CN116032602A - Method, device, equipment and storage medium for automatically identifying threat data - Google Patents


Info

Publication number
CN116032602A
Authority
CN
China
Prior art keywords
threat
data
identified
access request
visitor
Legal status
Pending
Application number
CN202211693891.4A
Other languages
Chinese (zh)
Inventor
张东旭
孙洪伟
肖新光
Current Assignee
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention provides a method, a device, equipment and a storage medium for automatically identifying threat data, wherein the method comprises the following steps: acquiring an access request to be identified, the access request to be identified comprising a visitor identification and request data; identifying the request data through an online model to obtain an online identification result; and processing the online identification result through an offline model to determine whether the access request to be identified comprises threat data. The method and the system determine whether the access request to be identified carries threat data by establishing an offline model and an online model. The offline model collects the historical threat information of the visitor and generates a training model based on a Bayesian network, so as to assign probabilities to the attack correlation between the real-time threat information and the visitor. The online model delivers the observed network behavior data of the visitor to the offline model, and the offline model analyzes the visitor, so that the high-probability threat data in the attack process can be automatically and rapidly identified.

Description

Method, device, equipment and storage medium for automatically identifying threat data
Technical Field
The present invention relates to the field of network security, and in particular, to a method, apparatus, device, and storage medium for automatically identifying threat data.
Background
In the field of network security, as defenders adopt new defense and detection means, network visitors can quickly modify their attack technologies and methods according to the new defense means to evade detection and carry out attacks. Defenders, faced with rapidly changing and novel attack means, can fall into a passive, reactive defense. The traditional threat-indicator approach (such as detecting known virus file signatures or matching threat intelligence indicators such as IP addresses) has difficulty finding the latest attack behavior of a visitor, and the traditional defense means are becoming less and less effective.
Disclosure of Invention
In view of this, the invention provides a method, a device, equipment and a medium for judging a network attack target range, which at least partially solve the technical problem that the defense means adopted in the existing network security is difficult to adapt to the attack means, and the invention adopts the following technical scheme:
according to one aspect of the present application, there is provided a method of automatically identifying threat data, comprising:
acquiring an access request to be identified; the access request to be identified comprises a visitor identification and request data;
identifying the request data through an online model to obtain an online identification result;
processing an online identification result through an offline model, and determining whether threat data is included in an access request to be identified; the offline model is obtained according to the historical threat security event and the Bayesian network of the visitor corresponding to the visitor identification.
In an exemplary embodiment of the present application, the identifying, by the online model, the request data, to obtain an online identification result, includes:
real-time threat information in the request data is collected in real time through an online model;
and summarizing all the real-time threat information, and determining the real-time threat information as an online identification result.
In an exemplary embodiment of the present application, the processing, by an offline model, the online identification result to determine whether the access request to be identified includes threat data includes:
analyzing the real-time threat information through an offline model to obtain threat probability values of visitors corresponding to visitor identifications;
and determining whether threat data is included in the access request to be identified through the threat probability value.
In an exemplary embodiment of the present application, determining whether threat data is included in the access request to be identified by the threat probability value includes:
if the threat probability value is larger than a preset probability threshold value, determining that the access request to be identified comprises threat data, and sending an alarm notification; otherwise, determining that the threat data is not included in the access request to be identified.
In one exemplary embodiment of the present application, the offline model is determined by the following method:
according to the access request to be identified, acquiring a historical threat security event corresponding to the visitor identifier;
extracting historical threat information of a visitor corresponding to the visitor identifier through a historical threat security event;
and carrying out Bayesian network probability graph training on the historical threat information to obtain an offline model.
In one exemplary embodiment of the present application, the online model is determined by the following method:
acquiring each real-time security event stream in the request data;
and obtaining an online model according to each real-time security event stream.
In an exemplary embodiment of the present application, after the step of determining whether the access request to be identified includes threat data (determining that it does, and sending an alarm notification, if the threat probability value is greater than the preset probability threshold, and determining that it does not otherwise), the method for automatically identifying threat data further includes:
and if the access request to be identified comprises threat data, adding the corresponding real-time threat information into the historical threat information.
According to one aspect of the present application, there is provided an apparatus for automatically identifying threat data, comprising:
the request response module is used for acquiring an access request to be identified; the access request to be identified comprises a visitor identification and request data;
the online identification module is used for identifying the request data through an online model to obtain an online identification result;
and the threat analysis module is used for processing the online identification result through the offline model and determining whether the access request to be identified comprises threat data.
According to one aspect of the present application, there is provided a non-transitory computer readable storage medium having stored therein at least one instruction or at least one program loaded and executed by a processor to implement the method of automatically identifying threat data.
According to one aspect of the present application, there is provided an electronic device comprising a processor and the non-transitory computer readable storage medium.
The invention has at least the following beneficial effects:
according to the invention, an offline model and an online model are established, an access request to be identified is analyzed, and it is determined whether threat data is contained in the access request to be identified. The offline model collects the historical threat information of a visitor and generates a training model based on a Bayesian network so as to assign probabilities to the attack correlation between the real-time threat information and the visitor. The online model delivers the observed network behavior data of the visitor to the offline model, and the offline model analyzes the visitor, so that the high-probability threat data in the attack process can be automatically and rapidly identified.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for automatically identifying threat data provided in an embodiment of the invention;
FIG. 2 is a block diagram of an apparatus for automatically identifying threat data provided in accordance with an embodiment of the invention;
FIG. 3 is a schematic diagram of offline model construction in a method for automatically identifying threat data according to an embodiment of the invention;
FIG. 4 is a schematic diagram of online model construction in a method for automatically identifying threat data according to an embodiment of the invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
In the field of network security, attack and defense are a lasting contest: as defenders adopt new defense and detection means, network visitors can quickly modify their attack technologies and methods according to the new defense means to evade detection and carry out attacks. Defenders, faced with rapidly changing and novel attack means, have a sense of helplessness and fall into a passive, reactive defense. In the face of ever more complex network attack means, the traditional threat-indicator approach (such as detecting the signatures of known virus files, or matching indicators such as threat intelligence IP addresses) has difficulty finding the latest attack behaviors of the attacker, and such defense means are becoming less and less effective.
ATT&CK (Adversarial Tactics, Techniques and Common Knowledge), i.e. adversarial tactics, techniques and common knowledge in network security, is a model that describes, from the point of view of the visitor, the techniques used in each stage of an attack. Through detailed analysis and disclosure, ATT&CK can produce threat intelligence reports on the visitor, forming a knowledge base of the tactics and techniques of the visitor's attack lifecycle and of the objectives of each attack stage. However, security vendors detect attack techniques by directly observing the data collected from real environments; although this is more intuitive, it usually consumes a great deal of effort by network security personnel, lacks timeliness and effectiveness, and cannot be productized, so a method capable of automatically and rapidly identifying and predicting threat data is required.
A method of automatically identifying threat data, as shown in fig. 1, comprising:
step S100, obtaining an access request to be identified; the access request to be identified comprises a visitor identification and request data;
the access request to be identified is an access request sent by a visitor, wherein the access request comprises a visitor identification corresponding to the visitor and the request data for the requested access. Each visitor corresponds to one visitor identification, so that every visitor can be uniquely identified, and when the access request to be identified carries threat data, the corresponding visitor can be conveniently located through the visitor identification.
Step S200, identifying the request data through an online model to obtain an online identification result;
wherein, the online model is determined by the following method:
step S011, each real-time security event stream in the request data is acquired;
step S012, according to each real-time security event stream, an online model is obtained.
As shown in fig. 4, the method for constructing the online model is as follows:
a real-time security event stream of a visitor is acquired, the stream is enriched with related information such as IP reputation, attack weapon/tool libraries and accessed-file reputation through an associated threat intelligence database, and TTP information is labelled against the TTP knowledge base in ATT&CK, thereby obtaining the online model.
The request data contains information data corresponding to a plurality of security events sent by a visitor, the information data corresponding to all the security events are identified and collected through an online model to obtain corresponding online identification results, and then subsequent threat data verification work is carried out.
Further, in step S200, the request data is identified by the online model, so as to obtain an online identification result, which includes:
step S210, real-time threat information in the request data is collected in real time through an online model;
and step S220, summarizing all the real-time threat information, and determining the real-time threat information as an online identification result.
Step S300, processing an online identification result through an offline model, and determining whether the access request to be identified comprises threat data or not; the offline model is obtained according to the historical threat security event and the Bayesian network of the visitor corresponding to the visitor identifier;
and carrying out probability verification processing on the information data corresponding to the security event acquired by the online model in real time, namely the real-time threat information, through the offline model to determine whether the access request to be identified comprises threat data.
Wherein the offline model is determined by the following method:
step S021, according to the access request to be identified, acquiring a historical threat security event corresponding to the visitor identifier;
step S022, extracting historical threat information of a visitor corresponding to the visitor identifier through a historical threat security event;
and step S023, performing Bayesian network probability graph training on the historical threat information to obtain an offline model.
According to the access request to be identified of the visitor, the historical threat information of the visitor is obtained: the threat security events that occurred for the visitor in the past, or threat security events labelled by threat intelligence experts from existing experience. From these historical threat security events, the historical threat information corresponding to the visitor, namely the visitor's historical TTP (tactics, techniques and procedures) information in the sense of ATT&CK, is extracted.
The Bayesian network, also called a belief network or directed acyclic graph model, is a probabilistic graphical model. As shown in FIG. 3, the method for constructing an offline model with the Bayesian network is as follows:
starting from the historical threat security event data of the visitor, or threat security event data labelled by threat intelligence experts, the threat security event data is enriched: it is linked to related information through an associated threat intelligence database, adding information such as IP reputation, attack weapon/tool libraries and accessed-file reputation. A TTP labelling step then marks each threat security event with the TTPs it used, according to the TTP knowledge base in ATT&CK, for example Lateral Tool Transfer (ATT&CK TTP T1570), Create/Modify System Process (ATT&CK TTP T1432) and Impair Defenses (ATT&CK TTP T1562.001) for a given threat security event. The large number of acquired threat security events is then converged by attack event type, for example by gathering the threat security events into sets such that all threat security events in the same set have the same attack event type, and the attack event type of each set is marked with a probability variable for the use of each TTP; for example, the probability variable for the use of lateral movement in a ransomware threat security event is the share of ransomware events in which T1570 was used, P(T1570 | ransomware) = N(ransomware ∧ T1570) / N(ransomware), where N(·) counts threat security events. Finally, the probability variables are put into a Bayesian network for training to obtain a probability model of threat security events and TTPs, namely the offline model.
Further, in step S300, the online recognition result is processed through the offline model, and determining whether the access request to be recognized includes threat data includes:
step S310, analyzing the real-time threat information through an offline model to obtain threat probability values of visitors corresponding to visitor identifications;
step S320, determining whether the access request to be identified comprises threat data or not according to the threat probability value.
The online model acquires the real-time threat information of a visitor in real time and collects all TTP information labelled within a preset time period (for example, the TTPs T1570, T1432 and the like labelled within 10 minutes), and sends the threat security events corresponding to the TTP information within the preset time period to the offline model. The offline model predicts the occurrence probability of the threat security event, namely the threat probability value corresponding to the visitor, and determines whether the visitor carries threat data by comparing the obtained threat probability value with a preset probability threshold.
Specifically, in step S320, determining whether the access request to be identified includes threat data according to the threat probability value includes:
step S321, if the threat probability value is larger than a preset probability threshold value, determining that the access request to be identified comprises threat data, and sending an alarm notification; otherwise, determining that the threat data is not included in the access request to be identified.
Step S322, if the access request to be identified includes threat data, adding the corresponding real-time threat information to the historical threat information.
The obtained threat probability value is compared with the preset probability threshold, and an alarm notification is generated if the obtained threat probability value exceeds the preset probability threshold. For example, if the threat security event corresponding to the TTPs T1570 and T1432 is predicted to be a ransomware event with a confidence of 83% and the preset probability threshold is 80%, the visitor corresponding to the threat security event is considered to carry threat data, and an alarm is raised that the threat data is a ransomware event.
In one implementation, a visitor connects to the visited party through a remote desktop, and this action is captured by the probe of the visited party. The offline model checks the attack pattern against the data of a large number of historical threat security events and knows that remote desktop access (ATT&CK TTP T1021, Remote Services) is a common technical means for a visitor to gain initial access. The visitor then executes a ransomware sample on the visited party's equipment and is perceived by the probe of the visited party because the sample accesses a bait file. The offline model checks this attack pattern, and the branch confidences in the offline model related to Lateral Tool Transfer (ATT&CK TTP T1570), Create/Modify System Process (ATT&CK TTP T1432) and Impair Defenses (ATT&CK TTP T1562.001) are strengthened. The online model acquires the real-time threat information of the visitor in real time with the collection time period set to 3 minutes; once the visitor's attack activity within a 3-minute time window exceeds the threshold indicating suspicious activity, the related threat activity is identified as most likely being a ransomware threat security event within the intranet, and an alarm is raised.
According to the invention, an offline model and an online model are established by combining the TTP technology of ATT&CK with a Bayesian network, the access request to be identified that is sent by a visitor is analyzed, and it is determined whether threat data is carried in the access request to be identified. The offline model collects the historical threat information of the visitor, converts it into a group of well-defined ATT&CK TTP data, and generates a training model based on the Bayesian network, so that the correlation between the real-time threat information and the visitor's attacks is expressed probabilistically. The online model delivers the observed network behavior data of the visitor to the offline model, and the offline model analyzes the visitor, so that the dependencies between high-level data and TTPs, as well as missing or uncertain data, are handled, and the high-probability threat data in the attack process is automatically and rapidly identified.
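The following worked example is added here to make the offline-model construction (step S023, the probability variables P(TTP | attack event type) and the Bayesian network) and the online window, threshold comparison and feedback (steps S210 to S322, and the remote-desktop-to-ransomware scenario above) concrete. It is not code from the patent or from the assignee. Assumptions of the example: the Bayesian network has the simplest useful structure (the attack event type is the parent of one binary node per TTP), the conditional probabilities are Laplace-smoothed so an unseen TTP never zeroes out a type, the historical events and the real-time event stream are constructed, the TTP ids are those quoted on the page, the window is the page's 3 minutes and the threshold its 80%.

```python
from collections import Counter
from fractions import Fraction

# TTP ids as quoted on the page; this tuple is the node vocabulary of the network.
TTP_VOCAB = ("T1021", "T1570", "T1432", "T1562.001")

# Constructed historical threat security events (not real data):
# (visitor id, labelled attack event type, TTPs labelled for that event).
HISTORICAL_EVENTS = [
    ("visitor-A", "ransomware", {"T1021", "T1570", "T1432", "T1562.001"}),
    ("visitor-A", "ransomware", {"T1570", "T1432", "T1562.001"}),
    ("visitor-B", "ransomware", {"T1021", "T1570", "T1562.001"}),
    ("visitor-B", "ransomware", {"T1570", "T1432"}),
    ("visitor-C", "reconnaissance", {"T1021"}),
    ("visitor-C", "reconnaissance", {"T1021"}),
    ("visitor-D", "reconnaissance", {"T1021", "T1432"}),
    ("visitor-D", "reconnaissance", {"T1021"}),
]


class OfflineModel:
    """Bayesian network with an assumed naive structure: attack event type -> each TTP node.
    Training is counting, as on the page: P(TTP | type) = N(type and TTP) / N(type)."""

    def __init__(self, events, ttp_vocab=TTP_VOCAB, alpha=Fraction(1)):
        self.ttp_vocab = tuple(ttp_vocab)
        self.alpha = alpha             # Laplace pseudo-count (assumption, not on the page)
        self.type_count = Counter()    # N(type)
        self.joint_count = Counter()   # N(type and TTP)
        for _visitor, event_type, ttps in events:
            self.add_event(event_type, ttps)

    def add_event(self, event_type, ttps):
        """Step S023 for one event; also step S322 when an alerted event is fed back."""
        self.type_count[event_type] += 1
        for ttp in ttps:
            if ttp in self.ttp_vocab:
                self.joint_count[(event_type, ttp)] += 1

    def p_ttp_given_type(self, ttp, event_type):
        """The page's probability variable P(TTP | attack event type), smoothed."""
        return (self.joint_count[(event_type, ttp)] + self.alpha) / (
            self.type_count[event_type] + 2 * self.alpha)

    def posterior(self, observed_ttps):
        """P(type | observed TTP set) in exact rational arithmetic; absent TTPs are evidence too."""
        total = sum(self.type_count.values())
        scores = {}
        for event_type, n in self.type_count.items():
            score = Fraction(n, total)  # prior P(type)
            for ttp in self.ttp_vocab:
                p = self.p_ttp_given_type(ttp, event_type)
                score *= p if ttp in observed_ttps else 1 - p
            scores[event_type] = score
        z = sum(scores.values())
        return {t: s / z for t, s in scores.items()}


class OnlineModel:
    """Collects real-time security events and returns the TTPs seen in the preset window (S210/S220)."""

    def __init__(self, window_seconds):
        self.window_seconds = window_seconds
        self.events = []  # (timestamp in seconds, visitor id, TTP id)

    def observe(self, ts, visitor_id, ttp):
        self.events.append((ts, visitor_id, ttp))

    def window_ttps(self, visitor_id, now):
        lo = now - self.window_seconds
        return {ttp for ts, v, ttp in self.events if v == visitor_id and lo < ts <= now}


def identify(online, offline, visitor_id, now, target_type="ransomware", threshold=Fraction(4, 5)):
    """Steps S310 to S322: score the window, compare with the preset threshold, alert and feed back."""
    observed = online.window_ttps(visitor_id, now)
    if not observed:
        return {"visitor": visitor_id, "ttps": [], "probability": Fraction(0), "threat": False}
    prob = offline.posterior(observed)[target_type]
    alert = {"visitor": visitor_id, "ttps": sorted(observed), "probability": prob,
             "threat": prob > threshold}
    if alert["threat"]:
        offline.add_event(target_type, observed)  # S322: real-time info joins the history
    return alert


def run_scenario():
    """Constructed replay of the page's remote-desktop-to-ransomware scenario, 3-minute window."""
    offline = OfflineModel(HISTORICAL_EVENTS)
    online = OnlineModel(window_seconds=180)
    online.observe(0, "visitor-X", "T1021")        # remote desktop connection seen by the probe
    early = identify(online, offline, "visitor-X", now=30)
    online.observe(60, "visitor-X", "T1570")       # lateral tool transfer
    online.observe(90, "visitor-X", "T1432")       # create/modify system process (page's id)
    online.observe(120, "visitor-X", "T1562.001")  # impair defenses
    late = identify(online, offline, "visitor-X", now=150)
    return early, late, offline


if __name__ == "__main__":
    for a in run_scenario()[:2]:
        print(f"{a['ttps']}: P(ransomware)={float(a['probability']):.3f} threat={a['threat']}")
```

With this constructed history the remote desktop connection alone scores P(ransomware) = 3/128 and raises no alarm, while the full 3-minute window scores 24/25 and exceeds the 80% threshold, after which the window's TTPs are appended to the history so the next training pass reflects them. The exact fractions show why absent TTPs matter as much as present ones: the posterior multiplies in (1 - P(TTP | type)) for every vocabulary TTP not observed.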
An apparatus 100 for automatically identifying threat data, as shown in fig. 2, includes:
a request response module 110, configured to obtain an access request to be identified; the access request to be identified comprises a visitor identification and request data;
the online identification module 120 is configured to identify the request data through an online model, so as to obtain an online identification result;
the threat analysis module 130 is configured to process the online identification result through an offline model, and determine whether the access request to be identified includes threat data.
Wherein, the online identification module 120 is further configured to:
real-time threat information in the request data is collected in real time through an online model;
and summarizing all the real-time threat information, and determining the real-time threat information as an online identification result.
Wherein the threat analysis module 130 is further configured to:
analyze the real-time threat information through an offline model to obtain a threat probability value of the visitor corresponding to the visitor identifier;
if the threat probability value is larger than a preset probability threshold value, determining that the access request to be identified comprises threat data, and sending an alarm notification; otherwise, determining that the access request to be identified does not contain threat data;
and if the access request to be identified comprises threat data, adding the corresponding real-time threat information into the historical threat information.
Embodiments of the invention also provide a computer program product comprising program code for causing an electronic device to carry out the steps of the method according to the various exemplary embodiments of the invention as described in the specification, when said program product is run on the electronic device.
Furthermore, although the various steps of the methods in this disclosure are depicted in a particular order in the figures, this does not require or imply that the steps must be performed in that particular order, or that all illustrated steps be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step, and/or one step decomposed into multiple steps, etc.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to embodiments of the present disclosure may be embodied in the form of a software product that may be stored on a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, comprising instructions to cause a computing device (which may be a personal computer, a server, a mobile terminal, a network device, or the like) to perform a method according to an embodiment of the present disclosure.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
Those skilled in the art will appreciate that aspects of the invention may be implemented as a system, method, or program product. Accordingly, aspects of the invention may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module" or "system."
An electronic device according to this embodiment of the invention is described below. The electronic device is merely an example, and should not impose any limitations on the functionality and scope of use of embodiments of the present invention.
The electronic device is in the form of a general purpose computing device. Components of an electronic device may include, but are not limited to: the at least one processor, the at least one memory, and a bus connecting the various system components, including the memory and the processor.
Wherein the memory stores program code that is executable by the processor to cause the processor to perform steps according to various exemplary embodiments of the invention described in the "exemplary methods" section of this specification.
The storage may include readable media in the form of volatile storage, such as Random Access Memory (RAM) and/or cache memory, and may further include Read Only Memory (ROM).
The storage may also include a program/utility having a set (at least one) of program modules including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The bus may be one or more of several types of bus structures including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
The electronic device may also communicate with one or more external devices (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any device (e.g., router, modem, etc.) that enables the electronic device to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface. And, the electronic device may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through a network adapter. As shown, the network adapter communicates with other modules of the electronic device over a bus. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with an electronic device, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a terminal device, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention as described in the "exemplary methods" section of this specification, when said program product is run on the terminal device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
Furthermore, the above-described drawings are only schematic illustrations of processes included in the method according to the exemplary embodiment of the present invention, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention should be included in the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (10)

1. A method of automatically identifying threat data, comprising:
acquiring an access request to be identified; the access request to be identified comprises a visitor identification and request data;
identifying the request data through an online model to obtain an online identification result;
processing the online identification result through an offline model, and determining whether the access request to be identified comprises threat data or not; wherein the offline model is obtained according to the historical threat security events of the visitor corresponding to the visitor identifier and a Bayesian network.
2. The method of claim 1, wherein identifying the request data by an online model results in an online identification result, comprising:
acquiring real-time threat information in the request data in real time through an online model;
and summarizing all the real-time threat information, and determining the real-time threat information as an online identification result.
3. The method of claim 2, wherein processing the online identification result through an offline model to determine whether threat data is included in the access request to be identified comprises:
analyzing the real-time threat information through an offline model to obtain threat probability values of visitors corresponding to the visitor identifications;
and determining whether threat data is included in the access request to be identified according to the threat probability value.
4. The method of claim 3, wherein determining whether threat data is included in the access request to be identified according to the threat probability value comprises:
if the threat probability value is larger than a preset probability threshold value, determining that the access request to be identified comprises threat data, and sending an alarm notification; otherwise, determining that threat data is not included in the access request to be identified.
5. The method of claim 1, wherein the offline model is determined by:
acquiring a historical threat security event corresponding to the visitor identifier according to the access request to be identified;
extracting historical threat information of a visitor corresponding to the visitor identifier through the historical threat security event;
and carrying out Bayesian network probability graph training on the historical threat information to obtain an offline model.
6. The method of claim 1, wherein the online model is determined by:
acquiring each real-time security event stream in the request data;
and obtaining an online model according to each real-time security event stream.
7. The method of claim 4, wherein after the step of determining that the access request to be identified includes threat data and sending an alarm notification if the threat probability value is greater than a preset probability threshold, and otherwise determining that the access request to be identified does not include threat data, the method further includes:
and if the access request to be identified comprises threat data, adding corresponding real-time threat information into the historical threat information.
8. An apparatus for automatically identifying threat data, comprising:
the request response module is used for acquiring an access request to be identified; the access request to be identified comprises a visitor identification and request data;
the online identification module is used for identifying the request data through an online model to obtain an online identification result;
and the threat analysis module is used for processing the online identification result through the offline model and determining whether the access request to be identified comprises threat data.
9. A non-transitory computer readable storage medium having stored therein at least one instruction or at least one program, wherein the at least one instruction or the at least one program is loaded and executed by a processor to implement the method of any one of claims 1-7.
10. An electronic device comprising a processor and the non-transitory computer readable storage medium of claim 9.
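The claimed pipeline (claims 1 to 7), as an added toy implementation that is not the patent's own code: the online model reduces request data to a set of real-time threat indicators, the offline model is a naive-Bayes probability graph (one particular Bayesian network structure, assumed here) fitted to the visitor's historical threat security events, and the analysis step applies the preset threshold, raises the alarm and feeds confirmed threat information back into the history. The indicator names, detection rules, the 0.8 threshold and the sample history are all constructed for illustration.

```python
import math
# Constructed sample data (not from the patent): one visitor's historical threat
# security events as (real-time threat information set, was an attack) pairs.
INDICATORS = ("sqli_token", "path_traversal", "scanner_agent", "burst_rate")
HISTORY = [({"sqli_token", "scanner_agent"}, True), ({"sqli_token"}, True),
           ({"path_traversal"}, True), (set(), False), (set(), False),
           ({"burst_rate"}, False)]

def online_identify(request):
    """Online model (claim 2): pull real-time threat information out of the request data."""
    found = set()
    q = (request.get("path", "") + "?" + request.get("query", "")).lower()
    if "union select" in q or "' or 1=1" in q:
        found.add("sqli_token")
    if "../" in q:
        found.add("path_traversal")
    if any(s in request.get("user_agent", "").lower() for s in ("sqlmap", "nikto")):
        found.add("scanner_agent")
    if request.get("requests_per_minute", 0) > 300:
        found.add("burst_rate")
    return found  # the summarised indicator set is the online identification result

class OfflineModel:
    """Offline model (claim 5): naive-Bayes graph (attack -> indicators), Laplace-smoothed."""
    def __init__(self, history):
        self.history = list(history)  # the visitor's historical threat information

    def threat_probability(self, indicators):
        n = len(self.history)
        n_att = sum(1 for _, a in self.history if a)
        n_ben = n - n_att
        log_att = math.log((n_att + 1) / (n + 2))   # smoothed prior P(attack)
        log_ben = math.log((n_ben + 1) / (n + 2))   # smoothed prior P(benign)
        for ind in INDICATORS:
            present = ind in indicators
            c_att = sum(1 for s, a in self.history if a and (ind in s) == present)
            c_ben = sum(1 for s, a in self.history if not a and (ind in s) == present)
            log_att += math.log((c_att + 1) / (n_att + 2))  # P(observation | attack)
            log_ben += math.log((c_ben + 1) / (n_ben + 2))  # P(observation | benign)
        return 1.0 / (1.0 + math.exp(log_ben - log_att))  # posterior P(attack | obs)

def analyse(model, request, threshold=0.8):
    """Claims 3, 4 and 7: score, compare with the preset threshold, alert, feed back."""
    info = online_identify(request)
    p = model.threat_probability(info)
    is_threat = p > threshold
    if is_threat:
        print("ALARM: visitor threat probability %.3f" % p)  # alarm notification
        model.history.append((info, True))  # claim 7: add real-time info to history
    return is_threat, p
```

With the constructed history, a request carrying SQL-injection tokens from a scanner user agent scores 6/7 and trips the alarm, while a plain page fetch scores 3/11 and is passed through.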

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211693891.4A CN116032602A (en) 2022-12-28 2022-12-28 Method, device, equipment and storage medium for automatically identifying threat data

Publications (1)

Publication Number Publication Date
CN116032602A true CN116032602A (en) 2023-04-28

Family

ID=86090567

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211693891.4A Pending CN116032602A (en) 2022-12-28 2022-12-28 Method, device, equipment and storage medium for automatically identifying threat data

Country Status (1)

Country Link
CN (1) CN116032602A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116383771A (en) * 2023-06-06 2023-07-04 云南电网有限责任公司信息中心 Network anomaly intrusion detection method and system based on variation self-coding model
CN116383771B (en) * 2023-06-06 2023-10-27 云南电网有限责任公司信息中心 Network anomaly intrusion detection method and system based on variation self-coding model
CN117494185A (en) * 2023-10-07 2024-02-02 联通(广东)产业互联网有限公司 Database access control method, device, system, equipment and storage medium
CN117494185B (en) * 2023-10-07 2024-05-14 联通(广东)产业互联网有限公司 Database access control method, device, system, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination