CN115277247A - Information processing method, apparatus, electronic device, storage medium, and program product - Google Patents


Info

Publication number: CN115277247A
Application number: CN202210974864.8A
Authority: CN (China)
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN115277247B (en)
Inventors: 余盖青, 吴逍, 谢圆良
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/30: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/302: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information; gathering intelligence information for situation awareness or reconnaissance

Abstract

The disclosure provides an intelligence processing method, relates to the technical field of computer security, and can be applied to the financial field or other fields. The intelligence processing method comprises the following steps: acquiring a plurality of first intelligence, wherein at least two of the first intelligence come from different intelligence repositories, and each first intelligence comprises a first object and threat intelligence of the first object; extracting, from the plurality of first intelligence, the first intelligence whose first object matches a second object configured in a first master table; associating the threat intelligence in the extracted first intelligence with the second object as the dimension, so as to obtain comprehensive threat intelligence for each second object; and sending alarm information to a target institution according to the comprehensive threat intelligence of each second object and the defense means of at least one target institution against the second object. The disclosure also provides an intelligence processing apparatus, an electronic device, a storage medium, and a program product.

Description

Information processing method, apparatus, electronic device, storage medium, and program product
Technical Field
The present disclosure relates to the field of computer security technologies, and more particularly, to an intelligence processing method and apparatus, an electronic device, a storage medium, and a program product.
Background
With the development of network technology, network security has become an important part of ensuring the smooth operation of every participant in the network.
At present, network security can be monitored by acquiring intelligence data provided by intelligence platforms. However, many intelligence platforms rely on a single data source, so the intelligence data they provide is incomplete. This limits the scope of use of the intelligence data obtained from these platforms and makes it difficult to grasp the network security status accurately and quickly on the basis of such data.
Disclosure of Invention
In view of the foregoing, the present disclosure provides an intelligence processing method, apparatus, electronic device, storage medium, and program product.
According to a first aspect of the present disclosure, there is provided an intelligence processing method, including:
acquiring a plurality of first intelligence, wherein at least two of the first intelligence come from different intelligence repositories, and each first intelligence comprises a first object and threat intelligence of the first object;
extracting, from the plurality of first intelligence, the first intelligence whose first object matches a second object arranged in a first master table;
associating the threat intelligence in the extracted first intelligence with the second object as the dimension, so as to obtain comprehensive threat intelligence for each second object;
and sending alarm information to a target institution according to the comprehensive threat intelligence of each second object and the defense means of at least one target institution against the second object.
According to an embodiment of the present disclosure, acquiring the plurality of first intelligence includes:
obtaining second intelligence from at least one intelligence repository;
classifying the obtained second intelligence according to intelligence type, and configuring corresponding operation items for the second intelligence according to the classification result;
merging the classified second intelligence according to the timestamp of the second intelligence;
and performing data filtering on the merged second intelligence and converting it into a target data format to obtain the first intelligence.
According to an embodiment of the present disclosure, the first master table includes address information of each second object, and extracting, from the plurality of first intelligence, the first intelligence whose first object matches a second object arranged in the first master table includes performing the following steps for each second object:
matching the address information of the second object with the first object of each first intelligence;
and extracting the first intelligence that is successfully matched.
According to an embodiment of the present disclosure, associating the threat intelligence in the extracted first intelligence with the second object as the dimension, so as to obtain comprehensive threat intelligence for each second object, includes:
generating a visual operation interface according to the comprehensive threat intelligence, wherein a first operation item is arranged in the visual operation interface, and the first operation item is configured to execute the following steps in response to a first operation:
determining a target network segment;
extracting, according to the target network segment, the second objects that match the target network segment, and displaying them;
and in response to a second operation of the user on a displayed second object, displaying the comprehensive threat intelligence of that second object.
According to an embodiment of the present disclosure, sending alarm information to at least one target institution according to the comprehensive threat intelligence of each second object and the defense means taken by the target institution against the second object includes:
performing the following steps for each second object:
determining whether the second object is a high-risk object according to its comprehensive threat intelligence;
obtaining the defense means currently taken by at least one target institution against the second object;
and when the second object is a high-risk object and the defense means currently taken by at least one target institution against the second object do not meet a preset condition, sending the alarm information to that target institution.
According to an embodiment of the present disclosure, the defense means include a blocking means, and sending the alarm information to the target institution when the second object is a high-risk object and the defense means currently taken by at least one target institution against the second object do not meet the preset condition includes:
when the second object is a high-risk object and the defense means currently taken by at least one target institution against the second object do not meet the preset condition, judging whether the target institution is a preset institution;
and when the target institution is the preset institution, sending the alarm information to the target institution and performing a blocking operation on the second object.
According to an embodiment of the present disclosure, the first master table includes:
a pre-configured fixed master table; or
a dynamic master table automatically generated according to local protection logs.
A second aspect of the present disclosure provides an intelligence processing apparatus, including:
an acquisition module, configured to acquire a plurality of first intelligence, wherein at least two of the first intelligence come from different intelligence repositories, and each first intelligence comprises a first object and threat intelligence of the first object;
an extraction module, configured to extract, from the plurality of first intelligence, the first intelligence whose first object matches a second object configured in a first master table;
an integration module, configured to associate the threat intelligence in the extracted first intelligence with the second object as the dimension, so as to obtain comprehensive threat intelligence for each second object;
and an alarm module, configured to send alarm information to a target institution according to the comprehensive threat intelligence of each second object and the defense means of at least one target institution against the second object.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the intelligence processing method described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the intelligence processing method described above.
A fifth aspect of the disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the intelligence processing method described above.
One or more of the above-described embodiments may have the following advantages or benefits:
By adopting the intelligence processing method of the embodiments of the disclosure, first intelligence from a plurality of intelligence repositories can be obtained and correlated with the second object as the dimension to obtain comprehensive threat intelligence for each second object, so that diversified analysis and display of the intelligence data are realized and the risk of each second object is comprehensively controlled. Because the comprehensive threat intelligence combines the first intelligence of a plurality of intelligence repositories, it is accurate and comprehensive; on this basis, whether a target institution is at risk can be accurately analyzed by taking into account the defense means adopted by each target institution, and alarm information is then sent to the target institutions at risk, so that the accuracy and timeliness of alarms are greatly improved.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of an intelligence processing method, apparatus, electronic device, storage medium, and program product in accordance with embodiments of the disclosure;
FIG. 2 schematically illustrates a flow diagram of an intelligence processing method in accordance with an embodiment of the disclosure;
FIG. 3 schematically shows a flow chart for obtaining first intelligence according to an embodiment of the disclosure;
FIG. 4 schematically shows a flow chart for matching a first object in first intelligence with a second object according to an embodiment of the disclosure;
FIG. 5 schematically illustrates a flow diagram for correlating threat intelligence in first intelligence in accordance with an embodiment of the disclosure;
FIG. 6 schematically shows a first flow diagram for issuing an alarm message to a target institution in accordance with an embodiment of the present disclosure;
FIG. 7 schematically illustrates a second flow diagram for issuing an alarm message to a target institution in accordance with an embodiment of the present disclosure;
FIG. 8 schematically shows a block diagram of an intelligence processing apparatus according to an embodiment of the disclosure;
FIG. 9 schematically shows a block diagram of an electronic device suitable for implementing an intelligence processing method according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs, unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
In those instances where a convention analogous to "at least one of A, B, and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B, and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.).
It should be noted that the intelligence processing method, apparatus, electronic device, storage medium and program product provided by the present disclosure relate to the technical field of computer security. The intelligence processing method, apparatus, electronic device, storage medium, and program product provided by the embodiments of the present disclosure may be applied to the financial field or any field other than the financial field, for example, the intelligence processing method, apparatus, electronic device, storage medium, and program product provided by the embodiments of the present disclosure may be applied to an intelligence processing service in the financial field. The present disclosure does not limit the application fields of the intelligence processing method, apparatus, electronic device, storage medium, and program product.
In the technical solution of the disclosure, the collection, storage, use, processing, transmission, provision, disclosure, application and other processing of the personal information of the users involved all comply with the relevant laws and regulations, necessary confidentiality measures are taken, and public order and good customs are not violated.
An embodiment of the present disclosure provides an intelligence processing method, including: acquiring a plurality of first intelligence, wherein at least two of the first intelligence come from different intelligence repositories, and each first intelligence comprises a first object and threat intelligence of the first object; extracting, from the plurality of first intelligence, the first intelligence whose first object matches a second object arranged in a first master table; associating the threat intelligence in the extracted first intelligence with the second object as the dimension, so as to obtain comprehensive threat intelligence for each second object; and sending alarm information to a target institution according to the comprehensive threat intelligence of each second object and the defense means of at least one target institution against the second object.
By adopting the intelligence processing method of the embodiments of the disclosure, first intelligence from a plurality of intelligence repositories can be obtained and correlated with the second object as the dimension to obtain comprehensive threat intelligence for each second object, so that diversified analysis and display of the intelligence data are realized and the risk of each second object is comprehensively controlled. Because the comprehensive threat intelligence combines the first intelligence of a plurality of intelligence repositories, it is accurate and comprehensive; on this basis, whether a target institution is at risk can be accurately analyzed by taking into account the defense means adopted by each target institution, and alarm information is then sent to the target institutions at risk, so that the accuracy and timeliness of alarms are greatly improved.
Fig. 1 schematically shows an application scenario diagram of an intelligence processing method, apparatus, electronic device, storage medium and program product according to an embodiment of the present disclosure, and as shown in fig. 1, an application scenario 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104 and a server 105. Network 104 is the medium used to provide communication links between terminal devices 101, 102, 103 and server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
A user may use terminal devices 101, 102, 103 to interact with a server 105 over a network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have installed thereon various communication client applications, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the intelligence processing method provided by the embodiment of the present disclosure may be generally executed by the server 105. Accordingly, the intelligence processing apparatus provided by the embodiments of the present disclosure may be generally disposed in the server 105. The intelligence processing method provided by the embodiments of the present disclosure may also be performed by a server or a server cluster different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the intelligence processing apparatus provided by the embodiment of the present disclosure may also be provided in a server or a server cluster different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for an implementation.
The intelligence processing method of the disclosed embodiment will be described in detail below with fig. 2 to 7 based on the scenario described in fig. 1.
Fig. 2 schematically shows a flowchart of an intelligence processing method according to an embodiment of the present disclosure. As shown in fig. 2, the intelligence processing method of the embodiment includes steps S210 to S240. It should be noted that, although the steps in fig. 2 are shown in the order indicated by the arrows, they are not necessarily executed in that order: unless otherwise indicated herein, the steps are not strictly limited to the order shown and may be performed in other orders. Moreover, at least some of the steps in the figures may include multiple sub-steps or stages that are not necessarily completed at the same time but may be performed at different times and in different orders, and may be performed in turn or in alternation with other steps or with at least some of the sub-steps or stages of other steps.
In step S210, a plurality of first intelligence is obtained, at least two of which come from different intelligence repositories, wherein each first intelligence includes a first object and threat intelligence of the first object.
In the embodiment of the disclosure, the first object may include unique identification information such as an IP address, and the obtained first intelligence may come from a plurality of intelligence repositories; optionally, the plurality of intelligence repositories may include a local intelligence repository, an intelligence repository of a specific institution, an intelligence repository of a third party, and the like. For example, the plurality of first intelligence may include first intelligence A1, first intelligence A2 and first intelligence A3, and the plurality of intelligence repositories may include intelligence repository B1, intelligence repository B2 and intelligence repository B3, where the first intelligence A1 comes from intelligence repository B1, the first intelligence A2 from intelligence repository B2, and the first intelligence A3 from intelligence repository B3.
Alternatively, the first objects in the plurality of first intelligence may be the same or different; for example, the first intelligence A1 includes a first object C1, while the first intelligence A2 and the first intelligence A3 include a first object C2.
Optionally, the threat intelligence may include attack details, such as the number of attacks and the type of attack.
Optionally, the threat intelligence may also include the intelligence source (e.g., which intelligence platform the threat intelligence comes from), and the like.
In step S220, the first intelligence whose first object matches a second object arranged in the first master table is extracted from the plurality of first intelligence.
In embodiments of the present disclosure, the second object may include unique identification information such as an IP address.
In the embodiment of the present disclosure, whether the first object and the second object match may be determined according to whether their unique identification information is consistent.
For example, the first intelligence A1 includes a first object C1, the first intelligence A2 and the first intelligence A3 include a first object C2, and the first master table includes a second object D2. If the unique identification information of the first object C2 and that of the second object D2 are identical, the first intelligence A2 and the first intelligence A3 are extracted from the plurality of first intelligence.
In step S230, the threat intelligence in the extracted first intelligence is correlated with the second object as the dimension to obtain comprehensive threat intelligence for each second object.
In the embodiment of the present disclosure, the threat intelligence in the first intelligence may be integrated to realize the association. For example, the threat intelligence of the first intelligence A2 includes "the attack frequency of the first object C1 is 3 times" and the threat intelligence of the first intelligence A3 includes "the malicious attack of the first object C1 is of class M"; after the two independent pieces of intelligence A2 and A3 are integrated, the comprehensive threat intelligence of the first object C1 may be obtained, for example: "the number of attacks of the first object C1 is 3 times, and the malicious attacks are mainly classified as class M".
In step S240, alarm information is sent to the target institution according to the comprehensive threat intelligence of each second object and the defense means taken by at least one target institution against the second object.
In the embodiment of the present disclosure, the target institution may include an enterprise monitored or managed by the method, and the like. The target institution can manage access requests from the second object so as to realize communication, interaction and other operations.
By adopting the intelligence processing method of the embodiments of the disclosure, first intelligence from a plurality of intelligence repositories can be obtained and correlated with the second object as the dimension to obtain comprehensive threat intelligence for each second object, so that diversified analysis and display of the intelligence data are realized and the risk of each second object is comprehensively controlled. Because the comprehensive threat intelligence combines the first intelligence of a plurality of intelligence repositories, it is accurate and comprehensive; on this basis, whether a target institution is at risk can be accurately analyzed by taking into account the defense means adopted by each target institution, and alarm information is then sent to the target institutions at risk, so that the accuracy and timeliness of alarms are greatly improved.
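A compact model of steps S210 to S240 in Python, added here as an illustration and not code from the patent or from ICBC: the constructed records mirror first intelligence A1 to A3 from repositories B1 to B3, the master table holds the second objects (IP addresses), and the high-risk threshold, institution names and the "already blocked" preset condition are assumptions.

```python
"""Correlate multi-repository threat intelligence per monitored IP and decide alarms.

Added example modelling steps S210-S240 of the method; all data is constructed.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed "first intelligence": source repository, first object (IP), threat intelligence.
# A1 (B1, C1) does not match the master table; A2 (B2) and A3 (B3) both concern C2.
FIRST_INTEL = [
    {"source": "B1", "ip": "203.0.113.10", "attack_count": 2, "attack_type": "scan"},
    {"source": "B2", "ip": "203.0.113.25", "attack_count": 3},
    {"source": "B3", "ip": "203.0.113.25", "attack_type": "M"},
    {"source": "B3", "ip": "198.51.100.7", "attack_count": 40, "attack_type": "brute_force"},
]

# Constructed first master table: address information of each second object.
MASTER_TABLE = ["203.0.113.25", "198.51.100.7"]

# Constructed defense means currently taken by each target institution, per second object.
DEFENSES = {
    "bank-a": {"203.0.113.25": {"blocked": False}, "198.51.100.7": {"blocked": True}},
    "bank-b": {"198.51.100.7": {"blocked": False}},
}
PRESET_INSTITUTIONS = {"bank-a"}  # institutions for which blocking is also performed (assumption)
HIGH_RISK_ATTACKS = 3             # "high-risk object" threshold (assumption)


@dataclass
class Comprehensive:
    """Comprehensive threat intelligence of one second object (S230 output)."""
    ip: str
    attack_count: int = 0
    attack_types: set = field(default_factory=set)
    sources: set = field(default_factory=set)

    def high_risk(self) -> bool:
        return self.attack_count >= HIGH_RISK_ATTACKS


def extract_matching(first_intel, master_table):
    """S220: keep the first intelligence whose first object equals a second object."""
    wanted = {ipaddress.ip_address(a) for a in master_table}
    return [r for r in first_intel if ipaddress.ip_address(r["ip"]) in wanted]


def correlate(matched):
    """S230: integrate threat intelligence with the second object (IP) as the dimension."""
    out = {}
    for r in matched:
        c = out.setdefault(r["ip"], Comprehensive(r["ip"]))
        c.attack_count += r.get("attack_count", 0)
        if "attack_type" in r:
            c.attack_types.add(r["attack_type"])
        c.sources.add(r["source"])
    return out


def decide_alerts(comprehensive, defenses, preset):
    """S240: alarm institutions whose defense against a high-risk object is insufficient.

    Assumed preset condition: the object must already be blocked. An institution with
    no defense entry for the object is treated as not meeting the condition.
    Returns sorted (institution, ip, action) tuples, action in {'alert', 'alert+block'}.
    """
    actions = []
    for ip, c in comprehensive.items():
        if not c.high_risk():
            continue
        for inst, table in defenses.items():
            if table.get(ip, {}).get("blocked", False):
                continue  # defense already meets the preset condition
            action = "alert+block" if inst in preset else "alert"
            actions.append((inst, ip, action))
    return sorted(actions)


def run(first_intel=FIRST_INTEL, master=MASTER_TABLE, defenses=DEFENSES):
    """Run S220-S240 on the constructed data; returns (comprehensive, actions)."""
    comp = correlate(extract_matching(first_intel, master))
    return comp, decide_alerts(comp, defenses, PRESET_INSTITUTIONS)


if __name__ == "__main__":
    comp, actions = run()
    for ip, c in comp.items():
        print(ip, c.attack_count, sorted(c.attack_types), sorted(c.sources))
    for inst, ip, action in actions:
        print(inst, ip, action)
```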
The intelligence processing method according to the embodiment of the present disclosure is further described below with reference to fig. 2 to 7.
Fig. 3 schematically shows a flowchart of obtaining first intelligence according to an embodiment of the disclosure, and as shown in fig. 3, in some embodiments, step S210 includes step S211 to step S214.
In step S211, second information is obtained from at least one information repository.
In the embodiment of the present disclosure, the second intelligence refers to the raw intelligence data obtained from the intelligence repositories. Since different repositories may belong to different intelligence platforms, the second intelligence held in different repositories may also differ, for example in data format. To facilitate the integration and association of the first intelligence in the subsequent steps, the second intelligence obtained from the repositories is preprocessed so that the resulting data is standardized and can then serve as the first intelligence for subsequent processing. For example, the second intelligence may be preprocessed by data filtering, cleansing, format conversion and the like, so that the resulting first intelligence has a uniform data format.
In the embodiment of the disclosure, the second intelligence can be obtained from a plurality of intelligence repositories, which may include a local intelligence repository, the intelligence repository of a specific institution, a third-party intelligence repository, and the like. For example, the local intelligence repository may include local security devices; a huge number of protection logs are stored on such devices, so the required protection logs can be extracted from the local security devices to obtain the second intelligence.
In step S212, the obtained second intelligence is classified according to intelligence type, and corresponding operation items are configured for the second intelligence according to the classification result.
In an embodiment of the present disclosure, the second intelligence may be classified as IP intelligence, domain name intelligence, file intelligence, security vulnerability intelligence and the like, and different operational requirements can be met by configuring different operation items for different types of intelligence. For example, for IP-class intelligence an operation item for statistics or analysis by IP may be configured, and for vulnerability-class intelligence an operation item for statistics or analysis by vulnerability type may be configured. The specific operation item configured for each type of intelligence can be determined according to actual needs and is not limited here.
In step S213, the classified second intelligence is merged according to its timestamp.
In the embodiment of the disclosure, the second intelligence can be merged into different databases according to its timestamp, which optimizes the user's queries for the first intelligence (i.e. the preprocessed second intelligence). For example, the second intelligence may be merged into a current-day repository or a history repository according to its timestamp. When the user searches for a first intelligence, the search can be configured to go to the current-day repository first, which reduces the search volume and increases the search speed. Furthermore, the search can be configured to fall back to the history repository when the required first intelligence is not found in the current-day repository, so that nothing is missed.
In step S214, the merged second intelligence is filtered and converted into a target data format to obtain the first intelligence.
In the embodiment of the disclosure, data filtering can be performed through steps of data cleaning, data screening, data throughput and the like.
For example, dirty data in the second intelligence, such as data not within the monitoring range, may be removed through data cleaning.
For example, according to the requirements of different service scenarios, the required part can be screened out of the second intelligence data through data screening, keeping only the necessary fields.
Alternatively, data screening may be performed by an SQL executor.
Alternatively, for more complex second intelligence, data filtering may be performed using a Bloom filter or the like.
For example, the second intelligence can be made more machine-readable by encoding. Illustratively, a field of the second intelligence such as "country to which the attack belongs" may be processed into a country code or the like.
Optionally, a mapping between words and codes may be configured in a data dictionary, so that the original word can be presented again by querying the data dictionary.
Alternatively, the above data processing may be implemented on a distributed framework to increase processing speed, for example by a Flink model or the like.
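The preprocessing of steps S211 to S214, worked through as an added example that is not part of the patent: two constructed feeds in different layouts (a local protection log in key=value lines and a third-party feed of records) are parsed, classified by intelligence type with a placeholder operation item per type, cleaned of dirty rows and of IPs outside an assumed monitoring range, encoded through a constructed data dictionary, converted to one target layout, and merged into a current-day or history repository by timestamp. Feed layouts, field names, dictionaries, the monitoring range and the "current time" are all assumptions.

```python
"""Added example (not from the patent): preprocess 'second intelligence' from
two differently formatted feeds into standardized 'first intelligence'
(steps S211-S214). Feed layouts, field names and dictionaries are assumptions."""
from datetime import datetime, timezone
import ipaddress
import re

# Constructed sample feeds: a local security-device protection log (key=value
# lines) and a third-party feed (dicts). Both layouts are assumptions.
LOCAL_LOG_LINES = [
    "ts=2024-05-01T09:12:00Z src=203.0.113.10 action=block country=Netherlands risk=high",
    "ts=2024-04-29T22:01:00Z src=198.51.100.7 action=alert country=Brazil risk=medium",
    "ts=2024-05-01T10:00:00Z src=10.0.0.5 action=allow country=Internal risk=low",  # outside monitoring range
]
THIRD_PARTY_FEED = [
    {"indicator": "evil.example", "type": "domain", "first_seen": "2024-05-01 08:00:00", "severity": 3},
    {"indicator": "203.0.113.10", "type": "ip", "first_seen": "2024-04-30 18:30:00", "severity": 4},
    {"indicator": "", "type": "ip", "first_seen": "2024-05-01 08:00:00", "severity": 1},  # dirty row
]
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

# Data dictionaries (constructed): word -> code, as in the "country code" example.
COUNTRY_DICT = {"Netherlands": "NL", "Brazil": "BR", "China": "CN"}
RISK_DICT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Operation item configured per intelligence type (S212); the patent leaves the
# concrete items open, so these names are placeholders.
OPERATION_ITEMS = {"ip": "stats_by_ip", "domain": "stats_by_domain",
                   "file": "stats_by_hash", "vuln": "stats_by_vuln_type"}
# Monitoring range (constructed): IP intelligence outside it counts as dirty data.
MONITORED = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]


def classify(indicator: str) -> str:
    """S212: classify an indicator as ip / vuln / file / domain."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"CVE-\d{4}-\d{4,}", indicator):
        return "vuln"
    if re.fullmatch(r"(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})", indicator):
        return "file"
    return "domain"


def parse_local(line: str) -> dict:
    kv = dict(part.split("=", 1) for part in line.split())
    ts = datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"indicator": kv["src"], "timestamp": ts, "country": kv.get("country"),
            "risk": RISK_DICT.get(kv.get("risk"), 0), "source": "local"}


def parse_third_party(rec: dict) -> dict:
    ts = datetime.strptime(rec["first_seen"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"indicator": rec["indicator"], "timestamp": ts, "country": None,
            "risk": rec["severity"], "source": "third_party"}


def keep(rec: dict) -> bool:
    """S214 cleaning/screening: drop empty indicators and IPs outside the monitoring range."""
    if not rec["indicator"]:
        return False
    if rec["type"] == "ip":
        addr = ipaddress.ip_address(rec["indicator"])
        return any(addr in net for net in MONITORED)
    return True


def preprocess(local_lines, third_party, now=NOW) -> dict:
    """Return first intelligence split into a current-day and a history repository (S213)."""
    records = [parse_local(l) for l in local_lines] + [parse_third_party(r) for r in third_party]
    repos = {"today": [], "history": []}
    for rec in records:
        rec["type"] = classify(rec["indicator"])
        if not keep(rec):
            continue
        first = {  # S214 format conversion: one target layout, words encoded via the dictionary
            "indicator": rec["indicator"],
            "type": rec["type"],
            "operation_item": OPERATION_ITEMS[rec["type"]],
            "timestamp": rec["timestamp"].isoformat(),
            "country_code": COUNTRY_DICT.get(rec["country"]),
            "risk": rec["risk"],
            "source": rec["source"],
        }
        bucket = "today" if rec["timestamp"].date() == now.date() else "history"
        repos[bucket].append(first)
    for entries in repos.values():
        entries.sort(key=lambda r: r["timestamp"])
    return repos


def lookup(repos: dict, indicator: str):
    """Query the current-day repository first and fall back to history (S213)."""
    for name in ("today", "history"):
        hits = [r for r in repos[name] if r["indicator"] == indicator]
        if hits:
            return name, hits
    return None, []


if __name__ == "__main__":
    for name, entries in preprocess(LOCAL_LOG_LINES, THIRD_PARTY_FEED).items():
        print(name, [(e["indicator"], e["type"], e["country_code"]) for e in entries])
```

The same 203.0.113.10 appears in both repositories because the two feeds saw it on different days; the current-day copy is what a query returns first, and the history copy is only consulted when the current-day repository has no hit.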
In some embodiments, the first master table comprises a pre-configured fixed master table, or a dynamic master table automatically generated from a local protection log.
The fixed master table refers to a manually entered master table with a fixed set of second objects. The dynamic master table refers to a master table in which at least one second object is configured automatically (e.g., added or deleted) in real time from the local protection log.
For example, when the first master table is a fixed master table, it may include the second object D1, the second object D2 and the second object D3. When the first master table is a dynamic master table, the second object D1 is automatically configured in the first master table when it appears in the local protection log during a first period of time. During a second, later period, when the second objects D2 and D3 appear in the local protection log, they are automatically configured in the first master table as well.
In some embodiments, the first master table includes address information, such as IP address information, for each second object. Fig. 4 schematically shows a flowchart for matching a first object with a second object in the first intelligence according to an embodiment of the present disclosure. As shown in Fig. 4, step S220 includes performing step S221 and step S222 for each second object in the first master table.
In step S221, the address information of the second object is matched with the first object of each first intelligence.
In the embodiment of the present disclosure, the IP address information of each second object in the first master table may be collided with the IP address information of each first intelligence to perform the matching; objects with the same IP address information collide successfully, that is, match successfully.
In step S222, the first intelligence that matched successfully is extracted.
In the embodiment of the present disclosure, the address information of the second object may be matched with the address information of the first object of each first intelligence at a preset cycle.
In the embodiment of the present disclosure, the preset period may be determined according to actual needs, for example, the preset period may be set to "half an hour", that is, matching is performed every half an hour.
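The dynamic master table of Fig. 3 and the collision matching of Fig. 4 (steps S221 and S222), followed by the association of the hits with the second object as the dimension (step S230), as an added example that is not part of the patent. The master table is grown from constructed protection-log lines in two time periods, then each second object's IP is collided with the first object of each constructed first intelligence record. Log layout, intelligence fields and the shape of the comprehensive entry are assumptions; running this on the preset period (for example every half hour) is left to the caller's scheduler.

```python
"""Added example (not from the patent): maintain a dynamic first master table
from local protection-log lines, then collide each second object's IP with the
first objects of the first intelligence and associate the hits per second
object. Log layout and intelligence fields are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed protection-log lines in two time periods (layout is an assumption).
GUARD_LOG_PERIOD_1 = ["2024-05-01T09:00:00Z src=203.0.113.10 action=block"]
GUARD_LOG_PERIOD_2 = [
    "2024-05-01T09:30:00Z src=198.51.100.7 action=alert",
    "2024-05-01T09:31:00Z src=203.0.113.77 action=block",
    "2024-05-01T09:32:00Z src=not-an-ip action=block",   # malformed, must not enter the table
]
# Constructed first intelligence: first object plus its threat intelligence.
FIRST_INTELLIGENCE = [
    {"object": "203.0.113.10", "repo": "local", "risk": 3, "tag": "scanner"},
    {"object": "203.0.113.10", "repo": "third_party", "risk": 4, "tag": "botnet"},
    {"object": "198.51.100.7", "repo": "vendor", "risk": 2, "tag": "spam"},
    {"object": "192.0.2.99", "repo": "vendor", "risk": 4, "tag": "c2"},  # never in the master table
]


def fixed_master_table(addresses) -> set:
    """Manually entered master table with a fixed set of second objects."""
    return {ipaddress.ip_address(a) for a in addresses}


def update_dynamic_master_table(master: set, log_lines) -> set:
    """Add every valid source address seen in the log lines; return the newly added objects."""
    added = set()
    for line in log_lines:
        fields = dict(p.split("=", 1) for p in line.split()[1:])
        try:
            addr = ipaddress.ip_address(fields.get("src", ""))
        except ValueError:
            continue  # skip malformed entries instead of polluting the master table
        if addr not in master:
            master.add(addr)
            added.add(addr)
    return added


def match_and_associate(master: set, first_intelligence) -> dict:
    """S221/S222: collide each second object's IP with each first object and keep the hits;
    S230: group the hits with the second object as the dimension."""
    index = defaultdict(list)
    for intel in first_intelligence:
        try:
            index[ipaddress.ip_address(intel["object"])].append(intel)
        except ValueError:
            continue  # non-IP first objects cannot collide with an IP master table
    comprehensive = {}
    for obj in sorted(master, key=lambda a: (a.version, int(a))):
        hits = index.get(obj)
        if not hits:
            continue  # no match: this second object gets no comprehensive entry this cycle
        comprehensive[str(obj)] = {
            "repos": sorted({h["repo"] for h in hits}),
            "max_risk": max(h["risk"] for h in hits),
            "tags": sorted({h["tag"] for h in hits}),
        }
    return comprehensive


if __name__ == "__main__":
    table = set()
    update_dynamic_master_table(table, GUARD_LOG_PERIOD_1)
    update_dynamic_master_table(table, GUARD_LOG_PERIOD_2)
    print(match_and_associate(table, FIRST_INTELLIGENCE))
```

Indexing the first intelligence by parsed address rather than by string means that the collision is on the address value, so "203.0.113.010" and "203.0.113.10" would match, and that first objects which are not IPs are simply never candidates.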
In some embodiments, step S230 includes visually presenting the integrated threat intelligence for querying and analysis.
Fig. 5 schematically illustrates a flowchart of associating threat intelligence in first intelligence according to an embodiment of the present disclosure, and as shown in fig. 5, in some embodiments, step S230 further includes steps S231 to S234.
In step S231, a visual operation interface is generated according to the comprehensive threat intelligence, the visual operation interface being provided with a first operation item, the first operation item being configured to execute steps S232 to S234 in response to a first operation.
In the disclosed embodiment, the visual operation interface may comprise an IP overview interface, the first operation item may comprise an IP search bar, the first operation may comprise an IP search operation, and the like. Of course, the visual operation interface may also include other operation interfaces, such as an intelligence repository overview interface, etc., then the first operation item may include an intelligence repository search bar, and the first operation may include an intelligence repository search operation, etc.
In step S232, a target network segment is determined.
In the embodiment of the present disclosure, the second object includes an IP address, the visual operation interface may include an IP overview interface, and the first operation may include an IP search operation, and optionally, in the IP search operation, the target network segment may be determined by an IP and a subnet mask.
For example, the user inputs an IP and a subnet mask. For IPv4, the subnet mask range may be set to [1,32], boundary values included. For IPv6, the subnet mask range may be set to 128.
In step S233, according to the target network segment, the second object matching the target network segment is extracted and displayed.
In step S234, in response to a second operation of the user on the second presented object, comprehensive threat intelligence of the second object is presented.
In embodiments of the present disclosure, all second objects within the target network segment may be listed by IP and subnet mask, and optionally, a corresponding page may be generated in response to the user through a second operation (e.g., a jump operation) to reveal comprehensive threat intelligence of the first intelligence corresponding to the second object.
For example, the plurality of second objects includes a second object C1 and a second object C2, both of which include IP address information and both of which belong to the target network segment C. When the user queries the target network segment C by entering an IP and subnet mask, the second objects C1 and C2 may be presented as a list. The comprehensive threat intelligence of the second object C1 comprises intelligence obtained from the first intelligence A1, and the comprehensive threat intelligence of the second object C2 comprises intelligence obtained by integrating the first intelligence A2 and the first intelligence A3; when the user clicks the displayed second object C2, a jump is executed to display the comprehensive threat intelligence of the second object C1.
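The network-segment query of steps S232 to S234, as an added example that is not part of the patent: the target segment is built from an IP plus a prefix length (or, for IPv4, a dotted subnet mask), the prefix length is validated per address family, the second objects inside the segment are listed, and the "jump" on a listed object returns its comprehensive threat intelligence. The sample data is constructed; the patent gives [1,32] for IPv4 and "128" for IPv6, and the range [1,128] used here for IPv6 is an assumption.

```python
"""Added example (not from the patent): build the target network segment from an
IP plus subnet mask / prefix length (S232), list the second objects inside it
(S233) and return one object's comprehensive threat intelligence on a 'jump'
(S234). The sample data and the IPv6 range [1,128] are assumptions."""
import ipaddress

# Constructed comprehensive threat intelligence keyed by second object (output of S230).
COMPREHENSIVE = {
    "203.0.113.10": {"max_risk": 4, "from": ["A1"]},
    "203.0.113.77": {"max_risk": 3, "from": ["A2", "A3"]},
    "198.51.100.7": {"max_risk": 2, "from": ["A4"]},
    "2001:db8::1": {"max_risk": 3, "from": ["A5"]},
}


def target_segment(ip: str, mask):
    """S232: IPv4 takes a prefix length in [1, 32] or a dotted mask; IPv6 a prefix length in [1, 128]."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        if isinstance(mask, int) and not 1 <= mask <= 32:
            raise ValueError("IPv4 subnet mask length must lie within [1, 32]")
    elif not isinstance(mask, int) or not 1 <= mask <= 128:
        raise ValueError("IPv6 prefix length must lie within [1, 128]")
    # strict=False lets the user enter a host address instead of the network address
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def segment_is_valid(ip: str, mask) -> bool:
    """True when the IP/mask pair yields a segment, False on any validation error."""
    try:
        target_segment(ip, mask)
        return True
    except ValueError:
        return False


def second_objects_in_segment(segment, comprehensive=COMPREHENSIVE) -> list:
    """S233: second objects whose address belongs to the segment, in address order."""
    objs = []
    for obj in comprehensive:
        addr = ipaddress.ip_address(obj)
        if addr.version == segment.version and addr in segment:
            objs.append(obj)
    return sorted(objs, key=ipaddress.ip_address)


def show_comprehensive(obj: str, comprehensive=COMPREHENSIVE) -> dict:
    """S234: the jump from a listed second object to its comprehensive threat intelligence."""
    return comprehensive[obj]


def query(ip: str, mask, comprehensive=COMPREHENSIVE) -> dict:
    """S232 + S233 in one call, as the IP search bar of the IP overview interface would do."""
    segment = target_segment(ip, mask)
    return {"segment": str(segment), "objects": second_objects_in_segment(segment, comprehensive)}


if __name__ == "__main__":
    print(query("203.0.113.10", 24))
    print(show_comprehensive("203.0.113.77"))
```

Rejecting an out-of-range mask before the lookup matters for a shared overview interface: a prefix length of 0 would otherwise turn a segment search into a dump of every second object in the table.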
Fig. 6 schematically illustrates a first flowchart for issuing alarm information to a target institution according to an embodiment of the present disclosure. As shown in Fig. 6, in some specific embodiments step S240 includes performing steps S241 to S243 for each second object.
In step S241, it is determined whether the second object is a high-risk object according to the comprehensive threat information.
In an embodiment of the disclosure, the threat intelligence may include a risk level of the second object in the at least one intelligence repository, and when the risk level of the second object in the at least one intelligence repository is higher, the second object may be determined to be a high-risk object.
Alternatively, when the risk level of the second object in any one intelligence repository is higher than a preset level, the second object may be confirmed as a high-risk object. Or, when the risk level of the second object in at least two intelligence repositories is higher than the preset level, the second object may be confirmed as a high-risk object. Or, when the risk level of the second object in at least two intelligence repositories is higher than the preset level, a risk score is computed for the second object according to the weight configured for each intelligence repository, and when that risk score is higher than a preset value the second object may be confirmed as a high-risk object.
In step S242, the current defense measures taken by the at least one target entity against the second object are obtained.
In step S243, when the second object is a high-risk object and the current defense means taken by at least one target entity for the second object does not meet the preset condition, an alarm message is sent to the target entity. Otherwise, no processing is performed.
Optionally, when the defense measures taken by the target institution are insufficient to deal with the second object, alarm information may be sent to the target institution to prompt it to respond in time. For example, the defense measures available to the target institution may include several measures ranked from low to high security; when the security of the measure taken by the target institution is lower than the danger level of the second object, alarm information may be issued to the target institution.
Fig. 7 schematically illustrates a second flowchart of issuing an alarm message to a target entity according to an embodiment of the present disclosure, and as shown in fig. 7, in some specific embodiments, the defense means includes a blocking means, and step S243 includes steps S2431 to S2434.
In step S2431, when the second object is a high-risk object and the current defense measure taken by the at least one target institution for the second object does not satisfy the preset condition, step S2432 is executed.
In step S2432, it is determined whether the target entity is a preset entity, such as a local entity, and if so, step S2433 is performed; if not, go to step S2434.
In step S2433, an alarm message is issued to the target authority, and a blocking operation is taken for the second object.
In step S2434, an alarm message is sent to the target entity to prompt the target entity, and the target entity determines whether to take a blocking operation on the second object.
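Steps S241 to S243 and S2431 to S2434, as an added example that is not part of the patent: a second object is classified as high-risk under each of the three alternatives given for S241 (any repository above the preset level; at least two; at least two plus a weighted score), the institution's current defense measure is compared with the object's danger level, and the outcome is an alert, an alert plus blocking for a preset institution, or nothing. The per-repository risk levels, weights, thresholds, the defense-measure ranking and the institutions are constructed assumptions, as is taking the highest repository level as the object's danger level.

```python
"""Added example (not from the patent): classify a second object as high-risk
under the three policies described for S241, compare the institution's current
defense measure with the object's danger level (S242/S243) and decide alert
and blocking per S2431-S2434. Thresholds, weights and rankings are assumptions."""
from dataclasses import dataclass, field

# Constructed comprehensive threat intelligence: risk level (1..4) per intelligence repository.
COMPREHENSIVE = {
    "203.0.113.10": {"local": 4, "third_party": 3, "vendor": 1},
    "198.51.100.7": {"local": 2, "vendor": 3},
    "192.0.2.99": {"vendor": 4},
}
REPO_WEIGHTS = {"local": 0.5, "third_party": 0.3, "vendor": 0.2}  # assumed per-repository weights
PRESET_LEVEL = 2     # a repository level must be strictly higher than this (assumed)
PRESET_SCORE = 3.0   # the weighted score must be strictly higher than this (assumed)
# Defense measures ordered from low to high security (assumed ranking, on the risk-level scale).
DEFENSE_RANK = {"none": 0, "monitor": 2, "rate_limit": 3, "block": 4}


@dataclass
class Institution:
    name: str
    preset: bool                                 # True for a preset institution such as the local one
    defense: dict = field(default_factory=dict)  # second object -> measure currently taken


INSTITUTIONS = [  # constructed
    Institution("local", True, {"203.0.113.10": "monitor"}),
    Institution("partner", False, {"203.0.113.10": "block"}),
]


def weighted_score(risk_by_repo: dict) -> float:
    """Weighted average of the levels over the repositories holding the object (assumed formula)."""
    total = sum(REPO_WEIGHTS[r] for r in risk_by_repo)
    return sum(REPO_WEIGHTS[r] * lvl for r, lvl in risk_by_repo.items()) / total


def is_high_risk(risk_by_repo: dict, policy: str = "any") -> bool:
    """S241 under the three alternatives given in the text."""
    above = [lvl for lvl in risk_by_repo.values() if lvl > PRESET_LEVEL]
    if policy == "any":
        return len(above) >= 1
    if policy == "at_least_two":
        return len(above) >= 2
    if policy == "weighted":
        return len(above) >= 2 and weighted_score(risk_by_repo) > PRESET_SCORE
    raise ValueError(f"unknown policy {policy!r}")


def danger_level(risk_by_repo: dict) -> int:
    """Assumption: the object's danger level is its highest level across repositories."""
    return max(risk_by_repo.values())


def decide(obj: str, risk_by_repo: dict, institutions, policy: str = "any") -> dict:
    """Per institution: {"alert": bool, "block": bool} following S2431-S2434."""
    high = is_high_risk(risk_by_repo, policy)
    decisions = {}
    for inst in institutions:
        measure = inst.defense.get(obj, "none")                           # S242
        insufficient = DEFENSE_RANK[measure] < danger_level(risk_by_repo)  # S243 preset condition
        if high and insufficient:                                          # S2431
            # S2432: a preset institution is alerted and the object is blocked (S2433);
            # any other institution is only alerted and decides about blocking itself (S2434)
            decisions[inst.name] = {"alert": True, "block": inst.preset}
        else:
            decisions[inst.name] = {"alert": False, "block": False}
    return decisions


if __name__ == "__main__":
    for obj, risks in COMPREHENSIVE.items():
        print(obj, decide(obj, risks, INSTITUTIONS, "weighted"))
```

With these numbers the partner institution is never alerted about 203.0.113.10 because it already blocks it, while the local institution, which only monitors, is alerted and the object is blocked there automatically; 198.51.100.7 is high-risk under the "any" policy but not under "at least two", which is the tuning knob between early warning and false alarms from a single noisy feed.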
By adopting the intelligence processing method of the embodiment of the disclosure, various intelligence repositories are accessed and their data is classified, processed and aggregated to form a dedicated intelligence repository. The intelligence of the different repositories is subjected to collision and correlation analysis, so that alarm information is provided to multiple parties, high-risk behaviors dispersed across the individual systems are handled centrally, and the shortcomings of each individual security device are compensated for.
Based on the intelligence processing method, the disclosure also provides an intelligence processing apparatus. The apparatus will be described in detail below with reference to Fig. 8.
Fig. 8 schematically illustrates a block diagram of an intelligence processing apparatus according to an embodiment of the disclosure. As shown in Fig. 8, the intelligence processing apparatus 800 of this embodiment includes an obtaining module 810, an extracting module 820, an integrating module 830, and an alerting module 840.
The obtaining module 810 is configured to obtain a plurality of first intelligence, where at least two of the first intelligence come from different intelligence repositories, and each first intelligence includes a first object and the threat intelligence of that first object. In an embodiment, the obtaining module 810 may be configured to perform step S210 described above, which is not described again here.
The extracting module 820 is configured to extract, from the plurality of first intelligence, the first intelligence whose first object matches a second object arranged in the first master table. In an embodiment, the extracting module 820 may be configured to perform step S220 described above, which is not described again here.
The integration module 830 is configured to associate the extracted threat intelligence in the first intelligence with the second object as a dimension to obtain a comprehensive threat intelligence of each second object. In an embodiment, the integration module 830 may be configured to perform the step S230 described above, and is not described herein again.
The alarm module 840 is configured to send alarm information to the target entity according to the comprehensive threat intelligence of each second object and the defense measures taken by at least one target entity against the second object. In an embodiment, the alarm module 840 may be configured to perform the step S240 described above, which is not described herein again.
By adopting the intelligence processing apparatus of the embodiment of the disclosure, the first intelligence of a plurality of intelligence repositories can be obtained and correlated with the second object as the dimension, so that the comprehensive threat intelligence of each second object is obtained, diversified analysis and display of the intelligence data are realized, and the risk of each second object is controlled comprehensively. Because the comprehensive threat intelligence combines the first intelligence of a plurality of intelligence repositories, it is accurate and complete; on that basis, whether a target institution is in danger can be analyzed accurately in combination with the defense measures adopted by each target institution, and alarm information is then sent to the target institutions in danger, which greatly improves the accuracy and timeliness of the alarms.
According to an embodiment of the present disclosure, any multiple modules of the obtaining module 810, the extracting module 820, the integrating module 830 and the alarming module 840 may be combined into one module to be implemented, or any one of the modules may be split into multiple modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the obtaining module 810, the extracting module 820, the integrating module 830 and the alarming module 840 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementations of software, hardware and firmware, or any suitable combination of any of them. Alternatively, at least one of the obtaining module 810, the extracting module 820, the integrating module 830 and the alerting module 840 may be at least partially implemented as a computer program module which, when executed, may perform a corresponding function.
Fig. 9 schematically shows a block diagram of an electronic device suitable for implementing an intelligence processing method according to an embodiment of the present disclosure, and as shown in fig. 9, an electronic device 900 according to an embodiment of the present disclosure includes a processor 901 which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage section 908 into a Random Access Memory (RAM) 903. Processor 901 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 901 may also include on-board memory for caching purposes. The processor 901 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 903, various programs and data necessary for the operation of the electronic apparatus 900 are stored. The processor 901, ROM 902, and RAM 903 are connected to each other by a bus 904. The processor 901 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the programs may also be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
Electronic device 900 may also include input/output (I/O) interface 905, input/output (I/O) interface 905 also connected to bus 904, according to an embodiment of the present disclosure. The electronic device 900 may also include one or more of the following components connected to the I/O interface 905: an input portion 906 including a keyboard, a mouse, and the like; an output portion 907 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 908 including a hard disk and the like; and a communication section 909 including a network interface card such as a LAN card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. The drive 910 is also connected to the I/O interface 905 as necessary. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 910 as necessary so that a computer program read out therefrom is mounted into the storage section 908 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the intelligence processing method according to the embodiment of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 902 and/or the RAM 903 described above and/or one or more memories other than the ROM 902 and the RAM 903.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. The program code is for causing a computer system to carry out the intelligence processing method provided by the embodiments of the disclosure when the computer program product is run on the computer system.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 901. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, and the like. In another embodiment, the computer program may also be transmitted in the form of a signal over a network medium, distributed, and downloaded and installed via the communication section 909 and/or installed from the removable medium 911. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 909 and/or installed from the removable medium 911. The computer program, when executed by the processor 901, performs the above-described functions defined in the system of the embodiment of the present disclosure. The above described systems, devices, apparatuses, modules, units, etc. may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming language includes, but is not limited to, programming languages such as Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It will be appreciated by a person skilled in the art that various combinations or/and combinations of features recited in the various embodiments of the disclosure and/or in the claims may be made, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (11)

1. An intelligence processing method, comprising:
acquiring a plurality of first intelligence, wherein at least two of the first intelligence come from different intelligence repositories, and each first intelligence comprises a first object and threat intelligence of the first object;
extracting, from the plurality of first intelligence, the first intelligence whose first object matches a second object arranged in a first master table;
associating the threat intelligence in the extracted first intelligence with the second object as a dimension so as to obtain comprehensive threat intelligence of each second object;
and sending alarm information to a target institution according to the comprehensive threat intelligence of each second object and the defense measures taken by at least one target institution against the second object.
2. The intelligence processing method of claim 1, wherein the obtaining the plurality of first intelligence comprises:
obtaining second intelligence from at least one intelligence repository;
classifying the obtained second intelligence according to intelligence type, and configuring corresponding operation items for the second intelligence according to the classification results;
merging the classified second intelligence according to the timestamp of the second intelligence;
and performing data filtering on the merged second intelligence and converting it into a target data format to obtain the first intelligence.
3. The intelligence processing method of claim 1, wherein the first master table includes address information of each second object, and the extracting first intelligence that matches the first object with a second object arranged in the first master table from among a plurality of the first intelligence includes: performing the following steps for each of the second objects:
matching the address information of the second object with the first object of each of the first intelligence;
and extracting the first intelligence which is successfully matched.
4. The intelligence processing method according to claim 1, wherein the associating the threat intelligence in the extracted first intelligence with the second object as a dimension to obtain comprehensive threat intelligence for each second object comprises:
generating a visual operation interface according to the comprehensive threat intelligence, wherein a first operation item is arranged in the visual operation interface, and the first operation item is configured to respond to a first operation and execute the following steps:
determining a target network segment;
extracting the second object matched with the target network segment according to the target network segment, and displaying the second object;
and in response to a second operation of the user on the displayed second object, displaying the comprehensive threat intelligence of the second object.
5. The intelligence processing method according to claim 1, wherein said sending alarm information to said target institution according to said comprehensive threat intelligence of each of said second objects and a defense measure taken by at least one target institution against said second object comprises:
performing the following steps for each of the second objects:
determining whether the second object is a high-risk object or not according to the comprehensive threat information;
acquiring the defense means currently taken by at least one target mechanism against the second object;
and when the second object is a high-risk object and the current defense means adopted by at least one target mechanism to the second object does not meet the preset condition, sending the alarm information to the target mechanism.
6. The intelligence processing method of claim 5, wherein the defense means comprises a blocking means, and the issuing of the alarm message to the target entity when the second object is a high-risk object and the defense means currently taken by at least one target entity for the second object does not satisfy a preset condition comprises:
when the second object is a high-risk object and the defense means currently taken by at least one target mechanism for the second object does not meet the preset condition, judging whether the target mechanism is a preset mechanism or not;
and when the target institution is the preset institution, sending the alarm information to the target institution and performing a blocking operation on the second object.
7. The intelligence processing method of claim 1, wherein the first master table comprises:
a pre-configured fixed master table; or
a dynamic master table automatically generated according to the local protection log.
8. An intelligence processing apparatus, comprising:
an acquisition module, configured to acquire a plurality of first intelligence, wherein at least two of the first intelligence come from different intelligence repositories, and each first intelligence comprises a first object and threat intelligence of the first object;
an extraction module, configured to extract, from the plurality of first intelligence, the first intelligence whose first object matches a second object configured in a first master table;
an integration module, configured to associate the threat intelligence in the extracted first intelligence with the second object as a dimension so as to obtain comprehensive threat intelligence of each second object;
and an alarm module, configured to send alarm information to a target institution according to the comprehensive threat intelligence of each second object and the defense measures taken by at least one target institution against the second object.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the intelligence processing method of any of claims 1-7.
10. A computer-readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the intelligence processing method of any of claims 1-7.
11. A computer program product, comprising a computer program which, when executed by a processor, implements an intelligence processing method according to any of claims 1-7.
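As an added illustration (not code from the patent or its assignee), the following Python sketch models the four modules of claim 8 and the alarm rule of claim 6; the feed records, the master table contents, the preset institution list and the "blocked" defense condition are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records from two intelligence libraries (hypothetical
# values). Each record carries a first object and its threat intelligence.
FEED_A = [
    {"object": "203.0.113.7", "threat": "c2-server", "risk": "high", "source": "lib-A"},
    {"object": "198.51.100.9", "threat": "port-scan", "risk": "low", "source": "lib-A"},
]
FEED_B = [
    {"object": "203.0.113.7", "threat": "malware-host", "risk": "high", "source": "lib-B"},
    {"object": "phish.example", "threat": "phishing", "risk": "medium", "source": "lib-B"},
]
# Pre-configured fixed master table (claim 7) listing the second objects.
MASTER_TABLE = {"203.0.113.7", "phish.example"}
# Institutions for which the alarm-and-block path of claim 6 applies (assumed).
PRESET_INSTITUTIONS = {"branch-1"}
RISK_RANK = {"low": 1, "medium": 2, "high": 3}


def acquire(*feeds):
    """Acquisition module: pool records from every intelligence library."""
    return [rec for feed in feeds for rec in feed]


def extract(records, master_table):
    """Extraction module: keep records whose first object is a second object."""
    return [r for r in records if r["object"] in master_table]


def integrate(records):
    """Integration module: associate threat intelligence per second object,
    keeping the highest risk level seen across libraries."""
    merged = defaultdict(lambda: {"threats": set(), "sources": set(), "risk": "low"})
    for r in records:
        entry = merged[r["object"]]
        entry["threats"].add(r["threat"])
        entry["sources"].add(r["source"])
        if RISK_RANK[r["risk"]] > RISK_RANK[entry["risk"]]:
            entry["risk"] = r["risk"]
    return dict(merged)


def alarm_actions(intel, institution, defenses):
    """Alarm module for one institution and one second object (claim 6).
    `defenses` is the set of controls the institution already applies; the
    assumed preset condition is that the object is already blocked."""
    if intel["risk"] != "high" or "blocked" in defenses:
        return []  # not high-risk, or the existing defense already suffices
    if institution in PRESET_INSTITUTIONS:
        return ["alert", "block"]
    return []  # handling of non-preset institutions is not in the visible claims
```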

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210974864.8A CN115277247B (en) 2022-08-15 2022-08-15 Information processing method, apparatus, electronic device, storage medium, and program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210974864.8A CN115277247B (en) 2022-08-15 2022-08-15 Information processing method, apparatus, electronic device, storage medium, and program product

Publications (2)

Publication Number Publication Date
CN115277247A true CN115277247A (en) 2022-11-01
CN115277247B CN115277247B (en) 2024-08-09

Family

ID=83750587

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210974864.8A Active CN115277247B (en) 2022-08-15 2022-08-15 Information processing method, apparatus, electronic device, storage medium, and program product

Country Status (1)

Country Link
CN (1) CN115277247B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107370763A (en) * 2017-09-04 2017-11-21 中国移动通信集团广东有限公司 Assets security method for early warning and device based on outside threat intelligence analysis
CN111800395A (en) * 2020-06-18 2020-10-20 云南电网有限责任公司信息中心 Threat information defense method and system
CN111988341A (en) * 2020-09-10 2020-11-24 奇安信科技集团股份有限公司 Data processing method, device, computer system and storage medium

Also Published As

Publication number Publication date
CN115277247B (en) 2024-08-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant