the terminal device performs qualitative analysis on the alarm information of each neuron; this damage check is a rapid analysis of the alarm information generated by the lower layer that improves the reliability of the alarm, preliminarily confirms whether the attack is real, what its nature is and what the attacker intends, and determines a suspicious event;
and then, adopting a forensics rule to process the suspicious event to generate an event report, namely forensics refers to executing event investigation through big data context correlation analysis aiming at the suspicious event by means of the forensics rule, wherein the event investigation comprises backtracking a complete attack scene, judging the attack severity, evaluating the influence and range of the attack, tracing an attacker, providing a repair and remediation suggestion, and finally generating the event report.
And S104, sorting and analyzing the event reports to generate a knowledge graph corresponding to the high-level threat events, wherein the knowledge graph is used for determining attack modes corresponding to the high-level threat events and converting the attack modes into various rules or support data in the steps.
Specifically, the terminal device generalizes the structured data in the event reports to form an attack knowledge graph and refines an attack mode from it. After an event has been investigated and its event report completed, the report can be generalized into a knowledge graph for that type of event, such as a knowledge graph for a certain type of APT attack, a ransomware attack, a cryptomining attack or a phishing attack; knowledge graphs are generally classified by attack attributes and scenarios. By combing through the various attack knowledge graphs, the attack tactics and attack media commonly used by certain kinds of attack can be found, attack rules and attack modes summarized, and even the attack organization behind them identified; the resulting attack mode generally comprises the essence and intention of the various kinds of attack, the commonly used attack tactical mode, the set of attack media, and the like.
The novel attack techniques and attack media accumulated in the attack mode are then written into the dotting rules, threat intelligence, sandbox detection rules, behavior detection rules, damage-checking association analysis rules, forensics association analysis rules and the like used in the dotting, detection and analysis stages. These converted results further improve dotting precision, detection breadth, alarm reliability, suspicious event precision and the degree of automation of damage checking and forensics, so that the user's advanced threat countermeasures keep improving. The learning process from attack knowledge graph to attack mode and the conversion process that forms the various rules can be realized by means of AI, machine learning or similar technologies.
According to the processing method of the advanced threat event, dotting information in the execution process of the neuron is obtained according to a preset acquisition rule; detecting the dotting information through a preset detection rule, and generating alarm information according to a detection result; the preset detection rules at least comprise one or more of static medium detection rules, dynamic behavior detection rules or big data detection rules; respectively carrying out qualitative analysis and quantitative analysis on the alarm information, and determining an event report of the high-level threat event according to the analysis result; and sorting and analyzing the event reports to generate a knowledge graph corresponding to the advanced threat events, wherein the knowledge graph is used for determining attack modes corresponding to the advanced threat events and converting the attack modes into various rules or support data in the steps. According to the embodiment of the invention, the acquisition of original data, the detection of threats, the analysis of events, the formation of the knowledge map and the completion of a life cycle of event management are realized, so that a continuous iterative management process is formed in a continuous cycle, the coping capability of various advanced threats can be continuously improved, the advanced threat event management can be effectively constructed in a systematized, framed and flow manner, and the problems of serious fragmentation, low efficiency, blind construction, lack of overall planning and the like in the conventional advanced threat event management process are solved.
The present invention further provides a supplementary explanation for the method for processing advanced threat events provided in the above embodiments.
Optionally, the detecting the dotting information by presetting a detection rule, and generating alarm information according to a detection result includes:
the dotting information is detected by adopting one or more of a static medium detection rule, a dynamic behavior detection rule or a big data detection rule, and alarm information is generated according to a detection result, and the method specifically comprises the following steps:
adopting static medium detection rules to detect dotting information and generating alarm information according to detection results, comprising:
detecting dotting information of a static medium containing files, URLs (uniform resource locators), IP (Internet protocol) addresses and domain names by adopting signatures, a reputation database, threat intelligence and a sandbox tool, and obtaining a detection result;
if the dotting information of the static medium is judged to accord with the suspicious rule or the malicious rule, generating alarm information according to the detection result;
the dynamic behavior detection rule is adopted to detect the dotting information and generate alarm information according to the detection result, and the method comprises the following steps:
detecting dotting information containing single behavior activities by adopting a pre-established behavior detection model and detection rules, and determining context dotting information associated with the dotting information of the single behavior activities;
detecting dotting information and context dotting information of single behavior activities every other first preset time period to obtain a detection result;
if the detection result meets the alarm detection rule, generating alarm information;
adopting big data detection rule, detecting the dotting information, and generating alarm information according to the detection result, including:
performing baseline modeling on dotting information in a second preset time period by adopting big data statistics and a big data baseline model, and judging the dotting information according to a baseline rule;
and if the dotting information is abnormal information, generating alarm information.
Optionally, the qualitatively analyzing and quantitatively analyzing the alarm information, and determining an event report of the high-level threat event according to the analysis result, includes:
confirming and investigating the alarm information, and determining suspicious events corresponding to the alarm information;
and performing context correlation analysis on the suspicious event according to a preset correlation rule to generate an event report of the high-level threat event.
Optionally, the confirming and investigating the alarm information, and determining a suspicious event corresponding to the alarm information, includes:
processing the alarm information by means of a triage rule and big data correlation analysis, correlating context dotting information, determining suspicious events and determining the priority of the suspicious events;
according to a preset association rule, performing context association analysis on the suspicious event to generate an event report of the high-level threat event, wherein the event report comprises:
adopting a forensics rule, performing event investigation processing on the suspicious event through big data association analysis, and determining attack information corresponding to the high-level threat event;
generating an event report according to the attack information, wherein the event report comprises at least a machine-readable report, and the machine-readable report at least comprises: attack start time, attack attributes, attacker intent, attacker attributes, attack severity, asset range of attack impact, attack detection time and response time, proposed response strategy, complete raw log, complete attack chain information, complete attack technique and tactics annotation, complete raw attack medium and its corresponding threat intelligence information.
Optionally, sorting and analyzing the event reports to generate a knowledge graph corresponding to the advanced threat event, including:
determining an attack knowledge graph and an attack mode corresponding to the high-level threat event according to the event report, wherein the attack mode at least comprises the essence and intention of various attacks and one or more of an attack technology mode, a static medium set involved in the attack and a dynamic behavior set;
and correcting the acquisition rule, the detection rule, the association rule and the forensics rule according to the attack mode.
Optionally, modifying the collection rule, the detection rule, the association rule, and the forensics rule according to the attack mode, including:
and converting the attack technique and tactics pattern in the attack mode and the static medium set and dynamic behavior set involved in the attack to obtain the corrected acquisition rule, detection rule, triage rule and forensics rule.
Fig. 2 shows the high-level threat hierarchical description model of the present invention. As shown in fig. 2, an embodiment of the present invention provides a design method for a network high-level threat event management system. In order to unify the description of high-level threats, the present invention first proposes a high-level threat hierarchical description model, which describes the composition of a high-level threat in a structured manner and divides it into four levels: points, lines, planes and bodies, described respectively as follows:
1. Point (basic attack element)
The basic elements that constitute an attack, namely the attack elements used by the attacker. Attack elements are divided into static medium elements and dynamic behavior elements. Static medium elements mainly refer to attack media, such as malicious documents, malicious URLs (uniform resource locators, including IP addresses, C&C addresses and the like), malicious mails, vulnerabilities (in documents, systems, communications, services or applications), malicious apps, penetration tools and the like; dynamic behavior elements mainly refer to attack behaviors, such as malicious network, terminal and host behaviors, commonly port scanning, vulnerability exploitation, C&C outbound connection, privilege escalation, lateral movement, brute forcing, asset discovery and the like.
2. Line (Single attack activity)
A single attack behavior or activity composed of people, things, time, channels, threat elements, etc., i.e., a specific activity at a certain stage in the attack chain, such as: an attacker sends a social engineering attack mail to a certain user of a target enterprise through a certain IP at a certain time; a backdoor program accesses a malicious C & C site at a certain time through a certain host; an IP tries a login account/password of a host several times in a certain period of time.
3. Plane (complete attack event)
A plurality of related attack activities associated in order form a complete attack event, namely a complete attack chain. For example, a complete APT attack event: an attacker sends a social engineering attack mail from a certain IP to a certain user of the target enterprise at a certain time, so that a backdoor is implanted on the user's terminal; the backdoor program connects outbound to a certain C&C site at a certain time and downloads a certain malicious penetration tool; the penetration tool tries multiple times within a certain period to penetrate other hosts in the network and successfully obtains user permissions on a certain host; the attacker traverses the files of that host at a certain time and packages and uploads some key files.
4. Body (general attack pattern)
The overall attack graph formed by many attack events or attack activities, namely the overall attack situation. Through attribution analysis such as big data AI/ML, statistical analysis and pattern analysis, attack patterns can be summarized, novel attack characteristics extracted, and new attack activities, attack events and attack development trends discovered, giving a preliminary attack perception capability.
Fig. 3 shows the high-level threat event management system of the present invention. As shown in fig. 3, an embodiment of the present invention provides a management method and system structure for high-level threat events. The method and system correspond one-to-one to the threat hierarchical description model and are divided in sequence into four levels: dotting, detection, analysis and feedback. Each level defines the actions to be executed and the technologies to be prepared, and a complete management process is realized between the layers through a tight input-output relationship: the acquisition of original data, the detection of threats, the analysis of events, and the transformation of the knowledge graph into the various basic capabilities required by dotting, detection and analysis. This completes one life cycle of event management; continuous cycling constitutes a continuously iterative management process, and the capability of coping with various high-level threats is steadily improved.
By means of the above method model and system, high-level threat event management can be effectively constructed in a systematized, framed and process-oriented manner, solving the problems of serious fragmentation, low efficiency, lack of capability conversion, blind construction, lack of overall planning and the like in the prior-art process of dealing with high-level threat events.
The architecture model corresponds to the high-level threat hierarchical description model in fig. 2, and describes the input and output of each layer, the executed actions, and the required technologies, specifically as follows:
1. Dotting
Input: dotting rules
Output: dotting information
Dotting refers to collecting data according to specified rules. Early dotting rules are set from expert experience; as the system iterates, the dotting rules can be further adjusted and optimized through knowledge conversion from the attack graph and are issued to the neurons on terminals, the network and hosts. The neurons perform data dotting according to the dotting rules, collecting activities such as file, process, communication, registry, user login, and account creation and modification from terminals; lateral movement, external access and data flow from the network; attachment-invoked processes and external URL access from mail; and configuration modification, instance creation and modification, container operation and privileged access from hosts. Finally, various activity logs (including the activity executor, host/terminal/network information, time, channel, medium, behavior and the like) are generated, namely the dotting information.
2. Detection
Input: dotting information
Output: alarm information
Detection techniques can be divided into the following three types:
static medium detection
The dotting information of static media, including files, URLs (uniform resource locators), IP (Internet protocol) addresses, domain names and the like, is detected mainly by means of signatures, reputation databases, threat intelligence, sandboxes and similar tools; if a static medium is judged suspicious or malicious, alarm information is generated. Because this judgment needs only the static medium itself (file, URL, IP address, domain name and the like) and no other dotting information has to be correlated, static medium detection can generally be used for real-time detection and analysis.
Dynamic behavior detection
Dotting information containing a single behavior activity is detected mainly by means of a behavior detection model and detection rules. Many attack behavior scenarios are described in detail in the ATT&CK model, and the behavior detection model and detection rules mainly target those scenarios. Since such detection usually requires correlating several pieces of context dotting information that are close to each other, and the detection must be completed within a short period, dynamic behavior detection serves as quasi-real-time, short-period detection and analysis. The several pieces of context dotting information that are close to each other may come from the same terminal, network or host, or may span terminal, network and host; therefore, the capability to acquire data across terminal, network and host is required for this kind of detection. For example: after a terminal is compromised by a fileless PowerShell attack, the attacker uses xp_cmdshell to attack a cloud service; according to the behavior detection rule, the dotting information for invoking powershell on the terminal and the dotting information for invoking xp_cmdshell on the network must be correlated for detection, and if they match the detection rule, alarm information is generated.
Big data detection
Baseline modeling is performed on the dotting information of a specified monitored object over a long period by means of big data statistics and a big data baseline model; anomalies are found according to the baseline rule, and alarm information is generated.
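The three detection rule types above (and the corresponding steps of S102 in the method embodiment) can be illustrated with a small engine. The following Python code is an added example and is not part of the patent: it runs a static medium rule, a dynamic behavior sequence rule (the PowerShell-then-xp_cmdshell case, correlating terminal and network records of the same host) and a big data baseline rule over constructed dotting records. The record fields, rule formats, IOC list and baseline series are assumptions.

```python
"""Added example (not part of the patent): the three detection rule types of
step S102 run over constructed dotting records. Record fields, rule formats
and the sample threat intelligence are assumptions, not the patent's formats."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed dotting records: one activity log per neuron observation.
# "medium" carries a static medium (domain, IP, hash); "behavior"/"image"
# describe a single dynamic activity.
DOTTING = [
    {"id": 1, "source": "terminal", "host": "pc-17", "time": "2022-06-01T09:00:00",
     "behavior": "process_create", "image": "powershell.exe", "medium": None},
    {"id": 2, "source": "network", "host": "pc-17", "time": "2022-06-01T09:00:20",
     "behavior": "sql_exec", "image": "xp_cmdshell", "medium": None},
    {"id": 3, "source": "network", "host": "pc-03", "time": "2022-06-01T09:05:00",
     "behavior": "dns_query", "image": None, "medium": "bad.example.test"},
    {"id": 4, "source": "terminal", "host": "pc-03", "time": "2022-06-01T09:10:00",
     "behavior": "process_create", "image": "powershell.exe", "medium": None},
]

# Constructed threat intelligence (domains, IPs, hashes); placeholder values.
IOC_SET = {"bad.example.test", "198.51.100.7"}


def static_medium_detect(records, iocs=IOC_SET):
    """Static medium rule: a record whose medium matches threat intelligence
    is alarmed on its own, with no context records, which is why the text
    treats static medium detection as real-time."""
    return [{"rule": "static_medium", "host": r["host"], "medium": r["medium"],
             "dotting_ids": [r["id"]]}
            for r in records if r.get("medium") in iocs]


# A behavior detection rule: ordered (behavior, image) steps that must all
# occur on the same host within `window` of the first step.
SEQUENCE_RULES = [
    {"name": "powershell_then_xp_cmdshell",
     "steps": [("process_create", "powershell.exe"), ("sql_exec", "xp_cmdshell")],
     "window": timedelta(minutes=5)},
]


def _match_sequence(recs, steps, window):
    """Return the dotting ids of the first chain satisfying `steps` in order."""
    for start in recs:
        if (start["behavior"], start["image"]) != steps[0]:
            continue
        t0 = datetime.fromisoformat(start["time"])
        chain, t_prev = [start["id"]], t0
        for step in steps[1:]:
            nxt = next((r for r in recs
                        if (r["behavior"], r["image"]) == step
                        and t_prev <= datetime.fromisoformat(r["time"]) <= t0 + window),
                       None)
            if nxt is None:
                break
            chain.append(nxt["id"])
            t_prev = datetime.fromisoformat(nxt["time"])
        else:
            return chain
    return None


def dynamic_behavior_detect(records, rules=SEQUENCE_RULES):
    """Dynamic behavior rule: the single activity (PowerShell launched on the
    terminal) is alarmed only when its context record (xp_cmdshell seen on the
    network) from the same host follows within the rule's window. Records
    from terminal and network neurons are merged per host for that reason."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    alarms = []
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["time"])
        for rule in rules:
            chain = _match_sequence(recs, rule["steps"], rule["window"])
            if chain:
                alarms.append({"rule": rule["name"], "host": host,
                               "dotting_ids": chain})
    return alarms


def baseline_detect(obj, history, current, sigma=3.0):
    """Big data baseline rule: model a monitored object's metric over the
    second preset period (`history`) and alarm when the newest value exceeds
    mean + sigma * stddev. With a flat history (stddev 0) any rise alarms."""
    mu, sd = mean(history), pstdev(history)
    upper = mu + sigma * sd
    if current > upper:
        return {"rule": "baseline", "object": obj, "value": current,
                "threshold": round(upper, 2)}
    return None


# Constructed daily outbound volume (MB) for one host: a 7-day baseline.
OUTBOUND_HISTORY = [100, 110, 95, 105, 100, 90, 105]

if __name__ == "__main__":
    print(static_medium_detect(DOTTING))
    print(dynamic_behavior_detect(DOTTING))
    print(baseline_detect("pc-03 outbound MB", OUTBOUND_HISTORY, 2000))
```

Host pc-03 launches PowerShell too, but no xp_cmdshell call follows, so the sequence rule stays silent there; only the static medium rule fires for that host. The baseline rule is deliberately one-sided (only rises alarm), which fits volume-style metrics; a two-sided band would be the variant for metrics where a drop is also suspicious.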
3. Analysis
Analysis further confirms and investigates the alarm information, confirms the authenticity of the attack, and completes the study and judgment of the event and the tracing of the attack source. Analysis generally comprises two phases, qualitative analysis and quantitative analysis: qualitative analysis, namely triage, and quantitative analysis, namely forensics.
3.1 Triage
Input: alarm information
Output: suspicious events
Triage refers to rapid analysis of the alarm information generated at the lower layer, which improves the reliability of the alarm and preliminarily confirms the authenticity of the attack, the nature of the attack and the intention of the attacker. This process mainly uses triage rules and, through big data correlation analysis, takes the alarm information as the entry point and correlates context dotting information and other data clues to quickly confirm the authenticity, nature and intention of the attack, generate a high-quality accurate alarm called a suspicious event, and determine the priority of the suspicious event. Security personnel can thus focus their attention on the more critical problems and are less distracted by false alarms.
For example: security personnel find network-side alarm information 1, a suspicious outbound connection, and through big data correlation analysis (triage rules) find two other data clues: network-side clue 2, a suspicious phishing mail, and terminal-side clue 3, an opened attachment creating a suspicious process. By correlating clue 2 and clue 3, the security personnel can quickly determine the credibility of alarm information 1, combine clue 1, clue 2 and clue 3 into one accurate alarm, namely a suspicious event, and then start a targeted and complete event investigation instead of searching for a needle in a haystack.
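The triage scenario just described (and the corresponding step of S103) can be written down as a small correlation routine. The following Python code is an added example and not part of the patent: alarm 1 is corroborated by clue 2 and clue 3 when they share an entity (host or user) with the alarm and fall inside a look-back window, and the result is a suspicious event with a priority. Field names, the link keys, the window and the priority scheme are assumptions.

```python
"""Added example (not part of the patent): the triage step of 3.1 applied to
the worked scenario in the text. Network alarm 1 (suspicious outbound
connection) is confirmed by clue 2 (phishing mail) and clue 3 (attachment
spawned a suspicious process). Field names, link keys and priority scheme
are assumptions."""
from datetime import datetime, timedelta

# Constructed alarm and data clues. Clue 4 belongs to another user and host
# and must not be pulled into the suspicious event.
ALARM_1 = {"id": 1, "side": "network", "kind": "suspicious_outbound",
           "host": "pc-17", "user": "alice", "time": "2022-06-01T10:30:00"}
CLUES = [
    {"id": 2, "side": "network", "kind": "suspicious_phishing_mail",
     "host": None, "user": "alice", "time": "2022-06-01T10:05:00"},
    {"id": 3, "side": "terminal", "kind": "attachment_spawned_process",
     "host": "pc-17", "user": "alice", "time": "2022-06-01T10:12:00"},
    {"id": 4, "side": "terminal", "kind": "attachment_spawned_process",
     "host": "pc-40", "user": "bob", "time": "2022-06-01T10:20:00"},
]

# A triage rule: which clue kinds corroborate this alarm kind, which entity
# fields may link a clue to the alarm, and how far back to look.
TRIAGE_RULE = {
    "alarm_kind": "suspicious_outbound",
    "corroborating": ["suspicious_phishing_mail", "attachment_spawned_process"],
    "link_on": ["host", "user"],
    "window": timedelta(hours=1),
}


def _linked(alarm, clue, link_on):
    """A clue links to the alarm if any non-empty link field agrees."""
    return any(clue.get(k) is not None and clue.get(k) == alarm.get(k)
               for k in link_on)


def triage(alarm, clues, rule=TRIAGE_RULE):
    """Turn a raw alarm into a suspicious event by correlating context clues.
    Returns None when the rule does not apply or nothing corroborates it, so
    the alarm stays a low-confidence alarm rather than a suspicious event."""
    if alarm["kind"] != rule["alarm_kind"]:
        return None
    t_alarm = datetime.fromisoformat(alarm["time"])
    found = []
    for c in sorted(clues, key=lambda c: c["time"]):
        t_c = datetime.fromisoformat(c["time"])
        if (c["kind"] in rule["corroborating"]
                and t_alarm - rule["window"] <= t_c <= t_alarm
                and _linked(alarm, c, rule["link_on"])):
            found.append(c)
    if not found:
        return None
    kinds = {c["kind"] for c in found}
    # Confidence = share of the rule's corroborating clue kinds observed;
    # priority follows it so analysts see fully corroborated events first.
    confidence = len(kinds & set(rule["corroborating"])) / len(rule["corroborating"])
    priority = "high" if confidence == 1.0 else "medium"
    return {"alarm_id": alarm["id"], "clue_ids": [c["id"] for c in found],
            "hosts": sorted({x["host"] for x in [alarm, *found] if x["host"]}),
            "confidence": confidence, "priority": priority}


if __name__ == "__main__":
    print(triage(ALARM_1, CLUES))
```

The mail clue carries no host, so it links through the user; the terminal clue links through both. Clue 4 matches a corroborating kind but shares no entity with the alarm, which is exactly the false association triage must avoid.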
3.2 Forensics
Input: suspicious event
Output: event report
Forensics refers to executing event investigation, by means of forensics rules, through big data context correlation analysis of the suspicious event. The event investigation comprises backtracking the complete attack scene, judging the attack severity, evaluating the influence and scope of the attack, tracing the attacker, providing repair and remediation suggestions, and finally generating an event report. The event report comprises a human-readable report and a machine-readable report. The human-readable report is like a court file or a hospital medical record; the machine-readable report is formed by sorting and recording the various data of the event report in a structured way so that machines can later read and query it, and comprises: attack start time, attack attributes, attacker intent, attacker attributes (profile information), attack severity, asset range of attack impact, attack detection time and response time, proposed response strategy, complete raw logs (dotting information, alarm information, event clues and the like), complete attack chain information, complete ATT&CK annotation, complete raw attack media and their corresponding IOC (threat intelligence) information, other machine-readable data, and the like.
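To show what the machine-readable report described above looks like once the attack chain has been backtracked, the following Python code is an added example and not part of the patent. From the raw logs linked to one suspicious event it orders the chain in time, annotates each step with an ATT&CK tactic, derives severity from the deepest tactic reached, computes the affected asset range and the detection delay, and attaches threat intelligence to each attack medium. The tactic mapping, severity ladder, response suggestions, intent labels and all sample data are assumptions.

```python
"""Added example (not part of the patent): the forensics step of 3.2. From the
raw logs linked to a suspicious event, backtrack the attack chain, annotate it
with ATT&CK tactics, and fill the machine-readable report fields listed in the
text. Tactic mapping, severity ladder, responses and sample data are assumptions."""
from datetime import datetime

# Constructed raw logs behind one suspicious event (ids 1-3 follow the triage
# example in the text; id 5 is a later clue found during forensics).
RAW_LOGS = [
    {"id": 2, "time": "2022-06-01T10:05:00", "host": "mailgw",
     "kind": "phishing_mail", "medium": "lure.example.test"},
    {"id": 3, "time": "2022-06-01T10:12:00", "host": "pc-17",
     "kind": "attachment_spawned_process", "medium": "invoice.doc:sha256:PLACEHOLDER"},
    {"id": 1, "time": "2022-06-01T10:30:00", "host": "pc-17",
     "kind": "suspicious_outbound", "medium": "198.51.100.7"},
    {"id": 5, "time": "2022-06-01T11:02:00", "host": "fs-01",
     "kind": "remote_login", "medium": None},
]

# Assumed mapping from clue kind to the ATT&CK tactic it evidences.
TACTIC_OF = {
    "phishing_mail": "Initial Access",
    "attachment_spawned_process": "Execution",
    "suspicious_outbound": "Command and Control",
    "remote_login": "Lateral Movement",
}
# Assumed severity ladder: the deepest tactic reached decides the severity.
SEVERITY_BY_TACTIC = {"Initial Access": "low", "Execution": "medium",
                      "Command and Control": "high", "Lateral Movement": "high",
                      "Exfiltration": "critical"}
LADDER = list(SEVERITY_BY_TACTIC)
# Constructed threat intelligence for media that may appear in a chain.
THREAT_INTEL = {"198.51.100.7": "C&C address (constructed)",
                "lure.example.test": "phishing domain (constructed)"}
# Assumed response suggestions per severity.
RESPONSE_BY_SEVERITY = {
    "low": ["block the attack media"],
    "medium": ["block the attack media", "quarantine the dropped file"],
    "high": ["isolate affected assets", "block the attack media",
             "reset exposed credentials"],
    "critical": ["isolate affected assets", "block the attack media",
                 "reset exposed credentials", "start data-loss assessment"],
}


def build_report(event_id, logs, detected_at, responded_at, intel=THREAT_INTEL):
    """Backtrack the complete attack chain and fill the structured report."""
    chain = sorted(logs, key=lambda r: r["time"])          # time-ordered chain
    annotated = [{"id": r["id"], "time": r["time"], "host": r["host"],
                  "tactic": TACTIC_OF.get(r["kind"], "Unknown")} for r in chain]
    depth = max((LADDER.index(a["tactic"]) for a in annotated
                 if a["tactic"] in LADDER), default=-1)
    severity = SEVERITY_BY_TACTIC[LADDER[depth]] if depth >= 0 else "low"
    media = [r["medium"] for r in chain if r["medium"]]
    start = datetime.fromisoformat(chain[0]["time"])
    tactics_seen = {a["tactic"] for a in annotated}
    return {
        "event_id": event_id,
        "attack_start_time": chain[0]["time"],
        "attack_attributes": [t for t in LADDER if t in tactics_seen],
        # assumed intent labels, keyed on how deep the chain got
        "attacker_intent": ("remote control and lateral spread" if depth >= 2
                            else "initial foothold"),
        "attack_severity": severity,
        "affected_assets": sorted({r["host"] for r in chain}),
        "detection_time": detected_at,
        "response_time": responded_at,
        "minutes_to_detect": (datetime.fromisoformat(detected_at) - start).total_seconds() / 60,
        "proposed_response": RESPONSE_BY_SEVERITY[severity],
        "raw_logs": chain,
        "attack_chain": annotated,
        # media without intelligence are flagged so the feedback layer can add them
        "attack_media": {m: intel.get(m, "no intelligence yet") for m in media},
    }


if __name__ == "__main__":
    print(build_report(1, RAW_LOGS, "2022-06-01T10:31:00", "2022-06-01T11:20:00"))
```

The raw logs are kept whole inside the report so that a later machine can re-query them, and an attack medium with no intelligence (the dropped document here) is marked as such rather than silently omitted, which is the input the feedback layer needs.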
4. Feedback
The various machine-readable event reports generated at the lower layer are further classified, sorted and summarized, so that a large attack knowledge graph accumulates; through the two stages of learning and conversion, the knowledge graph yields the key capabilities used in the dotting, detection and analysis stages, forming a positive feedback of capability.
4.1 Learning
Input: event reports
Output: attack pattern
Learning refers to the process of generalizing the structured data in event reports to form an attack knowledge graph and refine attack patterns; the learning process may also be called attribution analysis. After an event has been investigated and an event report formed, the report can be generalized into the knowledge graph of that event type, such as the knowledge graph of a certain type of APT attack, a ransomware attack, a cryptomining attack, a phishing attack and the like; knowledge graphs are generally classified by attack attributes and scenarios. By reviewing the various attack knowledge graphs, the attack techniques and attack media commonly used for certain kinds of attacks can be found, attack rules and attack patterns summarized, and even the attack organization behind them discovered. The output of this process is the attack pattern, which generally includes the nature and intent of each type of attack, as well as its commonly used attack technique patterns and attack medium set, and so on.
4.2 Conversion
Input: attack pattern
Output: various rules
Conversion means further writing the novel attack techniques and attack media accumulated in the attack pattern into the dotting rules, threat intelligence, sandbox detection rules, behavior detection rules, triage correlation analysis rules, forensics correlation analysis rules and the like used in the dotting, detection and analysis stages. The conversion results further improve dotting precision, detection breadth, alarm reliability, suspicious event precision and the degree of automation of triage and forensics, so that the user's capability to counter advanced threats is further improved. The learning process from attack knowledge graph to attack pattern and the subsequent conversion process that forms the various rules can be realized by means of AI, machine learning and other technologies.
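The learning and conversion stages of the feedback layer (4.1 and 4.2, and the same loop as described for S104 in the method embodiment) are illustrated below with Python code that is an added example and not part of the patent. Constructed machine-readable event reports are generalized into a per-attack-type knowledge graph, an attack pattern is refined from what recurs, and the pattern is converted into new threat-intelligence entries (static medium rules) and technique-sequence rules for the behavior detection stage. The report fields, the use of ATT&CK technique ids as labels, the thresholds and the rule formats are assumptions.

```python
"""Added example (not part of the patent): feedback layer, learning (4.1) and
conversion (4.2). Report fields, technique-id labels, thresholds and rule
formats are assumptions."""
from collections import Counter, defaultdict

# Constructed machine-readable event reports; technique ids are ATT&CK
# technique identifiers used here only as labels.
REPORTS = [
    {"attack_type": "phishing", "techniques": ["T1566", "T1204", "T1071"],
     "media": ["lure-a.example.test", "dropper.exe:sha256:PLACEHOLDER"]},
    {"attack_type": "phishing", "techniques": ["T1566", "T1204", "T1071"],
     "media": ["lure-b.example.test", "dropper.exe:sha256:PLACEHOLDER"]},
    {"attack_type": "ransomware", "techniques": ["T1190", "T1486"],
     "media": ["198.51.100.9"]},
]
KNOWN_INTEL = {"198.51.100.9"}  # constructed: already in threat intelligence


def learn(reports):
    """Learning: classify reports by attack type and accumulate, per type, how
    often each technique, technique sequence and medium appears. This counted
    structure is the knowledge graph of the text."""
    graph = defaultdict(lambda: {"reports": 0, "techniques": Counter(),
                                 "sequences": Counter(), "media": Counter()})
    for rep in reports:
        node = graph[rep["attack_type"]]
        node["reports"] += 1
        node["techniques"].update(rep["techniques"])
        node["sequences"][tuple(rep["techniques"])] += 1
        node["media"].update(rep["media"])
    return dict(graph)


def refine_pattern(graph, min_share=0.5, min_support=2):
    """Attack pattern per type: techniques seen in at least `min_share` of that
    type's reports, technique sequences seen at least `min_support` times, and
    every medium observed (the attack medium set)."""
    pattern = {}
    for atype, node in graph.items():
        n = node["reports"]
        pattern[atype] = {
            "common_techniques": [t for t, c in node["techniques"].most_common()
                                  if c / n >= min_share],
            "technique_sequences": [s for s, c in node["sequences"].items()
                                    if c >= min_support],
            "media": sorted(node["media"]),
        }
    return pattern


def convert(pattern, known_intel=KNOWN_INTEL):
    """Conversion: media not yet in threat intelligence become new IOC entries
    (static medium rules); recurring technique sequences become sequence rules
    for the dynamic behavior detection stage."""
    new_intel, behavior_rules = set(), []
    for atype, p in pattern.items():
        new_intel |= set(p["media"]) - known_intel
        for seq in p["technique_sequences"]:
            behavior_rules.append({"name": f"{atype}:{'>'.join(seq)}", "steps": seq})
    return {"threat_intel": sorted(new_intel), "behavior_rules": behavior_rules}


if __name__ == "__main__":
    pattern = refine_pattern(learn(REPORTS))
    print(pattern)
    print(convert(pattern))
```

With only one ransomware report the sequence support threshold is not met, so no behavior rule is emitted for it, while its medium is already known and yields no new intelligence; the two phishing reports produce both a sequence rule and three new IOC entries. Raising `min_support` is the lever against writing rules from one-off events.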
Fig. 4 shows the high-level threat event management process of the present invention. As shown in fig. 4, an embodiment of the present invention provides a high-level threat hierarchical description model and a corresponding management system. Through this method and system, the management of a high-level threat attack and defense event is divided into four processes: dotting 1, detection 2, analysis 3 (triage 3.1 and forensics 3.2) and feedback 4 (learning 4.1 and conversion 4.2), which respectively produce dotting information, alarm information, suspicious events and event reports, attack patterns and various rules. The output of each process serves as the input of the next, so the whole process of high-level threat attack and defense event management is completed in sequence, and finally the core capabilities are fed back to the earlier processes, realizing a positive cycle of the management system and continuously improving the capability to counter high-level threats. Through this systematic arrangement, the method collects original data by dotting, detects and alarms, completes event investigation by triage and forensics, then accumulates knowledge graphs, extracts attack patterns and supplements the various required capabilities, finally forming a closed loop of handling.
The system allows advanced threat events to be managed in a targeted, process-oriented, complete and efficient manner, avoiding the traditional problems of missing system support, serious process fragmentation, no correlation between technologies, no connection between products, inability of personnel to cooperate, shallow analysis and judgment of attack events, no accumulation of a knowledge base and no conversion of capabilities into forward feedback, and finally can effectively improve the capability to counter advanced threat attacks on the network.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
According to the processing method of the advanced threat event, dotting information in the execution process of the neuron is obtained according to a preset acquisition rule; detecting the dotting information through a preset detection rule, and generating alarm information according to a detection result; the preset detection rules at least comprise one or more of static medium detection rules, dynamic behavior detection rules or big data detection rules; respectively carrying out qualitative analysis and quantitative analysis on the alarm information, and determining an event report of the high-level threat event according to the analysis result; and sorting and analyzing the event reports to generate a knowledge graph corresponding to the advanced threat events, wherein the knowledge graph is used for determining attack modes corresponding to the advanced threat events and converting the attack modes into various rules or support data in the steps. According to the embodiment of the invention, the acquisition of original data, the detection of threats, the analysis of events, the formation of knowledge graphs and the completion of a life cycle of event management are realized, so that a continuous iterative management process is formed by continuous circulation, the coping capability for various high-level threats can be continuously improved, the high-level threat event management can be effectively constructed in a systematized, framed and flow mode, and the problems of serious fragmentation, low efficiency, blind construction, lack of overall planning and the like in the conventional process of dealing with the high-level threat events are solved.
Another embodiment of the present invention provides a device for processing advanced threat events, which is used to execute the method for processing advanced threat events provided in the above embodiment.
Referring to fig. 5, a block diagram of an embodiment of an advanced threat event processing apparatus according to the present invention is shown, and the apparatus may specifically include the following modules: an acquisition module 501, a detection module 502, an analysis module 503, and a feedback module 504, wherein:
the acquisition module 501 is configured to acquire dotting information in the execution process of the neuron according to a preset acquisition rule;
the detection module 502 is configured to detect the dotting information according to a preset detection rule, and generate alarm information according to a detection result; the preset detection rules at least comprise one or more of static medium detection rules, dynamic behavior detection rules or big data detection rules;
the analysis module 503 is configured to perform qualitative analysis and quantitative analysis on the alarm information, and determine an event report of the high-level threat event according to an analysis result;
the feedback module 504 is configured to sort and analyze the event reports to generate a knowledge graph corresponding to the advanced threat events, where the knowledge graph is used to determine an attack mode corresponding to the advanced threat events and convert the attack mode into various rules or support data in the above steps.
According to the processing device of the advanced threat event, dotting information in the execution process of the neuron is obtained according to a preset acquisition rule; detecting the dotting information through a preset detection rule, and generating alarm information according to a detection result; the preset detection rules at least comprise one or more of static medium detection rules, dynamic behavior detection rules or big data detection rules; respectively carrying out qualitative analysis and quantitative analysis on the alarm information, and determining an event report of the high-level threat event according to the analysis result; and sorting and analyzing the event reports to generate a knowledge graph corresponding to the high-level threat events, wherein the knowledge graph is used for determining an attack mode corresponding to the high-level threat events and converting the attack mode into various rules or support data in the steps. According to the embodiment of the invention, the acquisition of original data, the detection of threats, the analysis of events, the formation of the knowledge graph and the completion of a life cycle of event management are realized, so that a continuous iterative management process is formed in a continuous cycle, the coping capability of various advanced threats can be continuously improved, the advanced threat event management can be effectively constructed in a systematized, framed and flow manner, and the problems of serious fragmentation, low efficiency, blind construction, lack of overall planning and the like in the conventional advanced threat event management process are solved.
The present invention further provides a supplementary explanation for the advanced threat event processing apparatus provided in the above embodiments.
Optionally, the data of the neurons comes from at least one or more of a terminal, a network, a host, a Web system, a mail system, a database system, a business system and an application program, wherein the data of the terminal at least comprises one or more of file, process, communication, registry, user login, and account creation and modification data; the data of the network at least comprises one or more of lateral movement data, external connection access data and data stream data, together with attachment-invoked process data and external URL access data from mail; the data of the host at least comprises configuration modification data, instance creation and modification data, container operation data and privileged access data; the data of the Web system at least comprises one or more of visitor information, file upload, SQL statements and cross-site scripts; the dotting data of the mail system at least comprises one or more of mail sender/receiver, mail attachment and mail-embedded URL; the dotting data of the database system at least comprises one or more of SQL statements and visitor information; and the dotting data of other business systems and application programs at least comprises one or more of creator information, visitor information, business system logs and application program logs.
Optionally, the detection module is configured to:
the method for detecting the dotting information by adopting one or more of a static medium detection rule, a dynamic behavior detection rule or a big data detection rule and generating the alarm information according to the detection result specifically comprises the following steps:
the detection module is specifically configured to:
detecting dotting information of a static medium containing files, URLs (uniform resource locators), IP (Internet protocol) addresses and domain names by adopting signatures, a reputation database, threat intelligence and a sandbox tool, and obtaining a detection result;
if the dotting information of the static medium is judged to accord with the suspicious rules or the malicious rules, generating alarm information according to the detection result;
For the dynamic behavior detection rule, the detection module is specifically configured to:
detecting dotting information containing single behavior activities by adopting a pre-established behavior detection model and a detection rule, and determining context dotting information associated with the dotting information of the single behavior activities;
detecting the dotting information of the single behavior activity together with its context dotting information at intervals of a first preset time period to obtain a detection result;
if the detection result meets the alarm detection rule, generating alarm information;
For the big data detection rule, the detection module is specifically configured to:
performing baseline modeling on dotting information in a second preset time period by adopting big data statistics and a big data baseline model, and detecting the dotting information according to a baseline rule to obtain a detection result;
and if the detection result meets the alarm detection rule, generating alarm information.
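The three detection rule types described above, applied to a handful of constructed telemetry records, as an added example that is not the patent's own code: the static medium rule matches file hashes and domains against a known-bad set (standing in for the signature, reputation and threat intelligence sources), the dynamic behavior rule evaluates a single activity together with the context records of the same host inside the first preset period, and the big data baseline rule models a per-host daily count over the baseline period and flags a statistical outlier. The field names, the concrete rule contents, the indicator values and the sample records are all assumptions made for illustration.

```python
"""Added example, not the patent's code: the three detection rule types applied to
constructed telemetry records ("dotting information"). Field names, rule contents and
sample data are assumptions made for illustration."""
import hashlib
import statistics
from collections import defaultdict

# Constructed static-medium knowledge standing in for a signature set,
# a reputation library and threat intelligence.
MALICIOUS_FILE_HASHES = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}
MALICIOUS_DOMAINS = {"bad-update.example"}


def static_medium_detect(record):
    """Static medium rule: match file hashes and domains against known-bad sets."""
    hits = []
    if record.get("file_sha256") in MALICIOUS_FILE_HASHES:
        hits.append("malicious_file_signature")
    if record.get("domain") in MALICIOUS_DOMAINS:
        hits.append("malicious_domain_intel")
    return hits


def dynamic_behavior_detect(record, context):
    """Dynamic behavior rule over a single activity plus its context records.
    Assumed rule: a process started by the mail client that opens an outbound
    connection within the context window is suspicious."""
    if record["type"] != "process_start" or record.get("parent") != "mailclient":
        return []
    outbound = any(c["type"] == "net_connect" and c.get("pid") == record["pid"]
                   for c in context)
    return ["mail_spawned_process_with_outbound"] if outbound else []


def baseline_detect(history, current, z_threshold=3.0):
    """Big data baseline rule: model a per-host daily count over the baseline
    period and flag the current count if it exceeds mean + z_threshold * sigma."""
    if len(history) < 2:
        return []
    mean, stdev = statistics.mean(history), statistics.pstdev(history)
    if stdev == 0:
        return ["baseline_deviation"] if current > mean else []
    return ["baseline_deviation"] if (current - mean) / stdev > z_threshold else []


def run_detection(records, login_history, context_window=5):
    """Apply all three rule types and return the alarm list."""
    alarms = []
    for r in records:
        for hit in static_medium_detect(r):
            alarms.append({"host": r["host"], "ts": r["ts"], "rule": hit})
        # Context = other records of the same host within the first preset period.
        ctx = [c for c in records
               if c is not r and c["host"] == r["host"]
               and abs(c["ts"] - r["ts"]) <= context_window]
        for hit in dynamic_behavior_detect(r, ctx):
            alarms.append({"host": r["host"], "ts": r["ts"], "rule": hit})
    # Baseline: today's login count per host against the constructed history.
    today = defaultdict(int)
    for r in records:
        if r["type"] == "user_login":
            today[r["host"]] += 1
    for host, history in login_history.items():
        for hit in baseline_detect(history, today[host]):
            alarms.append({"host": host, "ts": None, "rule": hit})
    return alarms


# Constructed sample telemetry: a mail-spawned process connecting to a known-bad
# domain and writing a known-bad file on ws1, and a login burst on ws2.
SAMPLE_RECORDS = [
    {"ts": 100, "host": "ws1", "type": "process_start", "pid": 41, "parent": "mailclient"},
    {"ts": 101, "host": "ws1", "type": "net_connect", "pid": 41, "domain": "bad-update.example"},
    {"ts": 102, "host": "ws1", "type": "file_write", "pid": 41,
     "file_sha256": hashlib.sha256(b"constructed-malicious-sample").hexdigest()},
] + [{"ts": 200 + i, "host": "ws2", "type": "user_login", "user": "alice"} for i in range(40)]
# Constructed daily login counts for the baseline period.
LOGIN_HISTORY = {"ws1": [2, 3, 2, 2, 3], "ws2": [3, 4, 3, 5, 4, 3, 4]}

if __name__ == "__main__":
    for alarm in run_detection(SAMPLE_RECORDS, LOGIN_HISTORY):
        print(alarm)
```

Run stand-alone, the sample produces four alarms: one dynamic behavior alarm for the mail-spawned process, two static medium alarms for the domain and the file hash, and one baseline alarm for the login burst on ws2; the ws1 login count stays inside its baseline and is not flagged. The baseline rule uses population standard deviation and a one-sided threshold because only upward deviations from the modeled count are of interest here.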
Optionally, the analysis module is configured to:
confirming and investigating the alarm information, and determining suspicious events corresponding to the alarm information;
and performing context correlation analysis on the suspicious event according to a preset correlation rule to generate an event report of the high-level threat event.
Optionally, the analysis module is configured to:
processing the alarm information by means of a damage-checking rule and big data association analysis, associating context dotting information, determining suspicious events and determining the priority of the suspicious events;
performing context association analysis on the suspicious event according to a preset association rule to generate an event report of the advanced threat event, which comprises:
adopting an evidence-obtaining rule, performing event investigation processing on the suspicious event through big data association analysis, and determining attack information corresponding to the advanced threat event;
generating the event report according to the attack information, wherein the event report comprises at least a machine-readable report, and the machine-readable report at least comprises: attack start time, attack attributes, attacker intent, attacker attributes, attack severity, asset range of the attack impact, attack detection time and response time, proposed response strategy, complete raw logs, complete attack chain information, complete attack technique and tactic annotation, and the complete raw attack medium with its corresponding threat intelligence information.
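The analysis stage described above, as an added example and not the patent's own code: alarms are prioritized by an assumed damage-checking rule (rule severity weighted by asset criticality), alarms of the same host within a time window are correlated into one suspicious event, and the evidence-obtaining step assembles a machine-readable report carrying every field listed in the paragraph above. The weights, field names, the mapping from detection rules to ATT&CK technique annotations, the response strategy text and the sample alarms and logs are assumptions.

```python
"""Added example, not the patent's code: alarm triage with an assumed damage-checking
rule, context correlation into suspicious events, and a machine-readable event report
carrying the fields the description lists. Weights, field names, the TTP mapping and
the sample data are assumptions."""
import json

# Assumed damage-checking inputs: severity per detection rule and criticality per asset.
RULE_SEVERITY = {"malicious_file_signature": 4, "mail_spawned_process_with_outbound": 4,
                 "malicious_domain_intel": 3, "baseline_deviation": 2}
ASSET_CRITICALITY = {"ws1": 2, "ws2": 1, "db1": 5}
# Assumed mapping from detection rules to ATT&CK technique annotations.
RULE_TTP = {"mail_spawned_process_with_outbound": "T1204.002 User Execution: Malicious File",
            "malicious_domain_intel": "T1071.001 Application Layer Protocol: Web Protocols",
            "malicious_file_signature": "T1105 Ingress Tool Transfer",
            "baseline_deviation": "T1078 Valid Accounts"}
# Fields the machine-readable report must carry (names are assumptions).
REPORT_FIELDS = ("attack_start_time", "attack_attributes", "attacker_intent",
                 "attacker_attributes", "attack_severity", "impacted_assets",
                 "detection_time", "response_time", "proposed_response", "raw_logs",
                 "attack_chain", "ttp_annotation", "attack_media")


def damage_check(alarm):
    """Damage-checking rule: priority = rule severity x criticality of the asset."""
    return RULE_SEVERITY.get(alarm["rule"], 1) * ASSET_CRITICALITY.get(alarm["host"], 1)


def build_suspicious_events(alarms, window=60):
    """Correlate alarms of one host that fall within `window` seconds of each other into
    one suspicious event, and attach the priority given by the damage-checking rule."""
    events = []
    for host in sorted({a["host"] for a in alarms}):
        current = None
        for a in sorted((a for a in alarms if a["host"] == host), key=lambda a: a["ts"]):
            if current and a["ts"] - current["alarms"][-1]["ts"] <= window:
                current["alarms"].append(a)
            else:
                current = {"host": host, "alarms": [a]}
                events.append(current)
    for e in events:
        e["priority"] = max(damage_check(a) for a in e["alarms"])
    return sorted(events, key=lambda e: -e["priority"])


def generate_report(event, raw_logs, detection_time, response_time):
    """Evidence-obtaining step: gather the host's raw logs, order the alarms into an
    attack chain, annotate techniques and emit the machine-readable report."""
    alarms = event["alarms"]
    media = sorted({a["medium"] for a in alarms if a.get("medium")})
    return {
        "attack_start_time": alarms[0]["ts"],
        "attack_attributes": sorted({a["rule"] for a in alarms}),
        "attacker_intent": "assumed: establish a foothold and command-and-control",
        "attacker_attributes": {"infrastructure": media},
        "attack_severity": event["priority"],
        "impacted_assets": [event["host"]],
        "detection_time": detection_time,
        "response_time": response_time,
        "proposed_response": ["isolate host", "block listed media", "reset credentials"],
        "raw_logs": [log for log in raw_logs if log["host"] == event["host"]],
        "attack_chain": [{"ts": a["ts"], "step": a["rule"]} for a in alarms],
        "ttp_annotation": [RULE_TTP.get(a["rule"], "unmapped") for a in alarms],
        "attack_media": [{"medium": m, "intel": "constructed: listed in TI feed"} for m in media],
    }


def validate_report(report):
    """Check that the report has every required field and is JSON-serializable."""
    try:
        json.dumps(report)
    except TypeError:
        return False
    return all(k in report for k in REPORT_FIELDS)


# Constructed alarms in the shape the detection stage emits, plus constructed raw logs.
SAMPLE_ALARMS = [
    {"host": "ws1", "ts": 100, "rule": "mail_spawned_process_with_outbound"},
    {"host": "ws1", "ts": 101, "rule": "malicious_domain_intel", "medium": "bad-update.example"},
    {"host": "ws1", "ts": 102, "rule": "malicious_file_signature", "medium": "sha256:constructed-placeholder"},
    {"host": "ws2", "ts": 900, "rule": "baseline_deviation"},
]
SAMPLE_LOGS = [{"host": "ws1", "ts": 100, "msg": "process_start pid=41 parent=mailclient"},
               {"host": "ws2", "ts": 900, "msg": "user_login burst user=alice"}]

if __name__ == "__main__":
    for ev in build_suspicious_events(SAMPLE_ALARMS):
        print(json.dumps(generate_report(ev, SAMPLE_LOGS, 110, 130), indent=2))
```

The three ws1 alarms collapse into one suspicious event of priority 8, which is reported before the ws2 baseline event of priority 2; the report for ws1 carries a three-step attack chain, the host's raw logs and the two attack media with their (constructed) intelligence notes. Keeping the required field list in one tuple and validating against it is what makes the report machine-readable for the downstream knowledge-graph step.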
Optionally, the feedback module is configured to:
determining an attack knowledge graph and an attack mode corresponding to the advanced threat event according to the event report, wherein the attack mode at least comprises the essence and intention of each attack and one or more of an attack technique and tactic pattern, the set of static media involved in the attack, and the set of dynamic behaviors involved in the attack;
and correcting the acquisition rule, the detection rule, the damage-checking rule and the evidence-obtaining rule according to the attack mode.
Optionally, the feedback module is specifically configured to:
converting the attack technique and tactic pattern, the set of static media and the set of dynamic behaviors involved in the attack mode, to obtain a corrected acquisition rule, detection rule, damage-checking rule and evidence-obtaining rule.
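The feedback step described above, as an added example that is not the patent's own code: event reports are sorted into an attack pattern (technique/tactic set, static medium set, dynamic behavior set), and that pattern is converted into corrected acquisition, detection, damage-checking and evidence-obtaining rules. The correction never mutates the rules it was given and reports the changes it made, so applying it twice with the same pattern is a no-op, which is what lets the cycle iterate safely. The rule structures, the mapping from ATT&CK technique ids to telemetry sources, and the sample reports are assumptions.

```python
"""Added example, not the patent's code: converting an attack pattern sorted out of
event reports into corrected acquisition, detection, damage-checking and
evidence-obtaining rules. The rule structures, the technique-to-telemetry mapping and
the sample reports are assumptions."""
import copy

# Assumed mapping from ATT&CK technique ids in the attack pattern to the telemetry
# sources the acquisition rule must enable (and the evidence rule must collect).
TTP_TO_SOURCES = {
    "T1566.001": ["mail.sender_receiver", "mail.attachment", "mail.attachment_process"],
    "T1204.002": ["terminal.process", "terminal.file"],
    "T1071.001": ["network.external_connection", "terminal.communication"],
}


def attack_pattern_from_reports(reports):
    """Sort the event reports into an attack pattern: the technique/tactic pattern, the
    set of static media and the set of dynamic behaviors (flat sets stand in for the graph)."""
    pattern = {"ttps": set(), "static_media": set(), "dynamic_behaviors": set()}
    for r in reports:
        pattern["ttps"].update(r["ttp_ids"])
        pattern["static_media"].update(r["media"])
        pattern["dynamic_behaviors"].update(r["behaviors"])
    return pattern


def correct_rules(rules, pattern):
    """Convert the attack pattern into corrected rules. The input is deep-copied and the
    list of changes is returned with the result, so the step is auditable and idempotent."""
    new = copy.deepcopy(rules)
    changes = []
    for ttp in sorted(pattern["ttps"]):
        for src in TTP_TO_SOURCES.get(ttp, []):
            # Acquisition rule: enable each telemetry source the observed techniques need.
            if src not in new["acquisition"]["sources"]:
                new["acquisition"]["sources"].append(src)
                changes.append(("acquisition", src))
            # Evidence-obtaining rule: the same sources are pulled during investigation.
            if src not in new["evidence"]["collect"]:
                new["evidence"]["collect"].append(src)
        # Damage-checking rule: techniques seen in real events get a higher weight.
        weights = new["damage_check"]["ttp_weight"]
        weights[ttp] = max(weights.get(ttp, 1), 3)
    # Static medium detection rule: observed media join the local reputation set.
    for medium in sorted(pattern["static_media"]):
        if medium not in new["detection"]["static_media"]:
            new["detection"]["static_media"].append(medium)
            changes.append(("detection.static", medium))
    # Dynamic behavior detection rule: each (parent, action) pair becomes a behavior rule.
    for parent, action in sorted(pattern["dynamic_behaviors"]):
        rule = {"parent": parent, "action": action}
        if rule not in new["detection"]["behaviors"]:
            new["detection"]["behaviors"].append(rule)
            changes.append(("detection.behavior", f"{parent}->{action}"))
    return new, changes


# Constructed starting rule set and two constructed machine-readable event reports.
BASE_RULES = {
    "acquisition": {"sources": ["terminal.process"]},
    "detection": {"static_media": [], "behaviors": []},
    "damage_check": {"ttp_weight": {}},
    "evidence": {"collect": []},
}
SAMPLE_REPORTS = [
    {"ttp_ids": ["T1566.001", "T1204.002"], "media": ["bad-update.example"],
     "behaviors": [("mailclient", "process_start")]},
    {"ttp_ids": ["T1204.002", "T1071.001"], "media": ["bad-update.example", "203.0.113.7"],
     "behaviors": [("mailclient", "process_start"), ("officeapp", "net_connect")]},
]

if __name__ == "__main__":
    corrected, made = correct_rules(BASE_RULES, attack_pattern_from_reports(SAMPLE_REPORTS))
    for change in made:
        print(change)
    print(corrected)
```

On the sample, the acquisition rule grows from one to seven telemetry sources (the mail, file and external-connection sources the observed techniques require), the static medium rule gains the two media, the behavior rule gains both parent/action pairs, and a second application with the same pattern reports no changes. The IP address in the sample is from the documentation range and the domain is constructed.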
As the apparatus embodiment is substantially similar to the method embodiment, it is described only briefly; for the relevant details, refer to the corresponding description of the method embodiment.
According to the advanced threat event processing apparatus, dotting information produced during the execution of the neuron is acquired according to a preset acquisition rule; the dotting information is detected by a preset detection rule and alarm information is generated according to the detection result, the preset detection rule at least comprising one or more of a static medium detection rule, a dynamic behavior detection rule or a big data detection rule; qualitative analysis and quantitative analysis are respectively performed on the alarm information and an event report of the advanced threat event is determined according to the analysis result; and the event reports are sorted and analyzed to generate a knowledge graph corresponding to the advanced threat event, the knowledge graph being used to determine the attack mode corresponding to the advanced threat event and to convert the attack mode into the various rules or support data used in the preceding steps. The embodiment of the invention thus completes one life cycle of event management, from acquisition of the original data, through threat detection and event analysis, to formation of the knowledge graph, so that repeating the cycle forms a continuously iterating management process: the capability to cope with various advanced threats is improved continuously, advanced threat event management is built in a systematic, framework-based and process-oriented manner, and the serious fragmentation, low efficiency, blind construction and lack of overall planning of conventional advanced threat event management are overcome.
Still another embodiment of the present invention provides a terminal device, configured to execute the method for processing advanced threat events provided in the foregoing embodiment.
Fig. 6 is a schematic structural diagram of a terminal device of the present invention, and as shown in fig. 6, the terminal device includes: at least one processor 601 and memory 602;
the memory stores a computer program; at least one processor executes the memory-stored computer program to implement the methods of handling high-level threat events provided by the above-described embodiments.
According to the terminal device provided by this embodiment, dotting information produced during the execution of the neuron is acquired according to a preset acquisition rule; the dotting information is detected by a preset detection rule and alarm information is generated according to the detection result, the preset detection rule at least comprising one or more of a static medium detection rule, a dynamic behavior detection rule or a big data detection rule; qualitative analysis and quantitative analysis are respectively performed on the alarm information and an event report of the advanced threat event is determined according to the analysis result; and the event reports are sorted and analyzed to generate a knowledge graph corresponding to the advanced threat event, the knowledge graph being used to determine the attack mode corresponding to the advanced threat event and to convert the attack mode into the various rules or support data used in the preceding steps. The embodiment of the invention thus completes one life cycle of event management, from acquisition of the original data, through threat detection and event analysis, to formation of the knowledge graph, so that repeating the cycle forms a continuously iterating management process: the capability to cope with various advanced threats is improved continuously, advanced threat event management is built in a systematic, framework-based and process-oriented manner, and the serious fragmentation, low efficiency, blind construction and lack of overall planning of the conventional handling of advanced threat events are overcome.
Yet another embodiment of the present application provides a computer-readable storage medium, in which a computer program is stored, and when the computer program is executed, the method for processing the advanced threat event provided in any of the above embodiments is implemented.
According to the computer-readable storage medium of this embodiment, dotting information produced during the execution of the neuron is acquired according to a preset acquisition rule; the dotting information is detected by a preset detection rule and alarm information is generated according to the detection result, the preset detection rule at least comprising one or more of a static medium detection rule, a dynamic behavior detection rule or a big data detection rule; qualitative analysis and quantitative analysis are respectively performed on the alarm information and an event report of the advanced threat event is determined according to the analysis result; and the event reports are sorted and analyzed to generate a knowledge graph corresponding to the advanced threat event, the knowledge graph being used to determine the attack mode corresponding to the advanced threat event and to convert the attack mode into the various rules or support data used in the preceding steps. The embodiment of the invention thus completes one life cycle of event management, from acquisition of the original data, through threat detection and event analysis, to formation of the knowledge graph, so that repeating the cycle forms a continuously iterating management process: the capability to cope with various advanced threats is improved continuously, advanced threat event management is built in a systematic, framework-based and process-oriented manner, and the serious fragmentation, low efficiency, blind construction and lack of overall planning of the conventional handling of advanced threat events are overcome.
It should be noted that the above detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular is intended to include the plural unless the context clearly indicates otherwise. Furthermore, it will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the terms so used are interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in other sequences than those illustrated or otherwise described herein.
Furthermore, the terms "comprising" and "having," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements explicitly listed, but may include other steps or elements not explicitly listed or inherent to such process, method, article, or apparatus.
For ease of description, spatially relative terms such as "on …", "above …", "upper surface of …", "above", etc. may be used herein to describe the spatial relationship of one device or feature to another device or feature as shown in the figures. It will be understood that the spatially relative terms are intended to encompass different orientations of the device in use or operation in addition to the orientation depicted in the figures. For example, if a device in the figures is turned over, devices described as "above" or "on" other devices or configurations would then be oriented "below" or "under" the other devices or configurations. Thus, the exemplary term "above …" may include both the orientation "above …" and the orientation "below …". The device may also be oriented in other different ways, such as by rotating it 90 degrees or at other orientations, and the spatially relative descriptors used herein interpreted accordingly.
In the foregoing detailed description, reference is made to the accompanying drawings, which form a part hereof. In the drawings, like numerals typically identify like components, unless context dictates otherwise. The illustrated embodiments described in the detailed description, drawings, and claims are not meant to be limiting. Other embodiments may be utilized, and other changes may be made, without departing from the spirit or scope of the subject matter presented here.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for handling advanced threat events, the method comprising:
obtaining dotting information in the execution process of the neuron according to a preset acquisition rule;
detecting the dotting information through a preset detection rule, and generating alarm information according to a detection result; the preset detection rules at least comprise one or more of static medium detection rules, dynamic behavior detection rules or big data detection rules;
respectively carrying out qualitative analysis and quantitative analysis on the alarm information, and determining an event report of a high-level threat event according to an analysis result;
and sorting and analyzing the event reports to generate a knowledge graph corresponding to the high-level threat events, wherein the knowledge graph is used for determining an attack mode corresponding to the high-level threat events and converting the attack mode into various rules or support data in the steps.
2. The method of claim 1, wherein the dotting information at least comprises the dotting data of each neuron, the neurons at least comprising one or more of a terminal, a network, a host, a Web system, a mail system, a database system, a business system and an application program, wherein the dotting data of the terminal at least comprise one or more of file, process, communication, registry, user login, and account creation and modification data; the dotting data of the network at least comprise one or more of lateral movement data, external connection access data and data flow data, as well as attachment-invoked process data and external URL access data originating from mail; the dotting data of the host at least comprise configuration modification data, instance creation and modification data, container operation data and authorized access data; the dotting data of the Web system at least comprise one or more of visitor information, file uploads, SQL statements and cross-site scripts; the dotting data of the mail system at least comprise one or more of the mail sender/receiver, mail attachments and mail-embedded URLs; the dotting data of the database system at least comprise one or more of SQL statements and visitor information; and the dotting data of other business systems and application programs at least comprise one or more of creator information, visitor information, business system logs and application program logs.
3. The method according to claim 2, wherein the detecting the dotting information through a preset detection rule and generating alarm information according to a detection result comprises:
the dotting information is detected by adopting one or more of a static medium detection rule, a dynamic behavior detection rule or a big data detection rule, and alarm information is generated according to a detection result, and the method specifically comprises the following steps:
adopting a static medium detection rule to detect the dotting information and generating alarm information according to a detection result, wherein the method comprises the following steps:
detecting dotting information of a static medium containing files, URLs (uniform resource locators), IP (Internet Protocol) addresses and domain names by adopting signatures (feature codes), a reputation library, threat intelligence and a sandbox tool, and obtaining a detection result;
if the dotting information of the static medium is judged to accord with a suspicious rule or a malicious rule, generating alarm information according to the detection result;
detecting the dotting information by adopting a dynamic behavior detection rule, and generating alarm information according to a detection result, wherein the method comprises the following steps:
detecting dotting information containing single behavior activities by adopting a pre-established behavior detection model and a detection rule, and determining context dotting information associated with the dotting information of the single behavior activities;
detecting the dotting information of the single behavior activity and the context dotting information at intervals of a first preset time period to obtain a detection result;
if the detection result meets the alarm detection rule, generating alarm information;
detecting the dotting information by adopting a big data detection rule, and generating alarm information according to a detection result, comprising:
performing baseline modeling on dotting information in a second preset time period by adopting big data statistics and a big data baseline model, and detecting the dotting information according to a baseline rule to obtain a detection result;
and if the detection result meets the alarm detection rule, generating alarm information.
4. The method of claim 1, wherein the performing qualitative analysis and quantitative analysis on the alarm information and determining an event report of a high-level threat event according to the analysis result respectively comprises:
confirming and investigating the alarm information, and determining suspicious events corresponding to the alarm information;
and performing context correlation analysis on the suspicious event according to a preset correlation rule to generate an event report of the high-level threat event.
5. The method of claim 4, wherein the confirming and investigating the alarm information and determining the suspicious event corresponding to the alarm information comprises:
processing the alarm information through big data correlation analysis by means of a damage-checking rule, correlating context dotting information, determining the suspicious event and determining the priority of the suspicious event;
the performing context correlation analysis on the suspicious event according to a preset correlation rule to generate an event report of a high-level threat event includes:
adopting an evidence-obtaining rule, performing event investigation processing on the suspicious event through big data association analysis, and determining attack information corresponding to the high-level threat event;
generating the event report according to the attack information, wherein the event report comprises at least a machine-readable report, and the machine-readable report at least comprises: attack start time, attack attributes, attacker intent, attacker attributes, attack severity, asset range of the attack impact, attack detection time and response time, proposed response strategy, complete raw logs, complete attack chain information, complete attack technique and tactic annotation, and the complete raw attack medium with its corresponding threat intelligence information.
6. The method of claim 1, wherein the collating the event reports to generate a knowledge-graph corresponding to the high-level threat events comprises:
determining an attack knowledge graph and an attack mode corresponding to the advanced threat event according to the event report, wherein the attack mode at least comprises the essence and intention of each attack and one or more of an attack technique and tactic pattern, the set of static media involved in the attack, and the set of dynamic behaviors;
and correcting the acquisition rule, the detection rule, the damage-checking rule and the evidence-obtaining rule according to the attack mode.
7. The method of claim 1, wherein the correcting the acquisition rule, the detection rule, the damage-checking rule and the evidence-obtaining rule according to the attack mode comprises:
converting the attack technique and tactic pattern, the set of static media involved in the attack and the set of dynamic behaviors in the attack mode, to obtain a corrected acquisition rule, detection rule, damage-checking rule and evidence-obtaining rule.
8. An advanced threat event processing apparatus, the apparatus comprising:
the acquisition module is used for acquiring dotting information in the execution process of the neuron according to a preset acquisition rule;
the detection module is used for detecting the dotting information through a preset detection rule and generating alarm information according to a detection result; the preset detection rules at least comprise one or more of static medium detection rules, dynamic behavior detection rules or big data detection rules;
the analysis module is used for respectively carrying out qualitative analysis and quantitative analysis on the alarm information and determining an event report of a high-level threat event according to an analysis result;
and the feedback module is used for sorting and analyzing the event report to generate a knowledge graph corresponding to the advanced threat event, wherein the knowledge graph is used for determining an attack mode corresponding to the advanced threat event and converting the attack mode into various rules or support data in the steps.
9. A terminal device, comprising: at least one processor and a memory;
the memory stores a computer program; the at least one processor executes the memory-stored computer program to implement the method of processing the high-level threat event of any one of claims 1 to 7.
10. A computer-readable storage medium, having stored thereon a computer program which, when executed, implements the method of handling advanced threat events of any one of claims 1 to 7.
CN202210661835.6A 2022-06-13 2022-06-13 Advanced threat event processing method and device, terminal equipment and storage medium Pending CN115174154A (en)

Publications (1)

Publication Number Publication Date
CN115174154A true CN115174154A (en) 2022-10-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination