CN116155519A - Threat alert information processing method, threat alert information processing device, computer equipment and storage medium - Google Patents


Info

Publication number
CN116155519A
Authority
CN
China
Prior art keywords
threat
information
attack
family
behavior
Prior art date
Legal status
Pending
Application number
CN202111394895.8A
Other languages
Chinese (zh)
Inventor
罗梦霞
沈江波
邱成
陶龙
杨耀荣
谭昱
程虎
Current Assignee
Tencent Cyber Tianjin Co Ltd
Original Assignee
Tencent Cyber Tianjin Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Cyber Tianjin Co Ltd
Priority to CN202111394895.8A
Publication of CN116155519A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/064 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis involving time analysis
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Abstract

The application relates to a threat alert information processing method, apparatus, computer device, storage medium, and program product. The method comprises the following steps: acquiring threat alert information associated with a network threat; performing clue line extension according to the threat alert information to obtain an attack behavior portrait; determining threat family information and a threat solution according to the attack behavior portrait, and acquiring a threat occurrence time node; performing suspicious behavior traceability analysis according to the threat occurrence time node to obtain a suspicious behavior attack path; and summarizing the threat family information, the threat solution and the suspicious behavior attack path to obtain a network threat alert analysis report. Adopting the method can improve the processing efficiency of threat alert information.

Description

Threat alert information processing method, threat alert information processing device, computer equipment and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a threat alert information processing method, apparatus, computer device, and storage medium.
Background
With the development of computer technology, security products have emerged. Security products are software products, and combined software and hardware products, that ensure the security of the systems and information of a user's network and hosts so that the system operates normally. While protecting a user, a security product can send threat alert information: when it finds behavior that may harm the user's system, it records the behavior information and sends the alert to the terminal.
In the conventional technology, after threat alert information arrives at a terminal, the user of the terminal needs to obtain intrusion clues by checking logs and the like, and to analyze the attack type, in order to analyze the threat alert information.
However, when a large amount of threat alert information exists, this conventional method repeats a large amount of intrusion analysis work, so the processing efficiency of threat alert information is low.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a threat alert information processing method, apparatus, computer device, storage medium, and program product that can improve the processing efficiency of threat alert information.
A threat alert information processing method, the method comprising:
acquiring threat alert information associated with a network threat;
performing clue line extension according to the threat alert information to obtain an attack behavior portrait;
determining threat family information and a threat solution according to the attack behavior portrait, and acquiring a threat occurrence time node;
performing suspicious behavior traceability analysis according to the threat occurrence time node to obtain a suspicious behavior attack path;
and summarizing the threat family information, the threat solution and the suspicious behavior attack path to obtain a network threat alert analysis report.
A threat alert information processing apparatus, the apparatus comprising:
an information acquisition module, used for acquiring threat alert information associated with a network threat;
a portrait construction module, used for performing clue line extension according to the threat alert information to obtain an attack behavior portrait;
a family tracing module, used for determining threat family information and a threat solution according to the attack behavior portrait, and acquiring a threat occurrence time node;
a suspicious behavior tracing module, used for performing suspicious behavior traceability analysis according to the threat occurrence time node to obtain a suspicious behavior attack path;
and a processing module, used for summarizing the threat family information, the threat solution and the suspicious behavior attack path to obtain a network threat alert analysis report.
A computer device comprising a memory storing a computer program and a processor which, when executing the computer program, performs the steps of:
acquiring threat alert information associated with a network threat;
performing clue line extension according to the threat alert information to obtain an attack behavior portrait;
determining threat family information and a threat solution according to the attack behavior portrait, and acquiring a threat occurrence time node;
performing suspicious behavior traceability analysis according to the threat occurrence time node to obtain a suspicious behavior attack path;
and summarizing the threat family information, the threat solution and the suspicious behavior attack path to obtain a network threat alert analysis report.
A computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
acquiring threat alert information associated with a network threat;
performing clue line extension according to the threat alert information to obtain an attack behavior portrait;
determining threat family information and a threat solution according to the attack behavior portrait, and acquiring a threat occurrence time node;
performing suspicious behavior traceability analysis according to the threat occurrence time node to obtain a suspicious behavior attack path;
and summarizing the threat family information, the threat solution and the suspicious behavior attack path to obtain a network threat alert analysis report.
A computer program product comprising a computer program which, when executed by a processor, performs the steps of:
acquiring threat alert information associated with a network threat;
performing clue line extension according to the threat alert information to obtain an attack behavior portrait;
determining threat family information and a threat solution according to the attack behavior portrait, and acquiring a threat occurrence time node;
performing suspicious behavior traceability analysis according to the threat occurrence time node to obtain a suspicious behavior attack path;
and summarizing the threat family information, the threat solution and the suspicious behavior attack path to obtain a network threat alert analysis report.
According to the above threat alert information processing method, apparatus, computer device, storage medium and program product, threat alert information associated with a network threat is obtained, clue line extension is performed according to the threat alert information to obtain an attack behavior portrait, and threat family information and a threat solution can be determined using the attack behavior portrait. By obtaining the threat occurrence time node, suspicious behavior traceability analysis can be performed using that time node to obtain a suspicious behavior attack path, so that a network threat alert analysis report can be obtained by summarizing the threat family information, the threat solution and the suspicious behavior attack path.
Drawings
FIG. 1 is an application environment diagram of a threat alert information processing method in one embodiment;
FIG. 2 is a flow diagram of a threat alert information processing method in one embodiment;
FIG. 3 is a schematic diagram of threat alert analysis reporting in one embodiment;
FIG. 4 is a schematic diagram of locating an SSH (Secure Shell) brute-force attack entry in one embodiment;
FIG. 5 is a schematic diagram of locating an attack entry that exploits a system vulnerability in one embodiment;
FIG. 6 is a diagram of the results of family analysis when threat alert information is assigned to a known family in one embodiment;
FIG. 7 is a schematic diagram of threat alert information analysis results in one embodiment;
FIG. 8 is a diagram of family analysis results when threat alert information is assigned to an unknown family in one embodiment;
FIG. 9 is a flow chart of a threat alert information processing method in another embodiment;
FIG. 10 is a block diagram of a threat alert information processing apparatus in one embodiment;
FIG. 11 is an internal block diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The threat alert information processing method provided by the application can be applied to the application environment shown in fig. 1. The to-be-monitored end 102, on which a security product is installed, communicates over a network with a server 104 that performs threat alert information processing. The to-be-monitored end 102 uploads log information to the server 104 in real time. After receiving the log information, the server 104 obtains threat alert information associated with a network threat from it, performs clue line extension according to the threat alert information to obtain an attack behavior portrait, determines threat family information and a threat solution according to the attack behavior portrait, obtains the threat occurrence time node, performs suspicious behavior traceability analysis according to the threat occurrence time node to obtain a suspicious behavior attack path, and summarizes the threat family information, the threat solution and the suspicious behavior attack path to obtain a network threat alert analysis report. The to-be-monitored end 102 may be, but is not limited to, a cloud computing platform, a terminal, etc. The server 104 may be implemented by an independent server or by a server cluster formed of multiple servers, or may be a node on a blockchain. A cloud computing platform deploys various kinds of virtual resources so that application systems can obtain computing power, storage space and information services on demand; if the cloud computing platform suffers a network attack, the losses can be huge, so ensuring the security of the cloud computing platform is a problem that the prior art still has to solve. The terminal may be, but is not limited to, a personal computer, notebook computer, smartphone, tablet computer or portable wearable device.
In one embodiment, as shown in fig. 2, a threat alert information processing method is provided, which is illustrated by using the method applied to the server 104 in fig. 1 as an example, and includes the following steps:
step 202, threat alert information associated with a network threat is obtained.
Threat alert information is the alert information that a security product, while protecting a user, sends to the terminal after recording the behavior information when it finds behavior that may harm the user's system. For example, threat alert information may specifically refer to alert information sent by a security product when a network threat is found. The threat alert information may specifically include threat clue information and a threat occurrence time node, where the threat clue information refers to clues for analyzing the threat alert information. For example, threat clue information may specifically refer to the path along which the threat was generated.
Specifically, the server may collect the log information of the to-be-monitored end in advance and use a network threat sensing probe to obtain, from the log information, the threat alert information generated by the security product and associated with the network threat. The threat alert information includes threat sensing probe information, the threat clue information sensed by the probe, and the threat occurrence time node; the threat sensing probe information is used to locate where the threat alert information was detected. For example, threat sensing probe information may specifically indicate that a remote script was downloaded and executed. The probe is a network traffic processing tool that can collect and analyze data packets in the network and extract information from them; in this embodiment, the objects examined by the threat sensing probe may be traffic, logs, file samples and the like.
Step 204, according to the threat alert information, performing clue line extension to obtain the attack behavior portraits.
Clue line extension refers to expanding and reasoning over the threat alert information, that is, expanding the limited information available using an existing big data knowledge platform. For example, the existing big data knowledge platform may specifically be a threat knowledge base that holds attacker information for discovered attackers (such as viruses, trojans, etc.); the attacker information includes basic information about the attacker itself and information associated with the attacker. The basic information includes the domain name corresponding to the attacker, the IP address where the attacker is located, the domain name resolution result, sub-domains of the attacker's domain name and the like, and the associated information includes the objects the attacker attacked historically, the attack path and the like. An attack behavior portrait is a visual description of an attack behavior; different attack behaviors can be distinguished with their portraits, which also help locate the corresponding attacker. For example, the attack behavior portrait may specifically be a knowledge graph corresponding to the attack behavior, where the knowledge graph contains the association information corresponding to the attack behavior.
Specifically, the server extracts threat alert feature information from the threat alert information, performs clue line extension using the threat alert feature information and a pre-constructed threat knowledge base to obtain associated feature information associated with the threat alert feature information, and constructs a knowledge graph from the associated feature information and the threat alert feature information to obtain the attack behavior portrait. Threat alert feature information is information associated with the network threat that can characterize its features. For example, threat alert feature information may be IOC (Indicator of Compromise) data, which may be at least one of IP (Internet Protocol) address data, network link data, domain name data, and the like.
Step 206, determining threat family information and a threat solution according to the attack behavior portrait, and acquiring the threat occurrence time node.
Threat family information is the family analysis information associated with the threat alert information; it describes the family to which the threat alert corresponding to the threat alert information belongs. The threat solution is the handling method provided for the threat alert information.
Specifically, the server performs tracing according to the attack behavior portraits, takes the attack behavior portraits as portraits to be identified, acquires known attacker information in a preset threat knowledge base, performs portrait matching according to the attack behavior portraits and the known attacker information, obtains family analysis results corresponding to the attack behavior portraits, determines whether threat alarms corresponding to threat alarm information belong to known families according to the family analysis results, and determines threat family information and threat solutions according to the attribution conditions.
Step 208, performing suspicious behavior traceability analysis according to the threat occurrence time node to obtain a suspicious behavior attack path.
Suspicious behavior is behavior predefined as suspicious by suspicious behavior rules. For example, the suspicious behavior may specifically be at least one of a file modification behavior, a sensitive file reading behavior, a network behavior, and the like. In this embodiment, the suspicious behavior rules may be configured as needed. The suspicious behavior attack path is the attack chain of the suspicious behavior and describes the whole attack process of the suspicious behavior.
Specifically, the server expands a time window around the threat occurrence time node, acquires the historical log information within a specified time period, obtains host suspicious behavior data by performing suspicious behavior rule matching on the historical log information, performs traceability analysis based on the host suspicious behavior data, locates the attack entry, determines the order in which the host suspicious behaviors occurred, and obtains the suspicious behavior attack path. The specified time period may be set as required; for example, it may specifically be the two days nearest the threat occurrence time node.
Step 210, summarizing the threat family information, the threat solution and the suspicious behavior attack path to obtain a network threat alert analysis report.
Specifically, the server gathers the suspicious behavior attack path, the threat family information and the threat solution into a threat alert analysis report and pushes the report to the user, so that the user can learn the information associated with the threat alert and handle it accordingly. The user here may specifically be a client who uses the security product, or the responsible user who manages the security product. Further, the threat alert analysis report includes an event summary module, a traceability analysis module and a solution module, and when summarizing, the server displays the summarized data in the corresponding module. For example, the threat family information may be presented in the event summary module, the suspicious behavior attack path in the traceability analysis module, and the threat solution in the solution module.
For example, the threat alert analysis report may be as shown in fig. 3. It should be noted that the sensitive information in the figure is replaced by XXX. According to the threat alarm information processing method, threat alarm information associated with the network threat is obtained, clue line extension is carried out according to the threat alarm information, an attack behavior portrait is obtained, threat family information and a threat solution can be determined by utilizing the attack behavior portrait, suspicious behavior traceability analysis can be carried out by utilizing the threat occurrence time node, and a suspicious behavior attack path can be obtained, so that a network threat alarm analysis report can be obtained by summarizing the threat family information, the threat solution and the suspicious behavior attack path.
In one embodiment, performing suspicious behavior traceability analysis according to a threat occurrence time node, and obtaining a suspicious behavior attack path includes:
acquiring historical log information from the cache according to the threat occurrence time node;
performing suspicious behavior rule matching on the history log information to obtain suspicious behavior data of the host;
and obtaining suspicious behavior attack paths corresponding to the threat alarm information according to the suspicious behavior data of the host.
The historical log information is the log information that the to-be-monitored end generated during its operation and uploaded to the server.
Specifically, the server expands a time window according to the threat occurrence time node, determines a data acquisition time window, acquires historical log information in a specified time period from the cache according to the data acquisition time window, performs suspicious behavior rule matching on the historical log information through a preset suspicious behavior rule to obtain suspicious behavior data of the host, performs attack tracing according to the suspicious behavior data of the host, and locates an attack entrance to obtain a suspicious behavior attack path corresponding to threat alarm information.
The data acquisition time window is the time range from which data is acquired. When the time window is expanded, it may be set as needed; for example, it may be the two days nearest the threat occurrence time node. The suspicious behaviors are predefined in the preset suspicious behavior rules, and by matching the historical log information against those rules, the host suspicious behavior data can be extracted from the historical log information. For example, the host suspicious behavior data may specifically be at least one of file modification behavior, sensitive file reading behavior, network behavior, and the like.
It should be noted that, in this embodiment, after the historical log information is obtained, the server only performs matching with the suspicious behavior rules and extracts the host suspicious behavior data matched by those rules; it does not record the user's normal private operations. In addition, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
In this embodiment, by acquiring the history log information from the cache according to the threat occurrence time node, the acquisition of the host suspicious behavior data may be achieved by performing suspicious behavior rule matching on the history log information, so that the suspicious behavior attack path corresponding to the threat alert information may be obtained by using the host suspicious behavior data.
In one embodiment, obtaining the suspicious behavior attack path corresponding to the threat alert information according to the host suspicious behavior data includes:
performing attack entry rule matching on the host suspicious behavior data, locating the attack entry, and determining the suspicious behavior occurrence time node corresponding to each item of host suspicious behavior data;
sorting the host suspicious behaviors according to their suspicious behavior occurrence time nodes, and determining the order in which the host suspicious behaviors occurred;
and obtaining the suspicious behavior attack path according to the attack entry and the order in which the host suspicious behaviors occurred.
Attack entry rule matching refers to matching the host suspicious behavior data against a preset attack entry rule to judge whether an item of host suspicious behavior data is the attack entry. The preset attack entry rule can be configured as needed, and the way of judging whether a suspicious behavior is the attack entry is predefined in the rule. For example, attack entries can specifically be classified into two types: SSH brute-force entries, and entries that exploit component vulnerabilities of the system or an application. Locating an SSH brute-force attack entry may be as shown in fig. 4, and locating an attack entry that exploits a system vulnerability may be as shown in fig. 5; note that the sensitive information in the figures is replaced by XXX. The suspicious behavior attack path is the attack chain of the suspicious behavior and describes the whole attack process of the suspicious behavior.
Specifically, the server matches the host suspicious behavior data by using a preset attack entry rule to locate an attack entry, determines suspicious behavior occurrence time nodes corresponding to the host suspicious behavior data, sorts the host suspicious behaviors according to the suspicious behavior occurrence time nodes, determines the occurrence sequence of the host suspicious behaviors, and generates an attack chain according to the attack entry and the occurrence sequence of the host suspicious behaviors to obtain a suspicious behavior attack path corresponding to threat alarm information.
In this embodiment, by performing attack entry rule matching on the suspicious behavior data of the host, positioning of the attack entry can be achieved, and by determining the suspicious behavior occurrence time node corresponding to the suspicious behavior data of the host, the attack entry and the suspicious behavior occurrence time node can be utilized to automatically determine a suspicious behavior attack path corresponding to threat alarm information, so as to achieve tracing of the attack behavior.
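The traceability embodiment above (time-window expansion around the threat occurrence time node, suspicious behavior rule matching, attack entry location and ordering into an attack path) as an added Python example; this is not code from the patent or its assignee. The log format, the rule patterns, the two-day window and the three-failure threshold of the SSH brute-force entry rule are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed host log sample (not from the patent): "<ISO time> <source> <message>".
SAMPLE_LOGS = """\
2024-03-08T08:00:00 sshd Accepted password for deploy from 198.51.100.7 port 50012
2024-03-11T02:10:00 sshd Failed password for root from 203.0.113.45 port 41022
2024-03-11T02:10:03 sshd Failed password for root from 203.0.113.45 port 41024
2024-03-11T02:10:07 sshd Failed password for root from 203.0.113.45 port 41030
2024-03-11T02:10:11 sshd Failed password for root from 203.0.113.45 port 41033
2024-03-11T02:10:14 sshd Accepted password for root from 203.0.113.45 port 41040
2024-03-11T02:12:30 audit cmd=cat /etc/shadow uid=0
2024-03-11T02:13:05 audit cmd=curl http://cdn.example.net/x.sh uid=0
2024-03-11T02:13:40 audit file_modified path=/etc/crontab uid=0
2024-03-11T02:14:00 av threat_alert sig=constructed.sample path=/tmp/x
2024-03-15T09:00:00 audit cmd=ls /home uid=1000
"""

@dataclass
class Behavior:
    ts: datetime
    kind: str
    fields: dict

# Preset suspicious behavior rules (patterns are assumptions). Login events are
# kept as well because the attack entry rules below need them.
SUSPICIOUS_RULES = [
    ("ssh_failed_login", re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")),
    ("ssh_login", re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")),
    ("sensitive_file_read", re.compile(r"cmd=cat (?P<path>/etc/(?:shadow|passwd)|/root/\.ssh/\S+)")),
    ("network_behavior", re.compile(r"cmd=(?:curl|wget) (?P<url>\S+)")),
    ("file_modification", re.compile(r"file_modified path=(?P<path>\S+)")),
    ("service_spawned_shell", re.compile(r"parent=(?P<parent>java|php-fpm|httpd|nginx) cmd=(?P<cmd>\S*sh\b)")),
]

def parse_logs(text):
    """Split uploaded log lines into (timestamp, source, message) events."""
    events = []
    for line in text.splitlines():
        ts, source, msg = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), source, msg))
    return events

def logs_in_window(events, occurrence_node, days=2):
    """Expand the time window: the `days` days before the threat occurrence time node."""
    end = datetime.fromisoformat(occurrence_node)
    start = end - timedelta(days=days)
    return [e for e in events if start <= e[0] <= end]

def match_suspicious(events):
    """Suspicious behavior rule matching; only matching events are retained."""
    found = []
    for ts, _source, msg in events:
        for kind, rx in SUSPICIOUS_RULES:
            m = rx.search(msg)
            if m:
                found.append(Behavior(ts, kind, m.groupdict()))
                break
    return sorted(found, key=lambda b: b.ts)

def ssh_bruteforce_entry(behaviors, threshold=3):
    """Entry rule 1: a successful login from an IP after >= threshold failed logins."""
    failures = {}
    for b in behaviors:
        ip = b.fields.get("ip")
        if b.kind == "ssh_failed_login":
            failures[ip] = failures.get(ip, 0) + 1
        elif b.kind == "ssh_login" and failures.get(ip, 0) >= threshold:
            return b
    return None

def component_exploit_entry(behaviors):
    """Entry rule 2: a service component spawning a shell (assumed indicator)."""
    return next((b for b in behaviors if b.kind == "service_spawned_shell"), None)

ENTRY_RULES = [("ssh_brute_force", ssh_bruteforce_entry),
               ("component_vulnerability", component_exploit_entry)]

def describe(b):
    return f"{b.ts:%Y-%m-%d %H:%M:%S} {b.kind} " + " ".join(f"{k}={v}" for k, v in b.fields.items())

def build_attack_path(behaviors):
    """Locate the attack entry, then chain the later suspicious behaviors in time order."""
    for name, rule in ENTRY_RULES:
        entry = rule(behaviors)
        if entry is not None:
            steps = [describe(entry)]
            steps += [describe(b) for b in behaviors if b.ts > entry.ts and b.kind != "ssh_failed_login"]
            return {"entry": name, "steps": steps}
    return {"entry": None, "steps": []}

def trace(log_text, occurrence_node):
    """The embodiment's steps: time window, rule matching, entry location, attack path."""
    events = logs_in_window(parse_logs(log_text), occurrence_node)
    return build_attack_path(match_suspicious(events))
```

Running `trace(SAMPLE_LOGS, "2024-03-11T02:14:00")` yields an SSH brute-force entry followed by the sensitive file read, the remote download and the crontab modification in time order.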
In one embodiment, performing clue line extension according to the threat alert information to obtain an attack behavior portrait includes:
extracting threat alert feature information from the threat alert information;
performing clue line extension according to the threat alert feature information to obtain associated feature information associated with the threat alert feature information;
constructing a knowledge graph based on the threat alert feature information and the associated feature information;
and obtaining the attack behavior portrait according to the knowledge graph.
Specifically, after the threat alert information is obtained, the server obtains associated suspicious information from the log information according to the threat clue information in the threat alert information, and extracts threat alert feature information from the associated suspicious information by regular expression matching. The associated suspicious information is suspicious information associated with the threat alert information that can be acquired directly from the to-be-monitored end; it comprises system information, component information, the host's historically executed commands and the like, where the system information comprises host suspicious process information, host suspicious file information and the like, the component information comprises the third-party components installed on the host, component versions and the like, and the historically executed commands comprise the host's historical suspicious commands, historical suspicious login behaviors and the like. For example, the associated suspicious information may specifically be at least one of the command line of a child process of the suspicious process, the command line of the suspicious process's parent process, the command line with which the suspicious process itself was started, the user name the suspicious process belongs to, the host's unique identifier, the company name, the company's unique identifier, the company level, the occurrence time of the suspicious behavior, and the like. Regular expression matching refers to matching the associated suspicious information against configured regular expressions to extract the threat alert feature information from it.
Specifically, after the threat alert feature information is extracted, the server queries in a pre-constructed threat knowledge base by using the threat alert feature information to obtain associated feature information associated with the threat alert feature information, so that the associated feature information and the threat alert feature information can be taken as entities, a knowledge graph is constructed by taking a first relationship between the associated feature information and a second relationship between the associated feature information and the threat alert feature information as an associated relationship, and the constructed knowledge graph is taken as an attack behavior portrait so as to trace the source by using the attack behavior portrait. The associated characteristic information refers to information which is obtained through clue line extension and is associated with threat alarm characteristic information. For example, when the threat alert feature information is an IP address where an attacker is located, the associated feature information may specifically refer to a domain name corresponding to the attacker, an object of historical attack of the attacker, an attack path, and the like.
In this embodiment, threat alert feature information is extracted from threat alert information, and clue extension is performed by using the threat alert feature information, so that associated feature information associated with the threat alert feature information can be obtained, and a knowledge graph can be constructed based on the threat alert feature information and the associated feature information, and an attack behavior portrait can be obtained according to the knowledge graph.
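As an added illustration (not code from the patent), the following Python sketches how the regular matching, clue extension and knowledge graph construction described above fit together. All values are constructed: the suspicious information, the regular expressions, the threat knowledge base contents and the relation names are assumptions, and 203.0.113.0/24 and the .test domain are reserved documentation values, not real indicators.

```python
import re
from typing import Dict, List, Set, Tuple

Entity = Tuple[str, str]                    # (entity type, value)
Relation = Tuple[Entity, str, Entity, str]  # (head, predicate, tail, "first" or "second")

# Constructed associated suspicious information for one alert (hypothetical values).
SUSPICIOUS_INFO = {
    "process_cmdline": "sh -c 'curl -fsSL http://update.example-bad.test/x.sh | sh'",
    "child_cmdline": "wget http://203.0.113.10/miner -O /tmp/.m",
    "parent_cmdline": "/usr/sbin/apache2 -k start",
    "user": "www-data",
    "host_id": "host-0001",
}

# Assumed regular expressions for extracting threat alert feature information.
FEATURE_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"://([a-z0-9.-]+\.[a-z]{2,})"),
    "download_url": re.compile(r"https?://\S+"),
}

# Constructed threat knowledge base: a known entity maps to the associated feature
# information reached by clue extension, together with the predicate linking them.
THREAT_KNOWLEDGE_BASE: Dict[Entity, List[Tuple[str, Entity]]] = {
    ("ip", "203.0.113.10"): [
        ("resolved_from", ("domain", "update.example-bad.test")),
        ("historically_attacked", ("target", "exposed web servers")),
        ("uses_attack_path", ("attack_path", "web shell -> downloader -> cryptominer")),
    ],
    ("domain", "update.example-bad.test"): [
        ("has_subdomain", ("domain", "cdn.update.example-bad.test")),
        ("historically_attacked", ("target", "exposed web servers")),
    ],
}

# First relationships: links among the associated feature information itself (constructed).
ASSOCIATED_RELATIONS: List[Tuple[Entity, str, Entity]] = [
    (("attack_path", "web shell -> downloader -> cryptominer"), "observed_against",
     ("target", "exposed web servers")),
    (("domain", "cdn.update.example-bad.test"), "serves",
     ("attack_path", "web shell -> downloader -> cryptominer")),
]


def extract_features(info: Dict[str, str]) -> Set[Entity]:
    """Regular matching over every field of the associated suspicious information."""
    features: Set[Entity] = set()
    for text in info.values():
        for etype, pattern in FEATURE_PATTERNS.items():
            for value in pattern.findall(text):
                features.add((etype, value))
    # Fields the patent lists as features that need no regex.
    features.add(("user", info["user"]))
    features.add(("host", info["host_id"]))
    return features


def extend_clues(features: Set[Entity], kb) -> Dict[Entity, List[Tuple[str, Entity]]]:
    """Clue extension: look each alert feature up in the knowledge base."""
    associated: Dict[Entity, List[Tuple[str, Entity]]] = {}
    for feature in features:
        for predicate, entity in kb.get(feature, []):
            if entity not in features:  # already an alert feature, not an extension
                associated.setdefault(feature, []).append((predicate, entity))
    return associated


def build_knowledge_graph(features, kb, associated_relations) -> Dict[str, object]:
    """Entities are alert features plus associated features; edges carry their relation class."""
    entities: Set[Entity] = set(features)
    relations: List[Relation] = []
    associated_entities: Set[Entity] = set()
    for feature, links in extend_clues(features, kb).items():
        for predicate, entity in links:
            entities.add(entity)
            associated_entities.add(entity)
            relations.append((feature, predicate, entity, "second"))
    for head, predicate, tail in associated_relations:
        if head in associated_entities and tail in associated_entities:
            relations.append((head, predicate, tail, "first"))
    return {"entities": entities, "relations": relations}


def attack_behavior_portrait(info: Dict[str, str]) -> Dict[str, object]:
    """The constructed knowledge graph is used directly as the attack behavior portrait."""
    return build_knowledge_graph(extract_features(info), THREAT_KNOWLEDGE_BASE, ASSOCIATED_RELATIONS)
```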
In one embodiment, determining threat family information and a threat solution according to the attack behavior portrait includes:
acquiring known attacker information in a preset threat knowledge base;
performing portrait matching according to the attack behavior portrait and the known attacker information to obtain a family analysis result corresponding to the attack behavior portrait;
determining threat family information and a threat solution according to the family analysis result.
Specifically, the server acquires the known attacker information in the preset threat knowledge base, performs portrait matching between the attack behavior portrait and the known attacker information, and thereby traces the source of the attack behavior portrait to obtain a family analysis result corresponding to it. Performing portrait matching refers to calculating the similarity between the attack behavior portrait and the known attacker information and obtaining the family analysis result according to the similarity. Further, the similarity between the attack behavior portrait and the known attacker information may be calculated by using a pre-trained feature extraction network to extract features from the attack behavior portrait and from the known attacker information respectively and computing the similarity from the extracted features; other ways of calculating the similarity may also be adopted, and the way the similarity is calculated is not particularly limited in this embodiment.
Specifically, when the family analysis result is obtained according to the similarity, the server can screen the calculated similarities by setting a similarity threshold. When a target similarity reaching the similarity threshold exists, target attacker information corresponding to the attack behavior portrait exists, so the server can judge that the threat alert corresponding to the threat alert information belongs to a known family, determine the corresponding target attacker information according to the target similarity, and obtain a family analysis result whose result classification is "belongs to a known family" according to the family to which the target attacker (the attacker described by the target attacker information) belongs. When no target similarity reaching the similarity threshold exists, no target attacker information corresponding to the attack behavior portrait exists, so the server can judge that the threat alert corresponding to the threat alert information is an undetermined new threat, and obtain a family analysis result whose result classification is "undetermined new threat". The similarity threshold can be set as required.
Further, if several target similarities reach the similarity threshold, the server additionally sorts them to screen out the best-matching target similarity, and determines the target attacker portrait corresponding to the portrait to be identified from it.
In this embodiment, by acquiring known attacker information in a preset threat knowledge base, performing portrait matching according to the attack behavior portraits and the known attacker information, a family analysis result corresponding to the attack behavior portraits can be obtained, so that the threat family information and the threat solution can be determined according to the family analysis result.
In one embodiment, determining threat family information and a threat solution according to the family analysis result includes:
determining, according to the family analysis result, whether the threat alert corresponding to the threat alert information belongs to a known family;
when the threat alert belongs to a known family, determining threat family information according to the known family, and acquiring a threat solution;
when the threat alert does not belong to a known family, pushing a network threat alert analysis prompt, determining threat family information according to the fed-back threat alert information analysis result, and acquiring a threat solution.
Specifically, the server determines, according to the result classification in the family analysis result, whether the threat alert corresponding to the threat alert information belongs to a known family. When the result classification is that the threat alert belongs to a known family, the server takes the known family as the threat family to obtain the threat family information, and obtains the threat solution corresponding to the threat family information from a preset scheme library according to the threat family information. The preset scheme library refers to a database in which known families and their corresponding processing schemes are stored in advance.
For example, when the threat alert information belongs to a known family, the family analysis result may be as shown in fig. 6: for each piece of threat alert information, the family analysis result includes a qualitative result, a qualitative score and a result classification, where the qualitative result is the threat family, the qualitative score is the calculated target similarity, and the result classification describes the classification result of the threat alert. Meanwhile, the server may display the security level, probe information, clue information and the like associated with the threat alert information. It should be noted that the sensitive information in the drawing is replaced with XXX, YYY or ZZZ.
Specifically, when the result classification is "undetermined new threat", the threat alert does not belong to a known family, and the server pushes a network threat alert analysis prompt to the responsible user to prompt manual analysis. After completing the analysis, the responsible user feeds a threat alert information analysis result back to the server; this result comprises the family analysis result and a processing scheme, and the server can determine the threat family information and acquire the threat solution from it. Further, because the threat alert information belongs to a previously unknown family, once the threat family information and the threat alert information processing scheme have been obtained the server records both in the threat knowledge base, so that the same threat can be judged directly the next time it is encountered. For example, the threat alert information analysis result fed back by the responsible user may be as shown in fig. 7, including the family name, a family description, a solution and a product solution.
For example, when the threat alert information does not belong to a known family, the family analysis result may, for each piece of threat alert information, include a result classification of "undetermined new threat", as shown in fig. 8, and the server may meanwhile display the security level, probe information, clue information and the like associated with the threat alert information. It should be noted that the sensitive information in the drawing is replaced with XXX, YYY or ZZZ.
In this embodiment, by determining, according to the family analysis result, whether the threat alert corresponding to the threat alert information belongs to a known family, it is possible to determine threat family information and a threat solution in different manners according to the attribution situation of the threat alert.
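The portrait matching and family determination of the two embodiments above, as an added example rather than the patent's own code. It assumes a portrait is represented as a set of (type, value) entities and uses Jaccard overlap as the similarity measure, a choice the patent leaves open; the attacker records, family names, scheme library entries and analyst feedback are all constructed, with reserved documentation addresses rather than real indicators.

```python
from typing import Dict, Optional, Set, Tuple

Entity = Tuple[str, str]  # a portrait is represented here as a set of (type, value) entities

# Constructed known attacker information from the threat knowledge base (hypothetical families).
KNOWN_ATTACKERS: Dict[str, Dict] = {
    "attacker-A": {"family": "MinerFamily-1", "features": {
        ("ip", "203.0.113.10"), ("domain", "update.example-bad.test"),
        ("target", "exposed web servers"),
        ("attack_path", "web shell -> downloader -> cryptominer")}},
    "attacker-B": {"family": "MinerFamily-2", "features": {
        ("ip", "203.0.113.10"), ("domain", "pool.example-bad.test"),
        ("target", "exposed web servers"),
        ("attack_path", "ssh brute force -> cryptominer")}},
    "attacker-C": {"family": "RansomFamily-1", "features": {
        ("ip", "198.51.100.7"), ("domain", "key.example-bad.test"),
        ("target", "file servers"), ("attack_path", "rdp -> file encryption")}},
}

# Constructed preset scheme library: known family -> processing scheme.
SCHEME_LIBRARY: Dict[str, str] = {
    "MinerFamily-1": "terminate miner process, remove cron persistence, patch the web component",
    "MinerFamily-2": "terminate miner process, rotate SSH credentials, restrict SSH by source",
    "RansomFamily-1": "isolate host, restore from offline backup, disable exposed RDP",
}


def similarity(portrait: Set[Entity], attacker_features: Set[Entity]) -> float:
    """Jaccard overlap of entity sets (assumed measure; the patent leaves the measure open)."""
    union = portrait | attacker_features
    return len(portrait & attacker_features) / len(union) if union else 0.0


def portrait_matching(portrait: Set[Entity], known_attackers: Dict[str, Dict],
                      threshold: float = 0.5) -> Dict[str, object]:
    """Family analysis result: qualitative result, qualitative score and result classification."""
    scored = sorted(((similarity(portrait, info["features"]), name)
                     for name, info in known_attackers.items()), reverse=True)
    best_score, best_name = scored[0] if scored else (0.0, None)
    if best_score < threshold:  # no target similarity reaches the threshold
        return {"result_classification": "undetermined new threat",
                "qualitative_result": None, "qualitative_score": best_score}
    # Several candidates may pass the threshold; the sort above keeps the best match first.
    return {"result_classification": "known family",
            "qualitative_result": known_attackers[best_name]["family"],
            "qualitative_score": best_score, "target_attacker": best_name}


def determine_family_and_solution(portrait: Set[Entity], analysis: Dict[str, object],
                                  scheme_library: Dict[str, str], known_attackers: Dict[str, Dict],
                                  analyst_feedback: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Known family: look the solution up in the scheme library. Otherwise push the analysis
    prompt and, once the responsible user has fed back a result, record it in the knowledge
    base and scheme library so the next occurrence is judged directly."""
    if analysis["result_classification"] == "known family":
        family = str(analysis["qualitative_result"])
        return {"family": family, "solution": scheme_library[family], "prompt_pushed": False}
    if analyst_feedback is None:  # prompt pushed, manual analysis still pending
        return {"family": None, "solution": None, "prompt_pushed": True}
    family = analyst_feedback["family_name"]
    scheme_library[family] = analyst_feedback["solution"]
    known_attackers["attacker-" + family] = {"family": family, "features": set(portrait)}
    return {"family": family, "solution": analyst_feedback["solution"], "prompt_pushed": True}
```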
In one embodiment, as shown in fig. 9, the present application further provides a flowchart illustrating a threat alert information processing method of the present application, where the threat alert information processing method specifically includes the following steps:
at step 902, threat alert information associated with a network threat is obtained.
Specifically, the server may collect log information of the end side to be monitored in advance, and detect threat alarm information associated with the network threat, which is generated by the security product, from the log information by using the network threat sensing probe. The to-be-monitored end side may specifically refer to a cloud computing platform.
Step 904, extracting threat alert feature information according to the threat alert information.
Specifically, after the threat alert information is obtained, the server determines the path along which the threat was generated according to the threat clue information in the threat alert information, obtains from the log information the associated suspicious information for that path, including the system information, component information, host history execution commands and the like associated with the path along which the threat was generated, and then matches the associated suspicious information against a preset regular expression to extract the threat alert feature information from it.
Step 906, performing clue extension according to the threat alert feature information to obtain associated feature information associated with the threat alert feature information.
Specifically, after the threat alert feature information is obtained, the server queries a pre-constructed threat knowledge base with the threat alert feature information to obtain associated feature information associated with it, where the associated feature information may specifically refer to the domain name, historical attack objects, historical attack path and the like corresponding to the threat alert feature information.
Step 908, constructing a knowledge graph based on the threat alert feature information and the associated feature information.
Specifically, after the associated feature information is obtained, the server may construct a knowledge graph by taking the associated feature information and the threat alert feature information as entities, and the first relationship among the associated feature information and the second relationship between the associated feature information and the threat alert feature information as the association relationships.
Step 910, obtaining the attack behavior portrait according to the knowledge graph.
Specifically, the server directly uses the knowledge graph as the attack behavior portrait so that the source can be traced by using the attack behavior portrait.
Step 912, obtaining known attacker information in a preset threat knowledge base.
Known attacker information is stored in the preset threat knowledge base, and the attacker information comprises basic information about the attacker and information associated with the attacker. The basic information comprises the domain name corresponding to the attacker, the IP address at which the attacker is located, the domain name resolution result, the subdomains of the attacker's domain name and the like, and the information associated with the attacker comprises the objects the attacker has historically attacked, the attack path and the like. An attacker may specifically refer to a virus, trojan horse, etc.
Step 914, performing portrait matching according to the attack behavior portrait and the known attacker information to obtain a family analysis result corresponding to the attack behavior portrait.
Specifically, the server takes the attack behavior portrait as the portrait to be identified, calculates the similarity between the attack behavior portrait and the known attacker information, and obtains a family analysis result according to the similarity. When a target similarity reaching the similarity threshold exists, target attacker information corresponding to the attack behavior portrait exists, so the server determines that the threat alert corresponding to the threat alert information belongs to a known family, determines the corresponding target attacker information according to the target similarity, and obtains a family analysis result whose result classification is "belongs to a known family" according to the family to which the target attacker belongs. When no target similarity reaching the similarity threshold exists, no target attacker information corresponding to the attack behavior portrait exists, so the server can judge that the threat alert corresponding to the threat alert information is an undetermined new threat, and obtains a family analysis result whose result classification is "undetermined new threat". The similarity threshold can be set as required.
Step 916, determining, according to the family analysis result, whether the threat alert corresponding to the threat alert information belongs to a known family; jumping to step 918 when the threat alert belongs to a known family, and to step 920 when it does not.
Specifically, the family analysis result includes the attribution result of the threat alert, so the server can judge directly from the attribution result whether the threat alert corresponding to the threat alert information belongs to a known family, and perform the next processing in a different manner according to that attribution result.
Step 918, determining threat family information according to the known family and obtaining a threat solution, then jumping to step 922.
Specifically, when the threat alert belongs to a known family, the server takes the known family as the threat family, determines the threat family information, and obtains the threat solution corresponding to the threat family information from a preset scheme library according to the threat family information. The preset scheme library refers to a database in which known families and their corresponding processing schemes are stored in advance.
Step 920, pushing a network threat alert analysis prompt, determining threat family information according to the threat alert information analysis result and obtaining a threat solution, then jumping to step 922.
Specifically, when the threat alert does not belong to a known family, the server pushes a network threat alert analysis prompt to the responsible user to prompt manual analysis; after completing the analysis, the responsible user feeds a threat alert information analysis result back to the server, this result comprises the family analysis result and a processing scheme, and the server can determine the threat family information and acquire the threat solution from the fed-back threat alert information analysis result.
Step 922, a threat occurrence time node is obtained.
The threat occurrence time node is the point in time at which the threat occurred; when the threat occurs, the monitored end side records it and writes the record into the log information.
Step 924, obtaining history log information from the cache according to the threat occurrence time node.
Specifically, the server expands a time window around the threat occurrence time node and obtains the history log information within that time period from the cache. The time window can be set as required.
Step 926, performing suspicious behavior rule matching on the history log information to obtain suspicious behavior data of the host.
Specifically, the server performs suspicious behavior rule matching on the history log information according to a preset suspicious behavior rule, so as to extract host suspicious behavior data from the history log information. The suspicious behavior data of the host can be specifically at least one of file modification behavior, sensitive file reading behavior, network behavior and the like.
Step 928, performing attack entry rule matching on the host suspicious behavior data, locating the attack entry, and determining the suspicious behavior occurrence time node corresponding to each item of host suspicious behavior data.
Specifically, the server matches the host suspicious behavior data against a preset attack entry rule to determine whether an item of host suspicious behavior data is an attack entry, thereby locating the attack entry, and determines the suspicious behavior occurrence time node corresponding to each item of host suspicious behavior data from the log information. The method for judging whether a suspicious behavior is an attack entry is predefined in the preset attack entry rule, and the attack entries involved in this embodiment are mainly of two types: an SSH brute-force type entry, and an attack entry that exploits a component vulnerability of the system or an application.
Step 930, ordering the suspicious behaviors of the host according to the suspicious behavior occurrence time node, and determining the occurrence sequence of the suspicious behaviors of the host.
Specifically, by sorting the suspicious behaviors of the host according to the occurrence time nodes of the suspicious behaviors, the occurrence sequence of the suspicious behaviors of the host can be determined.
Step 932, obtaining the suspicious behavior attack path according to the attack entry and the occurrence sequence of the host suspicious behaviors.
Specifically, according to the attack entry and the occurrence sequence of the host suspicious behaviors, the server can generate the corresponding attack chain to obtain the suspicious behavior attack path.
Step 934, summarizing the threat family information, the threat solution and the suspicious behavior attack path to obtain a network threat alert analysis report.
Specifically, by summarizing the threat family information, the threat solution and the suspicious behavior attack path the server obtains a threat alert information analysis report, and pushes it to the user so that the user can learn the information associated with the threat alert and carry out the corresponding processing according to the report. The user here may specifically refer to a client who uses the security product, or to a responsible user who manages the security product. Further, the threat alert information analysis report comprises an event summary module, a tracing analysis module and a solution module, and when summarizing, the server presents the summarized data for each of these modules.
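Steps 922 to 934 as an added worked example, not the patent's own implementation. The log lines, rule patterns, time window and attack entry rules (an SSH brute-force rule and a component-vulnerability rule) are assumptions; the host, addresses, family name and scheme text are constructed, using reserved documentation ranges rather than real indicators.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
THREAT_TIME_NODE = "2021-11-01T03:12:45Z"  # constructed: when the alert was written to the log

# Constructed log lines held in the cache (hypothetical host). Lines outside the window are deliberate.
LOG_LINES = [
    "2021-11-01T02:40:00Z host-0001 cron (root) CMD (/usr/bin/updatedb)",
    "2021-11-01T03:05:01Z host-0001 sshd Failed password for root from 203.0.113.10 port 51000",
    "2021-11-01T03:05:03Z host-0001 sshd Failed password for root from 203.0.113.10 port 51002",
    "2021-11-01T03:05:05Z host-0001 sshd Failed password for root from 203.0.113.10 port 51004",
    "2021-11-01T03:05:09Z host-0001 sshd Accepted password for root from 203.0.113.10 port 51006",
    "2021-11-01T03:06:12Z host-0001 audit read file=/etc/shadow uid=0 comm=cat",
    "2021-11-01T03:07:30Z host-0001 audit write file=/etc/cron.d/update uid=0 comm=sh",
    "2021-11-01T03:08:45Z host-0001 net connect dst=203.0.113.10:4444 comm=wget",
    "2021-11-01T03:12:45Z host-0001 edr alert file=/tmp/.m",
    "2021-11-01T04:00:00Z host-0001 cron (root) CMD (/usr/bin/updatedb)",
]

# Preset suspicious behavior rules (assumed patterns): (behavior kind, regex over the message).
SUSPICIOUS_BEHAVIOR_RULES = [
    ("ssh_failed_login", re.compile(r"sshd Failed password for \S+ from (\S+)")),
    ("ssh_login", re.compile(r"sshd Accepted password for \S+ from (\S+)")),
    ("component_exploit", re.compile(r"audit exec parent=(apache2|nginx|tomcat|java) child=/bin/(?:ba)?sh")),
    ("sensitive_file_read", re.compile(r"audit read file=(/etc/shadow|/etc/passwd|\S*id_rsa)")),
    ("file_modification", re.compile(r"audit write file=(\S+)")),
    ("network_behavior", re.compile(r"net connect dst=(\S+)")),
]


def get_history_log(lines: List[str], time_node: str, window_minutes: int) -> List[str]:
    """Step 924: expand a time window back from the threat occurrence node; keep lines inside it."""
    end = datetime.strptime(time_node, TS_FORMAT)
    start = end - timedelta(minutes=window_minutes)
    return [line for line in lines
            if start <= datetime.strptime(line.split(" ", 1)[0], TS_FORMAT) <= end]


def match_suspicious_behaviors(history: List[str]) -> List[Dict[str, str]]:
    """Steps 926 and 930: apply the rules, each hit keeping its own time node, then sort by time."""
    behaviors: List[Dict[str, str]] = []
    for line in history:
        ts, host, message = line.split(" ", 2)
        for kind, pattern in SUSPICIOUS_BEHAVIOR_RULES:
            match = pattern.search(message)
            if match:
                behaviors.append({"time": ts, "host": host, "kind": kind, "detail": match.group(1)})
                break
    behaviors.sort(key=lambda b: b["time"])  # ISO 8601 timestamps sort lexicographically
    return behaviors


def locate_attack_entry(behaviors: List[Dict[str, str]],
                        failed_threshold: int = 3) -> Optional[Dict[str, str]]:
    """Step 928: preset attack entry rules, SSH brute-force type and component-vulnerability type."""
    failures: Dict[str, int] = {}
    for b in behaviors:
        if b["kind"] == "ssh_failed_login":
            failures[b["detail"]] = failures.get(b["detail"], 0) + 1
        elif b["kind"] == "ssh_login" and failures.get(b["detail"], 0) >= failed_threshold:
            return {"type": "ssh_bruteforce", "time": b["time"], "source": b["detail"]}
        elif b["kind"] == "component_exploit":
            return {"type": "component_vulnerability", "time": b["time"], "component": b["detail"]}
    return None


def build_attack_path(behaviors: List[Dict[str, str]], entry: Optional[Dict[str, str]]) -> List[Dict[str, str]]:
    """Step 932: the attack chain runs from the located entry through the later behaviors in order."""
    if entry is None:
        return []
    return [b for b in behaviors if b["time"] >= entry["time"]]


def build_analysis_report(alert: str, time_node: str, family_info: str, solution: str,
                          entry: Optional[Dict[str, str]], attack_path: List[Dict[str, str]]) -> Dict[str, object]:
    """Step 934: summarize into the event summary, tracing analysis and solution modules."""
    return {"event_summary": {"alert": alert, "threat_family": family_info, "occurred_at": time_node},
            "tracing_analysis": {"attack_entry": entry, "attack_path": attack_path},
            "solution": solution}


def trace_alert(lines: List[str] = LOG_LINES, time_node: str = THREAT_TIME_NODE, window_minutes: int = 30,
                family_info: str = "MinerFamily-1 (constructed)",
                solution: str = "constructed placeholder scheme") -> Dict[str, object]:
    """Steps 922 to 934 end to end for one alert."""
    behaviors = match_suspicious_behaviors(get_history_log(lines, time_node, window_minutes))
    entry = locate_attack_entry(behaviors)
    return build_analysis_report("edr alert file=/tmp/.m", time_node, family_info, solution,
                                 entry, build_attack_path(behaviors, entry))
```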
According to the threat alert information processing method, in view of the difficulty of analyzing massive threat alert information in detail, threat classification and intrusion analysis capabilities are used to complete the automatic analysis and evaluation of massive threat alert events and to output threat alert analysis reports. Based on the threat alert information detected by security products, the components, processes and file data associated with the threat are collected; the threat is analyzed from multiple dimensions by means of a knowledge graph built on the collected data; and the threat knowledge base together with an automated intrusion analysis flow is used to judge whether the threat is known. If the threat is known, a threat alert analysis report is generated automatically and pushed to subscribed users; if it is not known, whether the threat alert information is a false positive or a new threat type is judged manually. Compared with the traditional approach of sending threat alert information directly to users, this provides rich threat family information, the intrusion analysis process and a threat cleanup scheme, helps the client locate the cause of the intrusion, and avoids repeated intrusion analysis, investigation and threat attribution work. The user here may specifically refer to a client who uses the security product, or to a responsible user who manages the security product.
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in sequence as indicated by the arrows, these steps are not necessarily performed in the order indicated. Unless explicitly stated herein, the order of execution of the steps is not strictly limited, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may comprise multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order in which these sub-steps or stages are performed is not necessarily sequential; they may be performed in turn or alternately with at least part of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 10, there is provided a threat alert information processing apparatus, which may employ software modules, hardware modules, or a combination of both, as part of a computer device. The apparatus specifically comprises an information acquisition module 1002, a portrait construction module 1004, a family tracing module 1006, a suspicious behavior tracing module 1008 and a processing module 1010, wherein:
An information acquisition module 1002, configured to acquire threat alert information associated with a network threat;
the portrait construction module 1004 is configured to perform clue extension according to the threat alert information to obtain an attack behavior portrait;
the family tracing module 1006 is configured to determine threat family information and a threat solution according to the attack behavior portrait, and to obtain a threat occurrence time node;
the suspicious behavior tracing module 1008 is configured to perform suspicious behavior tracing analysis according to the threat occurrence time node, so as to obtain a suspicious behavior attack path;
and the processing module 1010 is configured to summarize the threat family information, the threat solution and the suspicious behavior attack path to obtain a network threat alert analysis report.
According to the threat alert information processing apparatus, threat alert information associated with a network threat is obtained, clue extension is performed according to the threat alert information to obtain an attack behavior portrait, and threat family information and a threat solution can be determined by using the attack behavior portrait. By acquiring the threat occurrence time node, suspicious behavior traceability analysis can be carried out based on it to obtain a suspicious behavior attack path, so that a network threat alert analysis report can be obtained by summarizing the threat family information, the threat solution and the suspicious behavior attack path.
In one embodiment, the suspicious behavior tracing module is further configured to obtain history log information from the cache according to the threat occurrence time node, perform suspicious behavior rule matching on the history log information to obtain host suspicious behavior data, and obtain the suspicious behavior attack path corresponding to the threat alert information according to the host suspicious behavior data.
In one embodiment, the suspicious behavior tracing module is further configured to perform attack entry rule matching on the host suspicious behavior data, locate the attack entry, determine the suspicious behavior occurrence time nodes corresponding to the host suspicious behavior data, sort the host suspicious behaviors according to their occurrence time nodes to determine their occurrence sequence, and obtain the suspicious behavior attack path according to the attack entry and the occurrence sequence of the host suspicious behaviors.
In one embodiment, the portrait construction module is further configured to extract threat alert feature information according to the threat alert information, perform clue extension according to the threat alert feature information to obtain associated feature information associated with it, construct a knowledge graph based on the threat alert feature information and the associated feature information, and obtain the attack behavior portrait according to the knowledge graph.
In one embodiment, the family tracing module is further configured to obtain known attacker information in a preset threat knowledge base, perform portrait matching according to the attack behavior portrait and the known attacker information to obtain a family analysis result corresponding to the attack behavior portrait, and determine the threat family information and the threat solution according to the family analysis result.
In one embodiment, the family tracing module is further configured to determine, according to the family analysis result, whether the threat alert corresponding to the threat alert information belongs to a known family; when it does, to determine the threat family information according to the known family and obtain the threat solution; and when it does not, to push a network threat alert analysis prompt, determine the threat family information according to the fed-back threat alert information analysis result, and obtain the threat solution.
For the specific limitations of the threat alert information processing apparatus, reference may be made to the limitations of the threat alert information processing method above, which are not repeated here. The above threat alert information processing apparatus may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware, may be independent of the processor in the computer device, or may be stored as software in the memory of the computer device so that the processor can call and execute the operations corresponding to them.
In one embodiment, a computer device is provided, which may be a server, and the internal structure of which may be as shown in fig. 11. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used for storing threat knowledge base, log information and other data. The network interface of the computer device is used for communicating with an external end to be monitored through network connection. The computer program when executed by a processor implements a threat alert information processing method.
It will be appreciated by those skilled in the art that the structure shown in fig. 11 is merely a block diagram of a portion of the structure associated with the present application and is not limiting of the computer device to which the present application applies, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In an embodiment, there is also provided a computer device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, storing a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
In one embodiment, a computer program product or computer program is provided that includes computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the steps in the above-described method embodiments.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium which, when executed, may perform the steps of the method embodiments described above. Any reference to memory, storage, a database or another medium in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, or the like. Volatile memory may include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM may take various forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM).
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.

Claims (10)

1. A threat alert information processing method, the method comprising:
acquiring threat alarm information associated with a network threat;
performing clue extension according to the threat alert information to obtain an attack behavior portrait;
determining threat family information and a threat solution according to the attack behavior portrait, and acquiring a threat occurrence time node;
performing suspicious behavior traceability analysis according to the threat occurrence time node to obtain a suspicious behavior attack path;
and summarizing the threat family information, the threat solution and the suspicious behavior attack path to obtain a network threat alarm analysis report.
2. The method of claim 1, wherein performing suspicious behavior traceability analysis according to the threat occurrence time node to obtain a suspicious behavior attack path comprises:
acquiring historical log information from a cache according to the threat occurrence time node;
performing suspicious behavior rule matching on the history log information to obtain suspicious behavior data of a host;
and obtaining suspicious behavior attack paths corresponding to the threat warning information according to the suspicious behavior data of the host.
3. The method of claim 2, wherein obtaining a suspicious behavior attack path corresponding to the threat alert information from the host suspicious behavior data comprises:
performing attack entry rule matching on the suspicious behavior data of the host, positioning an attack entry, and determining suspicious behavior occurrence time nodes corresponding to the suspicious behavior data of the host;
Sequencing the suspicious behaviors of the host according to the suspicious behavior occurrence time node, and determining the occurrence sequence of the suspicious behaviors of the host;
and obtaining a suspicious behavior attack path according to the occurrence sequence of the suspicious behaviors of the attack entrance and the host.
4. The method of claim 1, wherein said performing thread routing based on the threat alert information to obtain an attack profile comprises:
extracting threat alarm characteristic information according to the threat alarm information;
according to the threat warning characteristic information, carrying out clue extension to obtain associated characteristic information associated with the threat warning characteristic information;
constructing a knowledge graph based on the threat alert feature information and the associated feature information;
and obtaining the attack behavior portraits according to the knowledge graph.
5. The method of claim 1, wherein said determining threat family information and threat solutions from said attack behavioral profile comprises:
acquiring known attacker information in a preset threat knowledge base;
performing portrait matching according to the attack behavior portraits and the known attacker information to obtain family analysis results corresponding to the attack behavior portraits;
Threat family information and threat solutions are determined from the family analysis results.
6. The method of claim 5, wherein determining threat family information and threat solutions from the family analysis results comprises:
determining whether threat alarms corresponding to the threat alarm information belong to a known family according to the family analysis result;
when the threat alert belongs to a known family, determining threat family information according to the known family, and acquiring a threat solution;
and when the threat alarm is not in the known family, pushing a network threat alarm analysis prompt, determining threat family information according to the feedback threat alarm information analysis result, and acquiring a threat solution.
7. A threat alert information processing apparatus, the apparatus comprising:
the information acquisition module is used for acquiring threat alarm information associated with the network threat;
the portrait construction module is used for carrying out clue wire extension according to the threat warning information to obtain an attack behavioral portrait;
the family tracing module is used for determining threat family information and threat solution according to the attack behavior portrait and acquiring threat occurrence time nodes;
The suspicious behavior tracing module is used for carrying out suspicious behavior tracing analysis according to the threat occurrence time node to obtain a suspicious behavior attack path;
and the processing module is used for summarizing the threat family information, the threat solution and the suspicious behavior attack path to obtain a network threat alarm analysis report.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
9. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the steps of the method of any one of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 6.
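As an added illustration of the pipeline in claims 1 to 6 (example code written for this page, not the patent's own implementation), the sketch below pulls cached host logs around the threat occurrence time node, applies suspicious behavior and attack entry rules, orders the hits into an attack path, matches the resulting portrait against a known-family knowledge base, and falls back to an analyst prompt when no family matches. The log cache, rule set, family "FamilyA" and the Jaccard threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample host log cache and knowledge base (hypothetical values, not from the patent).
LOG_CACHE = [
    {"ts": "2021-11-23T09:58:00", "event": "attachment_opened", "obj": "invoice.docm"},
    {"ts": "2021-11-23T09:59:10", "event": "process_start", "obj": "winword.exe -> powershell.exe"},
    {"ts": "2021-11-23T10:00:30", "event": "net_connect", "obj": "203.0.113.7:443"},
    {"ts": "2021-11-23T10:02:00", "event": "file_write", "obj": "C:\\Users\\x\\update.exe"},
    {"ts": "2021-11-23T11:30:00", "event": "process_start", "obj": "explorer.exe -> notepad.exe"},
]
# Suspicious behavior rules (claim 2): event type -> label, or None when the event is benign.
SUSPICIOUS_RULES = {
    "attachment_opened": lambda e: "macro_document_opened" if e["obj"].endswith(".docm") else None,
    "process_start": lambda e: "office_spawns_shell" if "winword" in e["obj"] and "powershell" in e["obj"] else None,
    "net_connect": lambda e: "outbound_to_unknown_host",
    "file_write": lambda e: "dropped_executable" if e["obj"].endswith(".exe") else None,
}
ATTACK_ENTRY_BEHAVIORS = {"macro_document_opened"}  # attack entry rule (claim 3)
KNOWLEDGE_BASE = {  # known attacker portraits and their solutions (claim 5), constructed
    "FamilyA": {"tags": {"office_spawns_shell", "outbound_to_unknown_host", "dropped_executable"},
                "solution": "isolate host, block the destination, remove the dropped binary"}}

def fetch_history(cache, threat_time, window=timedelta(hours=1)):
    """Claim 2: historical log entries within `window` before the threat occurrence time node."""
    t = datetime.fromisoformat(threat_time)
    return [e for e in cache if t - window <= datetime.fromisoformat(e["ts"]) <= t]

def match_suspicious(events):
    """Claim 2: apply the suspicious behavior rules, keeping only matching events."""
    labeled = [(e, SUSPICIOUS_RULES.get(e["event"], lambda _: None)(e)) for e in events]
    return [{"ts": e["ts"], "behavior": lab, "obj": e["obj"]} for e, lab in labeled if lab]

def build_attack_path(suspicious):
    """Claim 3: locate the attack entry, order behaviors by time, return (entry, ordered path)."""
    ordered = sorted(suspicious, key=lambda s: s["ts"])
    entry = next((s["obj"] for s in ordered if s["behavior"] in ATTACK_ENTRY_BEHAVIORS), None)
    return entry, [s["behavior"] for s in ordered]

def match_family(portrait, kb, threshold=0.6):
    """Claims 5/6: Jaccard overlap between the portrait and each known family; None means unknown family."""
    scored = [(len(v["tags"] & portrait) / len(v["tags"] | portrait), k) for k, v in kb.items()]
    score, name = max(scored)
    return (name, kb[name]["solution"]) if score >= threshold else (None, None)

def analyze(threat_time, cache=LOG_CACHE, kb=KNOWLEDGE_BASE):
    """Claim 1: assemble the report; needs_analyst mirrors the unknown-family prompt of claim 6."""
    entry, path = build_attack_path(match_suspicious(fetch_history(cache, threat_time)))
    family, solution = match_family(set(path), kb)
    return {"family": family, "solution": solution, "attack_entry": entry, "attack_path": path,
            "needs_analyst": family is None}
```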
CN202111394895.8A 2021-11-23 2021-11-23 Threat alert information processing method, threat alert information processing device, computer equipment and storage medium Pending CN116155519A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111394895.8A CN116155519A (en) 2021-11-23 2021-11-23 Threat alert information processing method, threat alert information processing device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111394895.8A CN116155519A (en) 2021-11-23 2021-11-23 Threat alert information processing method, threat alert information processing device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116155519A true CN116155519A (en) 2023-05-23

Family

ID=86353024

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111394895.8A Pending CN116155519A (en) 2021-11-23 2021-11-23 Threat alert information processing method, threat alert information processing device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116155519A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116760636A (en) * 2023-08-16 2023-09-15 国网江苏省电力有限公司信息通信分公司 Active defense system and method for unknown threat

Similar Documents

Publication Publication Date Title
CN111355697B (en) Detection method, device, equipment and storage medium for botnet domain name family
NL2002694C2 (en) Method and system for alert classification in a computer network.
CN111274583A (en) Big data computer network safety protection device and control method thereof
CN112003838B (en) Network threat detection method, device, electronic device and storage medium
CN112184091B (en) Industrial control system security threat assessment method, device and system
US10505986B1 (en) Sensor based rules for responding to malicious activity
CN110188538B (en) Method and device for detecting data by adopting sandbox cluster
KR20110088042A (en) Apparatus and method for automatically discriminating malicious code
CN113660115B (en) Alarm-based network security data processing method, device and system
CN112131571B (en) Threat tracing method and related equipment
US20230252145A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
US20230252136A1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
CN116155519A (en) Threat alert information processing method, threat alert information processing device, computer equipment and storage medium
CN110224975B (en) APT information determination method and device, storage medium and electronic device
US20230048076A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
US20230254340A1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
CN115827379A (en) Abnormal process detection method, device, equipment and medium
KR102362516B1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
CN113572781A (en) Method for collecting network security threat information
CN107341396A (en) Intrusion detection method, device and server
CN113660223B (en) Network security data processing method, device and system based on alarm information
Mahmoud et al. A hybrid snort-negative selection network intrusion detection technique
US20230275908A1 (en) Thumbprinting security incidents via graph embeddings
KR102396238B1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
KR102437376B1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination