CN115426198B - Information processing method, device, equipment and storage medium - Google Patents


Info

Publication number
CN115426198B
Authority
CN
China
Prior art keywords
information
model
intelligence
data
abnormal information
Legal status
Active
Application number
CN202211353751.2A
Other languages
Chinese (zh)
Other versions
CN115426198A (en)
Inventor
王三超
范渊
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN202211353751.2A
Publication of CN115426198A
Application granted
Publication of CN115426198B

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L63/00 Network architectures or network communication protocols for network security / H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources / H04L63/101 Access control lists [ACL]
    • G PHYSICS / G06 COMPUTING; CALCULATING OR COUNTING / G06F ELECTRIC DIGITAL DATA PROCESSING / G06F16/00 Information retrieval; Database structures therefor; File system structures therefor / G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data / G06F16/23 Updating
    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L63/00 Network architectures or network communication protocols for network security / H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic / H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic / H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L63/00 Network architectures or network communication protocols for network security / H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic / H04L63/1441 Countermeasures against malicious traffic

Abstract

The application discloses an intelligence information processing method, device, equipment and storage medium in the technical field of computers, comprising the following steps: receiving, through an intelligence learning engine, current abnormal intelligence data sent by a product side, and judging whether an abnormal intelligence library contains data corresponding to the current abnormal intelligence data; if not, generating a target model from an updated abnormal intelligence library obtained on the basis of the current abnormal intelligence data; and pushing the target model to the product side so that the product side updates its local model with the target model through an intelligence model maintenance engine and processes the intelligence it receives with the resulting updated model. Because abnormal intelligence data is exchanged between the threat intelligence cloud platform and the product side, the target model is generated and updated from the received current abnormal intelligence data, and intelligence is processed with the updated model, timeliness and accuracy are improved and the continuity and security of the service are guaranteed.

Description

Information processing method, device, equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an intelligence information processing method, apparatus, device, and storage medium.
Background
Threat intelligence here refers to blacklisted IP addresses (Internet Protocol addresses) with threat capability. Most products in the industry are paired with a threat intelligence detection capability, which is a main pillar of the security of customer services. However, threat intelligence in the industry provides only a basic original intelligence model: every customer receives the same intelligence, without customization, and abnormal intelligence can neither be discovered nor managed automatically. At present the threat intelligence industry essentially provides unified intelligence data. Although the data is unified, the real situation is that customer services and deployment environments differ, which can cause a very serious problem: services that should be blocked are not blocked, and services that should not be blocked are blocked. Moreover, at present intelligence is only detected, abnormal intelligence is found manually, and the product side periodically checks the threat intelligence platform for a new intelligence model, so the timeliness of the intelligence model cannot be guaranteed.
Disclosure of Invention
In view of the above, the present invention provides an intelligence information processing method, apparatus, device and storage medium that can improve timeliness and accuracy and ensure the continuity and security of the service. The specific scheme is as follows:
In a first aspect, the present application discloses an intelligence information processing method applied to a threat intelligence cloud platform, comprising:
receiving, through an intelligence learning engine, current abnormal intelligence data sent by a product side, and judging whether an abnormal intelligence library contains data corresponding to the current abnormal intelligence data;
if the abnormal intelligence library does not contain data corresponding to the current abnormal intelligence data, generating a target model from an updated abnormal intelligence library obtained on the basis of the current abnormal intelligence data;
and pushing the target model to the product side so that the product side updates a local model with the target model through an intelligence model maintenance engine, and processes the intelligence it receives with the resulting updated model.
Optionally, before the intelligence learning engine receives the current abnormal intelligence data sent by the product side, the method further comprises:
judging in real time whether the basic intelligence model has changed;
if the basic intelligence model has changed, actively executing the step of receiving the current abnormal intelligence data sent by the product side through the intelligence learning engine;
if the basic intelligence model has not changed, monitoring the product side through the intelligence learning engine so that the step of receiving the current abnormal intelligence data sent by the product side is executed as soon as current abnormal intelligence data exists on the product side.
Optionally, generating the target model from the updated abnormal intelligence library obtained on the basis of the current abnormal intelligence data comprises:
obtaining the updated abnormal intelligence library on the basis of the current abnormal intelligence data;
generating the target model from the updated abnormal intelligence library and the original intelligence data in the abnormal intelligence library;
and storing the target model in an intelligence model library.
Optionally, after generating the target model from the updated abnormal intelligence library obtained on the basis of the current abnormal intelligence data, the method further comprises:
sending the target model to an intelligence detection engine, and obtaining, through the intelligence detection engine, the model version download information in the intelligence download record;
judging whether the target version information of the target model is higher than the model version download information in the intelligence download record;
correspondingly, pushing the target model to the product side comprises:
if the target version information is higher than the model version download information, pushing the target model to the product side through a model push engine.
Optionally, before the intelligence learning engine receives the current abnormal intelligence data sent by the product side, the method further comprises:
after the intelligence control engine on the product side receives user service intelligence information sent by an input module, executing a preset intelligence database matching (collision) operation on the user service intelligence information against a local intelligence library, to obtain blocked-service intelligence information and released-service intelligence information;
sending the blocked-service intelligence information to an abnormal intelligence discovery engine, which judges by a preset abnormal intelligence judgment rule whether the blocked-service intelligence information is abnormal intelligence data;
if the blocked-service intelligence information is abnormal intelligence data, determining it as the current abnormal intelligence data and reporting the current abnormal intelligence data to the intelligence learning engine.
Optionally, after reporting the current abnormal intelligence data to the intelligence learning engine, the method further comprises:
adding the current abnormal intelligence data to a whitelist so as to change the handling applied to the current abnormal intelligence data.
Optionally, pushing the target model to the product side so that the product side updates the local model with the target model through the intelligence model maintenance engine and processes the intelligence it receives with the resulting updated model comprises:
pushing the target model to the product side so that the product side judges, through the intelligence model maintenance engine, whether the target version information is higher than the local version information of the local model; if so, pulling the target model downloaded through the intelligence download engine of the threat intelligence cloud platform, updating the local model with the target model to obtain the updated model, processing the intelligence received by the product side with the updated model, updating the local intelligence library to obtain a target local intelligence library, and, once the update is finished, sending an emptying instruction to the whitelist.
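The product-side engines described in the optional steps above (intelligence control engine, abnormal intelligence discovery engine, whitelist, and intelligence model maintenance engine), as an added Python illustration that is not code from the patent or from DBAPPSecurity. The data model is assumed, since the patent fixes none: an intelligence entry is a blacklisted IP string, a user service intelligence record is a (source IP, service) pair, and the preset abnormal intelligence judgment rule is taken to be "a blocked source address lies in a customer-defined trusted network". The `pull` callback stands in for the intelligence download engine, and every address is a constructed documentation-range IP.

```python
"""Product-side engines of the disclosure (added illustration, not the patent's code).

Assumed data model (not fixed by the patent): an intelligence entry is a blacklisted
IP string; a user service intelligence record is a (source IP, service) pair; the preset
abnormal-intelligence judgment rule is "blocked source lies in a trusted CIDR range".
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class LocalModel:
    version: int
    blocked_ips: frozenset


@dataclass
class ProductSide:
    local_model: LocalModel
    trusted_networks: list                        # customer assets that must never be blocked
    whitelist: set = field(default_factory=set)   # abnormal entries awaiting a new model
    reported: list = field(default_factory=list)  # what was sent to the learning engine

    # Intelligence control engine: match service records against the local library.
    def control(self, records):
        block, release = [], []
        for src, service in records:
            hit = src in self.local_model.blocked_ips and src not in self.whitelist
            (block if hit else release).append((src, service))
        return block, release

    # Abnormal intelligence discovery engine: the preset judgment rule (assumed).
    def is_abnormal(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.trusted_networks)

    def discover_and_report(self, block):
        abnormal = sorted({src for src, _ in block if self.is_abnormal(src)})
        self.reported.extend(abnormal)
        # Whitelisting changes the handling of these entries until the new model arrives.
        self.whitelist.update(abnormal)
        return abnormal

    # Intelligence model maintenance engine: version check, pull, update, empty whitelist.
    def maintain(self, target_version, pull):
        if target_version <= self.local_model.version:
            return False          # not newer than the local model: nothing pulled
        self.local_model = pull()
        self.whitelist.clear()    # the new model already excludes the abnormal entries
        return True


def demo():
    """Constructed sample run (documentation-range IPs, not real intelligence)."""
    product = ProductSide(
        local_model=LocalModel(1, frozenset({"203.0.113.5", "198.51.100.7", "10.0.0.5"})),
        trusted_networks=[ipaddress.ip_network("10.0.0.0/8")],
    )
    records = [("203.0.113.5", "web"), ("10.0.0.5", "db"), ("192.0.2.1", "web")]
    out = {}
    block, release = product.control(records)
    out["block1"] = sorted(src for src, _ in block)      # internal db host wrongly blocked
    out["release1"] = sorted(src for src, _ in release)
    out["abnormal"] = product.discover_and_report(block)  # reported and whitelisted
    block, _ = product.control(records)
    out["block2"] = sorted(src for src, _ in block)      # whitelisted entry now released
    out["stale"] = product.maintain(1, pull=lambda: None)
    out["updated"] = product.maintain(
        2, pull=lambda: LocalModel(2, frozenset({"203.0.113.5", "198.51.100.7"})))
    out["whitelist_after"] = sorted(product.whitelist)
    block, _ = product.control(records)
    out["block3"] = sorted(src for src, _ in block)      # same verdict, now from the model
    return out
```

The whitelist is only a bridge: it changes the verdict for the reported entries between the report and the arrival of the target model, and is emptied once the updated model (which no longer contains those entries) is in place, so the same verdict is then produced by the model rather than by an exception list.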
In a second aspect, the present application discloses an intelligence information processing apparatus applied to a threat intelligence cloud platform, comprising:
a data receiving module for receiving, through an intelligence learning engine, current abnormal intelligence data sent by a product side;
a data judgment module for judging whether an abnormal intelligence library contains data corresponding to the current abnormal intelligence data;
a model generation module for generating a target model from an updated abnormal intelligence library obtained on the basis of the current abnormal intelligence data if the abnormal intelligence library does not contain data corresponding to the current abnormal intelligence data;
and a model updating module for pushing the target model to the product side so that the product side updates its local model with the target model through an intelligence model maintenance engine and processes the intelligence it receives with the resulting updated model.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the intelligence information processing method disclosed above.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the intelligence information processing method disclosed above.
Therefore, the application provides an intelligence information processing method comprising the following steps: receiving, through an intelligence learning engine, current abnormal intelligence data sent by a product side, and judging whether an abnormal intelligence library contains data corresponding to the current abnormal intelligence data; if the abnormal intelligence library does not contain such data, generating a target model from an updated abnormal intelligence library obtained on the basis of the current abnormal intelligence data; and pushing the target model to the product side so that the product side updates a local model with the target model through an intelligence model maintenance engine and processes the intelligence it receives with the resulting updated model. Thus, abnormal intelligence data is exchanged between the threat intelligence cloud platform and the product side, whether a new model needs to be generated is judged from the received current abnormal intelligence data, and if so the target model is generated and sent to the product side for the model update; the product side then processes intelligence with the updated model, which improves timeliness and accuracy and guarantees the continuity and security of the service.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of a method for processing information disclosed in the present application;
FIG. 2 is a flow chart of a specific method for processing information disclosed in the present application;
FIG. 3 is a flow chart of a specific method for processing information disclosed in the present application;
FIG. 4 is a flow chart of a specific information processing method disclosed in the present application;
FIG. 5 is a schematic diagram of an information processing apparatus according to the present application;
FIG. 6 is a block diagram of an electronic device provided in the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
At present, threat intelligence refers to blacklisted IP addresses with threat capability. Most products in the industry are paired with a threat intelligence detection capability, which gives strong control over the security of customer services. However, threat intelligence in the industry currently provides only a basic original intelligence model: all customers receive identical intelligence without customization, and abnormal intelligence can neither be discovered nor managed automatically. The application therefore provides an intelligence information processing method that can improve timeliness and accuracy and ensure the continuity and security of the service.
The embodiment of the invention discloses an intelligence information processing method applied to a threat intelligence cloud platform; as shown in FIG. 1, the method comprises the following steps:
Step S11: receiving, through an intelligence learning engine, current abnormal intelligence data sent by the product side, and judging whether the abnormal intelligence library contains data corresponding to the current abnormal intelligence data.
In this embodiment, the intelligence learning engine receives the current abnormal intelligence data sent by the product side and judges whether the abnormal intelligence library contains data corresponding to it. Specifically, whether the basic intelligence model has changed is judged in real time. If the basic intelligence model has changed, the step of receiving the current abnormal intelligence data from the product side through the intelligence learning engine is executed actively; if it has not changed, the intelligence learning engine monitors the product side so that the receiving step is executed as soon as current abnormal intelligence data exists there. In one specific embodiment, when the basic intelligence model is updated, the intelligence learning engine actively fetches the current abnormal intelligence data of the product side, removes the abnormal entries from the intelligence data corresponding to the basic intelligence model according to that data, and finally updates the intelligence models of all customers in the intelligence model library (also called the threat intelligence library). In another specific embodiment, when the basic intelligence model has not changed, the intelligence learning engine monitors in real time the abnormal intelligence data submitted by the product side and at the same time actively fetches the customer's current abnormal intelligence data from the abnormal intelligence library; if the received current abnormal intelligence data already exists there, the current intelligence model is already the model generated from that data.
If the received current abnormal intelligence data does not exist there, the abnormal intelligence library needs to be updated; at the same time the intelligence learning engine fetches the intelligence model currently used by the user, removes the abnormal intelligence data from the intelligence data corresponding to that model, generates a new intelligence model (the target model) and updates the intelligence model library. The abnormal intelligence library mainly stores the intelligence data defined by the customer and the current abnormal intelligence data found automatically by the abnormal intelligence discovery engine; its main purpose is to provide a reference exclusion list for new intelligence modelling. The intelligence model library (also called the threat intelligence library) stores the intelligence model of each particular customer (for example, a customer name, customer token or customer UUID serves as the unique identifier that indexes the intelligence model belonging to that customer).
Step S12: and if the abnormal information base does not contain data corresponding to the current abnormal information data, generating a target model through an updated abnormal information base obtained based on the current abnormal information data.
In this embodiment, after determining whether the anomaly information base includes data corresponding to the current anomaly information data, if the anomaly information base does not include data corresponding to the current anomaly information data, the target model is generated by an updated anomaly information base obtained based on the current anomaly information data. It can be understood that, if the abnormal information base does not contain the data corresponding to the current abnormal information data, the surface threat information pan-tilt does not identify the current abnormal information data reported by the product side, so the current abnormal information data is used for updating the abnormal information base at the moment to obtain an updated abnormal information base, and then the updated abnormal information base is used for generating a corresponding target model.
Step S13: and pushing the target model to the product side so that the product side can update a local model by using the target model through an information model maintenance engine, and processing information received by the product side by using the obtained updated model.
In this embodiment, after a target model is generated by an updated abnormal information library obtained based on the current abnormal information data, the target model is pushed to the producer, so that the producer can update a local model by using the target model through an information model maintenance engine, and process information received by the producer by using the obtained updated model. It is understood that the client may perform active or passive update at the step of model update. The only difference between the active update and the passive update is that the active update is artificially and actively triggered to update the local intelligence database data, and the logic of the active update is the same as the logic of the passive update for processing abnormal intelligence.
The method mainly comprises four parts. First, the threat intelligence cloud platform constructs a threat intelligence model in real time through the intelligence learning engine, determines the latest constructed threat intelligence model as the target model and pushes it in real time, so that the timeliness and accuracy of the model are precisely controlled. It should be noted that the intelligence model is built on the basis of the original intelligence data, driven by the current abnormal intelligence data, and with the customer as the object for which the model is built. Second, an automatic abnormal intelligence discovery service is provided for the product side: discovery of abnormal intelligence is completed automatically, the abnormal intelligence can be sent promptly to the intelligence learning engine of the threat intelligence cloud platform, and a specific intelligence model is then constructed for the specific customer. Third, after construction of the new intelligence model (the target model) is completed, the threat intelligence cloud platform pushes the target model to the customer side through the intelligence push engine. Fourth, the intelligence model maintenance engine on the product side updates the currently used model (the local model) with the received target model, along with other necessary configuration.
The method constructs an intelligence model centred on the customer object, based on the original intelligence data and driven by abnormal intelligence; this definition of the intelligence model departs from the traditional one. An intelligence learning engine is constructed that models dynamically in real time, driven by abnormal intelligence and based on real-time intelligence, so that the intelligence model has a learning capability that traditional approaches lack. Abnormal intelligence is discovered and managed automatically, which fills another traditional gap, and real-time pushing of the intelligence model solves the traditional timeliness problem. Abnormal intelligence is discovered automatically, model updates are pushed, and the service is managed and controlled dynamically without human participation at any point, so that the proper handling of abnormal intelligence is guaranteed from both the cloud platform and the product side, which in turn ensures the protection and continuity of customer services.
Therefore, the application provides an intelligence information processing method comprising the following steps: receiving, through an intelligence learning engine, current abnormal intelligence data sent by a product side, and judging whether an abnormal intelligence library contains data corresponding to the current abnormal intelligence data; if the abnormal intelligence library does not contain such data, generating a target model from an updated abnormal intelligence library obtained on the basis of the current abnormal intelligence data; and pushing the target model to the product side so that the product side updates a local model with the target model through an intelligence model maintenance engine and processes the intelligence it receives with the resulting updated model. Thus, abnormal intelligence data is exchanged between the threat intelligence cloud platform and the product side, whether a new model needs to be generated is judged from the received current abnormal intelligence data, and if so the target model is generated and sent to the product side for the model update; the product side then processes intelligence with the updated model, which improves timeliness and accuracy and guarantees the continuity and security of the service.
Referring to FIG. 2, the embodiment of the present invention discloses an intelligence information processing method that, compared with the previous embodiment, further describes and optimizes the technical solution.
Step S21: receiving, through an intelligence learning engine, current abnormal intelligence data sent by the product side, and judging whether the abnormal intelligence library contains data corresponding to the current abnormal intelligence data.
Step S22: if the abnormal intelligence library does not contain data corresponding to the current abnormal intelligence data, obtaining the updated abnormal intelligence library on the basis of the current abnormal intelligence data.
In this embodiment, after judging whether the abnormal intelligence library contains data corresponding to the current abnormal intelligence data, if it does not, the updated abnormal intelligence library is obtained on the basis of the current abnormal intelligence data. If the abnormal intelligence library does contain corresponding data, that data is fetched from the library and it is further judged whether it is identical to the received current abnormal intelligence data; if so, the step of obtaining the updated abnormal intelligence library on the basis of the current abnormal intelligence data is performed directly; if not, the data provided by the customer takes precedence, and the step of obtaining the updated abnormal intelligence library is performed according to the current abnormal intelligence data provided by the customer.
Step S23: generating the target model from the updated abnormal intelligence library and the original intelligence data in the abnormal intelligence library, and storing the target model in the intelligence model library.
In this embodiment, after the updated abnormal intelligence library has been obtained on the basis of the current abnormal intelligence data, the target model is generated from the updated abnormal intelligence library and the original intelligence data in the abnormal intelligence library, and the target model is stored in the intelligence model library. It is understood that the intelligence model library contains the intelligence model generated each time.
Step S24: sending the target model to an intelligence detection engine, and obtaining, through the intelligence detection engine, the model version download information in the intelligence download record.
In this embodiment, after the target model has been stored in the intelligence model library, it is sent to the intelligence detection engine, which obtains the model version download information from the intelligence download record so as to determine whether the target model is the latest model. It should be noted that the model version download information comprises the version information recorded each time the product side downloads a model; the intelligence download record is mainly used to record which intelligence model the current customer is actually using.
Step S25: judging whether the target version information of the target model is higher than the model version download information in the intelligence download record.
In this embodiment, after the intelligence detection engine has obtained the model version download information from the intelligence download record, it is judged whether the target version information of the target model is higher than that download information. It can be understood that if the target version information is less than or equal to the model version download information in the intelligence download record, the model currently used by the product side is already the latest version, and the local model of the product side does not need to be updated.
Step S26: if the target version information is higher than the model version download information, pushing the target model to the product side through a model push engine so that the product side updates a local model with the target model through an intelligence model maintenance engine and processes the intelligence it receives with the resulting updated model.
In this embodiment, after judging whether the target version information of the target model is higher than the model version download information in the intelligence download record, if it is, the target model is pushed to the product side by the model push engine, so that the product side updates its local model with the target model through the intelligence model maintenance engine and processes the intelligence it receives with the resulting updated model. It can be understood that if the target version information is higher than the model version download information, the local model on the product side is not the latest model, and it needs to be updated with the target model generated by the cloud platform.
Specifically, the intelligence detection engine compares the intelligence model version in the threat intelligence library with the version recorded for the specific customer in the intelligence download record: if the version in the threat intelligence library is greater than the version in the intelligence download record, the target model is pushed to the intelligence model maintenance engine of the product side; otherwise, no processing is performed.
It is to be appreciated that the intelligence learning engine is used for dynamic generation of intelligence models; the intelligence detection engine is used for detecting whether the current intelligence model is the latest model, ensuring the timeliness of the intelligence model; the intelligence download engine is used for providing the latest intelligence model to the client; the abnormal intelligence discovery engine is used for automatically discovering and managing abnormal intelligence; the intelligence control engine is used for matching services against intelligence and controlling the action taken after a match; and the intelligence model maintenance engine is used for guaranteeing the download of the intelligence model and the recovery of abnormal intelligence handling. It should be noted that the abnormal intelligence discovery engine also accepts custom abnormal intelligence inputs, so that abnormal intelligence data can be marked manually.
For the details of the step S21, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
Therefore, the embodiment of the application receives the current abnormal information data sent by a product side through the information learning engine and judges whether the abnormal information library contains data corresponding to the current abnormal information data or not; if not, obtaining the updated abnormal information library based on the current abnormal information data; generating the target model through the updated abnormal information library and the original information data in the abnormal information library, and storing the target model in an information model library; sending the target model to an intelligence detection engine, and obtaining model version downloading information in an intelligence downloading record through the intelligence detection engine; judging whether the target version information of the target model is larger than the model version downloading information in the information downloading record or not; and if the target version information is larger than the model version downloading information, pushing the target model to the product side through a model pushing engine so that the product side can update a local model through an information model maintenance engine and by using the target model, and processing the information received by the product side by using the obtained updated model, thereby improving timeliness and accuracy and ensuring service continuity and safety.
Referring to fig. 3, the embodiment of the present invention discloses an intelligence information processing method, and compared with the previous embodiment, the present embodiment further describes and optimizes the technical solution.
Step S31: and after the intelligence control engine of the product side receives the user service intelligence information sent by the input module, executing preset intelligence information database collision operation based on the user service intelligence information and a local intelligence database to obtain blocking service intelligence information and releasing service intelligence information.
In this embodiment, after the intelligence control engine of the product side receives the user service intelligence information sent by the input module, a preset intelligence information database collision operation is executed based on the user service intelligence information and the local intelligence database to obtain blocking service intelligence information and releasing service intelligence information.
It can be understood that, as shown in fig. 4, the present solution mainly comprises two large modules, a threat intelligence platform and a threat intelligence docking product. The threat intelligence platform mainly comprises the following modules: an abnormal intelligence library, a threat intelligence library, an intelligence download record, an intelligence learning engine, an intelligence detection engine and an intelligence download engine. The threat intelligence docking product mainly comprises the following modules: an input module, an abnormal intelligence discovery engine, an intelligence control engine and an intelligence model maintenance engine.
Specifically, the service traffic of a user is first received through the input module in the threat intelligence docking product. The intelligence control engine in the threat intelligence docking product then performs library collision processing on the acquired user service traffic (that is, matches it against the data in the local intelligence library): if the match fails, the service traffic is released; if the match succeeds, the service traffic is blocked, and the blocked service traffic is sent to the abnormal intelligence discovery engine in the threat intelligence docking product. In the abnormal intelligence discovery engine, the blocked service traffic is first monitored and analysed; if the blocked service traffic does not exceed a preset percentage, no processing is performed. If the blocked service traffic (that is, the intelligence interception traffic) exceeds the preset percentage, the blocked service traffic is judged to be abnormal intelligence (that is, traffic that should not have been blocked but was), the blocked service traffic is added to a service-layer white list and noted as abnormal intelligence, and the abnormal intelligence is reported to the intelligence learning engine in the threat intelligence platform.
The intelligence learning engine performs an inclusion check on the abnormal intelligence: it obtains the current abnormal intelligence from the abnormal intelligence library and judges whether that current abnormal intelligence already contains the abnormal intelligence uploaded by the abnormal intelligence discovery engine; if it does, no processing is performed, and if it does not, the intelligence learning engine uploads the abnormal intelligence to the abnormal intelligence library. The abnormal intelligence library updates the intelligence it currently contains according to the abnormal intelligence received from the intelligence learning engine, obtaining updated intelligence. The updated intelligence in the abnormal intelligence library is then sent to the original intelligence data update module in the intelligence learning engine. In the original intelligence data update module, the updated model is obtained from the original intelligence data and the updated intelligence in the abnormal intelligence library, and the updated model is uploaded to the threat intelligence library in the threat intelligence platform, where the threat intelligence library holds the model from each update. The latest updated model in the threat intelligence library is then sent to the intelligence detection engine, which at the same time obtains the intelligence model version recorded in the intelligence download record. The intelligence detection engine judges whether the version of the latest updated model in the threat intelligence library is greater than the intelligence model version recorded in the intelligence download record; if not, no processing is performed, and if so, the latest updated model version in the threat intelligence library is sent to the intelligence model maintenance engine in the threat intelligence docking product through the intelligence push engine in the intelligence detection engine.
The intelligence model maintenance engine judges whether the model version received from the intelligence push engine is greater than the local intelligence version of the threat intelligence docking product. If not, no processing is performed; if so, the latest version of intelligence is pulled (that is, the latest model version is downloaded from the intelligence download engine in the threat intelligence platform through the intelligence model maintenance engine, the intelligence download engine at this time obtaining the latest model version from the threat intelligence library for the intelligence model maintenance engine to download). After the download succeeds, the intelligence download engine updates the intelligence download record according to the download; if the download fails, the step of downloading the latest intelligence model is executed again. Meanwhile, after the intelligence model maintenance engine has downloaded the latest version of intelligence, it uses the acquired latest version to update the local intelligence library, so that when user service traffic is received next time, the intelligence control engine can perform library collision processing with the updated local intelligence library and the acquired user service traffic. In addition, after the latest version of intelligence is pulled, the white list entries noted as abnormal intelligence are cleaned up according to the latest version.
The product side obtains user service intelligence information (that is, user service traffic) through the input module, and the input module sends the user service intelligence information to the intelligence control engine of the product side. The intelligence control engine then performs the service data collision operation on the user service intelligence information against the local intelligence library, after which information that does not conform to the preset rules of the collision library is determined as blocked service intelligence information, and information that conforms to the preset rules is determined as released service intelligence information.
It can be understood that some information in the user service information may be set as illegal information to be blocked, but in the operating environment of the current product side, the information is legal, at this time, the model used by the product side blocks the information according to a preset blocking rule, at this time, further judgment operation needs to be performed on the blocked information, so as to judge whether the blocked information is misjudged, if yes, the blocked information is determined as current abnormal information data and subsequent current abnormal information data reporting processing is performed, and if not, the current model is kept unchanged, that is, the blocked information is not required to be reported.
Step S32: and sending the blocking service information to an abnormal information discovery engine so as to judge whether the blocking service information is abnormal information data or not through a preset abnormal information judgment rule.
In this embodiment, after the blocked service intelligence information and the released service intelligence information are obtained, the blocked service intelligence information is sent to the abnormal intelligence discovery engine, so as to determine whether it is abnormal intelligence data according to a preset abnormal intelligence determination rule, as shown in fig. 4. Specifically, the abnormal intelligence discovery engine obtains, in real time from the intelligence control engine, the request frequency and the service flow (newly built and concurrent connections) of the blocked service intelligence information and their ratio to the whole flow: the two dimensions, request frequency and service flow, are taken as numerators, the whole flow is taken as the denominator, the resulting ratio is compared with a preset threshold, and in this way it is judged whether the blocked service intelligence information is abnormal intelligence data. For example, if the intelligence control engine blocks one or more services within one minute, but the proportion of those services in the whole service traffic exceeds 80%, the intelligence is most likely false intelligence, that is, the blocked information was misjudged, and abnormal intelligence management is needed at this time; otherwise more than 80% of the client's services would be blocked, which is unreasonable.
It should be noted that the preset abnormal intelligence determination rule may be another defined rule; the definition of abnormal intelligence must come from the actual environment of the client. For example, a public network IP may be listed as a black IP, and that is genuine intelligence for other clients, but if one of this client's own services uses that public network IP, the intelligence is false for this client.
Step S33: if the blocking service information is the abnormal information data, determining the blocking service information as the current abnormal information data, and reporting the current abnormal information data to the information learning engine.
In this embodiment, after determining whether the blocking service information is abnormal information data by a preset abnormal information determination rule, if the blocking service information is the abnormal information data, the blocking service information is determined as the current abnormal information data, and the current abnormal information data is reported to the information learning engine. And if the blocking service information is not the abnormal information data, no processing is carried out.
Step S34: and adding the current abnormal intelligence data to a white list so as to modify a processing method corresponding to the current abnormal intelligence data.
In this embodiment, after the blocked service intelligence information is determined as the current abnormal intelligence data, the current abnormal intelligence data is added to a white list so as to modify the processing method corresponding to it. It can be understood that all current abnormal intelligence data in the white list is misjudged data, and when the intelligence control engine again receives the user service intelligence information sent by the input module, it can release that information according to the white list, that is, no blocking operation is performed. At this point the abnormal intelligence discovery engine adds an abnormal intelligence white list rule and at the same time reports the current abnormal intelligence data to the intelligence learning engine of the threat intelligence platform, and the intelligence learning engine builds a new model according to the abnormal intelligence library and the current intelligence model, so as to complete the subsequent push and download of the latest model.
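The product-side procedure of steps S31 to S34 (library collision, blocking, the ratio-based abnormal intelligence judgment and the white list) is illustrated below. This is an added example, not code from the patent or from DBAPPSecurity; the class and field names, the "either dimension exceeds the threshold" reading of the two-dimension rule, the 80% threshold being a configurable constant, and the sample flows (TEST-NET addresses) are all assumptions constructed for the illustration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# The 80% figure from the text, treated here as a configurable threshold (assumption).
BLOCK_RATIO_THRESHOLD = 0.80


@dataclass(frozen=True)
class Flow:
    """One user service flow observed in the window (constructed sample input)."""
    dst_ip: str      # indicator matched against the local intelligence library
    requests: int    # request frequency within the window
    new_conns: int   # newly built / concurrent connections within the window


class IntelControlEngine:
    """Product-side control engine: library collision of flows against the local library."""

    def __init__(self, local_intel: set[str]) -> None:
        self.local_intel = set(local_intel)
        self.whitelist: set[str] = set()   # service-layer white list of abnormal intelligence
        self.blocked: list[Flow] = []
        self.released: list[Flow] = []

    def match(self, flow: Flow) -> str:
        """Block on a library hit unless the indicator is white-listed as abnormal intelligence."""
        if flow.dst_ip in self.local_intel and flow.dst_ip not in self.whitelist:
            self.blocked.append(flow)
            return "block"
        self.released.append(flow)
        return "release"


class AbnormalIntelDiscoveryEngine:
    """Judges each blocked service by its share of the whole flow in two dimensions."""

    def __init__(self, control: IntelControlEngine) -> None:
        self.control = control
        self.reported: list[str] = []   # abnormal intelligence reported to the learning engine

    def judge(self) -> dict[str, dict]:
        control = self.control
        all_flows = control.blocked + control.released
        total_req = sum(f.requests for f in all_flows) or 1     # denominator: the whole flow
        total_conn = sum(f.new_conns for f in all_flows) or 1

        per_indicator: dict[str, list[int]] = defaultdict(lambda: [0, 0])
        for f in control.blocked:                               # numerators: blocked traffic only
            per_indicator[f.dst_ip][0] += f.requests
            per_indicator[f.dst_ip][1] += f.new_conns

        verdicts: dict[str, dict] = {}
        for ip, (req, conn) in per_indicator.items():
            req_ratio, conn_ratio = req / total_req, conn / total_conn
            # Assumption: exceeding the threshold in either dimension marks the intelligence abnormal
            abnormal = req_ratio > BLOCK_RATIO_THRESHOLD or conn_ratio > BLOCK_RATIO_THRESHOLD
            verdicts[ip] = {"req_ratio": req_ratio, "conn_ratio": conn_ratio, "abnormal": abnormal}
            if abnormal:
                control.whitelist.add(ip)   # step S34: white-list the misjudged indicator
                self.reported.append(ip)    # step S33: report it to the learning engine
        return verdicts


def run_window() -> tuple[dict[str, dict], set[str], list[str], str]:
    """Constructed one-minute window: the customer's own public service 203.0.113.10
    is listed as a black IP, so nearly all of its traffic is blocked."""
    control = IntelControlEngine({"203.0.113.10", "198.51.100.7"})   # constructed local library
    discovery = AbnormalIntelDiscoveryEngine(control)
    window = [
        Flow("203.0.113.10", requests=900, new_conns=450),
        Flow("198.51.100.7", requests=30, new_conns=10),
        Flow("192.0.2.44", requests=50, new_conns=30),
        Flow("192.0.2.45", requests=20, new_conns=10),
    ]
    for flow in window:
        control.match(flow)
    verdicts = discovery.judge()
    # Next window: the white-listed indicator is now released instead of blocked
    next_verdict = control.match(Flow("203.0.113.10", requests=5, new_conns=2))
    return verdicts, control.whitelist, discovery.reported, next_verdict


if __name__ == "__main__":
    print(run_window())
```

In the constructed window, 203.0.113.10 accounts for 90% of requests and of new connections, so it is judged abnormal, white-listed and reported, while 198.51.100.7 (3% of requests) remains genuine intelligence and stays blocked.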
Step S35: and receiving the current abnormal information data sent by the product side through an information learning engine, and judging whether the abnormal information library contains data corresponding to the current abnormal information data.
Step S36: and if the abnormal information base does not contain data corresponding to the current abnormal information data, generating a target model through an updated abnormal information base obtained based on the current abnormal information data.
Step S37: and pushing the target model to the product side so that the product side can update a local model by using an information model maintenance engine and the target model, and processing the information received by the product side by using the obtained updated model.
In this embodiment, the target model is pushed to the product side, so that the product side judges through the intelligence model maintenance engine whether the target version information is greater than the local version information of the local model; if so, the product side pulls the target model through the intelligence download engine of the threat intelligence platform, updates the local model with the target model to obtain the updated model, then processes the intelligence it receives with the updated model, meanwhile updates the local intelligence library to obtain a target local intelligence library, and sends an emptying instruction to the white list after the update is completed.
Specifically, after the target model is pushed to the product side and the intelligence model maintenance engine of the product side receives the target model pushed by the threat intelligence platform, the target version information of the target model is compared with the local version information of the local model in the local intelligence library. If the pushed version is greater than the version in the local intelligence library, the intelligence model maintenance engine downloads the target model from the threat intelligence platform; if the download succeeds, the platform writes the latest download into the intelligence download record, and if the download fails, the intelligence model maintenance engine retries the download until it completes. When the intelligence model maintenance engine of the product side finishes downloading the latest intelligence model, the local intelligence library is updated, and at the same time the white list rules added for abnormal intelligence are cleaned up.
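The version-gated exchange between the two sides, covering the platform's learning engine and detection/push engine (steps S25, S26, S35 and S36) and the product side's maintenance engine with download retry, download-record update and white list emptying (step S37 above), is illustrated below. This is an added example, not the patent's or DBAPPSecurity's code; the representation of a model as a version number plus a set of indicators, the bounded retry count, the customer name and the indicator values are all assumptions constructed for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class IntelModel:
    """An intelligence model version; here simply the set of indicators it blocks (assumption)."""
    version: int
    indicators: frozenset[str]


class ThreatIntelPlatform:
    """Threat intelligence platform side: learning, detection/push and download engines."""

    def __init__(self, original_intel: set[str], customer: str, failed_downloads: int = 0) -> None:
        self.customer = customer
        self.original_intel = frozenset(original_intel)            # original intelligence data
        self.abnormal_library: set[str] = set()                    # abnormal intelligence library
        self.model_library = [IntelModel(1, self.original_intel)]  # threat intelligence library
        self.download_record = {customer: 1}                       # intelligence download record
        self._failures_left = failed_downloads                     # constructed transfer failures
        self.pushed: list[IntelModel] = []

    def learn(self, reported: list[str]) -> IntelModel | None:
        """Learning engine (steps S35/S36): inclusion check, then a new model version if needed."""
        new = [ip for ip in reported if ip not in self.abnormal_library]
        if not new:
            return None                          # already contained in the library: no processing
        self.abnormal_library.update(new)
        target = IntelModel(self.model_library[-1].version + 1,
                            self.original_intel - self.abnormal_library)
        self.model_library.append(target)
        return target

    def detect_and_push(self, target: IntelModel) -> bool:
        """Detection engine (steps S25/S26): push only if newer than the download record."""
        if target.version <= self.download_record[self.customer]:
            return False
        self.pushed.append(target)
        return True

    def download(self) -> IntelModel | None:
        """Download engine: serve the latest model; the record is written only on success."""
        if self._failures_left > 0:
            self._failures_left -= 1
            return None
        latest = self.model_library[-1]
        self.download_record[self.customer] = latest.version
        return latest


class ProductSide:
    """Threat intelligence docking product: local model, local library and white list."""

    def __init__(self, platform: ThreatIntelPlatform) -> None:
        self.platform = platform
        self.local_model = platform.model_library[0]
        self.local_intel = set(self.local_model.indicators)
        self.whitelist: set[str] = set()
        self.download_attempts = 0

    def maintain(self, pushed: IntelModel, max_attempts: int = 5) -> bool:
        """Maintenance engine (step S37): compare versions, pull with retry, update, empty white list.
        The text retries until completion; a bound on attempts is added here (assumption)."""
        if pushed.version <= self.local_model.version:
            return False
        model = None
        for _ in range(max_attempts):
            self.download_attempts += 1
            model = self.platform.download()
            if model is not None:
                break
        if model is None:
            return False
        self.local_model = model
        self.local_intel = set(model.indicators)
        self.whitelist.clear()                   # emptying instruction to the white list
        return True


def run_exchange() -> dict:
    """Constructed scenario: the product reported 203.0.113.10 as abnormal intelligence
    and the first two download attempts fail."""
    platform = ThreatIntelPlatform({"203.0.113.10", "198.51.100.7", "192.0.2.99"},
                                   customer="customer-A", failed_downloads=2)
    product = ProductSide(platform)
    product.whitelist.add("203.0.113.10")
    stale_push = platform.detect_and_push(platform.model_library[0])   # v1 already downloaded
    target = platform.learn(["203.0.113.10"])
    pushed = platform.detect_and_push(target)
    updated = product.maintain(target)
    repeat = platform.learn(["203.0.113.10"])                          # duplicate report
    return {"stale_push": stale_push, "target": target, "pushed": pushed, "updated": updated,
            "attempts": product.download_attempts, "record": dict(platform.download_record),
            "local_intel": set(product.local_intel), "whitelist": set(product.whitelist),
            "repeat": repeat, "pushed_again": platform.detect_and_push(target)}


if __name__ == "__main__":
    print(run_exchange())
```

The download record is written by the platform only after a successful transfer, so a second push of the same version is suppressed, and the duplicate report of an indicator already in the abnormal intelligence library produces no new model.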
This scheme greatly improves the timeliness of the intelligence model and improves its accuracy (binding the customer to the intelligence model lets the model learn to become more and more accurate and closer to the customer's real business), guarantees the continuity and security of the customer's business, and at the same time frees the corresponding manpower: no one needs to follow up and handle it in real time, which lightens staff workload and reduces the enterprise's labour cost.
For the specific contents of the above steps S35 and S36, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and details are not repeated herein.
Therefore, in the embodiment of the application, after the intelligence control engine of the product side receives the user service intelligence information sent by the input module, the preset intelligence library collision operation is executed based on the user service intelligence information and the local intelligence library so as to obtain the blocked service intelligence information and the released service intelligence information; the blocked service intelligence information is sent to the abnormal intelligence discovery engine so as to judge, by a preset abnormal intelligence determination rule, whether it is abnormal intelligence data; if it is, the blocked service intelligence information is determined as the current abnormal intelligence data and reported to the intelligence learning engine; the current abnormal intelligence data is added to a white list so as to modify the processing method corresponding to it; the current abnormal intelligence data sent by the product side is received through the intelligence learning engine, and it is judged whether the abnormal intelligence library contains data corresponding to it; if not, a target model is generated through an updated abnormal intelligence library obtained based on the current abnormal intelligence data; and the target model is pushed to the product side so that the product side can update its local model with the target model through the intelligence model maintenance engine and process the intelligence it receives with the resulting updated model, thereby improving timeliness and accuracy and ensuring service continuity and security.
Referring to fig. 5, the embodiment of the present application correspondingly further discloses an information processing apparatus, applied to a threat intelligence platform, comprising:
the data receiving module 11 is used for receiving current abnormal information data sent by a product party through an information learning engine;
a data judgment module 12, configured to judge whether the abnormal information library includes data corresponding to the current abnormal information data;
a model generation module 13, configured to generate a target model through an updated abnormal information library obtained based on the current abnormal information data if the abnormal information library does not include data corresponding to the current abnormal information data;
and the model updating module 14 is used for pushing the target model to the product side so that the product side can update the local model by using the target model through an information model maintenance engine and process the information received by the product side by using the obtained updated model.
As can be seen, the present application includes: receiving current abnormal intelligence data sent by a product side through an intelligence learning engine, and judging whether an abnormal intelligence library contains data corresponding to the current abnormal intelligence data; if the abnormal intelligence library does not contain such data, generating a target model through an updated abnormal intelligence library obtained based on the current abnormal intelligence data; and pushing the target model to the product side so that the product side can update a local model with the target model through an intelligence model maintenance engine and process the intelligence it receives with the resulting updated model. Therefore, according to the method and the apparatus, abnormal intelligence data is transmitted between the threat intelligence platform and the product side, whether a new model needs to be generated is judged according to the received current abnormal intelligence data, and if so the target model is generated and sent to the product side for model updating; the product side processes intelligence with the updated model, so timeliness and accuracy are improved and the continuity and security of the business are guaranteed.
In some specific embodiments, the data receiving module 11 specifically includes:
a basic information model judging unit for judging whether the basic information model changes in real time;
a data receiving unit, which is used for actively executing the step of receiving the current abnormal information data sent by a product party through an information learning engine if the basic information model changes;
and the monitoring unit is used for monitoring the product party through the intelligence learning engine if the basic intelligence model is not changed so as to execute the step of receiving the current abnormal intelligence data sent by the product party through the intelligence learning engine when the current abnormal intelligence data exists in the product party.
In some specific embodiments, before the data receiving module 11, the method specifically includes:
the system comprises a service information classification unit, a service information management unit and a service information management unit, wherein the service information classification unit is used for executing preset information database collision operation based on user service information and a local information database after an information control engine of a product side receives the user service information sent by an input module so as to obtain blocking service information and releasing service information;
a blocking service information judgment unit for sending the blocking service information to an abnormal information discovery engine so as to judge whether the blocking service information is abnormal information data or not through a preset abnormal information judgment rule;
a current abnormal information data reporting unit, configured to determine the blocking service information as the current abnormal information data if the blocking service information is the abnormal information data, and report the current abnormal information data to the information learning engine;
and the white list adding unit is used for adding the current abnormal information data to a white list so as to modify a processing method corresponding to the current abnormal information data.
In some specific embodiments, the data determining module 12 specifically includes:
and the data judgment unit is used for judging whether the abnormal information library contains data corresponding to the current abnormal information data.
In some specific embodiments, the model generating module 13 specifically includes:
an updated abnormal information base obtaining unit, configured to obtain the updated abnormal information base based on the current abnormal information data;
a target model generating unit for generating the target model according to the updated abnormal information library and the original information data in the abnormal information library;
a target model storage unit, configured to store the target model in an intelligence model library;
the target model sending unit is used for sending the target model to an intelligence detection engine;
the model version downloading information acquisition unit is used for acquiring model version downloading information in the information downloading record through the information detection engine;
and the model version downloading information judging unit is used for judging whether the target version information of the target model is larger than the model version downloading information in the information downloading record or not.
In some embodiments, the model updating module 14 specifically includes:
and a model updating unit, configured to push the target model to the product side through a model push engine if the target version information is greater than the model version download information, so that the product side judges through the intelligence model maintenance engine whether the target version information is greater than the local version information of the local model and, if so, pulls the target model through the intelligence download engine of the threat intelligence platform, updates the local model with the target model to obtain the updated model, processes the intelligence it receives with the updated model, updates the local intelligence library to obtain a target local intelligence library, and sends an emptying instruction to the white list after the update is finished.
Further, the embodiment of the application also provides electronic equipment. FIG. 6 is a block diagram illustrating an electronic device 20 according to an exemplary embodiment, and the contents of the diagram should not be construed as limiting the scope of use of the present application in any way.
Fig. 6 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present disclosure. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. The memory 22 is used for storing a computer program, and the computer program is loaded and executed by the processor 21 to implement the relevant steps in the intelligence information processing method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 23 is configured to provide a working voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and a communication protocol followed by the communication interface is any communication protocol that can be applied to the technical solution of the present application, and is not specifically limited herein; the input/output interface 25 is configured to acquire external input data or output data to the outside, and a specific interface type thereof may be selected according to specific application requirements, which is not specifically limited herein.
In addition, the storage 22 is used as a carrier for resource storage, and may be a read-only memory, a random access memory, a magnetic disk or an optical disk, etc., and the resources stored thereon may include an operating system 221, a computer program 222, etc., and the storage manner may be a transient storage or a permanent storage.
The operating system 221 is used for managing and controlling each hardware device on the electronic device 20 and the computer program 222, and may be Windows Server, Netware, Unix, Linux or the like. The computer program 222 may include, in addition to the computer program that performs the intelligence information processing method disclosed in any of the foregoing embodiments when executed by the electronic device 20, computer programs that perform other specific tasks.
Further, an embodiment of the present application further discloses a storage medium, where a computer program is stored, and when the computer program is loaded and executed by a processor, the steps of the intelligence information processing method disclosed in any of the foregoing embodiments are implemented.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Finally, it should also be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
The information processing method, apparatus, device and storage medium provided by the present invention are described in detail above, and a specific example is applied in the present document to explain the principle and the implementation of the present invention, and the description of the above embodiment is only used to help understand the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (9)

1. An intelligence information processing method, applied to a threat intelligence holder, comprising the following steps:
receiving current abnormal intelligence data sent by a product side through an intelligence learning engine, and judging whether an abnormal intelligence library contains data corresponding to the current abnormal intelligence data;
if the abnormal intelligence library does not contain data corresponding to the current abnormal intelligence data, generating a target model through an updated abnormal intelligence library obtained based on the current abnormal intelligence data;
pushing the target model to the product side so that the product side updates a local model with the target model through an intelligence model maintenance engine, and processes the intelligence information received by the product side with the resulting updated model;
wherein the method further comprises:
after an intelligence control engine of the product side receives user service intelligence information sent by an input module, executing a preset intelligence database collision operation based on the user service intelligence information and a local intelligence library to obtain blocking service intelligence information and releasing service intelligence information;
sending the blocking service intelligence information to an abnormal intelligence discovery engine so as to judge, through a preset abnormal intelligence judgment rule, whether the blocking service intelligence information is abnormal intelligence data;
if the blocking service intelligence information is abnormal intelligence data, determining the blocking service intelligence information as the current abnormal intelligence data, and reporting the current abnormal intelligence data to the intelligence learning engine.
2. The intelligence information processing method of claim 1, wherein before receiving the current abnormal intelligence data sent by the product side through the intelligence learning engine, the method further comprises:
judging in real time whether a basic intelligence model has changed;
if the basic intelligence model has changed, actively executing the step of receiving the current abnormal intelligence data sent by the product side through the intelligence learning engine;
if the basic intelligence model has not changed, monitoring the product side through the intelligence learning engine, so as to execute the step of receiving the current abnormal intelligence data sent by the product side through the intelligence learning engine when current abnormal intelligence data exists on the product side.
3. The intelligence information processing method of claim 1, wherein generating a target model through an updated abnormal intelligence library obtained based on the current abnormal intelligence data comprises:
obtaining the updated abnormal intelligence library based on the current abnormal intelligence data;
generating the target model through the updated abnormal intelligence library and the original intelligence data in the abnormal intelligence library;
and storing the target model in a report model library.
4. The intelligence information processing method of any one of claims 1 to 3, wherein after generating a target model through an updated abnormal intelligence library obtained based on the current abnormal intelligence data, the method further comprises:
sending the target model to an intelligence detection engine, and obtaining model version download information from an intelligence download record through the intelligence detection engine;
judging whether target version information of the target model is greater than the model version download information in the intelligence download record;
correspondingly, pushing the target model to the product side comprises:
if the target version information is greater than the model version download information, pushing the target model to the product side through a model push engine.
5. The intelligence information processing method of claim 4, wherein after reporting the current abnormal intelligence data to the intelligence learning engine, the method further comprises:
adding the current abnormal intelligence data to a white list so as to modify the processing method corresponding to the current abnormal intelligence data.
6. The intelligence information processing method of claim 5, wherein pushing the target model to the product side so that the product side updates a local model with the target model through an intelligence model maintenance engine, and processes the intelligence information received by the product side with the resulting updated model, comprises:
pushing the target model to the product side so that the product side judges, through the intelligence model maintenance engine, whether the target version information is greater than local version information of the local model; if so, pulling the target model downloaded through an intelligence download engine of the threat intelligence holder, updating the local model with the target model to obtain the updated model, processing the intelligence information received by the product side with the updated model, updating the local intelligence library to obtain a target local intelligence library, and sending a clearing instruction to the white list after the update is completed.
7. An intelligence information processing apparatus, applied to a threat intelligence cloud platform, comprising:
a data receiving module for receiving current abnormal intelligence data sent by a product side through an intelligence learning engine;
a data judgment module for judging whether an abnormal intelligence library contains data corresponding to the current abnormal intelligence data;
a model generation module for generating a target model through an updated abnormal intelligence library obtained based on the current abnormal intelligence data if the abnormal intelligence library does not contain data corresponding to the current abnormal intelligence data;
a model updating module for pushing the target model to the product side so that the product side updates a local model with the target model through an intelligence model maintenance engine, and processes the intelligence information received by the product side with the resulting updated model;
wherein the apparatus is further configured to: after an intelligence control engine of the product side receives user service intelligence information sent by an input module, execute a preset intelligence database collision operation based on the user service intelligence information and a local intelligence library to obtain blocking service intelligence information and releasing service intelligence information; send the blocking service intelligence information to an abnormal intelligence discovery engine so as to judge, through a preset abnormal intelligence judgment rule, whether the blocking service intelligence information is abnormal intelligence data; and if the blocking service intelligence information is abnormal intelligence data, determine the blocking service intelligence information as the current abnormal intelligence data and report the current abnormal intelligence data to the intelligence learning engine.
8. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the intelligence information processing method according to any one of claims 1 to 6.
9. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the intelligence information processing method according to any one of claims 1 to 6.
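As an added illustration, not code from the patent, the following Python sketch simulates the claim 1 to claim 6 flow between a product side and a threat intelligence holder: library collision, the abnormal-intelligence judgment, the white list, the version-gated model push, and the clearing of the white list after the update. The record layout, the collision and judgment rules, and what the local library update does are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ProductSide:
    """Product side: local intelligence library, local model version and white list."""
    local_library: set
    local_version: int = 0
    whitelist: set = field(default_factory=set)

    def collide(self, records):
        """Preset library collision (assumed: match on the 'ioc' string); returns (blocking, releasing)."""
        blocking = [r for r in records
                    if r["ioc"] in self.local_library and r["ioc"] not in self.whitelist]
        releasing = [r for r in records if r not in blocking]
        return blocking, releasing

    def discover_abnormal(self, blocking):
        """Preset abnormal-intelligence judgment rule (constructed): a blocked record from an internal source."""
        return [r for r in blocking if r.get("source") == "internal"]

@dataclass
class ThreatIntelHolder:
    """Threat intelligence holder: abnormal library, model version and download record."""
    abnormal_library: set
    model_version: int = 0
    download_record: int = 0  # claim 4: highest model version already downloaded by a product side

    def learn(self, abnormal):
        """Claims 1, 3, 4: unseen data extends the library and yields a new target model,
        which is pushed only if its version is greater than the download record."""
        new = {r["ioc"] for r in abnormal} - self.abnormal_library
        if not new:
            return None
        self.abnormal_library |= new
        self.model_version += 1
        target = {"version": self.model_version, "abnormal": frozenset(self.abnormal_library)}
        return target if target["version"] > self.download_record else None

def run_cycle(product, holder, records):
    """One end-to-end cycle; returns (releasing records, product model version, white-list size)."""
    blocking, releasing = product.collide(records)
    abnormal = product.discover_abnormal(blocking)
    product.whitelist |= {r["ioc"] for r in abnormal}  # claim 5: white-list until the model lands
    target = holder.learn(abnormal)
    if target and target["version"] > product.local_version:  # claim 6: version gate
        product.local_version = target["version"]
        holder.download_record = target["version"]
        # Assumed meaning of "target local library": stop blocking what the model marks abnormal.
        product.local_library -= target["abnormal"]
        product.whitelist.clear()  # clearing instruction sent to the white list after the update
    return releasing, product.local_version, len(product.whitelist)
```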
CN202211353751.2A 2022-11-01 2022-11-01 Information processing method, device, equipment and storage medium Active CN115426198B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211353751.2A CN115426198B (en) 2022-11-01 2022-11-01 Information processing method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115426198A CN115426198A (en) 2022-12-02
CN115426198B true CN115426198B (en) 2023-03-24

Family

ID=84207332

Country Status (1)

Country Link
CN (1) CN115426198B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant