CN115396239B - Intelligent platform and application method and system thereof in auxiliary criminal investigation - Google Patents


Info

Publication number: CN115396239B
Authority: CN (China)
Prior art keywords: module, information, attack, personnel, intelligent platform
Legal status: Active
Application number: CN202211330734.7A
Other languages: Chinese (zh)
Other versions: CN115396239A
Inventors: 郑华东, 肖哲明, 陈诚
Current assignee: Sichuan Anxun Information Technology Co ltd
Original assignee: Sichuan Anxun Information Technology Co ltd
Application filed by Sichuan Anxun Information Technology Co ltd; priority to CN202211330734.7A; publication of CN115396239A; application granted; publication of CN115396239B; current legal status: Active.

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer (under H04L63/04 confidential data exchange among entities communicating through data packet networks; H04L63/0407 identity of one or more communicating entities hidden)
        • H04L63/10 Controlling access to devices or network resources
        • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms (under H04L63/14 detecting or protecting against malicious traffic; H04L63/1441 countermeasures against malicious traffic)
        • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/14; H04L63/1441)
    • G PHYSICS; G06 COMPUTING; CALCULATING OR COUNTING; G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
        • G06Q10/04 Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem" (under G06Q10/00 Administration; Management)
        • G06Q50/265 Personal security, identity or safety (under G06Q50/00 ICT specially adapted for implementation of business processes of specific business sectors; G06Q50/10 Services; G06Q50/26 Government or public services)


Abstract

The invention relates to an intelligent platform, and to a method and a system for applying it in assisting criminal investigation. The intelligent platform comprises an intelligence module and an execution module. The intelligence module can enter target organizations and/or personnel into a range of key observation targets in advance on the basis of a specific selection rule, where the first class of key personnel consists of personnel who match the intelligence module's specific selection rule and/or designated personnel, and the second class of key personnel consists of at least some of the personnel who have a specific personal relationship with the first class. The asset-related intelligence acquired by the intelligence module can be used by the execution module, so that when the execution module collects information on the objects of a case it can associate and collect the other entities related to the target assets and form a graphical relationship tree. The application system comprises at least the intelligent platform and a collaboration end associated with it. The application method comprises the following steps: intelligence analysis and prediction, and an action flow.

Description

Intelligent platform and application method and system thereof in assisting criminal investigation
Technical Field
The invention relates to the technical field of network security, and in particular to an intelligent platform and a method and system for applying it in assisting criminal investigation.
Background
The investigation of large numbers of criminal cases and major cases cannot proceed without investigation and evidence collection. Building the capability for investigative evidence collection and rapid analysis must follow the development of the times and of the law and adapt to the development of intelligent investigation. In particular, for network-based deviant behaviour, which is becoming ever more frequent, whose incidence keeps rising and whose techniques keep improving, the corresponding evidence collection and analysis must be rapid, and security and concealment must be ensured, so that it can play its proper auxiliary role in the criminal investigation process.
CN111090779A discloses a cloud storage and retrieval analysis method for investigative evidence data. Guided by the idea of using the investigative big data obtained in case handling to direct investigation work, it builds an investigative evidence data cloud system, that is, a big-data cloud storage and quick-search correlation analysis information system. On the basis of cloud storage of investigative evidence data, a third-party data interface is reserved, electronic data are searched rapidly and analysed in series, the informatisation of investigation data is strengthened, the evidence data of all kinds of criminal cases are collected, analysed, studied and used, clue evidence is obtained, the behaviour, characteristics and patterns of deviant behaviour are grasped in time, investigation is guided by data, the direction and emphasis of investigation are judged accurately, investigative capability is improved, investigation work is carried out purposefully, and the scientific development of intelligent criminal investigation work in the big-data era is realised.
However, to evade being struck, the operators of network assets may adopt a "cunning rabbit with three burrows" strategy: the network assets of the same group may carry several domain names at once, linking the related cases requires manual judgement, the dimensions along which a person can manually associate them before the target is broken through are narrow, and if the target cannot first be successfully associated, no breakthrough is obtained and the network assets become a dead end. Therefore, when facing complicated cases, for example with many persons involved, many links and complex circumstances, and especially cases involving novel network deviant behaviour, how to quickly sort out the relationships between people, events and objects, construct a relationship network, describe the group structure and present the trajectory of the deviant behaviour, so as to accurately lock onto and strike the true core target, is also a technical problem that urgently needs solving in the field.
Furthermore, on the one hand because of differences in understanding among persons skilled in the art, and on the other hand because the applicant studied a great deal of literature and patents when making the present invention but does not list their details and contents exhaustively here, this by no means implies that the present invention lacks these prior-art features; rather, the present invention has all the features of the prior art, and the applicant reserves the right to add related prior art to the background.
Disclosure of Invention
In view of the defects of the prior art, the invention provides an intelligent platform and a method and system for applying it in assisting criminal investigation, so as to solve the above technical problems.
The invention discloses an intelligent platform comprising an intelligence module and an execution module, wherein the intelligence module collects various types of intelligence information in order to analyse and predict cases, and the execution module carries out, for case targets, the operations from information collection through to privilege acquisition.
The intelligence module can enter at least some target organizations and/or personnel into the range of key observation targets in advance on the basis of a specific selection rule, where the first class of key personnel consists of personnel who match the intelligence module's specific selection rule and/or designated personnel, and the second class of key personnel consists of at least some of the personnel who have a specific personal relationship with at least one first-class key person. The asset-related intelligence acquired by the intelligence module can be used by the execution module, so that when the execution module collects information on the objects of a case it can associate and collect the other entities related to the target assets and form a graphical relationship tree.
Preferably, the intelligence module can enter at least some target organizations and/or personnel into the range of key observation targets in advance on the basis of a specific selection rule, so as to judge quickly, from behavioural trends, whether a person is carrying out or intends to carry out conduct that violates national law and/or is taking part or intends to take part in activities that violate national law. The specific selection rule of the intelligence module can at least be that persons with a prior record of deviant behaviour, together with the organization they belong to and the other members of that organization, are entered into the range of key observation targets in advance. Preferably, the intelligence module can also screen for persons with a tendency towards deviant behaviour under specific topics, for example social topics, economic policy topics and the like. Furthermore, the intelligence module can at least divide the persons entered into the range of key observation targets under the specific selection rule into first-class key personnel and second-class key personnel, and can collect and analyse intelligence to different degrees for each class, where the first-class key personnel are those who match the intelligence module's specific selection rule and/or are designated by the management module, and the second-class key personnel are at least some of the persons who have a certain personal relationship with at least one first-class key person; the personal relationship may comprise a real-space personal relationship and/or a cyberspace personal relationship.
Furthermore, when a second-class key person is reclassified as first-class under the specific selection rule and/or by designation of the management module, at least some of the persons who have a certain personal relationship with that person can be recorded by the intelligence module as the corresponding second-class key personnel. Preferably, when the same person is, through different personal relationships, a second-class key person related to several different first-class key persons, the intelligence module may decide whether to classify that person as first-class on the basis of the actual relevance and closeness of the relationship between that person and the corresponding first-class key persons. Preferably, the intelligence module may group first-class key persons who have actual relevance into the same potential organization, that is, several first-class key persons in a potential organization may be able to form a new organization in the future because they originally belonged to the same organization, or may gather on the basis of the relationship network of one or more first-class key persons and be able to form a new organization in the future. Further, the intelligence module can focus on collecting intelligence about first-class key personnel, particularly where several first-class key persons in the same potential organization are in frequent contact and/or where several first-class key persons in different potential organizations suddenly establish contact, so that the formation and contacts of each potential organization are grasped in time and fed back to the intelligent platform when potential organizations show a tendency to form, merge and/or cooperate.
According to a preferred embodiment, the intelligence module acquires the corresponding intelligence information while dynamically dividing key personnel into classes, and after analysing and predicting the intelligence information determines whether a case is to be opened and, once opened, its degree of importance.
According to a preferred embodiment, the execution module, on the basis of the formed graphical relationship tree, raises the priority of targets of relatively higher relevance and executes the attack operation on them first; the priority order of the execution module across the several targets of one case is related to the graphical relationship tree formed for that case, and when handling several cases the execution module refers to the importance degree of each case.
According to a preferred embodiment, the security module assigns an initial value to the importance degree of each case and adjusts the importance degree of the cases for which the corresponding execution module is responsible according to each case's change factors.
According to a preferred embodiment, the security module grants the execution module handling a case capabilities corresponding to that case's importance degree, and the anonymous network link established by the security module can cover the auxiliary criminal investigation process by means of multiple encryption and multi-node hopping, both when the intelligence module collects intelligence information and when the execution module performs investigation and attack operations.
According to a preferred embodiment, when several attack hosts of the security module distributed in different regions have been assigned targets by priority, the selected attack host receives, over the established anonymous network link, the attack code sent by the execution module and executes the breakthrough attack on the target; the attack code can be transmitted through the anonymous network link in a random-hop manner, and the nodes it passes through can be varied by the security module.
According to a preferred embodiment, in a first process the execution module rapidly collects information on the target website and automatically associates and collects information on the target's associated assets; in a second process it analyses the target in depth to determine exploitable vulnerabilities; and in a third process it attacks on the basis of the vulnerabilities found to obtain the corresponding privileges or key data of the target.
According to a preferred embodiment, the tools the execution module needs to carry out the action flow are built into the tool module, so that the execution module can invoke the tools in the tool module once the security module has authorised them.
The invention also discloses an application system of the intelligent platform, comprising at least the intelligent platform and a collaboration end associated with it; the collaboration end can receive a case collaboration request initiated by the intelligent platform and, by exchanging information with the intelligent platform, assist the operator in completing the investigation and attack tasks against a website involved in a case.
The invention also discloses a method for applying the intelligent platform in assisting criminal investigation, comprising the following steps:
Intelligence analysis and prediction: collect information on the target organizations and/or persons within the range of key observation targets, analyse and predict cases on the basis of the collected information, delimit the classes of key personnel according to dynamically changing personal relationships, construct the related real-space and/or cyberspace personal relationships, and form a graphical relationship tree based on the target's associated assets;
Action flow: complete the whole-process operation from information collection to privilege acquisition through a first, a second and a third process, where the first process rapidly collects information on the target website and automatically associates and collects information on the target's associated assets, the second process analyses the target in depth to determine exploitable vulnerabilities, and the third process attacks on the basis of the vulnerabilities found to obtain the corresponding privileges or key data of the target.
The intelligent platform, application system and corresponding application method of the invention allow operators, in particular county-level case handlers, to handle cases without the attack tools being exposed. Aimed at anti-fraud, anti-gambling, combating network-related economic deviant behaviour and anti-pornography work, it standardises the means of detecting small and medium-sized cases, makes the detection approach procedural and the detection tools automatic, lowers the threshold for detecting network-related cases, deepens the depth of attack against network-related deviant behaviour and accumulates mature case-handling methods. The invention can become the most efficient and convenient assistant for investigating network-related cases and can feed back an early-warning capability for deviant behaviour, thereby reducing the crime rate in a district.
Drawings
FIG. 1 is a simplified module connection diagram of an intelligent platform in a preferred embodiment;
FIG. 2 is a graph comparing the bandwidth performance of the covert link optimised by the security module with the prior art;
FIG. 3 is a graph comparing the delay performance of the covert link optimised by the security module with the prior art.
List of reference numerals
100: an intelligent platform; 10: an intelligence module; 20: an execution module; 30: a security module; 40: a tool module.
Detailed Description
The following detailed description is made with reference to the accompanying drawings.
FIG. 1 is a simplified module connection diagram of an intelligent platform 100 in a preferred embodiment; FIG. 2 is a graph comparing the bandwidth performance of the covert link optimised by the security module 30 with the prior art; FIG. 3 is a graph comparing the delay performance of the covert link optimised by the security module 30 with the prior art.
The present invention discloses an intelligent platform 100 that can be applied at least to assisting criminal investigation. Preferably, the intelligent platform 100 comprises at least the intelligence module 10, the execution module 20 and the security module 30, where the security module 30 provides more stable and reliable security protection for the intelligence module 10 and the execution module 20, so as to ensure security and concealment during the process of assisting criminal investigation.
According to a preferred embodiment, the cases handled by the intelligent platform 100 while assisting criminal investigation can be entered automatically by the intelligence module 10 after analysis and prediction based on the collected intelligence, and/or issued by the management module 30, and/or entered manually by the operator.
Preferably, the intelligence module 10 can enter at least some target organizations and/or personnel into the range of key observation targets in advance on the basis of a specific selection rule, so as to judge quickly, from behavioural trends, whether a person is carrying out or intends to carry out conduct that violates national law and/or is taking part or intends to take part in activities that violate national law. The specific selection rule of the intelligence module 10 can at least be that persons with a prior record of deviant behaviour, together with the organization they belong to and the other members of that organization, are entered into the range of key observation targets in advance by the intelligence module 10. Preferably, the intelligence module 10 can also screen for persons with a tendency towards deviant behaviour under specific topics, for example social topics, economic policy topics and the like.
Further, the intelligence module 10 can at least divide the persons entered into the range of key observation targets under the specific selection rule into first-class key personnel and second-class key personnel, and can collect and analyse intelligence to different degrees for each class, where the first-class key personnel are those who match the intelligence module's specific selection rule and/or are designated by the management module, and the second-class key personnel are at least some of the persons who have a personal relationship with at least one first-class key person; the personal relationship may comprise a real-space personal relationship and/or a cyberspace personal relationship.
Preferably, the real-space personal relationships of a key person can be established from the trajectory of that person's life, study and/or work.
Preferably, the cyberspace personal relationships, which are more complex than the real-space ones, can be reconstructed from databases built for the corresponding key personnel, such as a person library, an organization library and a virtual-identity deciphering library, and the reconstructed cyberspace relationships can comprise person profiles, reputation ratings, character ratings, personnel relationships, interpersonal relationships, spatio-temporal positioning and the like.
Further, when a second-class key person is reclassified as first-class under the specific selection rule and/or by designation of the management module, at least some of the persons who have a certain personal relationship with that person can be recorded by the intelligence module 10 as the corresponding second-class key personnel.
Preferably, when the same person is, through different personal relationships, a second-class key person related to several different first-class key persons, the intelligence module 10 can decide whether to classify that person as first-class on the basis of the actual relevance and closeness of the relationship between that person and the corresponding first-class key persons.
Preferably, the intelligence module 10 may group first-class key persons who have actual relevance into the same potential organization, that is, several first-class key persons in a potential organization may be able to form a new organization in the future because they originally belonged to the same organization, or may gather on the basis of the relationship network of one or more first-class key persons and be able to form a new organization in the future.
Further, the intelligence module 10 can focus on collecting intelligence about first-class key personnel, particularly where several first-class key persons in the same potential organization are in frequent contact and/or where several first-class key persons in different potential organizations suddenly establish contact, so that the formation and contacts of each potential organization are grasped in time and fed back to the intelligent platform 100 when they show a tendency to form, merge and/or cooperate.
Preferably, the intelligence module 10 can obtain various types of intelligence and analyse and judge them to establish an intelligent early-warning mechanism, where the mechanism can draw on one or more kinds of in-depth intelligence such as basic, dynamic, predictive, personal, economic, social, military, geographic and political intelligence.
Further, the intelligence module 10 can take at least one of the above kinds of intelligence as the raw material for analysis and study, where all analysis and study activities are built on the recombined raw intelligence material.
Preferably, the analysis of intelligence by the intelligence module 10 may include SaaS virtual simulation, file decoding, parsing, import and export, format conversion, multilingual offline OCR recognition, analysis of mail attachments, full-text retrieval and the like.
According to a preferred embodiment, the intelligence module 10 can determine whether to plan for the target after analysis and prediction based on the collected intelligence information, wherein the object of plan can include a person performing an over-orbit behavior in the network, an organization where the person is located, a tool used by the person, and the like. The over-orbit behavior refers to the behavior of violating the laws and regulations, the behavior rules, the value concept or the moral standard of a certain society. Since traditional cross-track behavior is evolving towards networking, network cross-track behavior events are frequent, telecommunication phishing cases are highly active, and fraud and gambling cross-track behaviors conducted over the network are also continuously high, the targets placed by the intelligence module 10 can include such tools as the APP and/or websites used by the aforementioned personnel.
Preferably, the case that is manually entered by the operator may be placed according to the report information of the relevant victim, the report information of the relevant involved person, the clue information of the relevant lineman, and the like, for the purpose of placing a case that is partially not collected by the information module 10 and is related to the information.
Preferably, the intelligent platform 100 may complete an action process from information collection to authority acquisition on a case through the execution module 20 when completing an auxiliary criminal investigation process related to the network derailment behavior, wherein the execution module 20 may sequentially perform a first process, a second process and a third process for the network derailment behavior. Preferably, the execution module 20 may complete the fast mining survey work when executing the first flow, so as to perform the fast information collection work on the target, and perform automatic association and information collection on the target-associated asset; the execution module 20 may complete the target probing work when executing the second process, and perform depth analysis through the target to determine the available vulnerabilities; the execution module 20 may complete the remote evidence obtaining work when executing the third process, and obtain the corresponding target permission or the key data based on multiple attack manners. Further, the execution module 20 can complete the collection of various types of data information related to the network of the target through the first flow, so as to facilitate the criminal investigation work of the network over-orbit behavior, and when the information module 10 needs to safely and covertly acquire the data information related to the network of the target in the early information collection process, the execution module 20 can also be driven to perform fast mining and fast surveying operation instead, so as to complete the fast network information collection work.
In the first process, while quickly collecting information the system can automatically associate and collect information on the assets associated with the target, forming an asset relationship tree expanded from the target and the target's associates, and analyze the generated target-associated asset relationship tree to form a target probing direction for the second process. For example, most fraud websites involve multiple parties at once, i.e. website owners, technology providers, service providers, etc.; the relationships between them are complex and form associated asset relationships. The system can automatically associate all assets (e.g. the assets of technology providers and service providers and their asset relationships) associated with a target object (e.g. the website owner) and form a relationship tree, so that reasonable probing directions can be derived from the asset relationship information; for example, some explicit, regular fund flows can be selected as probing directions.
According to a preferred embodiment, in order to obtain the target network-related data information securely and covertly, the security module 30 configured in the intelligent platform 100 may have a function of concealing an attack path, that is, the security module 30 may establish a secure, stable, reliable, and easy-to-use anonymous network link, so as to at least ensure the security, covertness and traceability of the execution module 20 during the full-flow operation process. The security module 30 may employ multiple encryption techniques and multi-node hopping to hide the real physical exit IP address of the network, providing security shielding for assisting in criminal investigation procedures.
The security module 30 implements the hidden attack path function for the execution module 20 through six sub-modules: a central service, a proxy service, a directory service, a wall-crossing service, a relay service and an exit service, and further manages the attack host so that the operator remains concealed and stable while a target is being probed. The central service sub-module provides the central service of the anonymous link; the proxy service sub-module realizes random distribution and optimization of connections between network nodes within the anonymous link; the directory service sub-module encrypts and packages the acquired network transmission protocol; the wall-crossing service sub-module bypasses the protection of the domestic firewall, achieving penetration of the network barrier; the relay service sub-module realizes automatic hopping of nodes in network transmission; the exit service sub-module realizes random hopping of the network exit nodes. When no manual configuration is performed, the security module 30 automatically selects an optimal link and ensures that the operator and the intelligent platform 100 have access to the hidden network; the link can also be modified, set and disabled manually.
According to a preferred embodiment, the hidden link solutions in the prior art all suffer from the problem that concealment and bandwidth cannot be achieved together. In practice, serious problems such as poor scalability of network nodes, difficult deployment, centralization and single points of failure are also found. For example, the hidden link solutions commonly used in the art include the Tor network networking mode, the SS/SSR/V2RAY multi-level hopping mode and the encryption mode, and all three have the problems mentioned above.
The security module 30 of the present invention is a high-speed secure communication network product based on block chain networking, completely decentralized, and elastically expandable, and has the following advantages compared to the above-mentioned common hidden link solutions: the concealment is high, the bandwidth is large, and the bandwidth can be dynamically configured; the link can be dynamically expanded, and the network node can join the network or leave the network at any time; the system is safe and private without a central server for communication, and completely decentralized networking is realized.
Further, the security module 30 uses a network aggregation acceleration technique to enable multi-path data transmission to be possible, so that the transmission of the same data block between single nodes is changed into the transmission between multiple nodes, and the network bandwidth is greatly improved.
Further, the security module 30 uses a new-generation DHT-based routing algorithm that searches for the optimal node through its neighbors, greatly reducing the delay in reaching the target.
Further, the security module 30 may provide or obtain a relay transmission proof, which carries a signature chain for the data transmission. Traditional hidden link schemes cannot check for forged traffic and are therefore insecure to a degree. With relay transmission proof in place, an attacker can forge the signature chain only by holding the private keys of all routing nodes, so the security and credibility of link transmission are greatly improved.
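To make the relay transmission proof concrete, here is an added example (not code from the patent or from its assignee) of a per-hop tag chained over a payload, together with the verifier's check that rejects a tampered payload, a dropped hop, a re-ordered path, or a chain built by a party that holds only some of the relay keys. The relay identifiers, keys and payload are constructed; per-relay HMAC secrets known to the verifier stand in for the public-key signatures the patent describes, because the Python standard library has no asymmetric signing, but the chaining logic (each hop's tag covers the previous hop's tag) is the same.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed relay key table. In the scheme the patent describes each relay
# would sign with its own private key; HMAC with a per-relay secret is used
# here as a stand-in so the example runs with the standard library only.
RELAY_KEYS: Dict[str, bytes] = {
    "relay-a": b"constructed-secret-a",
    "relay-b": b"constructed-secret-b",
    "relay-c": b"constructed-secret-c",
}

GENESIS = b"\x00" * 32  # fixed "previous tag" for the first hop


@dataclass(frozen=True)
class Hop:
    relay_id: str
    tag: bytes  # this relay's tag over (previous tag || relay id || payload digest)


def _hop_tag(key: bytes, prev_tag: bytes, relay_id: str, payload_digest: bytes) -> bytes:
    # Binding the previous tag into this one is what makes the chain a chain:
    # a valid tag for hop N cannot be produced without a valid tag for hop N-1.
    msg = prev_tag + relay_id.encode("utf-8") + payload_digest
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_chain(payload: bytes, path: List[str], keys: Dict[str, bytes] = RELAY_KEYS) -> List[Hop]:
    """Simulate each relay on `path` appending its tag as the payload passes through."""
    digest = hashlib.sha256(payload).digest()
    prev = GENESIS
    hops = []
    for relay_id in path:
        tag = _hop_tag(keys[relay_id], prev, relay_id, digest)
        hops.append(Hop(relay_id, tag))
        prev = tag
    return hops


def verify_chain(payload: bytes, hops: List[Hop], expected_path: List[str],
                 keys: Dict[str, bytes] = RELAY_KEYS) -> Optional[str]:
    """Return None if the chain is valid, otherwise a short reason for rejection."""
    if [h.relay_id for h in hops] != list(expected_path):
        return "path-mismatch"  # hop dropped, inserted or re-ordered
    digest = hashlib.sha256(payload).digest()
    prev = GENESIS
    for hop in hops:
        key = keys.get(hop.relay_id)
        if key is None:
            return "unknown-relay:" + hop.relay_id
        expected = _hop_tag(key, prev, hop.relay_id, digest)
        if not hmac.compare_digest(expected, hop.tag):
            return "bad-tag:" + hop.relay_id
        prev = expected
    return None


def chain_with_partial_keys(payload: bytes, path: List[str], known: Dict[str, bytes]) -> List[Hop]:
    """Chain built by a party holding only the keys in `known`; hops whose key it
    lacks get a placeholder tag. Used to show that forging needs every key on the path."""
    digest = hashlib.sha256(payload).digest()
    prev = GENESIS
    hops = []
    for relay_id in path:
        if relay_id in known:
            tag = _hop_tag(known[relay_id], prev, relay_id, digest)
        else:
            tag = hashlib.sha256(b"placeholder:" + relay_id.encode("utf-8")).digest()
        hops.append(Hop(relay_id, tag))
        prev = tag
    return hops


if __name__ == "__main__":
    path = ["relay-a", "relay-b", "relay-c"]
    payload = b"constructed payload"
    chain = build_chain(payload, path)
    print("intact chain:", verify_chain(payload, chain, path))
    print("tampered payload:", verify_chain(b"tampered payload", chain, path))
```

The verifier stops at the first hop whose tag does not recompute, so the returned reason also says where along the path the proof broke, which is what an auditor of link transmission would want logged.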
Preferably, the security module 30 is deployed at a competent entity having law enforcement authority.
Further, unlike the conventional scheme, the security module 30 may configure multiple execution modules 20 with multi-level hopping that supports dynamic hopping; furthermore, the next relay node for the same target may be changed, so that link transmission is uncertain, and preferably a minimum of 5 hops greatly increases the concealment of the link.
Preferably, the anonymous network link constructed by the security module 30 can be used in different courses of action of the execution module 20.
Preferably, the execution module 20 is deployed on the device of a person authorized to perform a reconnaissance mission. The execution modules 20 are deployed at a plurality of locations, and different execution modules 20 may have different rights. Furthermore, depending on the location at which the respective execution module 20 is deployed, the "strength" of the current execution module 20, i.e. the strength of the unit in which it is located, may be determined from the establishment (staffing) of that unit.
Preferably or alternatively, the execution module 20 and the attack host of the intelligent platform 100 may belong to different physical servers or server clusters; for example, the execution module 20 is itself a server. Preferably or alternatively, the execution module 20 and the attack host may be two virtual machines deployed on the same physical server at the same time. Alternatively or additionally, the execution module 20 may be an application on the attack host which performs configuration for an attack task, such as constructing the attack environment, forming the attack script and collecting data for the attack, for example building an attack virtual machine on demand to serve as the attack host.
Preferably, the execution module 20 in the first process may perform one or more operations of IP positioning analysis, domain name resolution analysis, website record information analysis, domain name information analysis, website fingerprint analysis, threat intelligence analysis, and the like.
Preferably, the execution module 20 also performs synchronous analysis (for example, by instructing the attack host to perform related tasks) for other important clues filled by the operator, and the analysis content may include personnel information analysis and string merger association analysis.
Preferably, for an APK software package transmitted by an operator into the intelligent platform 100, the execution module 20 supports automatic decryption, decapsulation, decompression, and search analysis of the package.
Preferably, the execution module 20 executing the second process (for example, by instructing the attack host to execute the relevant tasks) may deeply analyze the target's open ports, running services, web middleware, web framework, open-source programs, available vulnerabilities, etc., so as to perform target probing with the most complete attack surface of the target as the goal.
Preferably, the execution module 20 may also support multi-threaded target information probing with its own built-in vulnerability scanner, so that target probing is fast and, because packets are sent very lightly, has little influence on the target.
Preferably, for various targets such as a Windows host, a Linux host, a website, a network device and the like, the execution module 20 may also quickly analyze the protocol information corresponding to each port, determine various information about the target host, and quickly return the result and generate a report for display in the intelligent platform 100. Such analysis tools are not of an aggressive nature but are common software tools. The security module 30 of the intelligent platform 100 may audit such activity.
Unlike a common vulnerability scanning tool, the intelligent platform 100 may be preset with a vulnerability detection engine (offensive attack tool) that has an actual attack effect, for example by simulating the vulnerability environment on the network, coding the vulnerability reproduction flow and implementing automatic vulnerability verification, so as to judge accurately whether the target object has a usable vulnerability and help the reconnaissance staff quickly find a breach point on the target. According to the present invention, the intelligent platform 100 stores such a vulnerability detection engine (offensive attack tool) and its configuration data on a server of the upper-level administrative unit with stronger defensive capability; only when an attack needs to be executed does the security module 30 provide the relevant tool to at least one execution module 20, preferably in encrypted-shell (packed) form; the execution module 20 deploys the received encrypted-shell data packet together with the script to the attack host, and the attack host executes the relevant task.
Preferably, the execution module 20 may provide the encrypted data to the attack host so that, according to the "difficulty of actual exploitation" and the "level of shell privilege obtainable" of the vulnerabilities found on the target, different vulnerability exploitation tools are used when remote forensics must be performed, in order to obtain the corresponding privilege or key data of the target.
Preferably, the execution module 20 executing the third flow (e.g., by attacking the host) may take a variety of attack forms, such as a middleware vulnerability attack, a framework vulnerability attack, an integrated environment vulnerability attack, an open source program vulnerability attack, a CMS vulnerability attack, a brute force attack, an Nday vulnerability attack, a 0day vulnerability attack, and the like.
Further, the intelligent platform 100 integrates the corresponding vulnerability characteristics and exploitation code for JAVA middleware, PHP integrated environments, various open-source programs and the like, so that an operator can obtain the rights of the target host quickly and conveniently. In the present invention, however, the security module 30 provides the relevant tools to at least one execution module 20 only when an attack needs to be executed, preferably in encrypted-shell (packed) form; the execution module 20 deploys the received encrypted-shell data packet to the attack host together with the script, and the attack host executes the relevant tasks.
Preferably, the management programs of the security module 30 may include commission management, tool library management, alarm management and reconnaissance management. For example, by means of the alarm management program of the security module 30, when the intelligent platform finds that an attack host has access rights beyond its authority or that a data cracking operation is being performed (for example, the CPU time consumed on the attack host by the tool-loading script exceeds a normal threshold), the alarm management program can raise an alarm for possible attack tool leakage. Preferably, in order to ensure that the attack host is traceable and completes trace cleaning quickly, the security module 30 combines distributed attack hosts with dynamic issuing of attack tasks, ensuring the security of the attack host while constructing the anonymous network link.
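The alarm management described above is, at its core, a rule pass over host telemetry against an authority table and a resource baseline. The following is an added example (not the patent's or its assignee's code) of such a pass: the event record layout, the authority table, the CPU budget and the sample events are all constructed for the example, and the three rules (operation outside the module's grant, a data-cracking operation, CPU time above the threshold) are the ones the paragraph names. Each suspicious condition yields its own alarm, so one event can raise several, and the set of hosts to pull from the pool is derived from the alarms.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class HostEvent:
    """One telemetry record reported by an attack host (constructed layout)."""
    host: str           # attack host identifier
    module: str         # execution module that issued the task
    operation: str      # what the tool-loading script did: "read", "write", "crack", ...
    resource: str       # object the operation touched
    cpu_seconds: float  # CPU time the tool-loading script consumed on the host


# Constructed authority table: operations each execution module may perform on a host.
GRANTS: Dict[Tuple[str, str], Set[str]] = {
    ("exec-20a", "host-1"): {"read"},
    ("exec-20b", "host-2"): {"read", "write"},
}

# Constructed "normal" CPU budget for a tool-loading script. In practice this would
# be a baseline learned from past commissions rather than a fixed number.
CPU_THRESHOLD_SECONDS = 120.0


def evaluate_alarms(events: List[HostEvent],
                    grants: Dict[Tuple[str, str], Set[str]] = GRANTS,
                    cpu_threshold: float = CPU_THRESHOLD_SECONDS) -> List[Dict[str, str]]:
    """Return one alarm per suspicious condition; a single event may raise several."""
    alarms: List[Dict[str, str]] = []
    for ev in events:
        allowed = grants.get((ev.module, ev.host), set())
        if ev.operation not in allowed:
            alarms.append({"host": ev.host, "kind": "beyond-authority",
                           "detail": f"{ev.module} performed {ev.operation} on {ev.resource}"})
        if ev.operation == "crack":
            # Cracking data on the host is outside every commission and suggests
            # a tool is being used locally, i.e. possible attack tool leakage.
            alarms.append({"host": ev.host, "kind": "data-cracking",
                           "detail": f"{ev.module} ran cracking against {ev.resource}"})
        if ev.cpu_seconds > cpu_threshold:
            alarms.append({"host": ev.host, "kind": "cpu-threshold",
                           "detail": f"{ev.cpu_seconds:.0f}s > {cpu_threshold:.0f}s"})
    return alarms


def hosts_to_lock(alarms: List[Dict[str, str]]) -> Set[str]:
    """Hosts that should be taken out of the pool and reset pending review."""
    return {a["host"] for a in alarms}


# Constructed telemetry: one benign read, one write outside the grant, and one
# cracking operation that also blows the CPU budget.
SAMPLE_EVENTS = [
    HostEvent("host-1", "exec-20a", "read", "target-config", 8.0),
    HostEvent("host-1", "exec-20a", "write", "tool-cache", 15.0),
    HostEvent("host-2", "exec-20b", "crack", "local-data", 340.0),
]

if __name__ == "__main__":
    for alarm in evaluate_alarms(SAMPLE_EVENTS):
        print(alarm)
    print("lock:", sorted(hosts_to_lock(evaluate_alarms(SAMPLE_EVENTS))))
```

Keeping the rules independent rather than short-circuiting after the first hit matters for the "possible tool leakage" decision: a cracking operation that is also over the CPU budget is a stronger signal than either alone, and the reviewer sees both.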
Preferably, the intelligent platform 100 can be associated with a plurality of attack hosts all over the world and performs heartbeat communication with the attack hosts through a hidden link, and all the attack hosts are not provided with any attack tool and only build an environment in which an attack script needs to run. After receiving the attack instruction, the intelligent platform 100 can automatically select the optimal attack host according to the management execution result, send the attack code to the attack host, and lock the host to prevent other users from using the attack host. And after receiving the attack instruction and the attack code, the attack host starts to execute the target attack task, returns an execution result to the intelligent platform 100, and simultaneously restores the host to clear traces and unlocks the host. Preferably, more than 20 attack hosts can be configured globally. Preferably, several attack hosts, which are not configured with attack tools, but only build the environment in which the attack script needs to be run, may be distributed over at least two regions, for example over at least two execution modules 20 in two regions.
The security module 30 may also secure the attack host through a distributed technique and a task-issuing technique, for example by issuing tasks to different attack hosts via execution modules 20 deployed at different locations. The tools each execution module 20 needs to invoke to perform reconnaissance and attacks are managed and supervised by the security module 30 and audited afterwards. In the task-issuing process, the attack host (on which the execution module 20 of the intelligent platform 100 can be carried) is selected by the security module 30 of the intelligent platform 100 with randomness governed by operation management; combined with the hidden attack path function, this effectively reduces the possibility that the attack tool is traced through the attack hosts associated with the intelligent platform 100. Moreover, all attack hosts associated with the intelligent platform 100 (for example, virtual machines carried on the same physical host as the execution module 20) automatically reset and restore themselves after the investigation task is executed, so bidirectional tracing is effectively blocked.
Because the industrial chain behind network derailment behavior is huge, comprising technical providers that build websites/APPs, data service providers that lease servers, third-party and fourth-party providers of online-banking payment, and the like, the intelligent platform 100 is equipped with vulnerability exploitation tools or data acquisition tools for the main service providers in the derailment-behavior industrial chain, together with a platform database, to help operators check accurately and obtain evidence rapidly.
According to a preferred embodiment, tens of attack tools may be configured in tool module 40 to facilitate execution module 20 in quickly selecting corresponding tools based on different courses of action.
The security module 30 of the intelligent platform 100 exposes the performance and type of the attack tool in the tool module 40 by means of the tool manager and the tool library manager, and passes the call behavior to the call manager for recording.
Preferably, the links and flow modules of the intelligent platform 100 are componentized, which gives operators room to create while also avoiding tool abuse and leakage. On the premise of guaranteeing the lower limit of the operation of the intelligent platform 100, the upper limit of its use is raised, so that operators with a technical background are no longer limited by the fixed flow of the intelligent platform 100 and can, within the scope permitted by legal authority, develop more strike ideas for the website. A matched strike flow can be designed for websites with the same architecture, facilitating rapid strikes.
The content of the security module 30's management of the tool module 40 through the tool management program and the tool library management program includes tool integrity checking, access authority checking, tool call record checking and tool access record checking, where the core component and the auxiliary components each obtain traceable audit records. Preferably, the tool module 40 can have a custom function, so that the action flows of the intelligent platform 100 are diversified. The intelligent platform 100 can package some of the functions required in an action flow into multiple components, such as probes, port scanners, service scanners, directory scanners, crawlers, status code queriers and the like. The intelligent platform 100 can package and install various vulnerability testing components and attack components. An operator can set the order of the components, and by reasonably arranging and combining different functional components form a brand-new attack mode. The vulnerability testing components and attack components contain not only a large amount of Nday and framework vulnerability attack code, but also conventional vulnerabilities such as SQL injection, brute-force cracking, directory browsing and file inclusion.
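The four management checks named above (tool integrity, access authority, call records, access records) and the tool-call recording mentioned for the tool manager and call manager come down to a digest manifest, an authority table and an append-only audit log. Here is an added example (not code from the patent or its assignee) that wires them together: the component bytes, manifest, operator grants and timestamps are constructed for the example, and the order of checks (integrity before authority) is a design choice made here, not something the patent specifies.

```python
import hashlib
import time
from typing import Dict, List, Optional, Set, Tuple


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed tool library: component name -> bytes of the component as shipped.
# Real components would be files on disk; bytes are embedded so the example runs offline.
TOOL_LIBRARY: Dict[str, bytes] = {
    "port-scanner": b"constructed port-scanner component v1",
    "service-scanner": b"constructed service-scanner component v1",
}

# Integrity manifest: the digest each component must match before it may be called.
# In a deployment this would be signed and stored apart from the tool library.
TOOL_MANIFEST: Dict[str, str] = {name: _sha256(blob) for name, blob in TOOL_LIBRARY.items()}

# Constructed access-authority table: which components each operator may call.
ACCESS_GRANTS: Dict[str, Set[str]] = {
    "operator-1": {"port-scanner"},
    "operator-2": {"port-scanner", "service-scanner"},
}


def check_tool_call(tool: str, blob: bytes, operator: str, audit_log: List[dict],
                    manifest: Dict[str, str] = TOOL_MANIFEST,
                    grants: Dict[str, Set[str]] = ACCESS_GRANTS,
                    now: Optional[float] = None) -> Tuple[bool, str]:
    """Integrity check first, then authority check; every outcome, allowed or
    denied, is appended to the audit log so the call record is complete."""
    ts = time.time() if now is None else now  # `now` is injectable for reproducible tests
    actual = _sha256(blob)
    expected = manifest.get(tool)
    if expected is None:
        allowed, reason = False, "unknown-tool"
    elif actual != expected:
        allowed, reason = False, "integrity-mismatch"  # component altered or substituted
    elif tool not in grants.get(operator, set()):
        allowed, reason = False, "no-authority"
    else:
        allowed, reason = True, "ok"
    audit_log.append({"ts": ts, "operator": operator, "tool": tool,
                      "sha256": actual, "allowed": allowed, "reason": reason})
    return allowed, reason


def call_records(audit_log: List[dict], tool: str) -> List[dict]:
    """Tool call record checking: every attempt, allowed or not, against one component."""
    return [e for e in audit_log if e["tool"] == tool]


def denied_records(audit_log: List[dict]) -> List[dict]:
    """Tool access record checking: the attempts that were refused, for review."""
    return [e for e in audit_log if not e["allowed"]]


if __name__ == "__main__":
    log: List[dict] = []
    print(check_tool_call("port-scanner", TOOL_LIBRARY["port-scanner"], "operator-1", log))
    print(check_tool_call("port-scanner", b"altered bytes", "operator-1", log))
    print(check_tool_call("service-scanner", TOOL_LIBRARY["service-scanner"], "operator-1", log))
    for entry in denied_records(log):
        print(entry["reason"], entry["operator"], entry["tool"])
```

Checking integrity before authority means a substituted component is reported as such even when the caller would otherwise have been allowed, which is the case the tool library manager most needs to see.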
After an operator forms a brand-new action flow using the custom function and completes the corresponding case detection, the intelligent platform 100 can store and share the composition and ordering of that action flow, so that when this operator or other operators use the intelligent platform 100 to handle similar websites, they can produce the corresponding attack schemes more quickly and directly, summarize the attack results for similar websites, and obtain a better action flow through comparison, screening, improvement and the like.
Preferably, the intelligent platform 100 may also include one or more of a number of auxiliary components such as input components, output components, filters, integrators, converters, and the like.
Preferably, when the execution module 20 executes the corresponding instruction operation on the target, the security module 30 establishes an anonymous network link that achieves the corresponding concealment and imperceptibility, based on the anonymous anti-tracing level of the link that needs to be configured for the target. The security module 30 can adjust the established link by changing the number and/or order of the relay nodes at the corresponding transmission interval; the manner of changing the number and/or order of the relay nodes is determined at least by the corresponding anonymous anti-tracing level, and the anonymous anti-tracing level is determined at least by the different action flows executed by the execution module 20. For example, when the execution module 20 executes the first, second and third processes, divided according to its authority, investigation and mission, it is given different anonymous anti-tracing levels, so as not only to prevent the investigation target from being alerted but also to prevent the attack weapon and its attack mode from being learned in detail by the execution module 20 (which may, for example, be deployed on the device of a specific executive), which would cause other adverse effects. In other words, the invention not only achieves the evasion of tracing pursued by the prior art, but through anonymous anti-tracing also avoids leakage of the attack weapon, and in particular leakage of its attack mode, which would harm the network security environment and future investigations.
Preferably, when the execution module 20 executes the first process of fast information collection on the target, the security module 30 sets a first anonymous traceability level for the reconnaissance target, where the execution module 20 executes the fast information collection work related to a reconnaissance instruction in response to that instruction being issued by the security module 30. Preferably, the private information related to the reconnaissance target may be provided to the execution module 20 in encrypted form, in particular asymmetrically encrypted, under an exclusive system right, so that the execution module 20 performs the fast information collection on the target in a manner that prevents the person who deploys the execution module 20 from tracing the private information related to the reconnaissance target. Through these measures the execution module 20 cannot rewrite the private information of the reconnaissance target even with administrator authority, so the reconnaissance object cannot be misidentified (one person mistaken for another); at the same time, neither the execution module 20 nor the operation terminal on which it is deployed directly holds the private information of the reconnaissance target, ensuring law-enforcement compliance and respecting citizens' privacy.
Preferably, when the execution module 20 executes a fast information collection job associated with a reconnaissance instruction, i.e. when the security module 30 issues a reconnaissance instruction to at least one of the execution modules 20, the respective execution module 20, in response to receiving the instruction, records the execution of its fast information collection job and submits it to the security module 30 as a time-stamped feedback record, so that the security module 30 records, in a time-correlated manner, the course of the first process of fast information collection performed by the respective execution module 20 on a given target. In other words, the security module 30 applies "commission management" to the "fast information collection work performed against a target", so that each commission can be traced back in a way that correlates time, action and execution module 20.
Preferably, when the execution module 20 executes the second process of performing the deep analysis on the target, the security module 30 sets a second anonymous traceability level for the deep analysis tool, wherein the execution module 20, in response to the deep analysis instruction issued by the security module 30, executes the deep analysis work related to the deep analysis instruction, and before executing the deep analysis work, the security module 30 further adjusts a specific configuration of the second anonymous traceability level according to the authority set by the execution module 20 and the authority of the person operating the execution module 20. Since the investigation tools needed to be used for the deep analysis of the object may be highly destructive to the computer information system, before such investigation tools are used, the security module 30 checks the authority of the corresponding execution module 20 or the authority preset thereto, and applies a second anonymous traceability level after adjusting the specific configuration according to the current authority of the corresponding execution module 20 determined by the check and in combination with the strength of the corresponding execution module 20 and the unit in which it is deployed. 
According to the present invention, preferably, in view of the network hazard of the tools required for "executing the second process of performing deep analysis on the target", the security module 30 sets the second anonymous traceability level for the deep analysis tool, or adjusts the specific configuration of that level, in combination with the strength of the corresponding execution module 20 and of the unit where it is deployed, so that the security module 30 evaluates and applies the security measures taken for the deep analysis tool according to the operational capability of the corresponding execution module 20 and its unit. In this way the most economical, fastest and safest deployment scheme is found between operational efficiency and anonymous traceability. Preferably or alternatively, the security module 30 determines the second anonymous traceability level for the target identified after execution of the first process; for detection of a target with higher urgency, layer-by-layer shell-adding encryption is not suitable, because the excessive operational overhead would make the deep analysis tool too slow and target detection would lose its real-time property. Alternatively, the security module 30 according to the present invention gives or authorizes the corresponding execution module 20 to use an instant deep analysis tool for detecting the higher-urgency target identified by the first process, where, during that detection, the security module 30 takes over the configuration of at least some parameters of the instant deep analysis tool, or issues the pre-configured instant deep analysis tool to the execution module 20, for example in the form of an instant virtual machine.
Preferably, when the execution module 20 executes the third process of acquiring the corresponding authority or key data of the target, the security module 30 sets a third anonymous traceability level. The security module 30 sets this level in view of the risk that the tool for acquiring the authority or key data poses to the execution module 20, the data it carries and its current tools. Under the third anonymous traceability level, the security module 30 may deploy the tool that acquires the target's authority or key data to a first execution module, and load the suspected host authority information serving as the target and the key data acquired from the target onto a second execution module whose deployment position differs from that of the first. A plurality of relay nodes, whose number and order are managed by the security module 30, exist between the first execution module and the second execution module, so that under the third anonymous traceability level the number and order of the invoked relay nodes are anonymous and untraceable for both the first and the second execution module.
Preferably, the intelligence module 10 can also collect intelligence information by using the anonymous network link established by the security module 30, so as to ensure the security and the confidentiality of the intelligence platform 100 in the intelligence information collecting process, wherein the anonymous network link established by the security module 30 may not be used or may be used as little as possible for the public intelligence information collection, and the anonymous network link established by the security module 30 may be selectively used for the information collection of each object within the range of the object under emphasized observation, and especially for the key personnel with network correlation techniques and/or the key personnel with strong anti-spy awareness, the anonymous network link established by the security module 30 may be used more, so as to avoid being discovered by the key personnel in the intelligence information collecting process to affect the subsequent spying process.
Further, the object of the information module 10 is usually a case that has not been filed yet, and it is possible to assign a temporary case number to an important object within an important observation object range and assign a public case number to a popular object, so as to facilitate case management and node division of the security module 30.
Further, the security module 30 may dynamically adjust the established anonymous network link based on the reconnaissance environment in which the intelligent platform 100 is located: the security module 30 can be expanded at any time; exit countries can be selected and switched on a schedule; the number of link hops can be distributed dynamically according to network capacity and route; and the bandwidth can be limited according to preset or manually entered thresholds and adjusted to usage requirements.
Preferably, for an execution module 20 that is preparing or carrying out remote evidence obtaining, the security module 30 may, in addition to configuring links of the corresponding anonymous traceability level for it, use a plurality of attack hosts (which may be virtual machines) that merely build the environment in which attack scripts run, in order to configure the attack tool on demand; and, provided that the attack scripts temporarily carried by the attack hosts are encrypted in a manner consistent with their computing capability, the execution module 20 instructs at least one corresponding attack host to execute an attack on a specified target. According to the invention, only an attack host that needs to run the built attack-script environment loads the attack tool and tool data, and only within a specified time period while executing the attack task; the attack host's execution does not depend on the operator but originates from the instructions and data of the execution module 20 of the intelligent platform 100, and the execution module 20 logs in to the attack host with system authority (anonymous to the operator), so that, beyond the measures of encryption and shell-adding, the encrypted attack tool and tool data are prevented from being leaked from the attack host. In particular, when the execution module 20 provides the attack tool to such an attack host as an asymmetrically encrypted compressed package plus script, the execution module 20 itself cannot extract the attack tool from the large data volume, and the attack host runs a self-destruction program after execution completes, so the attack tool remains in the virtual environment and cannot be obtained by an operator.
Therefore, the security module 30, the execution module 20 and the attack host form a "three-body problem" that is relatively hard to crack, achieving effective use management of the attack tool.
Preferably, after receiving the attack requirement of a lawfully authorized reconnaissance user, the security module 30 can automatically select the optimal attack host according to the operation-management execution result and issue the attack code (through the corresponding execution module 20) to that attack host. At this point the security module 30 may lock the attack host in a "busy" state, preventing its use by other cases or by other similar lawfully authorized reconnaissance users. When the lawfully authorized reconnaissance user needs to use the host that is executing the attack task while synchronously performing other reconnaissance processes, the intelligent platform 100 can recommend that the user either select an alternative attack host or wait for the optimal attack host to finish its task; the basis for recommending one of the two options can be the timeliness of the case under reconnaissance and the difference amplitude of the alternative attack host, where the difference amplitude is the difference in numerical result when the alternative attack host and the optimal attack host complete the attack task against the same target, and the intelligent platform 100 can be provided with a corresponding difference threshold to judge whether the alternative attack host is feasible for executing the attack task.
Preferably, the intelligent platform 100 implements heartbeat communication with the attack host through the link configured by the security module 30 and having a corresponding anonymous traceability level, and issues the attack code to the selected attack host through the link. Further, the anonymous network link with the relay transmission proof can be provided with a set of data transmission signature chain so as to at least guarantee the safety and the credibility of the link transmission when the attack code is issued.
Further, when performing link transmission, the security module 30 may flexibly change the relay node of the link based on the anonymous traceability level, so that the link transmission for the same target has uncertainty, thereby improving concealment of the link. The security module 30 of the present invention generally configures a link with at least 5-level hops, so that a plurality of relay nodes exist between a communication starting point and a communication end point, and in order to ensure the concealment of the link, the security module 30 can flexibly change at least one relay node of the link at any transmission interval, so that the hopping manner of the whole link is changed, wherein the security module 30 can determine the change number and/or the order of the relay nodes according to the anonymous anti-tracing level of the link required by the current operation. The relay node has a bit number limited by the connection relationship between the communication starting point and the communication end point, the relay node closer to the communication starting point has a lower bit number, the relay node closer to the communication end point has a higher bit number, the bit numbers of other relay nodes may change synchronously with the change of at least one relay node in the link, and the same relay node may have different bit numbers in different links. Preferably, the frequency of link changes is flexibly adjustable based at least on the level of anonymous backtracking prevention. Preferably, the relay node with a larger order in the link may have a frequency that is changed more frequently than the relay node with a smaller order, and after multiple communications, all relay nodes through which the link passes between the communication starting point and the communication ending point are changed to ensure the security and concealment of link transmission. 
The security module 30 regulates and controls the use state and change frequency of each relay node, so that the intelligent platform 100 can better distribute case processing sequences, particularly endow corresponding importance degrees to different cases, and complete the arrangement of the case processing sequences based on the node distribution of the security module 30 on the time sequence even if a large number of cases are accumulated in a short time.
Preferably, when the number of cases related to the internet is large, the intelligent platform 100 may rank the importance levels of the cases and may prioritize the cases with higher importance levels, wherein the importance levels of the same case may be flexibly adjusted. Preferably, the degree of importance of a case may be determined based on the intelligence information obtained by intelligence module 10. Preferably, the degree of importance of a case may also be referred to as the urgency of case investigation. Furthermore, the importance degree of the same case can be adjusted based on the number of involved cases, the affected area, the technical advancement and/or the timeliness, wherein the importance degree of the same case is at least gradually increased along with the extension of the acceptance time, and the intelligent platform 100 considering the timeliness factor can prevent a part of cases with lower initial importance degree from being continuously inserted into the team by the cases with higher initial importance degree and being delayed beyond the optimal investigation opportunity, especially, a part of APP/websites can be effectively accessed only in a certain time period and cannot be accessed when the investigation is performed after the optimal investigation opportunity is exceeded. Further, the influence of the timeliness factor on the case importance degree can be in a nonlinear synchronous increase relationship, wherein as the acceptance time is prolonged, the case importance degree can be increased in a manner of having a larger increase amplitude compared with the previous unit time for each unit time. Preferably, the case importance level can increase exponentially or exponentially like with the acceptance time. Preferably, the operator and/or director can customize the importance of each case.
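The aging rule described above, as an added illustration that is not the patent's own code: a case's effective importance grows exponentially with the time since acceptance, so each unit of time adds more than the previous one, and an early low-importance case eventually overtakes later high-importance arrivals instead of starving. The growth factor, the tie-break on acceptance time and the sample cases are assumptions made here for the example.

```python
"""Urgency-aging case scheduler (added illustration, not the patent's code).

Assumptions (not from the patent): importance grows as
initial * (1 + growth) ** elapsed_units, and ties are broken by earlier
acceptance time.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Case:
    case_id: str
    initial_importance: float  # value assigned at acceptance (operator, director or security module)
    accepted_at: float         # acceptance time, in scheduler time units


def effective_importance(case: Case, now: float, growth: float = 0.1) -> float:
    """Importance after aging: each elapsed unit adds more than the previous one."""
    elapsed = max(0.0, now - case.accepted_at)
    return case.initial_importance * (1.0 + growth) ** elapsed


def increment_for_unit(case: Case, now: float, growth: float = 0.1) -> float:
    """How much the importance rises over the next unit of time."""
    return effective_importance(case, now + 1, growth) - effective_importance(case, now, growth)


def units_until_overtake(low_initial: float, high_initial: float, growth: float = 0.1) -> int:
    """Whole time units an aging case of importance low_initial needs before it
    outranks a freshly accepted case of importance high_initial."""
    if low_initial >= high_initial:
        return 0
    return math.ceil(math.log(high_initial / low_initial) / math.log(1.0 + growth))


def processing_order(cases, now: float, growth: float = 0.1):
    """Case ids ordered for processing: highest effective importance first,
    earlier acceptance first on ties."""
    ranked = sorted(cases, key=lambda c: (-effective_importance(c, now, growth), c.accepted_at))
    return [c.case_id for c in ranked]


if __name__ == "__main__":
    # Constructed sample: a low-importance case accepted early and a
    # high-importance case accepted twelve units later.
    old = Case("C-1", 1.0, accepted_at=0)
    new = Case("C-2", 3.0, accepted_at=12)
    for t in (0, 6, 12):
        print(t, processing_order([old, new], now=t))
    print("units until C-1 overtakes a fresh 3.0 case:", units_until_overtake(1.0, 3.0))
```

With a 10 % growth rate the early case overtakes a freshly accepted case of three times its initial importance after twelve units; raising the growth rate shortens that bound, which is the knob an administrator would tune against the access windows of the apps and websites the text mentions.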
According to a preferred embodiment, the security module 30, deployed in an administrative unit with law-enforcement authority, obtains an encrypted approval command before the execution module 20 carries out an action flow, and gains the authority to perform the corresponding operation only after decrypting it with the matching key. The approval command may specify the commands allowed to execute, the hosts allowed to execute them, and/or the objects they may be executed against. Every instruction executed by the execution module 20 is thus approved and lawful under the competent entity.
Preferably, the security module 30 can assign the corresponding execution module 20 several relay nodes, whose number and order match the content of the approval command, in order to build multiple independent, non-interfering links.
Preferably, the security module 30 can determine the allocation of relay nodes based on the capacity of the unit where each execution module 20 is located and on the anonymous anti-tracing level of the action flow for the case that module is responsible for, so that relay nodes are allocated reasonably. The security module 30 may dynamically adjust the allocation whenever the capacity of the unit hosting any execution module 20 changes and/or the case that module is responsible for changes; when the number and/or position numbers of the relay nodes allotted to an execution module 20 change, the link is rebuilt with a different hop pattern.
Preferably, the importance degree of the case an execution module 20 is responsible for may affect how the security module 30 allocates relay nodes to it.
Further, after completing the action flow, the execution module 20 can send the time-bound evidence, bound to an encryption key, to the administrative entity that deploys the security module 30, in order to complete case reporting and archiving. The security module 30 may adjust its subsequent allocation tendencies for relay nodes and attack hosts according to case completion.
Preferably, the director can create, modify and delete the personnel selection rules of the intelligence module 10, and can directly adjust the category of particular persons.
Preferably, the intelligent platform 100 can give corresponding investigation advice based on the importance degree of each case; for example, several cases of relatively high and relatively low importance may be worked simultaneously so that the intelligent platform 100 is used reasonably and efficiently. After obtaining the information on several involved websites in the first process, the execution module 20 may automatically associate it with historical investigation data and perform multi-dimensional association analysis on similar involved websites (web-page features, domain names) and similar involved persons (virtual IDs, mobile phone numbers, identification numbers, bank cards) to determine whether a serial or parallel case situation exists. Because serial and parallel cases usually involve many persons, large sums of money and a wide scope, and cause severe social harm, the execution module 20 can, once it judges that such a situation exists, merge the associated cases and investigate them together, and at the same time re-assign an importance degree to the merged serial case, which is usually higher than that of any single case.
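The approval gate described in this paragraph, as an added example rather than the patent's code: the administrative unit issues an approval listing the allowed commands, hosts and targets with a validity window, and the security module refuses any request that is not covered by an authentic, unexpired approval. The patent does not specify the cipher or key exchange, so this example authenticates the approval with an HMAC under a key assumed to be shared between the two parties, and the field names, sample key and sample values are constructed for the illustration.

```python
"""Approval-gated execution check (added illustration, not the patent's code).

Assumption: the approval command is authenticated with an HMAC under a key
shared between the administrative unit and the security module; a real
deployment would use the encrypted, key-matched approval the patent refers to.
"""
import hashlib
import hmac
import json


def issue_approval(key: bytes, commands, hosts, targets, not_before: int, expires: int) -> dict:
    """Administrative unit side: build an approval command and authenticate it."""
    body = {
        "commands": sorted(commands),
        "hosts": sorted(hosts),
        "targets": sorted(targets),
        "not_before": not_before,
        "expires": expires,
    }
    # Canonical encoding so the verifier recomputes the tag over identical bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_approval(key: bytes, approval: dict, now: int):
    """Security module side: return the approval body if it is authentic and
    inside its validity window, otherwise None."""
    expected = hmac.new(key, approval["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, approval["tag"]):   # constant-time compare
        return None
    body = json.loads(approval["payload"])
    if not (body["not_before"] <= now <= body["expires"]):
        return None
    return body


def authorize(key: bytes, approval: dict, command: str, host: str, target: str, now: int):
    """Decide whether one requested (command, host, target) triple is covered by
    the approval. Returns (allowed, reason); the execution module proceeds only on True."""
    body = verify_approval(key, approval, now)
    if body is None:
        return False, "approval missing, tampered or outside validity window"
    for field, value in (("commands", command), ("hosts", host), ("targets", target)):
        if value not in body[field]:
            return False, f"{field[:-1]} {value!r} not in approval"
    return True, "covered by approval"


if __name__ == "__main__":
    # Constructed sample approval: one command, one host, one target, valid 100..200.
    KEY = b"shared-approval-key"
    ap = issue_approval(KEY, ["collect_info"], ["host-a"], ["example.test"], 100, 200)
    print(authorize(KEY, ap, "collect_info", "host-a", "example.test", now=150))
    print(authorize(KEY, ap, "collect_info", "host-b", "example.test", now=150))
    print(authorize(KEY, ap, "collect_info", "host-a", "example.test", now=250))
```

Every denial carries a reason, which is what an audit log of the security module should record: a request that names a host or object outside the approval is the event a supervising entity wants to see, not silently drop.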
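One way to realise the data transmission signature chain mentioned earlier and the time-bound evidence hand-off described here, as an added example that is not the patent's code: each relay node signs over the previous hop's signature, the evidence digest, its own identifier and the forwarding time, so the archiving authority can detect altered evidence, a dropped or reordered hop, or a route other than the one configured. The patent does not say how relay transmission proof is produced, so this example assumes each node holds its own HMAC key known to the verifier; node names, keys and the evidence bytes are constructed.

```python
"""Per-hop signature chain for relayed evidence (added illustration, not the patent's code).

Assumption: each relay node holds its own HMAC key, and the verifying
authority knows all of them; this stands in for the relay transmission
proof and key binding the patent leaves unspecified.
"""
import hashlib
import hmac
import json


def evidence_digest(evidence: bytes) -> str:
    return hashlib.sha256(evidence).hexdigest()


def _hop_message(prev_sig: str, digest: str, node_id: str, ts: int) -> bytes:
    """Canonical bytes a hop signs: binds this hop to the previous signature."""
    return json.dumps({"prev": prev_sig, "digest": digest, "node": node_id, "ts": ts},
                      sort_keys=True, separators=(",", ":")).encode()


def append_hop(chain: list, node_id: str, node_key: bytes, evidence: bytes, ts: int) -> list:
    """A relay node extends the chain with its own signature."""
    prev_sig = chain[-1]["sig"] if chain else ""
    msg = _hop_message(prev_sig, evidence_digest(evidence), node_id, ts)
    sig = hmac.new(node_key, msg, hashlib.sha256).hexdigest()
    return chain + [{"node": node_id, "ts": ts, "sig": sig}]


def verify_chain(chain: list, node_keys: dict, evidence: bytes, expected_route=None):
    """Verifier side: recompute every hop in order. Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    if expected_route is not None and [h["node"] for h in chain] != list(expected_route):
        return False, "route differs from the configured relay order"
    digest = evidence_digest(evidence)
    prev_sig, prev_ts = "", None
    for i, hop in enumerate(chain):
        key = node_keys.get(hop["node"])
        if key is None:
            return False, f"hop {i}: unknown node {hop['node']}"
        if prev_ts is not None and hop["ts"] < prev_ts:
            return False, f"hop {i}: timestamp goes backwards"
        expected = hmac.new(key, _hop_message(prev_sig, digest, hop["node"], hop["ts"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, hop["sig"]):
            return False, f"hop {i}: signature by {hop['node']} does not verify"
        prev_sig, prev_ts = hop["sig"], hop["ts"]
    return True, "chain verifies"


if __name__ == "__main__":
    # Constructed sample: three relay nodes forward one evidence bundle.
    KEYS = {"n1": b"key-n1", "n2": b"key-n2", "n3": b"key-n3"}
    EVIDENCE = b"constructed evidence bundle"
    chain = []
    for node, ts in (("n1", 10), ("n2", 11), ("n3", 12)):
        chain = append_hop(chain, node, KEYS[node], EVIDENCE, ts)
    print(verify_chain(chain, KEYS, EVIDENCE, ["n1", "n2", "n3"]))
    print(verify_chain(chain, KEYS, EVIDENCE + b"!", ["n1", "n2", "n3"]))
```

Because each signature covers the previous one, removing or reordering a hop breaks every later signature; a single detached signature per hop would not give that property.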
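The serial/parallel case detection described above, as an added example that is not the patent's code: cases are linked when they share a normalized indicator (domain, phone number, virtual ID, identification number or bank card), connected groups are found with a union-find structure, and the merged group receives a higher importance than any single member. The normalization rules, the uplift formula and the sample cases are assumptions constructed for the illustration.

```python
"""Linking cases that share indicators (added illustration, not the patent's code).

Assumptions: the normalization rules and the uplift applied to a merged
case's importance are illustrative choices, not taken from the patent.
"""
from collections import defaultdict
import re


def normalize(kind: str, value: str) -> str:
    """Canonical form so trivially different spellings of one indicator still match."""
    v = value.strip()
    if kind == "domain":
        return v.lower().rstrip(".")
    if kind == "phone":
        return re.sub(r"\D", "", v)            # digits only
    if kind in ("virtual_id", "id_number", "bank_card"):
        return re.sub(r"\s+", "", v).lower()
    return v


class DisjointSet:
    """Union-find over case ids with path halving."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_cases(cases: dict):
    """cases: {case_id: {"importance": float, "indicators": [(kind, value), ...]}}.
    Returns (clusters, links): clusters is a list of sorted case-id lists and
    links maps each cluster index to the normalized indicators shared within it."""
    index = defaultdict(set)                   # (kind, normalized value) -> case ids
    for cid, rec in cases.items():
        for kind, value in rec["indicators"]:
            index[(kind, normalize(kind, value))].add(cid)
    ds = DisjointSet()
    for cid in cases:
        ds.find(cid)                           # register isolated cases too
    shared = {k: ids for k, ids in index.items() if len(ids) > 1}
    for ids in shared.values():
        first, *rest = sorted(ids)
        for other in rest:
            ds.union(first, other)
    groups = defaultdict(list)
    for cid in cases:
        groups[ds.find(cid)].append(cid)
    clusters = sorted(sorted(g) for g in groups.values())
    links = {
        i: sorted(k for k, ids in shared.items()
                  if ds.find(next(iter(ids))) == ds.find(cluster[0]))
        for i, cluster in enumerate(clusters)
    }
    return clusters, links


def merged_importance(cases: dict, cluster, uplift: float = 1.0) -> float:
    """Assumed rule: a merged serial case ranks at least as high as its highest
    member, plus a fixed uplift for each additional linked case."""
    return max(cases[c]["importance"] for c in cluster) + uplift * (len(cluster) - 1)


if __name__ == "__main__":
    # Constructed sample: A and B share a domain, B and C share a bank card, D is isolated.
    CASES = {
        "A": {"importance": 2.0, "indicators": [("domain", "Shop-Example.COM"), ("phone", "+86 138 0000 0001")]},
        "B": {"importance": 1.0, "indicators": [("domain", "shop-example.com"), ("bank_card", "6222 0000 1111")]},
        "C": {"importance": 3.0, "indicators": [("bank_card", "622200001111"), ("virtual_id", "user_x")]},
        "D": {"importance": 1.5, "indicators": [("virtual_id", "user_y")]},
    }
    clusters, links = link_cases(CASES)
    for i, cluster in enumerate(clusters):
        print(cluster, links[i], merged_importance(CASES, cluster))
```

Transitive linking is what turns two pairwise matches into one serial case: A and C never share an indicator directly but land in the same cluster through B.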
According to a preferred embodiment, the invention further discloses an application system of the intelligent platform 100, which may include the intelligent platform 100 and a collaboration end associated with it, so that an operator may apply for case collaboration when the intelligent platform 100 cannot provide effective help or provides insufficient data. Further, after the operator initiates collaboration, the intelligent platform 100 automatically and synchronously sends the reports generated in each sub-process of the action flow to the collaborators using the collaboration end, so that the collaborators can assist the operator in further completing the strike task against the involved website.
Preferably, the collaborator may receive a case collaboration request initiated by the intelligent platform 100 through the collaboration end, and during the collaboration may feed back the key nodes worked, the staged breakthroughs achieved, the key data obtained and so on to the intelligent platform 100, helping the operator carry out diffusion investigation quickly. After the collaboration is complete, the collaborators may submit a complete collaboration report to the intelligent platform 100 to assist in case archiving and replication.
According to a preferred embodiment, the present invention also discloses a method for applying the intelligent platform 100 in assisting criminal investigation, which may comprise the following steps:
Intelligence analysis and prediction: collecting information on the target organizations and/or persons within the key observation target range, delimiting the classes of key persons based on the dynamically changing relationships between persons, and constructing the related real-space and/or cyberspace relationships between persons;
Action flow: completing the action flow from information collection to authority acquisition through a first process, a second process and a third process, wherein the first process can carry out rapid information collection on the target website and perform automatic association and information collection on the target's associated assets; the second process can carry out deep analysis of the target to determine the available vulnerabilities; and the third process can attack based on the discovered available vulnerabilities to obtain the authority or key data corresponding to the target.
It should be noted that the above embodiments are exemplary, and that those skilled in the art, having the benefit of this disclosure, may devise various solutions that fall within the scope of this disclosure and of the invention. Those skilled in the art should understand that the present specification and figures are illustrative only and do not limit the claims. The scope of the invention is defined by the claims and their equivalents. The present description contains several inventive concepts, marked by "preferably", "according to a preferred embodiment" or "optionally", each indicating that the respective paragraph discloses a separate concept; the applicant reserves the right to file divisional applications for each inventive concept. Throughout this document, features referred to as "preferably" are optional only and should not be understood as required; the applicant reserves the right to disclaim or delete any such preferred feature at any time.

Claims (10)

1. An intelligent platform (100), comprising:
an intelligence module (10) for collecting various types of intelligence information to perform case analysis and prediction,
an execution module (20) for executing operations from information gathering to rights acquisition on case objects,
characterized in that:
the intelligence module (10) can enter target organizations and/or persons into a key observation target range in advance based on a specific selection rule, wherein the first class of key persons consists of persons meeting the specific selection rule of the intelligence module (10) and/or designated persons, the specific selection rule being at least that persons with a prior record of deviant behaviour, the organizations they belong to, and the other persons in those organizations are entered into the key observation target range in advance by the intelligence module (10); the second class of key persons consists of persons having a specific relationship with the first class of key persons, the specific relationship comprising a real-space relationship and/or a cyberspace relationship, the real-space relationship being established from trajectories covering living, studying and/or working aspects, and the cyberspace relationship being reconstructed from databases built for the corresponding key persons, including a person library, an organization library and a virtual-identity crypt-translation library, the reconstructed cyberspace relationship comprising person profile, reputation rating, character rating, personnel relations, interpersonal relations and spatio-temporal positioning; and the intelligence information obtained by the intelligence module (10), which contains asset-related information, can be used by the execution module (20), so that when collecting information on a case object the execution module (20) can associate and collect the main system objects related to the assets of the target organizations and/or persons and form a graphical relationship tree.
2. The intelligent platform (100) according to claim 1, wherein the intelligence module (10) obtains corresponding intelligence information by dynamically classifying each key person, and determines the case setting situation and the importance degree of the case after setting after analyzing and predicting the intelligence information.
3. The intelligent platform (100) according to claim 2, wherein the execution module (20) performs attack operation in a manner of raising priority on target organizations and/or persons with relatively higher relevance based on the formed graphical relationship tree, wherein the priority ranking of the execution module (20) for a plurality of targets of the same case is related to the graphical relationship tree formed by the case, and the execution module (20) needs to refer to the importance degree of each case when processing a plurality of cases.
4. The intelligent platform (100) according to claim 3, wherein the importance level of each case is assigned an initial value by the security module (30), and the security module (30) adjusts the importance level of the case in charge of the corresponding execution module (20) according to the change factor of each case.
5. The intelligent platform (100) according to claim 4, wherein the security module (30) grants corresponding capabilities to the execution module (20) that handles the respective case based on the importance level of each case, wherein the anonymous network link established by the security module (30) can cover the auxiliary criminal investigation process by means of multiple encryption and multiple node jumps when the intelligence module (10) performs intelligence information collection operations and/or when the execution module (20) performs investigation operations and attack operations.
6. The intelligent platform (100) according to claim 5, wherein when the security module (30) is deployed in a plurality of attack hosts in different regions, and the attack hosts attack targets according to the priority, the selected attack hosts can receive attack codes sent by the execution module (20) through the established anonymous network link to execute breakthrough attack on the targets, wherein the attack codes can be transmitted in the anonymous network link in a random jump manner, and nodes through which the attack codes are transmitted can be variably set by the security module (30).
7. The intelligent platform (100) according to claim 6, wherein the execution module (20) performs a fast information collection task on a target website in a first process, and performs automatic association and information collection on a target associated asset; performing deep analysis on the target website in a second process to determine available vulnerabilities; and attacking based on the found available vulnerability in the third process to acquire the corresponding authority or key data of the target website.
8. The intelligent platform (100) according to claim 7, wherein the tools required by the execution module (20) to perform the action flow are built into the tool module (40) so that the execution module (20) can invoke the tools in the tool module (40) after authorization by the security module (30).
9. An application system of an intelligent platform in assisting criminal investigation, which is characterized in that the application system at least comprises the intelligent platform (100) according to any one of claims 1 to 8 and a collaboration end associated with the intelligent platform (100), wherein the collaboration end can receive a case collaboration request initiated by the intelligent platform (100) and assist an operator in completing investigation and attack tasks of a case-involved website by performing information interaction with the intelligent platform (100).
10. A method of applying the intelligent platform (100) according to any one of claims 1 to 8 in assisted criminal investigation, characterized in that the method of applying comprises the following steps:
Intelligence analysis and prediction: collecting information on the target organizations and/or persons within the key observation target range, analyzing and predicting cases based on the collected information, delimiting the classes of key persons according to the dynamically changing relationships between persons, constructing the related real-space and/or cyberspace relationships between persons, and forming a graphical relationship tree based on the target's associated assets;
Action flow: completing the full operation from information collection to authority acquisition through a first process, a second process and a third process, wherein the first process carries out rapid information collection on the target website and performs automatic association and information collection on the target's associated assets; the second process carries out deep analysis of the target website to determine the available vulnerabilities; and the third process attacks based on the found available vulnerabilities to acquire the authority or key data corresponding to the target website.
CN202211330734.7A 2022-10-28 2022-10-28 Intelligent platform and application method and system thereof in auxiliary criminal investigation Active CN115396239B (en)

Publications (2)

Publication Number Publication Date
CN115396239A CN115396239A (en) 2022-11-25
CN115396239B true CN115396239B (en) 2023-01-24




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant