CN115714654A - Threat information generation method, equipment, storage medium and device - Google Patents

Threat information generation method, equipment, storage medium and device

Publication number
CN115714654A
Application number
CN202110945660.7A
Authority
CN (China)
Other languages
Chinese (zh)
Legal status
Pending
Inventor
韩志立
张庆
苏蒙
高学文
Current Assignee
360 Digital Security Technology Group Co Ltd
Original Assignee
360 Digital Security Technology Group Co Ltd
Prior art keywords
information
ioc
processed
malicious sample
threat intelligence
Classification
  • Computer And Data Communications (AREA)

Abstract

The invention relates to the technical field of network security, and discloses a threat information generation method, equipment, a storage medium and a device, wherein the method comprises the following steps: performing network behavior detection on a malicious sample to be processed in a preset sandbox to obtain network behavior information corresponding to the malicious sample to be processed, performing multi-dimensional engine query on the malicious sample to be processed to obtain family name information corresponding to the malicious sample to be processed, selecting suspicious IOC from the malicious sample to be processed according to the network behavior information and the family name information to obtain IOC information of the suspicious IOC, and generating threat information of the malicious sample to be processed according to the IOC information; because the suspicious IOC is determined based on network behavior detection and multidimensional engine query, and the threat information is generated according to the IOC information of the suspicious IOC, the threat information generation speed can be increased, and the accuracy and the reliability of the threat information are ensured.

Description

Threat information generation method, equipment, storage medium and device
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, a storage medium, and a device for generating threat information.
Background
At present, when threat situation reports are generated, the threat situation reports are generally analyzed manually, time and labor are wasted, and the processing efficiency is low.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a threat information generation method, equipment, a storage medium and a device, and aims to solve the technical problems of time and labor waste and low processing efficiency of artificially generating threat information in the prior art.
In order to achieve the above object, the present invention provides a threat information generation method, including the steps of:
performing network behavior detection on a malicious sample to be processed in a preset sandbox to obtain network behavior information corresponding to the malicious sample to be processed;
performing multi-dimensional engine query on the malicious sample to be processed to obtain family name information corresponding to the malicious sample to be processed;
selecting suspicious IOCs from the malicious samples to be processed according to the network behavior information and the family name information;
and obtaining IOC information of the suspicious IOC, and generating threat intelligence of the malicious sample to be processed according to the IOC information.
Optionally, the step of obtaining the IOC information of the suspicious IOC and generating threat intelligence of the malicious sample to be processed according to the IOC information includes:
obtaining IOC information and basic information of the suspicious IOC;
and generating threat intelligence of the malicious sample to be processed according to the IOC information and the basic information.
Optionally, the step of obtaining the IOC information and the basic information of the suspicious IOC includes:
acquiring open source information and basic information of the suspicious IOC;
judging whether the suspicious IOC is a threat domain name or not, and obtaining a domain name judgment result;
and generating the IOC information of the suspicious IOC according to the open source information and the domain name judgment result.
Optionally, the step of generating threat intelligence of the malicious sample to be processed according to the IOC information and the basic information includes:
generating a threat score of the suspicious IOC according to the IOC information and the basic information;
and generating threat intelligence of the malicious sample to be processed according to the threat score.
Optionally, the step of performing network behavior detection on the malicious sample to be processed in the preset sandbox to obtain the network behavior information corresponding to the malicious sample to be processed includes:
running the malicious sample to be processed in a preset sandbox to obtain a sandbox log;
and extracting information of the sandbox log to obtain network behavior information corresponding to the malicious sample to be processed.
Optionally, the step of performing a multidimensional engine query on the malicious sample to be processed to obtain family name information corresponding to the malicious sample to be processed includes:
performing multi-dimensional engine query on the malicious sample to be processed to obtain a multi-engine query result;
obtaining engine information of each query engine, and determining family name information corresponding to the malicious sample to be processed according to the engine information and the multi-engine query result.
Optionally, the step of obtaining engine information of each query engine and determining family name information corresponding to the malicious sample to be processed according to the engine information and the multi-engine query result includes:
obtaining engine information of each query engine, and screening the multi-engine query results according to the engine information to obtain target query results;
and determining family name information corresponding to the malicious sample to be processed according to the target query result.
Optionally, the step of selecting a suspicious IOC from the malicious sample to be processed according to the network behavior information and the family name information includes:
searching network behavior characteristics corresponding to the family name information;
and matching the network behavior information with the network behavior characteristics, and selecting suspicious IOCs from the malicious samples to be processed according to behavior matching results.
Optionally, before the step of performing network behavior detection on the malicious sample to be processed in the preset sandbox to obtain the sandbox log, the method further includes:
acquiring a newly added malicious sample;
and screening the newly added malicious sample to obtain a to-be-processed malicious sample.
Optionally, the step of screening the newly added malicious sample to obtain a to-be-processed malicious sample includes:
obtaining a sample format of the newly added malicious sample;
and matching the sample format with a preset format, and screening the newly increased malicious sample according to a format matching result to obtain a to-be-processed malicious sample.
Optionally, the step of obtaining the sample format of the newly added malicious sample includes:
acquiring the file header name of the newly added malicious sample;
and determining the sample format of the newly added malicious sample according to the file header name.
In addition, in order to achieve the above object, the present invention also provides a threat intelligence generation apparatus including a memory, a processor, and a threat intelligence generation program stored on the memory and executable on the processor, the threat intelligence generation program being configured to implement the threat intelligence generation method as described above.
In addition, in order to achieve the above object, the present invention also provides a storage medium having stored thereon a threat intelligence generation program that realizes the threat intelligence generation method as described above when executed by a processor.
In order to achieve the above object, the present invention also provides a threat information generation apparatus including: the system comprises a network behavior detection module, a family name query module, a suspicious IOC selection module and a threat information generation module;
the network behavior detection module is used for detecting network behaviors of a malicious sample to be processed in a preset sandbox to obtain network behavior information corresponding to the malicious sample to be processed;
the family name query module is used for carrying out multi-dimensional engine query on the malicious sample to be processed to obtain family name information corresponding to the malicious sample to be processed;
the suspicious IOC selection module is used for selecting suspicious IOCs from the malicious samples to be processed according to the network behavior information and the family name information;
and the threat intelligence generation module is used for acquiring IOC information of the suspicious IOC and generating threat intelligence of the malicious sample to be processed according to the IOC information.
Optionally, the threat intelligence generation module is further configured to obtain IOC information and basic information of the suspicious IOC;
and the threat intelligence generation module is also used for generating threat intelligence of the malicious sample to be processed according to the IOC information and the basic information.
Optionally, the threat intelligence generation module is further configured to obtain open source information and basic information of the suspicious IOC;
the threat information generation module is also used for judging whether the suspicious IOC is a threat domain name or not and obtaining a domain name judgment result;
and the threat intelligence generation module is further used for generating IOC information of the suspicious IOC according to the open source information and the domain name judgment result.
Optionally, the threat intelligence generation module is further configured to generate a threat score of the suspicious IOC according to the IOC information and the basic information;
and the threat intelligence generation module is also used for generating threat intelligence of the malicious sample to be processed according to the threat score.
Optionally, the network behavior detection module is further configured to run the malicious sample to be processed in a preset sandbox to obtain a sandbox log;
the network behavior detection module is further configured to extract information from the sandbox log to obtain network behavior information corresponding to the malicious sample to be processed.
Optionally, the family name query module is further configured to perform multi-dimensional engine query on the malicious sample to be processed to obtain a multi-engine query result;
the family name query module is further used for acquiring engine information of each query engine and determining family name information corresponding to the malicious sample to be processed according to the engine information and the multi-engine query result.
Optionally, the family name query module is further configured to obtain engine information of each query engine, and filter the multi-engine query result according to the engine information to obtain a target query result;
and the family name query module is also used for determining the family name information corresponding to the malicious sample to be processed according to the target query result.
The invention discloses a method for detecting network behaviors of a malicious sample to be processed in a preset sandbox, obtaining network behavior information corresponding to the malicious sample to be processed, carrying out multi-dimensional engine query on the malicious sample to be processed, obtaining family name information corresponding to the malicious sample to be processed, selecting suspicious IOC from the malicious sample to be processed according to the network behavior information and the family name information, obtaining IOC information of the suspicious IOC, and generating threat information of the malicious sample to be processed according to the IOC information; because the suspicious IOC is determined based on network behavior detection and multidimensional engine query, and the threat information is generated according to the IOC information of the suspicious IOC, the threat information generation speed can be increased, and the accuracy and the reliability of the threat information are ensured.
Drawings
Fig. 1 is a schematic structural diagram of a threat intelligence generation apparatus of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a threat intelligence generation method according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a threat intelligence generation method according to a second embodiment of the present invention;
FIG. 4 is a flowchart illustrating a threat intelligence generation method according to a third embodiment of the present invention;
fig. 5 is a block diagram showing a first embodiment of the threat intelligence generation apparatus according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a threat intelligence generation apparatus in a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the threat intelligence generation apparatus may include: a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a display screen, and the optional user interface 1003 may further include a standard wired interface and a wireless interface; in the present invention the wired interface of the user interface 1003 may be a USB interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless-Fidelity (Wi-Fi) interface). The memory 1005 may be a Random Access Memory (RAM) or a Non-volatile Memory (NVM), such as a disk memory. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in fig. 1 is not intended to be limiting of threat intelligence generation apparatus and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, memory 1005, identified as one type of computer storage medium, may include an operating system, a network communication module, a user interface module, and a threat intelligence generation program.
In the threat intelligence generation apparatus shown in fig. 1, the network interface 1004 is mainly used for connecting to a backend server and performing data communication with the backend server; the user interface 1003 is mainly used for connecting user equipment; the threat intelligence generation apparatus calls the threat intelligence generation program stored in the memory 1005 through the processor 1001, and executes the threat intelligence generation method provided by the embodiment of the present invention.
Based on the hardware structure, the embodiment of the threat intelligence generation method is provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating a first embodiment of the threat intelligence generation method according to the present invention.
In a first embodiment, the threat intelligence generation method includes the steps of:
step S10: and performing network behavior detection on the malicious sample to be processed in a preset sandbox to obtain network behavior information corresponding to the malicious sample to be processed.
It should be understood that the executing body of the method of this embodiment may be a threat intelligence generating device with data processing, network communication and program running functions, such as a server or a computer, or other electronic devices capable of implementing the same or similar functions, which is not limited in this embodiment.
It should be noted that the configuration of the running environment of the preset sandbox is the same as that of the running environment of the user terminal. Therefore, the behavior of the malicious sample at the user terminal can be determined by simulating the running of the malicious sample at the user terminal in the preset sandbox.
It can be understood that after the malicious sample to be processed is delivered to the preset sandbox, the malicious sample to be processed can be operated in the preset sandbox to perform network behavior detection on the malicious sample to be processed, so as to obtain network behavior information corresponding to the malicious sample to be processed.
Step S20: and performing multi-dimensional engine query on the malicious sample to be processed to obtain family name information corresponding to the malicious sample to be processed.
It should be noted that the multidimensional engine query may be a query performed by a plurality of query engines.
Family name information may be the name of a family of computer viruses used to distinguish and identify the family of viruses.
It should be understood that, the multi-dimensional engine query is performed on the to-be-processed malicious sample, and the obtaining of the family name information corresponding to the to-be-processed malicious sample may be performed by querying the to-be-processed malicious sample through a plurality of search engines to obtain the family name information corresponding to the to-be-processed malicious sample.
Step S30: and selecting suspicious IOCs from the malicious samples to be processed according to the network behavior information and the family name information.
An Indicator of Compromise (IOC) here refers to the remote command-and-control server information used by an attacker to control a victim host. The IOC of an intelligence item usually takes the form of a domain name, IP address or URL (sometimes also an SSL certificate, hash, etc.), and it can be pushed to different security devices, such as NGFW, IPS and SIEM, for detection and even real-time blocking. Such intelligence typically also provides richer contextual information, such as hazard level, attack group and malicious family, which helps determine event priority and guide subsequent security response activities. Using such intelligence is the simplest, most timely and most effective way to discover in time that an organization has been infiltrated by APT actors, trojans or worms.
It can be understood that the selecting of the suspicious IOC from the to-be-processed malicious sample according to the network behavior information and the family name information may be analyzing the to-be-processed malicious sample according to the network behavior information and the family name information, and selecting the suspicious IOC from the to-be-processed malicious sample according to an analysis result.
Step S40: and obtaining IOC information of the suspicious IOC, and generating threat intelligence of the malicious sample to be processed according to the IOC information.
It should be noted that the IOC information may be open source information about the IOC, whether it hits a benign (non-malicious) whitelist, whether it hits DGA data, whether it hits black/gray-industry (cybercrime) data, and the like.
It should be appreciated that generating threat intelligence for the malicious sample to be processed from the IOC information may be taking the IOC information as threat intelligence for the malicious sample to be processed.
In the first embodiment, the method comprises the steps of performing network behavior detection on a malicious sample to be processed in a preset sandbox, obtaining network behavior information corresponding to the malicious sample to be processed, performing multi-dimensional engine query on the malicious sample to be processed, obtaining family name information corresponding to the malicious sample to be processed, selecting suspicious IOC from the malicious sample to be processed according to the network behavior information and the family name information, obtaining IOC information of the suspicious IOC, and generating threat information of the malicious sample to be processed according to the IOC information; because the suspicious IOC is determined based on network behavior detection and multidimensional engine query, and the threat intelligence is generated according to the IOC information of the suspicious IOC, the threat intelligence generation speed can be increased, and the accuracy and reliability of the threat intelligence are ensured.
Referring to fig. 3, fig. 3 is a flow chart of a second embodiment of the threat intelligence generation method according to the present invention, and the second embodiment of the threat intelligence generation method according to the present invention is proposed based on the first embodiment shown in fig. 2.
In a second embodiment, the step S10 includes:
step S101: and operating the malicious sample to be processed in a preset sandbox to obtain a sandbox log.
It should be noted that the configuration of the running environment of the preset sandbox is the same as that of the running environment of the user terminal. Therefore, the behavior of the malicious sample at the user terminal can be determined by simulating the running of the malicious sample at the user terminal in the preset sandbox.
It should be understood that after the malicious sample to be processed is delivered to the preset sandbox, the malicious sample to be processed may be run in the preset sandbox to obtain the sandbox log.
Step S102: and extracting information of the sandbox log to obtain network behavior information corresponding to the malicious sample to be processed.
It can be understood that the sandbox log contains multiple types of information, and therefore, information extraction needs to be performed on the sandbox log to obtain network behavior information corresponding to the malicious sample to be processed.
It should be appreciated that in extracting information from a sandbox log, the sandbox log may be extracted in a structured format.
In a second embodiment, the method comprises the steps of operating a malicious sample to be processed in a preset sandbox to obtain a sandbox log, extracting information of the sandbox log to obtain network behavior information corresponding to the malicious sample to be processed; in the embodiment, the information of the sandbox log is extracted to obtain the network behavior information corresponding to the malicious sample to be processed, so that the interference of other information can be eliminated, and the reliability of the network behavior information is ensured.
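Step S102 says the sandbox log is extracted in a structured format and that only the network behavior information is kept, eliminating the interference of other information. The following Python is an added example, not code from the patent or its assignee. It assumes a JSON-lines log format with a `type` field (dns, tcp, http, process, file, registry), which is a constructed format; the log lines themselves are constructed with documentation-only domain names and TEST-NET addresses, and the last line is deliberately truncated to show that a malformed line is counted rather than aborting the extraction.

```python
import json
from urllib.parse import urlparse

# Constructed sandbox log in an assumed JSON-lines format: one event per line
# with a "type" field. The truncated final line is intentional (malformed input).
SANDBOX_LOG = r"""
{"ts": 1, "type": "process", "pid": 1234, "image": "C:\\Users\\user\\sample.exe"}
{"ts": 2, "type": "file", "pid": 1234, "op": "write", "path": "C:\\Users\\user\\AppData\\Roaming\\svc.exe"}
{"ts": 3, "type": "dns", "pid": 1234, "query": "Update-CDN.example.net", "answers": ["203.0.113.10"]}
{"ts": 4, "type": "tcp", "pid": 1234, "dst_ip": "203.0.113.10", "dst_port": 443}
{"ts": 5, "type": "http", "pid": 1234, "method": "POST", "url": "http://update-cdn.example.net/gate.php", "status": 200}
{"ts": 6, "type": "dns", "pid": 1234, "query": "xk3jd9q1m.example.org", "answers": []}
{"ts": 7, "type": "tcp", "pid": 1234, "dst_ip": "198.51.100.7", "dst_port": 8080}
{"ts": 8, "type": "registry", "pid": 1234, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"}
{"ts": 9, "type": "tcp", "pid": 1234, "dst_ip": "198.51.100.7", "dst_po
"""

NETWORK_EVENT_TYPES = {"dns", "tcp", "http"}


def extract_network_behavior(log_text):
    """Step S102: keep only the network events of the sandbox log and return the
    network behavior information as sorted, deduplicated lists. Process, file and
    registry events are the 'other information' that is filtered out."""
    domains, ips, urls, ports = set(), set(), set(), set()
    malformed = 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1          # one bad line must not lose the rest of the log
            continue
        etype = event.get("type")
        if etype not in NETWORK_EVENT_TYPES:
            continue
        if etype == "dns":
            domains.add(event["query"].lower())   # case-fold hostnames
            ips.update(event.get("answers", []))
        elif etype == "tcp":
            ips.add(event["dst_ip"])
            ports.add(int(event["dst_port"]))
        elif etype == "http":
            urls.add(event["url"])
            host = urlparse(event["url"]).hostname   # urlparse lower-cases the host
            if host:
                domains.add(host)
    return {
        "domains": sorted(domains),
        "ips": sorted(ips),
        "urls": sorted(urls),
        "ports": sorted(ports),
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    for key, value in extract_network_behavior(SANDBOX_LOG).items():
        print(f"{key}: {value}")
```

The output dict is the network behavior information handed to the later matching step; the `malformed_lines` counter is there so an analyst can tell an incomplete log apart from a sample that simply produced no network traffic.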
In the second embodiment, the step S20 includes:
step S201: and carrying out multi-dimensional engine query on the malicious sample to be processed to obtain a multi-engine query result.
It should be noted that the multidimensional engine query may be a query performed by a plurality of query engines.
It should be understood that querying the to-be-processed malicious sample through a plurality of search engines can ensure the diversity of the multi-engine query results, and further ensure the reliability of the multi-engine query results.
Step S202: obtaining engine information of each query engine, and determining family name information corresponding to the malicious sample to be processed according to the engine information and the multi-engine query result.
It should be noted that the engine information may be a virus name reporting rule and a confidence score of the query engine. The credibility score is used for representing the credibility of the query result output by the query engine, and the larger the credibility score is, the more credible the query result is.
It will be appreciated that the virus name reporting rules of different query engines differ. Therefore, in order to obtain uniform family name information, in this embodiment the engine information of each query engine is obtained, and the family name information corresponding to the malicious sample to be processed is determined according to the engine information and the multi-engine query result.
It should be understood that the determining of the family name information corresponding to the malicious sample to be processed according to the engine information and the multi-engine query result may be extracting a virus name reporting rule of the query engine from the engine information, and converting the multi-engine query result according to the virus name reporting rule to obtain the family name information corresponding to the malicious sample to be processed.
It should be noted that the family name information may be names of computer virus families, and is used for distinguishing and identifying the virus families.
Further, query credibility of different query engines is different, and in order to obtain more accurate family name information, the step S202 includes:
obtaining engine information of each query engine, and screening the multi-engine query results according to the engine information to obtain target query results;
and determining family name information corresponding to the malicious sample to be processed according to the target query result.
It should be understood that, the multi-engine query results are screened according to the engine information, and the target query result may be obtained by extracting the credibility score of the query engine from the engine information, sorting the multi-engine query results according to the credibility score from large to small, and using a preset number of multi-engine query results sorted in front as the target query result. Wherein the preset number may be preset.
In a second embodiment, the method discloses that multi-dimensional engine query is performed on a malicious sample to be processed, multi-engine query results are obtained, engine information of each query engine is obtained, and family name information corresponding to the malicious sample to be processed is determined according to the engine information and the multi-engine query results; in the embodiment, the family name information corresponding to the malicious sample to be processed is determined through the engine information of each query engine and the multi-engine query result, so that misjudgment caused by the query engines is avoided, and the accuracy of the family name information is improved.
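Steps S201 and S202 convert each engine's raw detection name through that engine's virus name reporting rule, and screen the engines by credibility score, keeping a preset number of the highest-scoring results as the target query result. The Python below is an added example, not the patent's code; the engine names, their reporting-rule regexes, their credibility scores and the detection strings are all constructed for illustration. Choosing among the target results by a credibility-weighted vote is an added design choice: the patent only says the family name is determined from the target query result.

```python
import re
from collections import Counter

# Assumed engine information (constructed): each engine's virus-name reporting
# rule as a regex whose "family" group isolates the family token, plus a
# credibility score (higher means a more trusted verdict).
ENGINE_INFO = {
    "engine_alpha": {"rule": r"^(?:Trojan|Worm|Backdoor)\.(?:Win32|Win64|MSIL)\.(?P<family>[A-Za-z0-9]+)", "credibility": 90},
    "engine_beta":  {"rule": r"^(?:Win32|Win64|MSIL)/(?P<family>[A-Za-z0-9]+)", "credibility": 85},
    "engine_gamma": {"rule": r"^(?P<family>[A-Za-z0-9]+)(?:\.[A-Za-z0-9]+)*$", "credibility": 60},
    "engine_delta": {"rule": r"^(?:Gen|Generic):(?:Variant\.)?(?P<family>[A-Za-z0-9]+)", "credibility": 40},
}

# Constructed multi-engine query result for one sample.
MULTI_ENGINE_RESULT = {
    "engine_alpha": "Trojan.Win32.Emotet.abc",
    "engine_beta": "Win32/Emotet!gen",
    "engine_gamma": "Agent.Generic.1234",
    "engine_delta": "Gen:Variant.Emotet",
}


def normalize_family(engine, raw_name):
    """Convert one engine's raw detection name into a family name using that
    engine's reporting rule; None when the engine is unknown or the name does
    not follow the rule (for example a heuristic label with no family)."""
    info = ENGINE_INFO.get(engine)
    if info is None or not raw_name:
        return None
    m = re.match(info["rule"], raw_name)
    return m.group("family").lower() if m else None


def select_target_results(results, top_n=3):
    """Screen the multi-engine results by credibility: engines sorted by score
    from large to small, the first top_n kept as the target query result."""
    known = [(eng, raw) for eng, raw in results.items() if eng in ENGINE_INFO]
    known.sort(key=lambda kv: ENGINE_INFO[kv[0]]["credibility"], reverse=True)
    return known[:top_n]


def determine_family(results, top_n=3):
    """Return the family name supported by the target results, resolving
    disagreement by a credibility-weighted vote (an added design choice).
    None when no target result parses into a family."""
    votes = Counter()
    for engine, raw in select_target_results(results, top_n):
        family = normalize_family(engine, raw)
        if family:
            votes[family] += ENGINE_INFO[engine]["credibility"]
    return votes.most_common(1)[0][0] if votes else None


if __name__ == "__main__":
    print(select_target_results(MULTI_ENGINE_RESULT))
    print(determine_family(MULTI_ENGINE_RESULT))
```

With the constructed inputs the low-credibility engines that report a generic "Agent" label are outvoted by the two trusted engines that agree on the same family; lowering `top_n` to 1 simply trusts the single most credible engine, which is the degenerate form of the screening step.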
In the second embodiment, the step S30 includes:
step S301: and searching the network behavior characteristics corresponding to the family name information.
It should be noted that virus families of different families have different network behavior characteristics. Therefore, in this embodiment, the network behavior characteristics corresponding to the family name information need to be searched.
It should be understood that the step of searching for the network behavior characteristic corresponding to the family name information may be to search a preset feature table for the network behavior characteristic corresponding to the family name information. The preset feature table comprises the correspondence between family name information and network behavior features, and this correspondence can be preset.
step S302: and matching the network behavior information with the network behavior characteristics, and selecting suspicious IOCs from the malicious samples to be processed according to behavior matching results.
It can be understood that, if the network behavior information corresponding to the malicious sample to be processed is successfully matched with the network behavior feature corresponding to the family name information, it is indicated that the malicious sample to be processed belongs to the virus family corresponding to the family name information, and the malicious sample to be processed can be determined as a suspicious IOC.
It should be understood that the selection of the suspicious IOC from the malicious samples to be processed according to the behavior matching result may be to take the malicious sample to be processed whose behavior matching result is successful as the suspicious IOC.
In a second embodiment, the method discloses searching network behavior characteristics corresponding to family name information, matching the network behavior information with the network behavior characteristics, and selecting suspicious IOCs from malicious samples to be processed according to a behavior matching result; in the embodiment, the suspicious IOC is selected by matching the network behavior characteristics of the virus family with the network behavior information corresponding to the malicious sample to be processed, so that the selection step of the suspicious IOC can be simplified, and the generation speed of threat information is increased.
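Steps S301 and S302 look up the family's network behavior characteristics in a preset feature table, match them against the sample's network behavior information, and select the suspicious IOCs when the match succeeds. The Python below is an added example, not the patent's code. The feature table, its regex-based characteristics, the `min_hits` threshold and the network behavior input (documentation-only names and addresses, in the shape the sandbox-log extraction step produces) are all constructed assumptions; treating matched ports as evidence but returning only domains, IPs and URLs as IOCs is an added choice.

```python
import re

# Assumed preset feature table (constructed): family name -> network behavior
# characteristics, each a (indicator kind, regex) pair; kind is one of
# "domain", "ip", "url", "port".
FEATURE_TABLE = {
    "emotet": [
        ("url", r"/gate\.php$"),
        ("port", r"^(?:443|8080)$"),
    ],
    "dga_family": [
        ("domain", r"^[a-z0-9]{8,}\.[a-z]+\.[a-z]+$"),
    ],
}

# Constructed network behavior information for one sample.
NETWORK_BEHAVIOR = {
    "domains": ["update-cdn.example.net", "xk3jd9q1m.example.org"],
    "ips": ["198.51.100.7", "203.0.113.10"],
    "urls": ["http://update-cdn.example.net/gate.php"],
    "ports": [443, 8080],
}


def lookup_features(family):
    """Step S301: search the preset feature table for the family's characteristics."""
    return FEATURE_TABLE.get(family.lower(), [])


def match_behavior(behavior, family):
    """Compare the sample's network behavior information against the family's
    characteristics; one (kind, value, pattern) tuple per matched indicator."""
    hits = []
    for kind, pattern in lookup_features(family):
        regex = re.compile(pattern)
        for value in behavior.get(kind + "s", []):
            if regex.search(str(value)):
                hits.append((kind, str(value), pattern))
    return hits


def select_suspicious_iocs(behavior, family, min_hits=1):
    """Step S302: when the behavior matching result is successful (at least
    min_hits characteristics matched) the sample is treated as belonging to the
    family and its remote endpoints (domains, IPs, URLs) are returned as the
    suspicious IOCs for the next step. Matched ports are evidence, not IOCs."""
    hits = match_behavior(behavior, family)
    matched = len(hits) >= min_hits
    iocs = []
    if matched:
        iocs = sorted(set(behavior.get("domains", []))
                      | set(behavior.get("ips", []))
                      | set(behavior.get("urls", [])))
    return {"family": family, "matched": matched, "hits": hits, "suspicious_iocs": iocs}


if __name__ == "__main__":
    print(select_suspicious_iocs(NETWORK_BEHAVIOR, "emotet"))
    print(select_suspicious_iocs(NETWORK_BEHAVIOR, "unknown_family"))
```

An unknown family has no entry in the table, so the match fails and nothing is promoted to a suspicious IOC; the `hits` list is kept in the result so that a reviewer can see which characteristic justified the selection.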
In the second embodiment, the step S40 includes:
step S401: and obtaining IOC information and basic information of the suspicious IOC.
It should be noted that the IOC information may be open source information about the IOC, whether it hits a benign (non-malicious) whitelist, whether it hits DGA data, whether it hits black/gray-industry (cybercrime) data, and the like.
The basic information may be information such as a file path, a file name, whether a file has an interface, and a development language.
It should be understood that obtaining the IOC information and basic information of the suspicious IOC may be: obtaining the open-source information and basic information of the suspicious IOC, judging whether the suspicious IOC is a threatening domain name to obtain a domain name judgment result, and generating the IOC information of the suspicious IOC from the open-source information and the domain name judgment result.
It can be understood that judging whether the suspicious IOC is a threatening domain name may be: checking whether the suspicious IOC hits the non-missing whitelist, whether it hits DGA data and whether it hits black/gray-market data, and judging the suspicious IOC to be a threatening domain name when it does not hit the non-missing whitelist, does hit the DGA data, and does not hit the black/gray-market data.
Step S402: and generating threat intelligence of the malicious sample to be processed according to the IOC information and the basic information.
It should be appreciated that generating threat intelligence for the malicious sample to be processed from the IOC information and the base information may be taking the IOC information and the base information as threat intelligence for the malicious sample to be processed.
Further, in order to detect the threat level of the suspicious IOC in the threat intelligence, the step S402 includes:
generating a threat score of the suspicious IOC according to the IOC information and the basic information;
and generating threat intelligence of the malicious sample to be processed according to the threat score.
It should be understood that the threat score of the suspicious IOC may be generated from the IOC information and the basic information through preset scoring rules, which may be configured in advance.
For ease of understanding, the description is made with reference to table 1, but this scheme is not limited thereto. Table 1 shows the preset scoring rules.
TABLE 1 Preset Scoring rules
[Table 1 (preset scoring rules) is reproduced only as an image in the original and is not available in text form.]
In a specific implementation, for example, six dimension scores are averaged; an average greater than 80 is judged black (malicious), an average less than 60 is judged white (benign), and an average from 60 to 80 is sent for manual review.
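The domain name judgment of step S401 and the scoring and thresholds of step S402, as one added Python example (not the patent's code). It also goes slightly beyond the worked figure by refusing to score when a dimension is missing rather than silently averaging fewer values. WHITELIST, DGA_DATA and BLACK_GRAY_DATA are constructed reference sets; because Table 1 is not available in the text, the six dimension names and the per-dimension rules in dimension_scores are assumptions of this example. Only the domain rule and the 80/60 thresholds come from the description.

```python
from statistics import mean
from typing import Dict

# Constructed reference sets standing in for the whitelist, DGA and
# black/gray-market data feeds the description refers to (hypothetical values).
WHITELIST = {"update.microsoft.com", "example.com"}
DGA_DATA = {"xk3j9q2lmz8v.net", "qwe7rt6yu5io.info"}
BLACK_GRAY_DATA = {"qwe7rt6yu5io.info"}

# Six scoring dimensions, since the worked figure averages six scores; Table 1 is
# not reproduced in the text, so these names and the rules below are assumptions.
SCORE_DIMENSIONS = ("open_source", "whitelist", "dga", "black_gray", "file_path", "language")


def _norm(domain: str) -> str:
    return domain.strip().lower().rstrip(".")


def is_threat_domain(domain: str) -> bool:
    """Domain judgment rule as the description states it: no whitelist hit,
    a DGA hit, and no black/gray-market hit."""
    d = _norm(domain)
    return d not in WHITELIST and d in DGA_DATA and d not in BLACK_GRAY_DATA


def build_ioc_info(domain: str, open_source_info: Dict[str, object]) -> Dict[str, object]:
    """IOC information = open-source information + the three lookups + domain judgment."""
    d = _norm(domain)
    return {
        "ioc": d,
        "open_source": open_source_info,
        "whitelist_hit": d in WHITELIST,
        "dga_hit": d in DGA_DATA,
        "black_gray_hit": d in BLACK_GRAY_DATA,
        "threat_domain": is_threat_domain(d),
    }


def dimension_scores(ioc_info: Dict[str, object], basic_info: Dict[str, str]) -> Dict[str, int]:
    """Hypothetical per-dimension scores on a 0-100 scale (not the patent's Table 1)."""
    path = basic_info.get("file_path", "").lower()
    return {
        "open_source": 100 if ioc_info["open_source"].get("reported_malicious") else 20,
        "whitelist": 0 if ioc_info["whitelist_hit"] else 80,
        "dga": 100 if ioc_info["dga_hit"] else 30,
        "black_gray": 100 if ioc_info["black_gray_hit"] else 40,
        # samples dropped into user/temp directories score higher than system paths
        "file_path": 90 if path.startswith(("c:\\users\\", "/tmp/")) else 40,
        "language": 70 if basic_info.get("language") in ("VBS", "AutoIt") else 50,
    }


def threat_score(scores: Dict[str, int]) -> float:
    """Average of the six dimension scores; refuse to score if a dimension is missing."""
    missing = set(SCORE_DIMENSIONS) - set(scores)
    if missing:
        raise ValueError(f"missing score dimensions: {sorted(missing)}")
    return mean(scores[k] for k in SCORE_DIMENSIONS)


def verdict(score: float) -> str:
    """Thresholds from the text: >80 black, <60 white, 60 to 80 inclusive manual review."""
    if score > 80:
        return "black"
    if score < 60:
        return "white"
    return "manual_review"


def generate_threat_intelligence(domain: str, open_source_info: Dict[str, object],
                                 basic_info: Dict[str, str]) -> Dict[str, object]:
    """Threat intelligence record for one suspicious IOC: IOC info, basic info, score, verdict."""
    ioc_info = build_ioc_info(domain, open_source_info)
    score = threat_score(dimension_scores(ioc_info, basic_info))
    return {"ioc_info": ioc_info, "basic_info": basic_info, "score": score, "verdict": verdict(score)}
```

Note that the boundary values 60 and 80 land in the manual-review band, matching the text's "greater than 80" and "less than 60"; a pipeline that used `>=` on either side would silently change how many IOCs reach an analyst.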
In the second embodiment, the IOC information and basic information of the suspicious IOC are obtained, and threat intelligence of the malicious sample to be processed is generated from the IOC information and the basic information; because basic information is used in addition to the IOC information, the reliability of the threat intelligence is improved.
Referring to fig. 4, fig. 4 is a flowchart illustrating a third embodiment of the threat intelligence generation method according to the present invention, and the third embodiment of the threat intelligence generation method according to the present invention is proposed based on the second embodiment shown in fig. 3.
In the third embodiment, before the step S10, the method further includes:
step S01: and acquiring a newly added malicious sample.
It should be noted that the newly added malicious sample may be identified by the hash of a malicious sample newly added that day.
It should be understood that the newly added malicious sample may be uploaded in advance by a manager of the threat intelligence generation apparatus, or may be automatically obtained from the internet by the threat intelligence generation apparatus, which is not limited in this embodiment.
Step S02: and screening the newly added malicious sample to obtain a to-be-processed malicious sample.
It can be understood that screening the newly added malicious sample to obtain the malicious sample to be processed may be screening the newly added malicious sample according to a preset rule, which may be configured in advance; for example, the rule may delete duplicate samples, delete incomplete samples, and the like.
Further, in order to filter out a malicious sample suitable for generating IOC information, the step S02 includes:
obtaining a sample format of the newly added malicious sample;
and matching the sample format with a preset format, and screening the newly increased malicious sample according to a format matching result to obtain a to-be-processed malicious sample.
The sample format may be PE file format, OFFICE file format, PDF file, ELF file format, JS file format, and the like.
The preset format may be a sample format suitable for yielding IOC information, and may be configured in advance.
It should be understood that, in order to filter out the malicious samples suitable for generating IOC information, screening the newly added malicious samples according to the format matching result may be taking the newly added malicious samples whose format matching result is a successful match as the malicious samples to be processed.
Further, in order to accurately obtain a sample format of a newly added malicious sample, the obtaining of the sample format of the newly added malicious sample includes:
acquiring the file header name of the newly added malicious sample;
and determining the sample format of the newly added malicious sample according to the file header name.
It should be understood that obtaining the file header name of the newly added malicious sample may be reading the newly added malicious sample as a binary file and obtaining the file header name (the leading magic bytes) of that binary file.
It can be understood that the determination of the sample format of the newly added malicious sample according to the file header name may be to search a sample format corresponding to the file header name in a preset format table, and use the sample format corresponding to the file header name as the sample format of the newly added malicious sample. The preset format table includes a corresponding relationship between the file header name and the sample format, and the corresponding relationship between the file header name and the sample format may be preset.
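The screening of steps S01 and S02 together with the file-header based format determination, as an added Python example (not the patent's code). The preset format table is built from the well-known magic bytes of the formats the text lists; the JavaScript token sniff, the treatment of a cut-off PE header as an incomplete sample, and the NEW_SAMPLES batch are assumptions of this example. It goes a step beyond the text in two places a practitioner would want: "MZ" alone is not taken as PE unless the PE signature at e_lfanew is present, and a "PK" header is only taken as OFFICE when the archive carries the OOXML content-types part, since JAR, APK and plain ZIP files share that header.

```python
import hashlib
import io
import struct
import zipfile
from typing import Dict, Optional

# Preset formats suitable for yielding IOC information (the formats the text lists).
PRESET_FORMATS = {"PE", "OFFICE", "PDF", "ELF", "JS"}

# Preset format table: file header name (magic bytes) -> sample format. The
# original page does not reproduce its table; these are the well-known signatures.
MAGIC_TABLE = (
    (b"\x7fELF", "ELF"),
    (b"%PDF-", "PDF"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OFFICE"),  # OLE2 compound file (.doc/.xls/.ppt)
)

# JavaScript has no header; token sniffing is an assumption of this example.
JS_TOKENS = (b"function", b"var ", b"eval(", b"document.", b"unescape(")


def pe_check(data: bytes) -> Optional[bool]:
    """True for a PE file, False for non-PE, None if the header is cut off (incomplete sample).
    'MZ' alone also matches plain DOS executables, so the PE signature at e_lfanew is required."""
    if not data.startswith(b"MZ"):
        return False
    if len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return None
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_ooxml(data: bytes) -> bool:
    """A 'PK' header also matches JAR/APK/plain ZIP; OOXML is recognised by its content-types part."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def sample_format(data: bytes) -> Optional[str]:
    """Sample format from the file header name; None when unknown or incomplete."""
    pe = pe_check(data)
    if pe is None:
        return None
    if pe:
        return "PE"
    for magic, fmt in MAGIC_TABLE:
        if data.startswith(magic):
            return fmt
    if is_ooxml(data):
        return "OFFICE"
    if b"\x00" not in data and any(tok in data for tok in JS_TOKENS):
        try:
            data.decode("utf-8")
            return "JS"
        except UnicodeDecodeError:
            return None
    return None


def screen_samples(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Newly added samples -> samples to be processed, keyed by SHA-256.
    Duplicates (same hash), incomplete samples and unsupported formats are dropped."""
    selected: Dict[str, str] = {}
    for data in samples.values():
        digest = hashlib.sha256(data).hexdigest()
        if digest in selected:
            continue
        fmt = sample_format(data)
        if fmt in PRESET_FORMATS:
            selected[digest] = fmt
    return selected


def _pe_stub() -> bytes:
    """Constructed minimal PE header: MZ, e_lfanew at 0x3C pointing at the PE signature."""
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


def _zip_stub(member: str) -> bytes:
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr(member, "<x/>")
    return out.getvalue()


# Constructed daily batch of newly added samples (hypothetical content).
NEW_SAMPLES = {
    "a.exe": _pe_stub(),
    "a_copy.exe": _pe_stub(),                       # duplicate of a.exe
    "trunc.exe": b"MZ\x90\x00",                     # incomplete: header cut off
    "doc.docx": _zip_stub("[Content_Types].xml"),
    "lib.jar": _zip_stub("META-INF/MANIFEST.MF"),   # ZIP container, but not OFFICE
    "x.elf": b"\x7fELF" + b"\x00" * 12,
    "r.pdf": b"%PDF-1.7\n",
    "d.js": b"var s = unescape('%u9090'); eval(s);",
    "n.txt": b"hello world",
}
```

`screen_samples(NEW_SAMPLES)` keeps one PE, the OOXML document, the ELF, the PDF and the script, and drops the duplicate, the truncated header, the JAR and the text file. Extension-based screening would have kept `lib.jar` under a renamed `.docx` and missed a PE renamed to `.txt`; reading the header name avoids both.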
In the third embodiment, the method comprises the steps of obtaining a newly increased malicious sample, screening the newly increased malicious sample, and obtaining a malicious sample to be processed; because the malicious sample to be processed is selected from the newly added malicious samples, the timeliness and the representativeness of the malicious sample to be processed can be ensured.
In addition, an embodiment of the present invention further provides a storage medium, where a threat intelligence generation program is stored, and when the threat intelligence generation program is executed by a processor, the threat intelligence generation method as described above is implemented.
In addition, referring to fig. 5, an embodiment of the present invention further provides a threat intelligence generation apparatus, comprising: a network behavior detection module 10, a family name query module 20, a suspicious IOC selection module 30 and a threat intelligence generation module 40;
the network behavior detection module 10 is configured to perform network behavior detection on a malicious sample to be processed in a preset sandbox, and obtain network behavior information corresponding to the malicious sample to be processed.
It should be noted that the configuration of the running environment of the preset sandbox is the same as that of the running environment of the user terminal. Therefore, the behavior of the malicious sample at the user terminal can be determined by simulating the running of the malicious sample at the user terminal in the preset sandbox.
It can be understood that after the malicious sample to be processed is delivered to the preset sandbox, the malicious sample to be processed can be operated in the preset sandbox to perform network behavior detection on the malicious sample to be processed, so as to obtain network behavior information corresponding to the malicious sample to be processed.
The family name query module 20 is configured to perform multidimensional engine query on the malicious sample to be processed, so as to obtain family name information corresponding to the malicious sample to be processed.
It should be noted that the multidimensional engine query may be a query performed by a plurality of query engines.
Family name information may be the name of a family of computer viruses used to distinguish and identify the family of viruses.
It should be understood that performing the multi-dimensional engine query on the malicious sample to be processed to obtain its family name information may be querying the malicious sample to be processed through a plurality of query engines and determining the family name information from their results.
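Screening the multi-engine query result by engine information and determining the family name from the target query results, as an added Python example (not the patent's code). MULTI_ENGINE_RESULT, ENGINE_INFO, the GENERIC_TOKENS list and the label tokenization in family_token are constructed assumptions; the rule that a family must win more than half of the trusted weight before it is reported is likewise this example's choice.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed multi-engine query result for one sample hash (hypothetical labels);
# None means the engine did not detect the sample.
MULTI_ENGINE_RESULT = {
    "EngineA": "Trojan.Win32.FamilyX.gen",
    "EngineB": "Trojan:Win32/FamilyX.A!ml",
    "EngineC": "Malicious (score:85)",  # heuristic verdict carrying no family name
    "EngineD": "W32/FamilyY.worm",
    "EngineE": None,
}

# Engine information used to screen the results: whether an engine's labels
# name families at all and how much its naming is trusted (hypothetical values).
ENGINE_INFO = {
    "EngineA": {"names_families": True, "weight": 1.0},
    "EngineB": {"names_families": True, "weight": 1.0},
    "EngineC": {"names_families": False, "weight": 0.2},
    "EngineD": {"names_families": True, "weight": 0.5},
    "EngineE": {"names_families": True, "weight": 0.8},
}

# Platform, type and suffix words that vendors put around the family token.
GENERIC_TOKENS = {
    "trojan", "worm", "virus", "backdoor", "downloader", "dropper", "agent", "generic",
    "gen", "heur", "malicious", "malware", "variant", "win32", "win64", "w32", "msil", "ml",
}


def family_token(label: str) -> Optional[str]:
    """Pull the family token out of a vendor label (heuristic, not the patent's rule)."""
    for tok in re.split(r"[.:/!\-_ ()\[\]]+", label):
        t = tok.lower()
        if len(t) > 2 and t not in GENERIC_TOKENS and not t.isdigit():
            return t
    return None


def screen_results(results: Dict[str, Optional[str]],
                   engine_info: Dict[str, dict]) -> Dict[str, str]:
    """Target query results: keep only detections from engines known to name families."""
    kept: Dict[str, str] = {}
    for engine, label in results.items():
        info = engine_info.get(engine)
        if label and info and info["names_families"] and info["weight"] > 0:
            kept[engine] = label
    return kept


def determine_family(results: Dict[str, Optional[str]], engine_info: Dict[str, dict],
                     min_share: float = 0.5) -> Optional[str]:
    """Weighted vote over the screened labels; None unless one family holds a clear majority."""
    votes: Counter = Counter()
    total = 0.0
    for engine, label in screen_results(results, engine_info).items():
        fam = family_token(label)
        if fam is None:
            continue
        weight = engine_info[engine]["weight"]
        votes[fam] += weight
        total += weight
    if not votes:
        return None
    fam, weight = votes.most_common(1)[0]
    return fam if weight / total > min_share else None
```

With the constructed input, EngineC's heuristic verdict is screened out before voting, so its "score" token can never be mistaken for a family name, and FamilyX wins 2.0 of 2.5 trusted weight; an even split between two families returns None so the sample falls through to the behavior-based selection rather than being tagged with an arbitrary family.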
The suspicious IOC selection module 30 is configured to select a suspicious IOC from the malicious sample to be processed according to the network behavior information and the family name information.
An Indicator of Compromise (IOC) here is information about the remote command-and-control (C2) servers an attacker uses to control victim hosts. The IOCs in such intelligence usually take the form of domain names, IP addresses and URLs (sometimes also SSL certificates, hashes, and so on), and can be pushed to security devices such as an NGFW, IPS or SIEM for detection and discovery, or even real-time blocking. Such intelligence typically also provides richer context, such as hazard level, attack group and malicious family, to help determine event priority and guide subsequent security response activities. Using such intelligence is the simplest, most timely and effective way to discover that an organization has been compromised by APT actors, trojans or worms.
It can be understood that the selecting of the suspicious IOC from the to-be-processed malicious sample according to the network behavior information and the family name information may be analyzing the to-be-processed malicious sample according to the network behavior information and the family name information, and selecting the suspicious IOC from the to-be-processed malicious sample according to an analysis result.
And the threat intelligence generation module 40 is configured to obtain IOC information of the suspicious IOC, and generate threat intelligence of the malicious sample to be processed according to the IOC information.
It should be noted that the IOC information may include open-source information about the IOC, whether it hits the non-missing whitelist, whether it hits DGA data, whether it hits black/gray-market (underground industry) data, and the like.
It should be appreciated that generating threat intelligence for the malicious sample to be processed from the IOC information may be taking the IOC information as threat intelligence for the malicious sample to be processed.
In the embodiment, the method includes the steps of performing network behavior detection on a malicious sample to be processed in a preset sandbox to obtain network behavior information corresponding to the malicious sample to be processed, performing multi-dimensional engine query on the malicious sample to be processed to obtain family name information corresponding to the malicious sample to be processed, selecting suspicious IOC from the malicious sample to be processed according to the network behavior information and the family name information to obtain IOC information of the suspicious IOC, and generating threat information of the malicious sample to be processed according to the IOC information; because the suspicious IOC is determined based on network behavior detection and multidimensional engine query, and the threat intelligence is generated according to the IOC information of the suspicious IOC, the threat intelligence generation speed can be increased, and the accuracy and reliability of the threat intelligence are ensured.
Other embodiments or specific implementation manners of the threat intelligence generation apparatus according to the present invention may refer to the above method embodiments, and are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. do not denote any order, but rather the words first, second, third, etc. are to be interpreted as names.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases the former is the better implementation. Based on such understanding, the technical solution of the present invention, or the portion of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk) and including several instructions for enabling a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device, or the like) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
The invention discloses A1, a threat intelligence generation method, wherein the threat intelligence generation method comprises the following steps:
performing network behavior detection on a malicious sample to be processed in a preset sandbox to obtain network behavior information corresponding to the malicious sample to be processed;
performing multi-dimensional engine query on the malicious sample to be processed to obtain family name information corresponding to the malicious sample to be processed;
selecting suspicious IOCs from the malicious samples to be processed according to the network behavior information and the family name information;
and obtaining IOC information of the suspicious IOC, and generating threat intelligence of the malicious sample to be processed according to the IOC information.
A2, the method for generating threat intelligence according to A1, wherein the step of obtaining IOC information of the suspicious IOC and generating threat intelligence of the malicious sample to be processed according to the IOC information includes:
obtaining IOC information and basic information of the suspicious IOC;
and generating threat intelligence of the malicious sample to be processed according to the IOC information and the basic information.
A3, the threat intelligence generation method according to A2, wherein the step of obtaining IOC information and basic information of the suspicious IOC includes:
acquiring open source information and basic information of the suspicious IOC;
judging whether the suspicious IOC is a threat domain name or not, and obtaining a domain name judgment result;
and generating the IOC information of the suspicious IOC according to the open source information and the domain name judgment result.
A4, the method for generating threat intelligence according to A3, wherein the step of generating threat intelligence of the malicious sample to be processed according to the IOC information and the basic information includes:
generating a threat score of the suspicious IOC according to the IOC information and the basic information;
and generating threat intelligence of the malicious sample to be processed according to the threat score.
A5, the threat intelligence generation method according to A1, wherein the step of performing network behavior detection on the malicious sample to be processed in the preset sandbox to obtain the network behavior information corresponding to the malicious sample to be processed includes:
running the malicious sample to be processed in a preset sandbox to obtain a sandbox log;
and extracting information of the sandbox log to obtain network behavior information corresponding to the malicious sample to be processed.
A6, the threat intelligence generation method according to A1, wherein the step of performing multidimensional engine query on the malicious sample to be processed to obtain the family name information corresponding to the malicious sample to be processed includes:
performing multi-dimensional engine query on the malicious sample to be processed to obtain a multi-engine query result;
obtaining engine information of each query engine, and determining family name information corresponding to the malicious sample to be processed according to the engine information and the multi-engine query result.
A7, the threat intelligence generation method according to A6, wherein the step of obtaining engine information of each query engine and determining family name information corresponding to the malicious sample to be processed according to the engine information and the multi-engine query result includes:
obtaining engine information of each query engine, and screening the multi-engine query results according to the engine information to obtain target query results;
and determining family name information corresponding to the malicious sample to be processed according to the target query result.
A8, the method for generating threat intelligence according to any one of A1 to A7, wherein the step of selecting suspicious IOCs from the malicious sample to be processed according to the network behavior information and the family name information includes:
searching network behavior characteristics corresponding to the family name information;
and matching the network behavior information with the network behavior characteristics, and selecting suspicious IOCs from the malicious samples to be processed according to the behavior matching result.
A9, the method for generating threat intelligence according to any one of A1 to A7, wherein before the step of detecting network behavior of the malicious sample to be processed in the preset sandbox and obtaining the sandbox log, the method further comprises:
acquiring a newly added malicious sample;
and screening the newly added malicious sample to obtain a to-be-processed malicious sample.
A10, the threat intelligence generation method according to A9, wherein the step of screening the newly added malicious sample to obtain the malicious sample to be processed includes:
obtaining a sample format of the newly added malicious sample;
and matching the sample format with a preset format, and screening the newly increased malicious sample according to a format matching result to obtain a to-be-processed malicious sample.
A11, the threat intelligence generation method according to A10, wherein the step of obtaining the sample format of the newly added malicious sample includes:
acquiring the file header name of the newly added malicious sample;
and determining the sample format of the newly added malicious sample according to the file header name.
The invention also discloses B12, a threat intelligence generation device, wherein the threat intelligence generation device comprises: a memory, a processor, and a threat intelligence generation program stored on the memory and executable on the processor, the threat intelligence generation program, when executed by the processor, implementing the threat intelligence generation method as described above.
The invention also discloses C13, a storage medium, on which a threat intelligence generation program is stored, the threat intelligence generation program, when executed by a processor, implementing the threat intelligence generation method as described above.
The invention also discloses D14, a threat intelligence generation apparatus, wherein the threat intelligence generation apparatus comprises: a network behavior detection module, a family name query module, a suspicious IOC selection module and a threat intelligence generation module;
the network behavior detection module is used for detecting network behaviors of a malicious sample to be processed in a preset sandbox to obtain network behavior information corresponding to the malicious sample to be processed;
the family name query module is used for carrying out multi-dimensional engine query on the malicious sample to be processed to obtain family name information corresponding to the malicious sample to be processed;
the suspicious IOC selection module is used for selecting suspicious IOCs from the malicious samples to be processed according to the network behavior information and the family name information;
and the threat intelligence generation module is used for acquiring IOC information of the suspicious IOC and generating threat intelligence of the malicious sample to be processed according to the IOC information.
D15, the threat intelligence generation apparatus as described in D14, the threat intelligence generation module being further configured to obtain IOC information and basic information of the suspicious IOC;
and the threat intelligence generation module is also used for generating threat intelligence of the malicious sample to be processed according to the IOC information and the basic information.
D16, the threat intelligence generation apparatus as described in D15, the threat intelligence generation module being further configured to obtain open source information and basic information of the suspicious IOC;
the threat intelligence generation module is further configured to judge whether the suspicious IOC is a threatening domain name and obtain a domain name judgment result;
and the threat intelligence generation module is further used for generating IOC information of the suspicious IOC according to the open source information and the domain name judgment result.
D17, the threat intelligence generation apparatus according to D16, the threat intelligence generation module being further configured to generate a threat score of the suspicious IOC according to the IOC information and the basic information;
and the threat intelligence generation module is also used for generating threat intelligence of the malicious sample to be processed according to the threat score.
D18, the threat intelligence generation apparatus according to D14, wherein the network behavior detection module is further configured to run the malicious sample to be processed in a preset sandbox to obtain a sandbox log;
the network behavior detection module is further configured to extract information from the sandbox log to obtain network behavior information corresponding to the malicious sample to be processed.
D19, the threat intelligence generation apparatus according to D14, wherein the family name query module is further configured to perform multi-dimensional engine query on the malicious sample to be processed to obtain a multi-engine query result;
the family name query module is further used for acquiring engine information of each query engine and determining family name information corresponding to the malicious sample to be processed according to the engine information and the multi-engine query result.
D20, the threat intelligence generation apparatus as described in D19, the family name query module further configured to obtain engine information of each query engine, and screen the multi-engine query results according to the engine information to obtain target query results;
and the family name query module is also used for determining the family name information corresponding to the malicious sample to be processed according to the target query result.

Claims (10)

1. A threat intelligence generation method, characterized by comprising the steps of:
performing network behavior detection on a malicious sample to be processed in a preset sandbox to obtain network behavior information corresponding to the malicious sample to be processed;
performing multi-dimensional engine query on the malicious sample to be processed to obtain family name information corresponding to the malicious sample to be processed;
selecting suspicious IOCs from the malicious samples to be processed according to the network behavior information and the family name information;
and obtaining IOC information of the suspicious IOC, and generating threat intelligence of the malicious sample to be processed according to the IOC information.
2. The method of threat intelligence generation of claim 1, wherein the step of obtaining IOC information for the suspect IOC and generating threat intelligence for the malicious sample to be processed based on the IOC information comprises:
obtaining IOC information and basic information of the suspicious IOC;
and generating threat intelligence of the malicious sample to be processed according to the IOC information and the basic information.
3. The threat intelligence generation method of claim 2, wherein the step of obtaining IOC information and base information for the suspect IOC comprises:
acquiring open source information and basic information of the suspicious IOC;
judging whether the suspicious IOC is a threat domain name or not, and obtaining a domain name judgment result;
and generating the IOC information of the suspicious IOC according to the open source information and the domain name judgment result.
4. The method of threat intelligence generation of claim 3, wherein the step of generating threat intelligence for the malicious sample to be processed from the IOC information and the base information comprises:
generating a threat score of the suspicious IOC according to the IOC information and the basic information;
and generating threat intelligence of the malicious sample to be processed according to the threat score.
5. The method for generating threat intelligence according to claim 1, wherein the step of performing network behavior detection on the malicious sample to be processed in a preset sandbox to obtain the network behavior information corresponding to the malicious sample to be processed comprises:
running the malicious sample to be processed in a preset sandbox to obtain a sandbox log;
and extracting information of the sandbox log to obtain network behavior information corresponding to the malicious sample to be processed.
6. The method for generating threat intelligence according to claim 1, wherein the step of performing multidimensional engine query on the malicious sample to be processed to obtain family name information corresponding to the malicious sample to be processed comprises:
performing multi-dimensional engine query on the malicious sample to be processed to obtain a multi-engine query result;
obtaining engine information of each query engine, and determining family name information corresponding to the malicious sample to be processed according to the engine information and the multi-engine query result.
7. The method of generating threat intelligence of claim 6, wherein the step of obtaining engine information for each query engine and determining family name information corresponding to a malicious sample to be processed according to the engine information and the multi-engine query result comprises:
obtaining engine information of each query engine, and screening the multi-engine query results according to the engine information to obtain target query results;
and determining family name information corresponding to the malicious sample to be processed according to the target query result.
8. A threat intelligence generation apparatus, characterized in that the threat intelligence generation apparatus comprises: a memory, a processor, and a threat intelligence generation program stored on the memory and executable on the processor, the threat intelligence generation program when executed by the processor implementing the threat intelligence generation method of any of claims 1-7.
9. A storage medium having stored thereon a threat intelligence generation program which, when executed by a processor, implements the threat intelligence generation method according to any one of claims 1 to 7.
10. A threat intelligence generation apparatus, characterized in that the threat intelligence generation apparatus comprises: a network behavior detection module, a family name query module, a suspicious IOC selection module and a threat intelligence generation module;
the network behavior detection module is used for detecting network behaviors of a malicious sample to be processed in a preset sandbox to obtain network behavior information corresponding to the malicious sample to be processed;
the family name query module is used for carrying out multi-dimensional engine query on the malicious sample to be processed to obtain family name information corresponding to the malicious sample to be processed;
the suspicious IOC selection module is used for selecting suspicious IOCs from the malicious samples to be processed according to the network behavior information and the family name information;
and the threat intelligence generation module is used for acquiring IOC information of the suspicious IOC and generating threat intelligence of the malicious sample to be processed according to the IOC information.
CN202110945660.7A 2021-08-17 2021-08-17 Threat information generation method, equipment, storage medium and device Pending CN115714654A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110945660.7A CN115714654A (en) 2021-08-17 2021-08-17 Threat information generation method, equipment, storage medium and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110945660.7A CN115714654A (en) 2021-08-17 2021-08-17 Threat information generation method, equipment, storage medium and device

Publications (1)

Publication Number Publication Date
CN115714654A true CN115714654A (en) 2023-02-24

Family

ID=85229859

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110945660.7A Pending CN115714654A (en) 2021-08-17 2021-08-17 Threat information generation method, equipment, storage medium and device

Country Status (1)

Country Link
CN (1) CN115714654A (en)

Similar Documents

Publication Publication Date Title
US10218740B1 (en) Fuzzy hash of behavioral results
US8701192B1 (en) Behavior based signatures
EP2916256A1 (en) Systems and methods for behavior-based automated malware analysis and classification
CN107368856B (en) Malicious software clustering method and device, computer device and readable storage medium
EP3211558B1 (en) Multi-threat analyzer array system and method of use
CN107247902B (en) Malicious software classification system and method
CN110691080B (en) Automatic tracing method, device, equipment and medium
CN106992981B (en) Website backdoor detection method and device and computing equipment
CN107888606B (en) Domain name credit assessment method and system
US11270001B2 (en) Classification apparatus, classification method, and classification program
CN110149318B (en) Mail metadata processing method and device, storage medium and electronic device
CN112632529A (en) Vulnerability identification method, device, storage medium and device
CN111914257A (en) Document detection method, device, equipment and computer storage medium
CN108182360B (en) Risk identification method and equipment, storage medium and electronic equipment thereof
CN110704841A (en) Convolutional neural network-based large-scale android malicious application detection system and method
Thiyagarajan et al. Improved real‐time permission based malware detection and clustering approach using model independent pruning
Alshamrani Design and analysis of machine learning based technique for malware identification and classification of portable document format files
CN108229168B (en) Heuristic detection method, system and storage medium for nested files
CN114697066A (en) Network threat detection method and device
US11556819B2 (en) Collection apparatus, collection method, and collection program
EP4202741A1 (en) System and method of synthesizing potential malware for predicting a cyberattack
CN115714654A (en) Threat information generation method, equipment, storage medium and device
CN113361597B (en) Training method and device for URL detection model, electronic equipment and storage medium
CN115643044A (en) Data processing method, device, server and storage medium
EP3361405A1 (en) Enhancement of intrusion detection systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination