CN116566729A - Network security operation analysis method and device based on security cloud, electronic equipment and storage medium - Google Patents
- Publication number: CN116566729A
- Application number: CN202310712710.6A
- Authority: CN (China)
- Prior art keywords: network security, treatment, security event, attack, event
- Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Classifications (CPC, all under H04L63/00, network architectures or network communication protocols for network security)
- H04L63/20: managing network security; network security policies in general
- H04L63/14, H04L63/1408, H04L63/1416: detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
- H04L63/14, H04L63/1408, H04L63/1425: detecting or protecting against malicious traffic by monitoring network traffic; traffic logging, e.g. anomaly detection
- H04L63/14, H04L63/1433: detecting or protecting against malicious traffic; vulnerability analysis
Abstract
The invention discloses a network security operation analysis method based on a security cloud, which comprises the following steps: receiving network security event report information sent by a security monitoring system; determining the type of the network security event according to the log information of the network security event, and extracting first key feature information and second key feature information of the network security event; matching the first key feature information against the feature library for that type pre-stored in a security cloud platform, and determining the recommended treatment means and recommended treatment subject corresponding to the network security event; inputting the second key feature information into the pre-constructed network security situation quantitative evaluation model for that type in the security cloud platform to obtain the risk level label corresponding to the network security event; generating a treatment work order according to the risk level label and the recommended treatment means corresponding to the network security event, and sending the treatment work order to the recommended treatment subject.
Description
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a network security operation analysis method and apparatus based on a security cloud, an electronic device, and a storage medium.
Background
With the worldwide spread and development of the internet, more and more computer users can enjoy rich information resources through the network without leaving home, and can send and receive information conveniently and quickly. Computer networks have become closely tied to people's study and work and are now an indispensable part of many people's lives. However, as people enjoy the great convenience that networks bring, the security of computer networks is also of increasing concern, and the detection of computer network security problems is a major concern of computer security.
In current network security operation schemes, when an existing security monitoring system detects a network security event it generally reports it to a server, and security monitoring personnel look up information such as the region, unit and responsible person of the network security event and notify that unit or responsible person to handle it. This manual mode is slow, prone to lookup errors, and cannot effectively monitor and guide the discovery, analysis, judgment and treatment progress of the network security event, so the resolution progress of the event is unknown, hard to supervise and hard to direct, which affects the efficiency and effect of treating network security events.
Disclosure of Invention
The invention aims to provide a network security operation analysis method and device based on a security cloud, electronic equipment and a storage medium, which can effectively solve the technical problems existing in the prior art.
In order to achieve the above object, an embodiment of the present invention provides a network security operation analysis method based on a security cloud, including the steps of:
S1, receiving network security event report information sent by a security monitoring system, wherein the report information includes log information of the network security event;
S2, determining the type of the network security event according to its log information, and extracting first key feature information and second key feature information of the network security event;
S3, matching the first key feature information against the feature library for that type pre-stored in a security cloud platform, and determining the recommended treatment means and recommended treatment subject corresponding to the network security event;
S4, inputting the second key feature information into the pre-constructed network security situation quantitative evaluation model for that type in the security cloud platform, and obtaining the risk level label corresponding to the network security event; the network security situation quantitative evaluation model is obtained by collecting historical network security event data of different types together with preset risk levels and training a constructed neural network model on them;
S5, generating a treatment work order matched to the network security event according to its risk level label and recommended treatment means, setting the treatment state of the network security event in the work order to "to be treated", and sending the work order to the recommended treatment subject, so that the recommended treatment subject treats the network security event in the priority order given by the risk level label and using the recommended treatment means;
S6, when a network security event treatment completion report sent by the recommended treatment subject is received, setting the treatment state of the network security event in the work order to "treated"; when the actual treatment means in the completion report is judged to differ from the recommended treatment means, comparing and evaluating the actual and recommended treatment means according to the treatment results, and when the actual treatment means is evaluated to be better than the recommended one, updating the feature library pre-stored in the security cloud platform according to the actual treatment means.
Preferably, between steps S5 and S6 the method further includes:
monitoring in real time the treatment state of the network security event in the work order, and sending network security event treatment reminder information to the recommended treatment subject when the treatment time of the network security event in the work order reaches 1/2 of the preset treatment time threshold of the risk level label corresponding to the network security event.
Preferably, in step S3, when the first key feature information is matched against the feature library for that type pre-stored in the security cloud platform, a backup recommended treatment subject corresponding to the network security event is also determined; and between steps S5 and S6 the method further includes:
monitoring in real time the treatment state of the network security event in the work order; when the treatment time of the network security event in the work order reaches the preset treatment time threshold of the corresponding risk level label and the treatment state of the network security event in the work order sent to the recommended treatment subject is still not treated, forwarding the work order to the backup recommended treatment subject, so that the backup recommended treatment subject treats the network security event in the priority order given by the risk level label and using the recommended treatment means.
Preferably, the types of network security events include network attack events and vulnerability events;
when the type of the network security event is a network attack event, the first key feature information includes attack source information, attack object information and attack means information; step S3 further includes: matching the attack source information against a pre-generated attack record and determining the number of attacks corresponding to the attack source information; if the number of attacks is greater than a preset threshold, fixing the recommended treatment means as linkage treatment of the network attack event; wherein the attack record is generated as follows: after the first key feature information of the network attack event is extracted, the attack record is updated according to the attack source information of the network attack event, and the attack count corresponding to that attack source information is incremented by one; the second key feature information includes the network attack information that the network security situation quantitative evaluation model requires as input; the network attack information includes attack source information, attack object information, attack means information, protocol, attack object access rights, network attack type or system vulnerabilities of the attack object;
when the type of the network security event is a vulnerability event, the first key feature information includes a URL and a vulnerability type; the second key feature information includes the vulnerability information that the network security situation quantitative evaluation model requires as input, wherein the vulnerability information includes the vulnerability name, vulnerability discovery time, the host on which the vulnerability is located, the vulnerability type, the vulnerability severity and the port corresponding to the vulnerability.
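An added example, not the patent's code, of the work-order lifecycle in steps S5 and S6 together with the preferred reminder, backup escalation and attack-count variants described above. The per-risk-level time thresholds, the attack count threshold, the numeric treatment result scores and all field names are assumptions.

```python
from dataclasses import dataclass

# Constructed per-risk-level treatment time thresholds, in minutes.  The patent
# only says each risk level label has a preset threshold; these values are assumed.
TREATMENT_TIME_THRESHOLD = {"high": 60, "medium": 240, "low": 1440}
# Assumed preset threshold for the attack-source counter of the S3 variant.
ATTACK_COUNT_THRESHOLD = 3

@dataclass
class WorkOrder:
    """Treatment work order generated in S5; field names are assumptions."""
    event_id: str
    risk_level: str
    recommended_means: str
    recommended_subject: str
    backup_subject: str
    created_at: int  # minutes on a constructed clock
    state: str = "to be treated"
    assignee: str = ""
    reminded: bool = False
    escalated: bool = False

    def __post_init__(self):
        self.assignee = self.recommended_subject  # first sent to the recommended subject

def record_attack(attack_record, attack_source):
    """After the first key features are extracted, increment the attack count
    for this source in the attack record and return the new count."""
    attack_record[attack_source] = attack_record.get(attack_source, 0) + 1
    return attack_record[attack_source]

def choose_means(library_means, attack_count):
    """Above the preset attack count the recommended means is fixed to
    linkage treatment; otherwise the feature library's means is used."""
    if attack_count > ATTACK_COUNT_THRESHOLD:
        return "linkage treatment"
    return library_means

def monitor(order, now):
    """Real-time monitoring between S5 and S6.  Returns the action taken:
    'remind' at 1/2 of the threshold, 'escalate' (forward to the backup
    subject) at the full threshold, or None."""
    if order.state != "to be treated":
        return None
    elapsed = now - order.created_at
    threshold = TREATMENT_TIME_THRESHOLD[order.risk_level]
    if elapsed >= threshold and not order.escalated:
        order.assignee = order.backup_subject
        order.escalated = True
        return "escalate"
    if elapsed >= threshold / 2 and not order.reminded:
        order.reminded = True
        return "remind"
    return None

def complete(order, feature_library, feature_key, actual_means,
             actual_score, recommended_score):
    """S6: close the order on a completion report.  When the actual means
    differs from the recommended one and scored better (the scores are an
    assumed numeric measure of the treatment result), update the library
    entry so the next similar event recommends the better means.
    Returns True when the library was updated."""
    order.state = "treated"
    if actual_means != order.recommended_means and actual_score > recommended_score:
        feature_library[feature_key]["means"] = actual_means
        return True
    return False

def demo():
    """Walk one high-risk network attack event through the whole lifecycle."""
    key = ("external internet", "web server", "sql injection")  # constructed
    library = {key: {"means": "block source IP at WAF", "subject": "web team",
                     "backup": "SOC tier 2"}}
    attack_record = {}
    count = record_attack(attack_record, key[0])
    means = choose_means(library[key]["means"], count)
    order = WorkOrder("evt-001", "high", means, library[key]["subject"],
                      library[key]["backup"], created_at=0)
    trace = [monitor(order, t) for t in (10, 30, 45, 60, 70)]
    updated = complete(order, library, key, "block source IP and rotate credentials",
                       actual_score=0.9, recommended_score=0.7)
    return trace, order.assignee, order.state, updated, library[key]["means"]

if __name__ == "__main__":
    print(demo())
```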
A further embodiment of the present invention correspondingly provides a network security operation analysis device based on a security cloud, including:
a receiving module, configured to receive network security event report information sent by the security monitoring system, wherein the report information includes log information of the network security event;
an information extraction module, configured to determine the type of the network security event according to its log information and to extract first key feature information and second key feature information of the network security event;
a matching module, configured to match the first key feature information against the feature library for that type pre-stored in the security cloud platform, and to determine the recommended treatment means and recommended treatment subject corresponding to the network security event;
an evaluation module, configured to input the second key feature information into the pre-constructed network security situation quantitative evaluation model for that type in the security cloud platform to obtain the risk level label corresponding to the network security event; the network security situation quantitative evaluation model is obtained by collecting historical network security event data of different types together with preset risk levels and training a constructed neural network model on them;
a treatment work order generation module, configured to generate a treatment work order matched to the network security event according to its risk level label and recommended treatment means, set the treatment state of the network security event in the work order to "to be treated", and send the work order to the recommended treatment subject, so that the recommended treatment subject treats the network security event in the priority order given by the risk level label and using the recommended treatment means;
an updating module, configured to set the treatment state of the network security event in the work order to "treated" when a network security event treatment completion report sent by the recommended treatment subject is received, and, when the actual treatment means in the completion report is determined to differ from the recommended treatment means, to compare and evaluate the actual and recommended treatment means according to the treatment results, and, when the actual treatment means is evaluated to be better than the recommended one, to update the feature library pre-stored in the security cloud platform according to the actual treatment means.
Preferably, the network security operation analysis device based on the security cloud further comprises:
a state monitoring module, configured to monitor in real time the treatment state of the network security event in the work order, and to send network security event treatment reminder information to the recommended treatment subject when the treatment time of the network security event in the work order reaches or exceeds 1/2 of the preset treatment time threshold of the risk level label corresponding to the network security event.
Preferably, the matching module is further configured to determine a backup recommended treatment subject corresponding to the network security event when matching the first key feature information against the feature library for that type pre-stored in the security cloud platform; and the state monitoring module is further configured to:
monitor in real time the treatment state of the network security event in the work order, and, when the treatment time of the network security event in the work order reaches the preset treatment time threshold of the corresponding risk level label and the treatment state of the network security event in the work order sent to the recommended treatment subject is still not treated, forward the work order to the backup recommended treatment subject, so that the backup recommended treatment subject treats the network security event in the priority order given by the risk level label and using the recommended treatment means.
Preferably, the types of network security events include network attack events and vulnerability events;
when the type of the network security event is a network attack event, the first key feature information includes attack source information, attack object information and attack means information; the matching module is further configured to: match the attack source information against a pre-generated attack record and determine the number of attacks corresponding to the attack source information; if the number of attacks is greater than a preset threshold, fix the recommended treatment means as linkage treatment of the network attack event; wherein the attack record is generated as follows: after the first key feature information of the network attack event is extracted, the attack record is updated according to the attack source information of the network attack event, and the attack count corresponding to that attack source information is incremented by one; the second key feature information includes the network attack information that the network security situation quantitative evaluation model requires as input; the network attack information includes attack source information, attack object information, attack means information, protocol, attack object access rights, network attack type or system vulnerabilities of the attack object;
when the type of the network security event is a vulnerability event, the first key feature information includes a URL and a vulnerability type; the second key feature information includes the vulnerability information that the network security situation quantitative evaluation model requires as input, wherein the vulnerability information includes the vulnerability name, vulnerability discovery time, the host on which the vulnerability is located, the vulnerability type, the vulnerability severity and the port corresponding to the vulnerability.
Another embodiment of the present invention provides an electronic device, including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, the processor implementing the security cloud-based network security operation analysis method according to any of the embodiments above when the computer program is executed.
Another embodiment of the invention is a computer storage medium comprising one or more computer instructions that, when executed, implement the security cloud-based network security operation analysis method of any of the embodiments above.
Compared with the prior art, the network security operation analysis method and device based on a security cloud, the electronic device and the storage medium have the following technical effects: the network security event report information sent by the security monitoring system is received, and the type of the network security event is determined and its first and second key feature information extracted according to the log information in that report; the first key feature information is matched against the feature library for that type pre-stored in the security cloud platform to determine the recommended treatment means and recommended treatment subject corresponding to the network security event; the second key feature information is input into the pre-constructed network security situation quantitative evaluation model for that type in the security cloud platform to obtain the risk level label of the event, that model having been obtained by collecting historical network security event data of different types together with preset risk levels and training a constructed neural network model on them; a treatment work order matched to the event is generated according to its risk level label and recommended treatment means, the treatment state of the event in the work order is set to "to be treated", and the work order is sent to the recommended treatment subject, which treats the event in the priority order given by the risk level label and using the recommended treatment means; when the treatment completion report sent by the recommended treatment subject is received, the treatment state of the event in the work order is set to "treated", and when the actual treatment means in the report is judged to differ from the recommended one, the two are compared and evaluated according to the treatment results, and when the actual means is evaluated to be better, the feature library pre-stored in the security cloud platform is updated according to it. The method and device can therefore effectively monitor and guide the discovery, analysis, judgment and treatment progress of network security events, solve the problems of unknown resolution progress, difficult supervision and difficult direction, and assist the supervisory department in effectively monitoring and guiding network security events, thereby improving the efficiency and effect of treating them.
Drawings
In order to more clearly illustrate the technical solutions of the present invention, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a network security operation analysis method based on a security cloud according to an embodiment of the present invention.
Fig. 2 is a flowchart of a network security operation analysis method based on a security cloud according to a preferred embodiment of the present invention.
Fig. 3 is a flowchart of still another network security operation analysis method based on security cloud according to the preferred embodiment of the present invention.
Fig. 4 is a structural block diagram of a network security operation analysis device based on a security cloud according to an embodiment of the present invention.
Fig. 5 is a block diagram of a network security operation analysis device based on a security cloud according to a preferred embodiment of the present invention.
Fig. 6 is a schematic diagram of an electronic device according to a network security operation analysis method based on a security cloud according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that the terms "first," "second," "target," and the like in the description and claims of the present invention and in the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Referring to fig. 1, an embodiment of the present invention provides a flowchart of a network security operation analysis method based on a security cloud. The method can be executed by a security cloud-based network security operation analysis device, which can be implemented in the form of hardware and/or software and can be configured in an electronic device with data processing capability. As shown in fig. 1, the method includes steps S101 to S106:
S101, receiving network security event report information sent by a security monitoring system, wherein the report information includes log information of the network security event.
The security monitoring system monitors network security events in order to protect the network and reports a network security event when it detects one; it may include a firewall system, a virus monitoring system, a vulnerability scanning system and the like. Network security events may be any conditions that affect network security, such as virus intrusion, information theft, network intrusion, etc. The log information is information related to the network security event and may reflect its occurrence time, location, event type, etc.
Specifically, if the report information of the network security event sent by the security monitoring system is received, it is indicated that there may be a network intrusion, and the log information of the network security event needs to be obtained to perform corresponding processing.
In this embodiment, optionally, the log information of the network security event includes at least one of the following: a source internet protocol address, a destination internet protocol address, a region where the network security event is located, and a network security event type.
The IP address (Internet Protocol address) reflects the network address of a device: the source IP is the network address of the initiator of the network security event, and the destination IP is the network address of the attacked party. The region where the network security event is located reflects where it occurred. The network security event type reflects the urgency, scope of impact, etc. of the event, and different event types may call for different handling; network security event types include, but are not limited to, virus intrusion, latent Trojans, network attacks, etc.
It is obvious that the content of the log information of the network security event may include one or more of the above, and the embodiment of the present application does not limit the specific content of the log information of the network security event.
S102, determining the type of the network security event according to the log information of the network security event, and extracting first key feature information and second key feature information of the network security event.
The types of the network security events comprise network attack events and vulnerability events.
When the type of the network security event is a network attack event, the first key feature information includes attack source information, attack object information and attack means information; the second key feature information includes the network attack information required as input by the network security situation quantitative evaluation model described below; the network attack information includes attack source information, attack object information, attack means information, protocol, attack object access rights, network attack type or system vulnerabilities of the attack object.
When the type of the network security event is a vulnerability event, the first key feature information includes a URL (uniform resource locator) and a vulnerability type. The second key feature information includes the vulnerability information required as input by the network security situation quantitative evaluation model: the vulnerability name, vulnerability discovery time, the host on which the vulnerability is located, the vulnerability type, the vulnerability severity and the port corresponding to the vulnerability.
And S103, matching the first key feature information with a feature library which is pre-stored in a security cloud platform and corresponds to the type, and determining recommended treatment means and recommended treatment subjects corresponding to the network security event.
The types of the network security events comprise network attack events and vulnerability events. Feature libraries corresponding to the network attack event and the vulnerability event are respectively prestored in the security cloud platform. It can be understood that, for different types of network security events, by presetting a feature library, the feature library stores feature information of the network security events, and treatment means information and treatment subject information corresponding to the feature information of each network security event, according to which respective means can be executed to treat the network security event, according to which the treatment can be executed by respective subjects.
In addition, for each network security event, the similarity between the network security event and the network security event stored in the security cloud platform in advance can be calculated based on a pattern matching algorithm (the method of semantic similarity calculation is adopted in the embodiment), if the maximum similarity meets the preset threshold requirement, the treatment means and the treatment subject corresponding to the security event with the maximum similarity value in the prestored network security event are used as the recommended treatment means and the recommended treatment subject to be associated with the current network security event, so that the current network security event is subjected to subsequent processing.
Further, as a preferred embodiment, as shown in fig. 2, when the type of the network security event is a network attack event, the step S103 further includes:
S1031, matching the attack source information with a pre-generated attack record, and determining the attack times corresponding to the attack source information.
In this embodiment, the attack record stores attack source information and the attack times corresponding to each attack source. The attack times for a network attack event are determined by matching its attack source information against the attack record.
S1032, if the attack times are greater than or equal to a preset threshold, fixing the recommended treatment means and carrying out linkage treatment of the network attack event. The attack record is generated as follows: after the first key feature information of the network attack event is extracted, the attack record is updated according to the attack source information of the event, and the count of attack times corresponding to that attack source is increased by one.
In this embodiment, when the attack times are greater than the preset threshold, the trigger condition is deemed to be met, and the network attack event can then be directly treated by linkage.
S1033, if the attack times are smaller than the preset threshold (the trigger condition is not met), the recommended treatment means is reserved.
For example, taking IP scanning: if a certain IP is detected scanning a plurality of times, it is marked as abnormal scanning and determined to be a network attack event. Since the trigger condition is not yet met, feature information is extracted to determine the recommended treatment for the IP scan event, such as short-term blocking of the IP (for example, disabling its access for 24 hours), and the attack record is updated. If the IP scan event is detected again after the 24 hours, matching the attack record shows that the trigger condition is now met and the IP is blocked automatically.
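The attack record and trigger condition of steps S1031 to S1033, as an added example that is not code from the patent: the record is a per-source counter incremented after feature extraction, a count at or above the preset threshold fixes the recommended means and routes the event to linkage treatment, and a lower count reserves the means for the work order. The threshold value (2), the IP addresses and the treatment-means string are constructed assumptions.

```python
"""Attack record and trigger condition (S1031-S1033). Added example; the
threshold, IP addresses and means strings are assumed, not from the patent."""
from dataclasses import dataclass, field

PRESET_THRESHOLD = 2  # assumed; the patent does not fix a value


@dataclass
class AttackRecord:
    """Attack source -> count of attack times (pre-generated attack record)."""
    counts: dict = field(default_factory=dict)

    def update(self, attack_source: str) -> int:
        """Called after the first key feature information is extracted:
        increase the count for this attack source by one."""
        self.counts[attack_source] = self.counts.get(attack_source, 0) + 1
        return self.counts[attack_source]

    def attack_times(self, attack_source: str) -> int:
        """S1031: match the attack source against the record."""
        return self.counts.get(attack_source, 0)


@dataclass
class Decision:
    attack_source: str
    times: int
    decision: str          # "linkage" (S1032) or "work_order" (S1033)
    treatment_means: str   # the recommended means, fixed or reserved


def handle_attack_event(record: AttackRecord, attack_source: str,
                        recommended_means: str) -> Decision:
    """Update the record, then apply the trigger condition of S1032/S1033."""
    times = record.update(attack_source)
    if times >= PRESET_THRESHOLD:
        # Trigger condition met: means fixed, event treated by linkage directly.
        return Decision(attack_source, times, "linkage", recommended_means)
    # Trigger condition not met: means reserved for the treatment work order.
    return Decision(attack_source, times, "work_order", recommended_means)


def simulate_ip_scan_example() -> list:
    """The page's IP-scan scenario with constructed data: one IP scans on day 1,
    is blocked for 24 hours, and scans again on day 2; another IP scans once."""
    record = AttackRecord()
    events = [("198.51.100.7", "day 1"), ("203.0.113.9", "day 1"),
              ("198.51.100.7", "day 2")]
    means = "short-term block of the IP (disable access for 24 h)"
    return [handle_attack_event(record, src, means) for src, _ in events]


if __name__ == "__main__":
    for d in simulate_ip_scan_example():
        print(d)
```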
S104, inputting the second key feature information into the network security situation quantitative evaluation model pre-constructed in the security cloud platform for that type, and obtaining the risk level label corresponding to the network security event. The network security situation quantitative evaluation model is obtained by collecting historical network security event data of the different types together with preset risk levels and training a constructed neural network model on them.
It can be appreciated that the network security situation quantitative evaluation model may adopt a neural network model familiar to those skilled in the art (for example, a BP neural network model or an APDE-RBF neural network model) to evaluate and predict the dynamic development trend of the network security event, thereby obtaining a risk level that reflects the processing importance/urgency/threat level (priority) of the event; the higher the risk level, the higher the processing priority required. For example, the status of a network security event may be classified into four risk levels from low to high, and the four levels quantitatively described by value ranges: the level 1 security index is 0.0-0.2, level 2 is 0.2-0.5, level 3 is 0.5-0.8 and level 4 is 0.8-1. The second key feature information of the network security event is then input into the network security situation quantitative evaluation model, which outputs a security index between 0 and 1; the range the index falls in gives the network security level, and hence the risk level reflecting the processing importance/urgency/threat degree (priority) of the event.
S105, generating a treatment work order matched with the network security event according to its risk level label and recommended treatment means, setting the treatment state of the work order for the network security event to "to be treated", and sending the work order to the recommended treatment subject, so that the recommended treatment subject treats the network security event in the priority order given by the risk level label, using the recommended treatment means.
As described above, the higher the risk level, the higher the priority. Therefore, when a treatment work order matching the network security event is generated from the risk level label and recommended treatment means and sent to the recommended treatment subject, the recommended treatment subject ranks the received work orders by risk level label and treats the corresponding network security events in that order. It can be appreciated that, after receiving the treatment work order, the recommended treatment subject may treat the network security event automatically according to the recommended treatment means. It may also treat the event manually by other means based on experience after the automatic treatment, or treat it manually by other means instead of the recommended means after receiving the work order, so that the desired treatment result is finally obtained and a network security event treatment completion report is generated.
As a preferred scheme, the treatment state of the network security event on the treatment work order is monitored in real time, and when the work order has remained in the "to be treated" state for a time equal to or greater than 1/2 of the preset treatment time threshold of the risk level label corresponding to the event, network security event treatment reminder information is sent to the recommended treatment subject. The treatment progress can thus be continuously tracked and the recommended treatment subject prompted to treat the event as soon as possible.
S106, when the network security event treatment completion report sent by the recommended treatment subject is received, setting the treatment state of the network security event on the treatment work order to "treated"; when the actual treatment means in the completion report is judged to differ from the recommended treatment means, comparing and evaluating the two according to the treatment results; and when the actual treatment means is evaluated as better than the recommended treatment means, updating the feature library pre-stored in the security cloud platform according to the actual treatment means.
In the present embodiment, when the network security event treatment completion report sent by the recommended treatment subject is received, the treatment state of the network security event on the work order is first set to "treated". At the same time, the actual treatment means recorded in the completion report is examined; if it differs from the recommended treatment means, the recommended treatment subject has treated the event by other means instead of the recommended one. It is then necessary to determine whether the actual means is more suitable than the recommended means: the treatment result obtained by the recommended treatment subject with the actual means is evaluated and compared against the recommended means, and when the actual means is evaluated as better, the feature library pre-stored in the security cloud platform is updated according to the actual means, that is, the recommended treatment means for that network security event is replaced.
It may be appreciated that the treatment means adopted in this embodiment may include repairing vulnerabilities, patch upgrades, changing configurations, clearing security event effects, or opening access control of the network, which is not limited herein.
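Feature-library matching (S103) and the feedback update of S106 together, as an added example that is not the patent's code. The patent names a pattern-matching algorithm based on semantic similarity but does not define it, so token-set Jaccard similarity over the first key feature information is used here as a stand-in; the threshold (0.5), the library entries, the event data and the numeric "treatment result" scores used to decide which means is better are all constructed assumptions.

```python
"""Feature library: similarity matching (S103) and update from completion
report (S106). Added example; similarity metric, threshold, entries and result
scores are assumptions, not from the patent."""
from dataclasses import dataclass
from typing import Optional

SIMILARITY_THRESHOLD = 0.5  # assumed preset threshold


@dataclass
class LibraryEntry:
    event_type: str          # "network_attack" or "vulnerability"
    features: dict           # first key feature information of a known event
    treatment_means: str
    treatment_subject: str


def _tokens(features: dict) -> set:
    """Flatten key feature information into 'key=value' tokens."""
    return {f"{k}={str(v).lower()}" for k, v in features.items()}


def similarity(a: dict, b: dict) -> float:
    """Jaccard similarity of two feature sets (stand-in for the semantic
    similarity the patent leaves unspecified)."""
    ta, tb = _tokens(a), _tokens(b)
    union = ta | tb
    return len(ta & tb) / len(union) if union else 0.0


class FeatureLibrary:
    def __init__(self, entries):
        self.entries = list(entries)

    def match(self, event_type: str, features: dict) -> Optional[LibraryEntry]:
        """S103: most similar pre-stored event of the same type; its means and
        subject become the recommendation if the maximum similarity meets
        the threshold, otherwise no recommendation is made."""
        best, best_sim = None, 0.0
        for entry in self.entries:
            if entry.event_type != event_type:
                continue
            s = similarity(features, entry.features)
            if s > best_sim:
                best, best_sim = entry, s
        if best is None or best_sim < SIMILARITY_THRESHOLD:
            return None
        return best

    @staticmethod
    def update_from_report(entry: LibraryEntry, actual_means: str,
                           recommended_score: float, actual_score: float) -> bool:
        """S106: only when the actual means differs AND its treatment result
        scores higher (assumed metric) is the library entry replaced."""
        if actual_means == entry.treatment_means:
            return False
        if actual_score > recommended_score:
            entry.treatment_means = actual_means
            return True
        return False


def build_example_library() -> FeatureLibrary:
    """Constructed entries: one network attack event and one vulnerability event."""
    return FeatureLibrary([
        LibraryEntry("network_attack",
                     {"attack_source": "198.51.100.5", "attack_object": "web-portal",
                      "attack_means": "port_scan"},
                     "short-term block of source IP", "network operations team"),
        LibraryEntry("vulnerability",
                     {"url": "https://example.test/search", "vuln_type": "sqli"},
                     "repair vulnerability and patch upgrade", "application team"),
    ])
```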
Referring to fig. 3, an embodiment of the present invention provides a flowchart of a network security operation analysis method based on a security cloud. The method can be executed by a security cloud-based network security operation analysis device, which can be implemented in the form of hardware and/or software and can be configured in an electronic device with data processing capability. As shown in fig. 3, the method includes steps S201 to S206:
S201, receiving network security event report information sent by a security monitoring system, wherein the report information comprises log information of the network security event.
S202, determining the type of the network security event according to the log information of the network security event, and extracting first key feature information and second key feature information of the network security event.
S203, matching the first key feature information with a feature library pre-stored in a security cloud platform and corresponding to the type, and determining the recommended treatment means, recommended treatment subject and backup recommended treatment subject corresponding to the network security event.
S204, inputting the second key characteristic information into a pre-constructed quantitative evaluation model of the network security situation under the type in a security cloud platform, and obtaining a risk level label corresponding to the network security event; the network security situation quantitative evaluation model is obtained by acquiring different types of historical network security event data and preset risk levels and training the constructed neural network model.
S205, generating a disposal work order matched with the network security event according to the risk level label corresponding to the network security event and a recommended disposal means, setting the disposal state of the disposal work order on the network security event as to be disposed, and sending the disposal work order to the recommended disposal subject, so that the recommended disposal subject disposes the network security event according to the priority processing sequence of the risk level label and the recommended disposal means.
S206, monitoring in real time the treatment state of the network security event on the treatment work order, and when the work order has remained in the "to be treated" state for a time equal to or greater than the preset treatment time threshold of the risk level label corresponding to the network security event, forwarding the treatment work order sent to the recommended treatment subject to the backup recommended treatment subject, so that the backup recommended treatment subject treats the network security event in the priority order of the risk level label, using the recommended treatment means.
S207, when the network security event treatment completion report sent by the backup recommended treatment subject is received, setting the treatment state of the network security event on the treatment work order to "treated"; when the actual treatment means in the completion report is judged to differ from the recommended treatment means, comparing and evaluating the two according to the treatment results; and when the actual treatment means is evaluated as better than the recommended treatment means, updating the feature library pre-stored in the security cloud platform according to the actual treatment means.
As can be seen, this embodiment introduces a backup recommended treatment subject and monitors the treatment state of the network security event on the work order in real time. When the work order has remained "to be treated" for a time equal to or greater than the preset treatment time threshold of the corresponding risk level label, it is forwarded to the backup recommended treatment subject, which treats the event in the priority order of the risk level label using the recommended treatment means. The treatment progress is thereby continuously tracked, ensuring that the network security event is treated in a timely and thorough manner.
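The risk-level labelling of S104 and the work-order lifecycle of S105, S106 and S206 (priority ordering, the reminder at 1/2 of the treatment time threshold, forwarding to the backup subject at the full threshold) as one added example that is not the patent's code. The security index ranges are the page's; the per-level treatment time thresholds (in minutes), the assignment of a boundary value to the higher level, the subjects and the event data are assumptions, and the neural network model itself is replaced by a caller-supplied index value.

```python
"""Risk level from security index (S104) and treatment work-order lifecycle
(S105, S106, S206). Added example; thresholds in minutes, subjects and event
data are assumed, not from the patent."""
from dataclasses import dataclass
from typing import Optional

# Preset treatment time threshold per risk level label, in minutes (assumed).
TREATMENT_TIME_THRESHOLD = {1: 480, 2: 240, 3: 120, 4: 60}


def risk_level(security_index: float) -> int:
    """Map the model's 0..1 security index to levels 1-4 using the page's
    ranges 0-0.2, 0.2-0.5, 0.5-0.8, 0.8-1; a value on a boundary is put in
    the higher level (assumption, the page does not say)."""
    if not 0.0 <= security_index <= 1.0:
        raise ValueError("security index must lie in [0, 1]")
    if security_index < 0.2:
        return 1
    if security_index < 0.5:
        return 2
    if security_index < 0.8:
        return 3
    return 4


@dataclass
class WorkOrder:
    event_id: str
    level: int
    recommended_means: str
    subject: str             # current recommended treatment subject
    backup_subject: str      # backup recommended treatment subject (S203)
    created_at: int          # minutes, simulated clock
    state: str = "to_be_treated"
    reminded: bool = False
    forwarded: bool = False


def generate_work_order(event_id: str, security_index: float, means: str,
                        subject: str, backup: str, now: int) -> WorkOrder:
    """S105: work order carrying the risk level label and recommended means."""
    return WorkOrder(event_id, risk_level(security_index), means, subject, backup, now)


def priority_order(orders: list) -> list:
    """The treatment subject treats higher risk levels first; ties: older first."""
    return sorted(orders, key=lambda o: (-o.level, o.created_at))


def monitor(order: WorkOrder, now: int) -> Optional[str]:
    """Real-time state monitoring. Returns the action taken for this tick:
    "remind" once elapsed >= 1/2 threshold, "forward_to_backup" once
    elapsed >= threshold (S206), None otherwise or once the order is treated."""
    if order.state != "to_be_treated":
        return None
    elapsed = now - order.created_at
    threshold = TREATMENT_TIME_THRESHOLD[order.level]
    if elapsed >= threshold and not order.forwarded:
        order.forwarded = True
        order.subject = order.backup_subject   # work order now with the backup subject
        return "forward_to_backup"
    if elapsed >= threshold / 2 and not order.reminded:
        order.reminded = True
        return "remind"
    return None


def complete(order: WorkOrder, actual_means: str) -> bool:
    """S106: completion report received; mark treated and report whether the
    actual means differs from the recommended one (which triggers the
    comparison and possible feature-library update)."""
    order.state = "treated"
    return actual_means != order.recommended_means
```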
Referring to fig. 4, an embodiment of the present invention provides a network security operation analysis device based on a security cloud, where the device may execute the network security operation analysis method based on the security cloud provided by any embodiment of the present invention, and the network security operation analysis device includes a functional module and beneficial effects corresponding to the execution method. As shown in fig. 4, the apparatus includes:
the receiving module 41 is configured to receive network security event report information sent by a security monitoring system, where the report information includes log information of the network security event;
An information extraction module 42, configured to determine a type of the network security event according to the log information of the network security event, and extract first key feature information and second key feature information of the network security event;
the matching module 43 is configured to match the first key feature information with a feature library corresponding to the type pre-stored in a security cloud platform, and determine a recommended treatment means and a recommended treatment subject corresponding to the network security event;
the evaluation module 44 is configured to input the second key feature information into a pre-constructed quantitative evaluation model corresponding to the network security situation under the type in the security cloud platform, so as to obtain a risk level label corresponding to the network security event; the network security situation quantitative evaluation model is obtained by acquiring different types of historical network security event data and preset risk levels and training a constructed neural network model;
a disposal worksheet generation module 45, configured to generate a disposal worksheet matching the network security event according to a risk level tag and a recommended disposal means corresponding to the network security event, set a disposal status of the network security event by the disposal worksheet to "to be disposed," and send the disposal worksheet to the recommended disposal subject, so that the recommended disposal subject disposes of the network security event according to a priority processing order of the risk level tag and the recommended disposal means;
An updating module 46, configured to, when a network security event treatment completion report sent by the recommended treatment subject is received, set a treatment status of the network security event by the treatment worksheet to "treated", and when it is determined that an actual treatment means in the network security event treatment completion report is different from the recommended treatment means, perform a comparison evaluation on the actual treatment means and the recommended treatment means according to a treatment result, and when the evaluation results in that the actual treatment means is better than the recommended treatment means, update a feature library pre-stored in the security cloud platform according to the actual treatment means.
Preferably, as shown in fig. 5, the network security operation analysis device based on the security cloud further includes:
the state monitoring module 47 is configured to monitor, in real time, a treatment state of the network security event by the treatment worksheet, and send network security event treatment reminding information to the recommended treatment subject when a treatment state of the network security event by the treatment worksheet is "to be treated" for a time equal to or longer than 1/2 of a preset treatment time threshold of a risk level tag corresponding to the network security event.
Preferably, the matching module 43 is configured to further determine a backup recommended treatment subject corresponding to the network security event when matching the first key feature information with the feature library corresponding to the type pre-stored in the security cloud platform; the status monitoring module 47 is further configured to:
monitor in real time the treatment state of the network security event on the treatment work order, and when the work order sent to the recommended treatment subject has remained in the "to be treated" state for a time equal to or greater than the preset treatment time threshold of the risk level label corresponding to the network security event, forward the treatment work order to the backup recommended treatment subject, so that the backup recommended treatment subject treats the network security event in the priority order of the risk level label, using the recommended treatment means.
Preferably, the types of the network security events include network attack events and vulnerability events;
when the type of the network security event is a network attack event, the first key feature information comprises attack source information, attack object information and attack means information; the matching module 43 is further configured to: match the attack source information with a pre-generated attack record and determine the attack times corresponding to the attack source information; if the attack times are greater than a preset threshold, fix the recommended treatment means and carry out linkage treatment of the network attack event; wherein the attack record is generated as follows: after the first key feature information of the network attack event is extracted, the attack record is updated according to the attack source information of the event, and the count of attack times corresponding to that attack source is increased by one; the second key feature information comprises the network attack information required as input to the network security situation quantitative evaluation model, namely attack source information, attack object information, attack means information, protocol, attack object access rights, network attack type or system vulnerability of the attack object;
when the type of the network security event is a vulnerability event, the first key feature information comprises a URL and a vulnerability type; the second key feature information comprises the vulnerability information required as input to the network security situation quantitative evaluation model, namely the vulnerability name, vulnerability discovery time, host where the vulnerability is located, type of the vulnerability, severity of the vulnerability and port corresponding to the vulnerability.
The specific implementation manner of the security cloud-based network security operation analysis device in this embodiment may refer to the description of the security cloud-based network security operation analysis method in the foregoing embodiment, which is not described herein again.
In addition, the embodiment of the invention also provides a computer storage medium, which comprises one or more computer instructions, wherein the one or more computer instructions realize the network security operation analysis method based on the security cloud in any embodiment when being executed.
That is, the computer storage medium stores a computer program that, when executed by a processor, causes the processor to perform the security cloud-based network security operation analysis method described in any one of the above embodiments.
As shown in fig. 6, an embodiment of the present invention provides an electronic device 300, including a memory 310 and a processor 320, where the memory 310 is configured to store one or more computer instructions, and the processor 320 is configured to invoke and execute the one or more computer instructions, so as to implement any of the above-mentioned security cloud-based network security operation analysis methods.
That is, the electronic device 300 includes: a processor 320 and a memory 310, wherein computer program instructions are stored in the memory 310, wherein the computer program instructions, when executed by the processor, cause the processor 320 to perform any of the above-described security cloud-based network security operation analysis methods.
Further, as shown in fig. 6, the electronic device 300 further includes a network interface 330, an input device 340, a hard disk 350, and a display device 360.
The interfaces and devices described above may be interconnected by a bus architecture. The bus architecture may be a bus and bridge that may include any number of interconnects. One or more Central Processing Units (CPUs), represented in particular by processor 320, and various circuits of one or more memories, represented by memory 310, are connected together. The bus architecture may also connect various other circuits together, such as peripheral devices, voltage regulators, and power management circuits. It is understood that a bus architecture is used to enable connected communications between these components. The bus architecture includes, in addition to a data bus, a power bus, a control bus, and a status signal bus, all of which are well known in the art and therefore will not be described in detail herein.
The network interface 330 may be connected to a network (e.g., the internet, a local area network, etc.), and may obtain relevant data from the network and store the relevant data in the hard disk 350.
The input device 340 may receive various instructions from an operator and transmit the instructions to the processor 320 for execution. The input device 340 may include a keyboard or pointing device (e.g., a mouse, a trackball, a touch pad, or a touch screen, among others).
The display device 360 may display results obtained by the processor 320 executing instructions.
The memory 310 is used for storing programs and data necessary for the operation of the operating system, and data such as intermediate results in the calculation process of the processor 320.
It will be appreciated that memory 310 in embodiments of the invention may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be Read Only Memory (ROM), programmable Read Only Memory (PROM), erasable Programmable Read Only Memory (EPROM), electrically Erasable Programmable Read Only Memory (EEPROM), or flash memory, among others. Volatile memory can be Random Access Memory (RAM), which acts as external cache memory. The memory 310 of the apparatus and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
In some implementations, the memory 310 stores the following elements, executable modules or data structures, or a subset thereof, or an extended set thereof: an operating system 311 and applications 312.
The operating system 311 includes various system programs, such as a framework layer, a core library layer, a driver layer, and the like, for implementing various basic services and processing hardware-based tasks. The application programs 312 include various application programs such as a Browser (Browser) and the like for implementing various application services. A program implementing the method of the embodiment of the present invention may be included in the application program 312.
When calling and executing the application program and data stored in the memory 310, specifically the program or instructions stored in the application program 312, the processor 320 receives the network security event report information sent by the security monitoring system, determines the type of the network security event according to the log information in the report information, and extracts the first key feature information and second key feature information of the network security event; matches the first key feature information with a feature library pre-stored in a security cloud platform and corresponding to the type, and determines the recommended treatment means and recommended treatment subject corresponding to the network security event; inputs the second key feature information into the network security situation quantitative evaluation model pre-constructed in the security cloud platform for that type to obtain the risk level label corresponding to the network security event, the model being obtained by collecting historical network security event data of the different types together with preset risk levels and training a constructed neural network model; generates a treatment work order matched with the network security event according to its risk level label and recommended treatment means, sets the treatment state of the work order for the network security event to "to be treated", and sends the work order to the recommended treatment subject, so that the recommended treatment subject treats the network security event in the priority order of the risk level label using the recommended treatment means; sets the treatment state of the network security event on the work order to "treated" when the network security event treatment completion report sent by the recommended treatment subject is received; compares and evaluates the actual treatment means against the recommended treatment means according to the treatment results when the actual means in the completion report is judged to differ from the recommended means; and updates the feature library pre-stored in the security cloud platform according to the actual treatment means when the actual means is evaluated as better than the recommended means.
The network security operation analysis method based on the security cloud disclosed in the above embodiment of the present invention may be applied to the processor 320 or implemented by the processor 320. Processor 320 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuitry in hardware or instructions in software in processor 320. The processor 320 may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, which may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly in the execution of a hardware decoding processor, or in the execution of a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, or electrically erasable programmable memory, registers, etc. as well known in the art. The storage medium is located in the memory 310 and the processor 320 reads the information in the memory 310 and in combination with its hardware performs the steps of the method described above.
It is to be understood that the embodiments described herein may be implemented in hardware, software, firmware, middleware, microcode, or a combination thereof. For a hardware implementation, the processing units may be implemented within one or more Application Specific Integrated Circuits (ASICs), digital Signal Processors (DSPs), digital Signal Processing Devices (DSPDs), programmable Logic Devices (PLDs), field Programmable Gate Arrays (FPGAs), general purpose processors, controllers, micro-controllers, microprocessors, other electronic units designed to perform the functions described herein, or a combination thereof.
For a software implementation, the techniques described herein may be implemented with modules (e.g., procedures, functions, and so on) that perform the functions described herein. The software codes may be stored in a memory and executed by a processor. The memory may be implemented within the processor or external to the processor.
Specifically, the processor 320 is further configured to read the computer program and execute any one of the above-described network security operation analysis methods based on the security cloud.
In the several embodiments provided in this application, it should be understood that the disclosed methods and apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may be physically included separately, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
The integrated units implemented in the form of software functional units described above may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium, and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform part of the steps of the transceiving method according to the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program codes.
The foregoing disclosure is only illustrative of the preferred embodiments of the present invention and is not to be construed as limiting the scope of the invention, as it is understood by those skilled in the art that all or part of the above-described embodiments may be practiced without resorting to the equivalent thereof, which is intended to fall within the scope of the invention as defined by the appended claims.
Claims (10)
1. The network security operation analysis method based on the security cloud is characterized by comprising the following steps:
S1, receiving network security event report information sent by a security monitoring system, wherein the report information comprises log information of the network security event;
S2, determining the type of the network security event according to the log information of the network security event, and extracting first key feature information and second key feature information of the network security event;
S3, matching the first key feature information with a feature library which is pre-stored in a security cloud platform and corresponds to the type, and determining recommended treatment means and a recommended treatment subject corresponding to the network security event;
S4, inputting the second key feature information into a pre-constructed quantitative evaluation model of the network security situation under the type in the security cloud platform, and obtaining a risk level label corresponding to the network security event; wherein the network security situation quantitative evaluation model is obtained by acquiring different types of historical network security event data and preset risk levels and training a constructed neural network model;
S5, generating a treatment work order matched with the network security event according to the risk level label and the recommended treatment means corresponding to the network security event, setting the treatment state of the treatment work order for the network security event to "to be treated", and sending the treatment work order to the recommended treatment subject, so that the recommended treatment subject treats the network security event according to the priority processing order of the risk level label and the recommended treatment means;
S6, when a network security event treatment completion report sent by the recommended treatment subject is received, setting the treatment state of the treatment work order for the network security event to "treated"; when the actual treatment means in the report is judged to be different from the recommended treatment means, comparing and evaluating the actual treatment means and the recommended treatment means according to the treatment results; and when the actual treatment means is evaluated to be better than the recommended treatment means, updating the feature library pre-stored in the security cloud platform according to the actual treatment means.
2. The security cloud-based network security operation analysis method according to claim 1, further comprising, between steps S5 and S6:
monitoring the treatment state of the treatment work order for the network security event in real time, and sending network security event treatment reminder information to the recommended treatment subject when the treatment time of the network security event under the treatment work order reaches 1/2 of the preset treatment time threshold of the risk level label corresponding to the network security event.
3. The security cloud-based network security operation analysis method according to claim 2, wherein in step S3, when the first key feature information is matched with the feature library corresponding to the type pre-stored in the security cloud platform, a backup recommended treatment subject corresponding to the network security event is further determined; and between steps S5 and S6 the method further comprises:
monitoring the treatment state of the treatment work order for the network security event in real time, and when the treatment time of the network security event reaches the preset treatment time threshold of the risk level label corresponding to the network security event, if the treatment state of the treatment work order sent to the recommended treatment subject is still not "treated", forwarding the treatment work order to the backup recommended treatment subject, so that the backup recommended treatment subject treats the network security event according to the priority processing order of the risk level label and the recommended treatment means.
4. The security cloud-based network security operation analysis method of claim 1, wherein the types of network security events include network attack events and vulnerability events;
when the type of the network security event is a network attack event, the first key feature information comprises attack source information, attack object information and attack means information, and step S3 further comprises: matching the attack source information against a pre-generated attack record and determining the number of attacks corresponding to the attack source information; if the number of attacks is greater than a preset threshold, fixing the recommended treatment means as linkage treatment of the network attack event; wherein the attack record is generated as follows: after the first key feature information of the network attack event is extracted, the attack record is updated according to the attack source information of the network attack event, and the attack count corresponding to the attack source information is incremented by one; the second key feature information comprises the network attack information required as input to the network security situation quantitative evaluation model, the network attack information comprising attack source information, attack object information, attack means information, protocol, access rights of the attack object, network attack type or system vulnerability of the attack object;
when the type of the network security event is a vulnerability event, the first key feature information comprises a URL and a vulnerability type; the second key feature information comprises the vulnerability information required as input to the network security situation quantitative evaluation model, the vulnerability information comprising a vulnerability name, vulnerability discovery time, the host where the vulnerability is located, the vulnerability type, the vulnerability severity and the port corresponding to the vulnerability.
5. A security cloud-based network security operation analysis device, comprising:
the receiving module is used for receiving network security event report information sent by the security monitoring system, wherein the report information comprises log information of the network security event;
the information extraction module is used for determining the type of the network security event according to the log information of the network security event and extracting first key feature information and second key feature information of the network security event;
the matching module is used for matching the first key feature information with the feature library which is pre-stored in the security cloud platform and corresponds to the type, and determining recommended treatment means and a recommended treatment subject corresponding to the network security event;
the evaluation module is used for inputting the second key feature information into a pre-constructed quantitative evaluation model of the network security situation under the type in the security cloud platform to obtain a risk level label corresponding to the network security event; wherein the network security situation quantitative evaluation model is obtained by acquiring different types of historical network security event data and preset risk levels and training a constructed neural network model;
the treatment work order generation module is used for generating a treatment work order matched with the network security event according to the risk level label and the recommended treatment means corresponding to the network security event, setting the treatment state of the treatment work order for the network security event to "to be treated", and sending the treatment work order to the recommended treatment subject, so that the recommended treatment subject treats the network security event according to the priority processing order of the risk level label and the recommended treatment means;
an updating module, configured to set a treatment status of the network security event by the treatment worksheet to "treated" when a network security event treatment completion report sent by the recommended treatment subject is received, and when it is determined that an actual treatment means in the network security event treatment completion report is different from the recommended treatment means, perform a comparison evaluation on the actual treatment means and the recommended treatment means according to a treatment result, and when the evaluation results in that the actual treatment means is better than the recommended treatment means, update a feature library pre-stored in the security cloud platform according to the actual treatment means.
6. The security cloud-based network security operation analysis apparatus of claim 5, further comprising:
the state monitoring module is used for monitoring the treatment state of the treatment work order for the network security event in real time, and for sending network security event treatment reminder information to the recommended treatment subject when the treatment time of the network security event under the treatment work order is equal to or more than 1/2 of the preset treatment time threshold of the risk level label corresponding to the network security event.
7. The security cloud-based network security operation analysis apparatus according to claim 6, wherein the matching module is further configured to determine a backup recommended treatment subject corresponding to the network security event when matching the first key feature information with the feature library corresponding to the type pre-stored in the security cloud platform; and the state monitoring module is further configured to:
monitor the treatment state of the treatment work order for the network security event in real time, and when the treatment time of the network security event reaches the preset treatment time threshold of the risk level label corresponding to the network security event, if the treatment state of the treatment work order sent to the recommended treatment subject is still not "treated", forward the treatment work order to the backup recommended treatment subject, so that the backup recommended treatment subject treats the network security event according to the priority processing order of the risk level label and the recommended treatment means.
8. The security cloud-based network security operation analysis device of claim 5, wherein the types of network security events include network attack events and vulnerability events;
when the type of the network security event is a network attack event, the first key feature information comprises attack source information, attack object information and attack means information, and the matching module is further configured to: match the attack source information against a pre-generated attack record and determine the number of attacks corresponding to the attack source information; if the number of attacks is greater than a preset threshold, fix the recommended treatment means as linkage treatment of the network attack event; wherein the attack record is generated as follows: after the first key feature information of the network attack event is extracted, the attack record is updated according to the attack source information of the network attack event, and the attack count corresponding to the attack source information is incremented by one; the second key feature information comprises the network attack information required as input to the network security situation quantitative evaluation model, the network attack information comprising attack source information, attack object information, attack means information, protocol, access rights of the attack object, network attack type or system vulnerability of the attack object;
when the type of the network security event is a vulnerability event, the first key feature information comprises a URL and a vulnerability type; the second key feature information comprises the vulnerability information required as input to the network security situation quantitative evaluation model, the vulnerability information comprising a vulnerability name, vulnerability discovery time, the host where the vulnerability is located, the vulnerability type, the vulnerability severity and the port corresponding to the vulnerability.
9. An electronic device comprising a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, the processor implementing the security cloud-based network security operation analysis method of any of claims 1-4 when the computer program is executed.
10. A computer storage medium comprising one or more computer instructions that, when executed, implement the security cloud-based network security operation analysis method of any of claims 1-4.
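The work-order lifecycle described in claims 1 to 4 (classify the event, match the feature library, grade the risk, open and route a work order, remind at half the time threshold, escalate to the backup subject at the threshold, and feed a better-performing treatment back into the library) is shown below as an added example. It is not code from the patent or its applicant. Everything concrete in it is an assumption made for the example: the feature library entries, the time thresholds per risk level, the attack-count threshold, the effectiveness scores carried in the completion report, and the risk model, which the patent describes as a trained neural network and which is replaced here by a fixed scoring rule so the example runs offline.

```python
from dataclasses import dataclass

# Risk level labels from lowest to highest priority (constructed for this example).
LEVELS = ("low", "medium", "high", "critical")
# Preset treatment time threshold per risk level, in minutes (assumed values).
TIME_THRESHOLD_MIN = {"critical": 60, "high": 240, "medium": 1440, "low": 4320}
ATTACK_COUNT_THRESHOLD = 3          # preset threshold for repeated attack sources (assumed)
LINKAGE_MEANS = "linkage treatment"  # fixed means applied once a source exceeds the threshold

# Feature library pre-stored in the security cloud (constructed):
# (event type, attack means or vulnerability type) -> (recommended means, subject, backup subject)
FEATURE_LIBRARY = {
    ("attack", "ssh_brute_force"): ("block source IP at perimeter", "network-ops", "soc-tier2"),
    ("attack", "web_shell_upload"): ("isolate host and remove web shell", "soc-tier1", "soc-tier2"),
    ("vulnerability", "sql_injection"): ("apply vendor patch", "app-team", "soc-tier2"),
}


@dataclass
class WorkOrder:
    event_id: str
    event_type: str
    library_key: tuple
    level: str
    means: str
    subject: str
    backup: str
    state: str = "to be treated"
    reminded: bool = False
    escalated: bool = False


def extract_features(report):
    """S2: derive the event type and the first/second key features from the log information."""
    log = report["log"]
    if log.get("attack_means"):
        first = (log["attack_source"], log["attack_object"], log["attack_means"])
        second = {"access_rights": log.get("access_rights", "none"), "vulnerable": log.get("vulnerable", False)}
        return "attack", first, second
    first = (log["url"], log["vuln_type"])
    second = {"severity": log["severity"], "port": log["port"]}
    return "vulnerability", first, second


def risk_level(event_type, second):
    """S4 stand-in: the patent trains a neural network here; this fixed scoring rule is an assumption."""
    if event_type == "attack":
        score = {"none": 0, "user": 1, "admin": 2}[second["access_rights"]] + (1 if second["vulnerable"] else 0)
    else:
        score = {"low": 0, "medium": 1, "high": 2, "critical": 3}[second["severity"]]
    return LEVELS[min(score, len(LEVELS) - 1)]


def analyze_event(report, library, attack_record):
    """S1-S5 (and the claim 4 attack record): classify, match the library, grade risk, open a work order."""
    event_type, first, second = extract_features(report)
    key = (event_type, first[2] if event_type == "attack" else first[1])
    means, subject, backup = library[key]
    if event_type == "attack":
        # Claim 4: count attacks per source after extraction; above the threshold the means is fixed.
        source = first[0]
        attack_record[source] = attack_record.get(source, 0) + 1
        if attack_record[source] > ATTACK_COUNT_THRESHOLD:
            means = LINKAGE_MEANS
    return WorkOrder(report["event_id"], event_type, key, risk_level(event_type, second), means, subject, backup)


def monitor(order, elapsed_min):
    """Claims 2 and 3: remind at half the level's threshold, forward to the backup at the threshold."""
    actions = []
    if order.state != "to be treated":
        return actions
    threshold = TIME_THRESHOLD_MIN[order.level]
    if elapsed_min >= threshold / 2 and not order.reminded:
        order.reminded = True
        actions.append(("remind", order.subject))
    if elapsed_min >= threshold and not order.escalated:
        order.escalated = True
        order.subject = order.backup
        actions.append(("forward", order.backup))
    return actions


def complete(order, actual_means, actual_score, recommended_score, library):
    """S6: close the order; if a different means scored better, update the library entry (scores assumed)."""
    order.state = "treated"
    if actual_means != order.means and actual_score > recommended_score:
        _, subject, backup = library[order.library_key]
        library[order.library_key] = (actual_means, subject, backup)
        return True
    return False
```

The library update in `complete` deliberately keeps the subject and backup columns and swaps only the means, which is the narrowest change claim 1 step S6 describes; a real deployment would also want to version the library and log who changed it, since a poisoned "better" treatment would otherwise propagate to every later event of that type.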
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310712710.6A CN116566729B (en) | 2023-06-15 | 2023-06-15 | Network security operation analysis method and device based on security cloud, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116566729A true CN116566729A (en) | 2023-08-08 |
CN116566729B CN116566729B (en) | 2024-02-13 |
Family
ID=87493114
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310712710.6A Active CN116566729B (en) | 2023-06-15 | 2023-06-15 | Network security operation analysis method and device based on security cloud, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116566729B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118174962A (en) * | 2024-05-11 | 2024-06-11 | 四川九洲视讯科技有限责任公司 | Network safety feedback analysis method and system based on artificial intelligence |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107483472A (en) * | 2017-09-05 | 2017-12-15 | 中国科学院计算机网络信息中心 | A kind of method, apparatus of network security monitoring, storage medium and server |
US20190312890A1 (en) * | 2018-04-10 | 2019-10-10 | Red Hat, Inc. | Mitigating cyber-attacks by automatically coordinating responses from cyber-security tools |
US20200356678A1 (en) * | 2019-05-08 | 2020-11-12 | Battelle Memorial Institute | Cybersecurity vulnerability mitigation framework |
CN112491805A (en) * | 2020-11-04 | 2021-03-12 | 深圳供电局有限公司 | Network security equipment management system applied to cloud platform |
CN113382015A (en) * | 2021-06-24 | 2021-09-10 | 北京恒安嘉新安全技术有限公司 | Handling method, device, equipment and storage medium of network threat |
CN113709147A (en) * | 2021-08-26 | 2021-11-26 | 北京天融信网络安全技术有限公司 | Network security event response method, device and equipment |
CN115622738A (en) * | 2022-09-20 | 2023-01-17 | 内蒙古成迈信息科技有限公司 | RBF neural network-based safety emergency disposal system and method |
CN115811421A (en) * | 2022-11-17 | 2023-03-17 | 国家计算机网络与信息安全管理中心 | Network security event monitoring method and device, electronic equipment and storage medium |
WO2023077617A1 (en) * | 2021-11-02 | 2023-05-11 | 公安部第三研究所 | Network security situation adaptive active defense system and method |
Also Published As
Publication number | Publication date |
---|---|
CN116566729B (en) | 2024-02-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10872151B1 (en) | System and method for triggering analysis of an object for malware in response to modification of that object | |
US10956477B1 (en) | System and method for detecting malicious scripts through natural language processing modeling | |
US10893068B1 (en) | Ransomware file modification prevention technique | |
US10581879B1 (en) | Enhanced malware detection for generated objects | |
CN110855676B (en) | Network attack processing method and device and storage medium | |
CN109586282B (en) | Power grid unknown threat detection system and method | |
CN108664793B (en) | Method and device for detecting vulnerability | |
CN111651757A (en) | Attack behavior monitoring method, device, equipment and storage medium | |
EP2417551B1 (en) | Providing information to a security application | |
CN116566729B (en) | Network security operation analysis method and device based on security cloud, electronic equipment and storage medium | |
CN113079151B (en) | Abnormality processing method and device, electronic equipment and readable storage medium | |
CN107103237A (en) | A kind of detection method and device of malicious file | |
CN116938590B (en) | Cloud security management method and system based on virtualization technology | |
US20230252136A1 (en) | Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information | |
CN105378745A (en) | Disabling and initiating nodes based on security issue | |
US11916875B2 (en) | System and method for multi-layered rule learning in URL filtering | |
CN113190838A (en) | Web attack behavior detection method and system based on expression | |
US11765199B2 (en) | Computer-based system for analyzing and quantifying cyber threat patterns and methods of use thereof | |
US20220201016A1 (en) | Detecting malicious threats via autostart execution point analysis | |
CN114050937B (en) | Mailbox service unavailability processing method and device, electronic equipment and storage medium | |
US20190327263A1 (en) | Distributed client protection | |
US20230252144A1 (en) | Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program | |
US20230048076A1 (en) | Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program | |
CN111131166A (en) | User behavior prejudging method and related equipment | |
CN115086081A (en) | Escape prevention method and system for honeypots |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||