CN116668106B - Threat information processing system and method - Google Patents


Info

Publication number
CN116668106B
Authority
CN
China
Prior art keywords
threat
data
data item
application platform
application
Legal status
Active
Application number
CN202310577636.1A
Other languages
Chinese (zh)
Other versions
CN116668106A (en)
Inventor
张永印
Current Assignee
Shandong Dingxia Intelligent Technology Co ltd
Original Assignee
Shandong Dingxia Intelligent Technology Co ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Abstract

The invention belongs to the field of computers and provides a threat intelligence processing system and method. The method comprises: identifying characteristic access data items of at least one application platform according to the application data of that platform and the local threat intelligence library corresponding to it, the platform being one of a plurality of associated application platforms. A characteristic access data item represents possible threat data that does not match the platform on which it was observed but does match other associated platforms, and that those other platforms have not yet observed or recorded in a threat intelligence list. Starting from the application data of a single platform, the technical scheme of the embodiments can therefore block threat data attacks on at least two application platforms in advance, without the risky traffic slipping through while a cloud verdict is awaited.

Description

Threat information processing system and method
Technical Field
The invention belongs to the field of computers and relates in particular to a threat intelligence processing system and method.
Background
Threat intelligence is evidence-based knowledge about potential threats faced by, or already present in, IT systems and information assets, including context, mechanisms, indicators, inferences and actionable advice. It provides a basis for decisions on threat response and amounts to an early-warning mechanism for threat data. A threat intelligence library is a collection of such intelligence and comprises a local threat intelligence library and a cloud threat intelligence library.
The prior art discloses a method of processing threat data in which the behaviours of a process are monitored and captured; a first behaviour that is malicious but carries only a small threat value is identified and combined with other related behaviours of the same process, and the combination is looked up in a library of malicious behaviour combinations. When the lookup indicates that the combination is a malicious behaviour combination, a combined threat value is computed and compared with a combined threat threshold; when the combined threat value exceeds that threshold, the process is classed, according to a first threshold, as a malicious or high-risk process and handled accordingly. This greatly reduces the number of malicious behaviours that must be matched and improves matching efficiency.
However, in that prior art the malicious behaviour combination obtained by combining a low-threat behaviour with its related behaviours in the same process is typically used to prevent and handle one process or one class of process. When possible threat data arrives from multiple platforms or in multiple types, the threat intelligence library holding the malicious behaviour combinations is usually deployed in the cloud, and the firewall uploads the traffic to be analysed to the cloud for verification; the round trip from cloud identification back to firewall blocking takes a long time, so the risky traffic has already passed through before it can be blocked.
Disclosure of Invention
The embodiments of the invention aim to provide a threat intelligence processing system and method that solve the problems described in the background section.
The embodiments of the invention are realised as follows. In one aspect, the threat intelligence processing method comprises the following steps:
identifying characteristic access data items of at least one application platform according to the application data of that platform and the local threat intelligence library corresponding to it, the at least one application platform being one of a plurality of associated application platforms;
determining, among the characteristic access data items, a first suspicious threat data item that conforms to the service-feature data sets of the plurality of associated application platforms;
synchronising the first suspicious threat data item to a public cloud threat intelligence library, so that a judgment result for the first suspicious threat data item is generated on the basis of that library;
when the judgment result indicates that the first suspicious threat data item is a theoretical business threat data item, identifying the first associated application platform consistent with that theoretical business threat data item, the first associated application platform being at least two of the plurality of associated application platforms;
and synchronising the theoretical business threat data item to the local threat intelligence library of the first associated application platform.
As a further aspect of the invention, identifying the characteristic access data items of at least one application platform according to its application data and the local threat intelligence library corresponding to the plurality of associated application platforms specifically comprises:
identifying, in the application data of the at least one application platform, first-type data that matches the local threat intelligence library;
determining the association degree between the first-type data and first standard data in the local threat intelligence library;
and, when the association degree reaches a first threshold but is below a second threshold, classifying the first-type data whose association degree lies in that range as characteristic access data.
As a still further aspect of the invention, the association degree includes a similarity degree.
As a still further aspect of the invention, the method further comprises:
when the association degree is not below the second threshold, identifying the second-type data whose association degree is not below the second threshold;
and storing the second-type data as sub-data of the first standard data, or as a member of the data set that sits alongside that sub-data.
As a further aspect of the invention, the method further comprises:
when the association degree is below the first threshold, monitoring whether the corresponding third-type data exhibits the data characteristics of threat traffic;
and if so, extracting the usage characteristics of the third-type data and limiting the use of application data that carries those usage characteristics.
As a further aspect of the invention, determining, among the characteristic access data items, the first suspicious threat data item that conforms to the service-feature data sets of the plurality of associated application platforms specifically comprises:
dividing the characteristic access data items according to the classification standards of the service-feature data subsets of the plurality of associated application platforms, and determining the suspicious threat data items that conform to those subsets;
traversing each suspicious threat data item and identifying the data that exhibits aggregate characteristics between at least two service-feature data subsets, to obtain a second suspicious threat data item;
and associating the second suspicious threat data item with the application platforms corresponding to those service-feature data subsets, to generate the first suspicious threat data item, which is thereby associated with the corresponding application platform identifiers.
As a further aspect of the invention, the method further comprises:
when the first suspicious threat data item conforms to any one of the theoretical business threat data items, judging the first suspicious threat data item to be that theoretical business threat data item, where a theoretical business threat data item is generated from the possible threat data items of two application platforms.
As a further aspect of the invention, identifying the first associated application platform consistent with the theoretical business threat data item specifically comprises:
tracing back to the first suspicious threat data item corresponding to the theoretical business threat data item;
identifying the application platform identifiers associated with that first suspicious threat data item;
and taking the application platforms corresponding to those identifiers as the first associated application platform.
In another aspect, a threat intelligence processing system comprises:
a characteristic access data item identification module, for identifying characteristic access data items of at least one application platform according to the application data of that platform and the local threat intelligence library corresponding to it, the at least one application platform being one of a plurality of associated application platforms;
a suspicious threat data item determination module, for determining, among the characteristic access data items, a first suspicious threat data item that conforms to the service-feature data sets of the plurality of associated application platforms;
a cloud synchronisation and judgment module, for synchronising the first suspicious threat data item to the public cloud threat intelligence library so that a judgment result for it is generated on the basis of that library;
an application platform identification module, for identifying, when the judgment result indicates that the first suspicious threat data item is a theoretical business threat data item, the first associated application platform consistent with that item, the first associated application platform being at least two of the plurality of associated application platforms;
and a local synchronisation module, for synchronising the theoretical business threat data item to the local threat intelligence library of the first associated application platform.
As a further aspect of the invention, the characteristic access data item identification module specifically comprises:
a first identification unit, for identifying, in the application data of at least one application platform, first-type data that matches the local threat intelligence library;
an association degree determination unit, for determining the association degree between the first-type data and the first standard data in the local threat intelligence library;
and a condition judgment unit, for classifying the first-type data as characteristic access data when its association degree reaches the first threshold but is below the second threshold.
In the threat intelligence processing system and method provided by the embodiments of the invention, the local threat library and the public cloud threat intelligence library are combined across the associated application platforms: theoretical business threat data items that match combinations of possible threat data items of at least two platforms are identified from the characteristic access data items of a single platform, threat data is identified jointly across the associated platforms, and both the public cloud library and the local libraries of the associated platforms are enriched. Threat data attacks on at least two application platforms can thus be prevented in advance on the basis of one platform's characteristic access data items, without the risky traffic slipping through.
Drawings
FIG. 1 is the main flow chart of the threat intelligence processing method.
FIG. 2 is a flow chart of identifying the characteristic access data items of at least one application platform in the threat intelligence processing method.
FIG. 3 is a flow chart of limiting the use of application data that carries the usage characteristics in the threat intelligence processing method.
FIG. 4 is a flow chart of determining a first suspicious threat data item in the threat intelligence processing method.
FIG. 5 is a flow chart of identifying the first associated application platform consistent with the theoretical business threat data item in the threat intelligence processing method.
FIG. 6 is a flow chart of an alternative real-time refresh rate value setting for a current display device in the threat intelligence processing method.
FIG. 7 is a block diagram of the characteristic access data item identification module in the threat intelligence processing system.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Specific implementations of the invention are described in detail below in connection with specific embodiments.
The threat intelligence processing system and method provided by the invention solve the technical problems described in the background section.
The application platforms in the embodiments generally include data platforms, video platforms, game platforms, online shopping platforms and the like. Associated application platforms are platforms that share some association: for example, a game platform and a video platform are both built around characters and user operations, so both may belong to the same group of associated platforms; likewise, a logistics platform and a payment platform both involve target verification, such as payment verification.
As shown in FIG. 1, the main flow of the threat intelligence processing method according to an embodiment of the invention comprises:
Step S10: identifying characteristic access data items of at least one application platform according to the application data of that platform and the local threat intelligence library corresponding to it, the platform being one of a plurality of associated application platforms. A characteristic access data item represents possible threat data that does not match the platform on which it was observed but does match other application platforms, and that those other platforms have not yet observed or recorded in a threat intelligence list.
Step S11: determining, among the characteristic access data items, a first suspicious threat data item that conforms to the service-feature data sets of the plurality of associated application platforms. Because a characteristic access data item may or may not conform to the service-feature data of other platforms, this step amounts to screening for the items that do.
Step S12: synchronising the first suspicious threat data item to the public cloud threat intelligence library, so that a judgment result for it is generated on the basis of that library. The public cloud library is in effect a cloud server holding the threat data of the plurality of associated application platforms, and it identifies and judges the first suspicious threat data item.
Step S13: when the judgment result indicates that the first suspicious threat data item is a theoretical business threat data item, identifying the first associated application platform consistent with that item, the first associated application platform being at least two of the plurality of associated application platforms. A theoretical business threat data item characterises a combination of possible threat data items of at least two application platforms.
Step S14: synchronising the theoretical business threat data item to the local threat intelligence library of the first associated application platform. A theoretical business threat data item may match the combined business data characteristics of one platform or the business data characteristics shared between at least two associated platforms, so it may correspond to at least one platform. Once it has been synchronised to the local library of the first associated application platform, that local library can be used to guard against subsequent data containing the item and against threat data such as attacks, protecting the platform's data security.
In use, the method identifies the characteristic access data items of at least one application platform, determines among them the first suspicious threat data items that conform to the service-feature data sets of the plurality of associated platforms, synchronises those items to the public cloud threat intelligence library to obtain a judgment result and, when the result indicates a theoretical business threat data item, identifies the first associated application platform (at least two of the associated platforms) and synchronises the item to its local threat intelligence library. By combining the local threat library with the public cloud library across the associated platforms, theoretical business threat data items that match combinations of possible threat data items of at least two platforms are identified from the characteristic access data items of a single platform, threat data is identified jointly across the associated platforms, both the public cloud library and the local libraries are enriched, and attacks on at least two platforms can be prevented in advance from one platform's characteristic access data, so that the risky traffic does not slip through.
As shown in FIG. 2, in a preferred embodiment of the invention, identifying the characteristic access data items of at least one application platform according to its application data and the local threat intelligence library corresponding to the plurality of associated application platforms specifically comprises:
Step S101: identifying, in the application data of the at least one application platform, first-type data that matches the local threat intelligence library;
Step S102: determining the association degree between the first-type data and the first standard data in the local threat intelligence library. Specifically: identify the threat-data classification features of the first standard data; decompose the first-type data (or its generalised wording) by part of speech to obtain threat keywords; identify a first association degree between each threat keyword and the classification features; assign each first association degree a score according to its weight, giving a score per keyword; add the scores; and determine whether the sum falls in the first or the second scoring section.
The association degree can be identified with a trained neural network model whose basis is the features of pre-trained keyword combinations.
For example, the part-of-speech expression of a keyword combination is converted into a vector and used as the input of the neural network model; the network weights are initialised with MATLAB's rands function, the hidden-layer and output-layer outputs and the error are computed according to the usual formulas, and the network weights are updated.
Once the network has been trained it is used for prediction: a second keyword combination is extracted, its feature vector is input, the hidden and output layers are computed, and the result is the first association degree between the threat keywords and the threat-data classification features.
Step S103: when the association degree reaches a first threshold but is below a second threshold, the corresponding first-type data is judged to be characteristic access data; the association degree includes similarity. Reaching the first scoring section means the association degree has reached the first threshold, reaching the second scoring section means it has reached the second threshold, and so on; an association degree that reaches the first threshold but is below the second is therefore a summed score that lies in the first scoring section but not in the second. Illustratively, the first scoring section is 50-75 (a relative percentile) and the second is 75-100. Suppose the keywords obtained by decomposing the first-type data are: disk area, game interface, payment interface, screen-swiping verification, crash and interface jump link, with weights given as 0, 10, 18 and 16 for the first four (the disk area is an irrelevant keyword and scores 0). The first-type data, which represents a verification page of the platform's service that links to some payment verification interface, finally obtains a relative score of 72; this lies in the first scoring section, so the first-type data is characteristic access data.
It will be understood that application data of the platform matching first-type data of the local library means that the first-type data roughly matches the type, or one data characteristic, of a list entry in the local library, and the list entries include the first standard data. The first-type data and the first standard data are thus of the same type or share at least one data characteristic, but how strongly they are associated is not yet known: the association degree may or may not reach the first threshold, and only data whose degree reaches the first threshold but not the second is identified as characteristic access data. This window is chosen because such data has some association with the first standard data, and that association may coincide with the standard data of other application platforms, so that those platforms may be exposed to the same data threat; characteristic access data is determined on that basis.
In a preferred embodiment of the invention, the method further comprises:
Step S20: when the association degree is not below the second threshold, identifying the second-type data whose association degree is not below the second threshold;
Step S21: storing the second-type data as sub-data of the first standard data, or as a member of the data set that sits alongside that sub-data.
This embodiment provides a way of supplementing or enriching the first standard data: second-type data fully conforms to the threat features of the first standard data, and the two agree to a high degree. Examples are attack data of the same attack type from the same attack address, or a worm before and after mutation, where the file locations on the attacked computer are unchanged but the attack targets and scope have changed.
As shown in FIG. 3, in a preferred embodiment of the invention, the method further comprises:
Step S30: when the association degree is below the first threshold, monitoring whether the corresponding third-type data exhibits the data characteristics of threat traffic;
Step S31: if so, extracting the usage characteristics of the third-type data and limiting the use of application data that carries those usage characteristics.
When the association degree is below the first threshold, the third-type data is not enough to constitute threat data on its own, but it may still affect data traffic indirectly. For such data the use of the application data is limited, for example by limiting the use time, limiting the number of uses by the same client, and limiting the number of domain-name conversions of application data under the same domain name.
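The following is an added worked example of steps S101-S103 together with the two follow-up branches S20-S21 and S30-S31; it is not code from the patent. The keyword weights, the token-overlap function standing in for the trained association model, the threat-traffic markers (request rate, domain conversions) and the usage limits are constructed assumptions chosen to reproduce the three scoring sections of the page (below 50, 50-75, 75-100).

```python
"""Added example (not the patent's own code) for steps S101-S103, S20-S21 and
S30-S31: score first-type data against first standard data, place the score
in a scoring section, and take the matching action. The keyword weights, the
token-overlap stand-in for the trained association model, the threat-traffic
markers and the usage limits are constructed assumptions."""
from dataclasses import dataclass, field

FIRST_THRESHOLD = 50   # first scoring section: 50-75 (relative percentile)
SECOND_THRESHOLD = 75  # second scoring section: 75-100


@dataclass
class StandardData:
    """One list entry of the local threat intelligence library. features maps a
    threat-data classification feature to its weight; weights sum to 100."""
    name: str
    features: dict
    sub_data: list = field(default_factory=list)  # filled in by step S21


@dataclass
class FirstTypeData:
    """Application data that matched the library by type, already decomposed
    into threat keywords; the traffic fields are constructed metadata for S30."""
    record_id: str
    keywords: list
    requests_per_minute: int = 0
    domain_conversions: int = 0


def keyword_degree(keyword: str, feature: str) -> float:
    """Stand-in for the trained model: Jaccard overlap of the token sets of a
    keyword and a classification feature, in [0, 1]."""
    a, b = set(keyword.lower().split()), set(feature.lower().split())
    return len(a & b) / len(a | b)


def association_degree(item: FirstTypeData, standard: StandardData) -> float:
    """S102: per classification feature, the best-matching keyword's degree
    times the feature's weight, summed over all features."""
    total = 0.0
    for feature, weight in standard.features.items():
        total += weight * max(keyword_degree(k, feature) for k in item.keywords)
    return round(total, 1)


def classify(score: float) -> str:
    """S103 / S20 / S30: the scoring section the summed score falls in."""
    if score >= SECOND_THRESHOLD:
        return "second_type"            # fully matches the standard data
    if score >= FIRST_THRESHOLD:
        return "characteristic_access"  # associated, but not the same threat
    return "third_type"                 # not threat data on its own


def looks_like_threat_traffic(item: FirstTypeData) -> bool:
    """Constructed S30 check: request bursts or domain-name churn."""
    return item.requests_per_minute > 300 or item.domain_conversions > 20


def process(item: FirstTypeData, standard: StandardData) -> dict:
    """Run S101-S103 and the follow-up branch; return the decision taken."""
    score = association_degree(item, standard)
    kind = classify(score)
    result = {"record": item.record_id, "score": score, "kind": kind}
    if kind == "second_type":
        standard.sub_data.append(item.record_id)  # S21: enrich the standard data
    elif kind == "third_type" and looks_like_threat_traffic(item):
        # S31: limit use of application data carrying these usage characteristics
        # (the page names use time, per-client use count and domain conversions)
        result["usage_limit"] = {"max_use_seconds": 300,
                                 "max_uses_per_client": 5,
                                 "max_domain_conversions": 10}
    return result


# Constructed sample input; the keywords follow the page's own example.
PAYMENT_JUMP = StandardData(
    name="verification page that jumps to a payment interface",
    features={"game interface": 10, "payment interface": 18,
              "screen swiping verification": 16, "crash": 26,
              "interface jump link": 30})

SAMPLES = [
    FirstTypeData("rec-1", ["disk area", "game interface", "payment interface",
                            "screen swiping verification", "interface jump link"]),
    FirstTypeData("rec-2", ["game interface", "payment verification interface",
                            "screen swiping verification", "crash",
                            "interface jump link"]),
    FirstTypeData("rec-3", ["disk area", "crash"], requests_per_minute=900),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(process(sample, PAYMENT_JUMP))   # scores 74.0, 94.0 and 26.0
    print("sub-data added to the standard data:", PAYMENT_JUMP.sub_data)
```

rec-1 scores 74.0 and lands in the first scoring section, so it becomes characteristic access data and goes on to step S11; rec-2 scores 94.0 and is absorbed as sub-data of the standard entry (S21); rec-3 scores 26.0, is too weakly associated to be threat data, but its request burst triggers the usage limits of S31. The two thresholds are inclusive at the lower end, matching the page's "reaches the first threshold but is below the second".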
As shown in fig. 4, as a preferred embodiment of the present invention, the determining the first suspicious threat data item of the service feature data set conforming to the associated application platforms in the feature access data item specifically includes:
step S111: dividing the feature access data items according to classification standards of service feature data subsets of a plurality of associated application platforms, and determining suspicious threat data items conforming to the service feature data subsets;
step S112: traversing each suspicious threat data item, and identifying data conforming to the aggregate characteristics between at least two service characteristic data subsets to obtain a second suspicious threat data item;
step S113: and associating the second suspicious threat data item with the application platform corresponding to the service characteristic data subset to generate a first suspicious threat data item, wherein the first suspicious threat data item is associated with the corresponding application platform identifier.
It can be understood that the classification standard of a service feature data subset is the standard by which service feature data is divided into that subset, so a suspicious threat data item that conforms to the subset must also meet the corresponding classification standard. Each application platform has its own service feature data, forming one service feature data subset of the service feature data set; because a subset is represented in multiple forms, the first suspicious threat data item is a set of data in multiple forms of expression. The first suspicious threat data item corresponds to the aggregate characteristics between at least two service feature data subsets, meaning that the second suspicious threat data item has at least the aggregate characteristics of the service feature data subsets of two application platforms; that is, the aggregate characteristics between two service feature data subsets typically come from two or more application platforms.
As a preferred embodiment of the present invention, the method further comprises:
step S40: when the first suspicious threat data item conforms to any one of the theoretical business threat data items, judging the first suspicious threat data item to be that theoretical business threat data item, where the theoretical business threat data item is generated from the possible threat data items of two application platforms. That is, a theoretical business threat data item involves two or even more application platforms.
It should be understood that the condition for judging that a certain first suspicious threat data item is a theoretical business threat data item is that the first suspicious threat data item conforms to a theoretical business threat data item, where the theoretical business threat data item is generated from possible threat data items of two application platforms; a possible threat data item is obtained by extracting the application data characteristics of an application platform, that is, the data characteristics the platform shows in use. For example, a possible threat data item is that a user of a sales platform and/or a logistics platform is redirected to a payment verification interface from the verification interface where the logistics mode is selected (this rarely happens, since the logistics mode verification interface and the payment verification interface actually exist separately, but in theory they could be combined to form a threat). Another example is a cartoon or real-character interface of a video playing platform and/or a game platform that suddenly shows a malicious screen-refresh prompt (normally such an interface should be playing a video or game scene). Reasonably combining the possible threat data items of at least two application platforms yields the theoretical business threat data items, and these will not appear in the local threat information library of the corresponding application platform.
As shown in fig. 5, as a preferred embodiment of the present invention, the first association application platform according to the identification of the theoretical business threat data item specifically includes:
step S131: tracing a first suspicious threat data item corresponding to the theoretical business threat data item;
step S132: identifying an application platform identifier corresponding to the first suspected threat data item;
step S133: and taking the application platform corresponding to the corresponding application platform identifier as a first corresponding associated application platform.
It should be understood that, taking the foregoing description together, this embodiment uses reverse tracing: from the theoretical business threat data item back to the first suspicious threat data item, and from there to the application platform identifier associated with the first suspicious threat data item; since application platform identifiers correspond one-to-one with application platforms, the first associated application platform corresponding to the feature threat data is thereby identified. Note that each theoretical business threat data item corresponds to at least 2 first associated application platforms, which generally do not include the application platform of the original feature access data item, so the feature threat data can be synchronized in time from the cloud to the local threat information library of each first associated application platform.
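Steps S111 to S113 (dividing feature access data items by the platforms' service feature data subsets and tagging items that straddle at least two platforms), the cloud judgment of step S40 against theoretical business threat data items, and the reverse tracing of steps S131 to S133 followed by local synchronization, as one added worked example that is not the patent's own code. The platform identifiers, the feature tags standing in for service feature data, the possible threat data items and the sample items are assumptions chosen to mirror the sales/logistics/payment illustration above:

```python
"""Added worked example (not the patent's code) of steps S111-S113, S40 and S131-S133:
grouping feature access data items by platform service feature subsets, finding items
that straddle at least two platforms, judging them in the cloud against theoretical
business threat data items, reverse-tracing to the associated platforms and
synchronizing.  Platform identifiers, feature tags and sample items are assumptions."""
from itertools import combinations

# Constructed service feature data set: one subset (the classification standard)
# per associated application platform, keyed by platform identifier.
SERVICE_FEATURE_SUBSETS = {
    "P-SALES": {"order_create", "cart_update"},
    "P-LOGISTICS": {"shipping_mode_verify", "tracking_query"},
    "P-PAYMENT": {"payment_verify", "refund_request"},
}

# Constructed possible threat data items per platform, as the public cloud holds them.
POSSIBLE_THREAT_ITEMS = {
    "P-SALES": {"cart_update"},
    "P-LOGISTICS": {"shipping_mode_verify"},
    "P-PAYMENT": {"payment_verify"},
}


def theoretical_threat_items(possible=POSSIBLE_THREAT_ITEMS):
    """Step S40: every combination of one possible threat data item from each of two
    different platforms is a theoretical business threat data item."""
    items = set()
    for (_, items_a), (_, items_b) in combinations(possible.items(), 2):
        items.update(frozenset({a, b}) for a in items_a for b in items_b)
    return items


def determine_first_suspicious(feature_access_items, subsets=SERVICE_FEATURE_SUBSETS):
    """Steps S111-S113. Returns {item_id: (features, platform_ids)} for every feature
    access data item whose features fall into the subsets of at least two platforms."""
    # S111: divide the items by the classification standard of each subset.
    per_platform = {pid: {it["id"] for it in feature_access_items if it["features"] & sub}
                    for pid, sub in subsets.items()}
    first = {}
    for it in feature_access_items:               # S112: traverse each suspicious item
        pids = tuple(sorted(pid for pid, ids in per_platform.items() if it["id"] in ids))
        if len(pids) >= 2:                        # aggregate characteristics of >= 2 subsets
            first[it["id"]] = (frozenset(it["features"]), pids)   # S113: attach identifiers
    return first


def judge_in_cloud(first_suspicious, theoretical):
    """Cloud judgment: an item is a theoretical business threat data item when its
    features contain one theoretical combination. Returns {item_id: theoretical_item}."""
    verdict = {}
    for iid, (feats, _) in first_suspicious.items():
        hits = sorted((t for t in theoretical if t <= feats), key=sorted)
        if hits:
            verdict[iid] = hits[0]
    return verdict


def identify_associated_platforms(theoretical_item, verdict, first_suspicious):
    """Steps S131-S133: theoretical item -> first suspicious item(s) -> platform
    identifiers -> first associated application platforms (identifier maps 1:1)."""
    platforms = set()
    for iid, t in verdict.items():                # S131: trace back to the items
        if t == theoretical_item:
            platforms.update(first_suspicious[iid][1])   # S132/S133: identifiers -> platforms
    return sorted(platforms)


def sync_to_local(theoretical_item, platforms, local_libraries):
    """Module 500: write the theoretical item into each associated platform's library."""
    for pid in platforms:
        local_libraries.setdefault(pid, set()).add(theoretical_item)
    return local_libraries


def run_pipeline(feature_access_items, local_libraries=None):
    """Modules 200-500 end to end; returns every intermediate result for inspection."""
    local_libraries = {} if local_libraries is None else local_libraries
    first = determine_first_suspicious(feature_access_items)
    verdict = judge_in_cloud(first, theoretical_threat_items())
    associated = {}
    for iid, t in verdict.items():
        associated[iid] = identify_associated_platforms(t, verdict, first)
        sync_to_local(t, associated[iid], local_libraries)
    return {"first_suspicious": first, "verdict": verdict,
            "associated": associated, "local_libraries": local_libraries}


# Constructed feature access data items observed on platform P-SALES.
SAMPLE_ITEMS = [
    # logistics-mode verification followed by payment verification in one flow
    {"id": "fa-1", "features": {"shipping_mode_verify", "payment_verify", "session=ab12"}},
    # touches two platforms but matches no theoretical combination: stays suspicious
    {"id": "fa-2", "features": {"order_create", "tracking_query"}},
    # single platform only: not a first suspicious threat data item
    {"id": "fa-3", "features": {"refund_request"}},
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_ITEMS))
```

Run on the sample items, fa-1 is judged to be the logistics/payment theoretical item and is synchronized to the local libraries of P-LOGISTICS and P-PAYMENT only, matching the remark above that the associated platforms generally exclude the platform where the feature access data item was observed; fa-2 straddles two platforms but matches no theoretical combination, so it remains a first suspicious item without a cloud verdict.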
As another preferred embodiment of the present invention, as shown in fig. 6, in another aspect, a threat intelligence processing system includes:
the feature access data item identification module 100 is configured to identify a feature access data item of at least one application platform according to application data of the at least one application platform and a local threat information library corresponding to the at least one application platform, where the at least one application platform is included in a plurality of associated application platforms;
a suspicious threat data item determining module 200, configured to determine a first suspicious threat data item that accords with a service feature data set of a plurality of associated application platforms in the feature access data items;
the cloud synchronization and judgment module 300 is configured to correspondingly synchronize the first suspicious threat data item to the public cloud threat information library, so as to generate a judgment result of the first suspicious threat data item based on the public cloud threat information library;
the application platform identification module 400 is configured to identify, according to the theoretical business threat data item, a first associated application platform that is consistent with the theoretical business threat data item when the judgment result indicates that the first suspicious threat data item is the theoretical business threat data item, where the first associated application platform is at least two of a plurality of associated application platforms;
the local synchronization module 500 is configured to correspondingly synchronize the theoretical business threat data item to a local threat information library of the first associated application platform.
As shown in fig. 7, the feature access data item identification module 100 specifically includes:
a first identifying unit 1001, configured to identify first type data that accords with the local threat information library in application data of at least one application platform;
a relevance determining unit 1002, configured to determine a relevance between the first type data and first standard data in the local threat information library;
and a condition determining unit 1003, configured to determine, when the degree of association reaches the first threshold but is smaller than the second threshold, that the corresponding first type of data is feature access data.
It should be noted that, in the embodiment of the present system and the embodiments corresponding to each module and unit in the system, each process in the embodiment of the threat information processing method described above is implemented, and the same technical effect can be achieved, so that repetition is avoided, and no further description is provided here.
The embodiment of the invention provides a threat information processing method and a threat information processing system based on it. Feature access data items of at least one application platform are identified, and the first suspicious threat data items among them that conform to the service feature data sets of a plurality of associated application platforms are determined; the first suspicious threat data item is synchronized to a public cloud threat information library, which generates a judgment result for it; when the judgment result indicates that the first suspicious threat data item is a theoretical business threat data item, a first associated application platform consistent with the theoretical business threat data item is identified, the first associated application platform being at least two of the plurality of associated application platforms; finally the theoretical business threat data item is synchronized to the local threat information library of the first associated application platform. In this way a threat data attack on at least two application platforms can be prevented in advance on the basis of the associated application platforms: the local threat database and the public cloud threat information library are combined, a theoretical business threat data item that matches a combination of possible threat data items of at least two application platforms is identified from the feature access data item of one application platform, threat data among a plurality of associated platforms is identified jointly, the public cloud threat information library and the local threat information libraries of the associated platforms are enriched, and the threat data item can be reached from the feature access data item of a single application platform, so that the communication traffic of the risk data does not overflow.
In order for the method and system described above to be loaded and to function properly, the system may include more or fewer components than those described above, may combine some components, or may have different components; in addition to the modules described above it may for example include input and output devices, network access devices, buses, processors, memories, and the like.
The processor may be a central processing unit (Central Processing Unit, CPU), another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor; it is the control center of the system described above and connects its various parts through various interfaces and lines.
The memory may be used to store computer programs and/or modules, and the processor performs the various functions described above by running or executing the computer programs and/or modules stored in the memory and invoking the data stored in the memory. The memory may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required for at least one function (such as an information acquisition template presentation function, a product information distribution function, etc.), and the like. The data storage area may store data created according to the use of the berth status display system (e.g., product information acquisition templates corresponding to different product types, product information to be released by different product providers, etc.), and so on. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, memory, plug-in hard disk, smart memory card (Smart Media Card, SMC), secure digital (Secure Digital, SD) card, flash card (Flash Card), at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in the order indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not strictly limited to this order of execution and may be executed in other orders. Moreover, at least some of the steps in the various embodiments may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and these sub-steps or stages are not necessarily performed in sequence either, but may be performed in turn or alternately with at least a portion of the sub-steps or stages of other steps.
The technical features of the above-described embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above-described embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the invention and are described in detail herein without thereby limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.

Claims (8)

1. A threat intelligence processing method, the method comprising:
identifying characteristic access data items of at least one application platform according to application data of the at least one application platform and a local threat information library corresponding to the at least one application platform, wherein the at least one application platform is contained in a plurality of associated application platforms; the feature access data item is used for representing possible threat data which does not accord with at least one application platform but accords with other application platforms, and the possible threat data is not monitored by the other application platforms and marked in a threat information list;
determining a first suspicious threat data item which accords with service characteristic data sets of a plurality of associated application platforms in the characteristic access data items;
correspondingly synchronizing the first suspicious threat data item to a public cloud threat information library to generate a judgment result of the first suspicious threat data item based on the public cloud threat information library;
when the judging result represents that the first suspicious threat data item is a theoretical business threat data item, identifying a first association application platform consistent with the theoretical business threat data item, wherein the first association application platform is at least two of a plurality of association application platforms; the theoretical business threat data is used for representing combinations among possible threat data items of at least two application platforms;
correspondingly synchronizing the theoretical business threat data item to a local threat information library of the first associated application platform;
the determining the first suspicious threat data item which accords with the service characteristic data sets of a plurality of associated application platforms in the characteristic access data item specifically comprises:
dividing the feature access data items according to classification standards of service feature data subsets of a plurality of associated application platforms, and determining suspicious threat data items conforming to the service feature data subsets;
traversing each suspicious threat data item, and identifying data conforming to the aggregate characteristics between at least two service characteristic data subsets to obtain a second suspicious threat data item;
associating the second suspicious threat data item with an application platform corresponding to the service feature data subset to generate a first suspicious threat data item, wherein the first suspicious threat data item is associated with a corresponding application platform identifier;
the identifying, according to the theoretical business threat data item, a first associated application platform specifically comprises:
tracing a first suspicious threat data item corresponding to the theoretical business threat data item;
identifying an application platform identifier corresponding to the first suspected threat data item;
and taking the application platform corresponding to the corresponding application platform identifier as a first corresponding associated application platform.
2. The threat intelligence processing method of claim 1, wherein the identifying the characteristic access data item of the at least one application platform based on the application data of the at least one application platform and the local threat intelligence library corresponding to the plurality of associated application platforms specifically comprises:
identifying first type data conforming to the local threat information library in application data of at least one application platform;
judging the association degree between the first type data and the first standard data in the local threat information library;
and when the association degree reaches a first threshold value but is smaller than a second threshold value, judging that the corresponding first type of data is the characteristic access data.
3. The threat intelligence processing method of claim 2, wherein the association degree comprises a similarity degree.
4. A threat intelligence processing method according to claim 2 or 3, wherein the method further comprises:
when the association degree is not smaller than a second threshold value, identifying second type data corresponding to the association degree not smaller than the second threshold value;
the second type data is used as the sub data of the first standard data or the second type data is used as the composition data of the sub data parallel data set of the first standard data.
5. A threat intelligence processing method according to claim 2 or 3, wherein the method further comprises:
when the association degree is smaller than a first threshold value, monitoring whether the corresponding third type of data accords with the data characteristics of the threat flow or not;
if yes, extracting the use characteristics of the third type of data, and limiting the use of the application data containing the use characteristics.
6. The threat intelligence processing method of claim 1, wherein the method further comprises:
and when the first suspicious threat data item accords with any one of the theoretical business threat data items, judging the first suspicious threat data item as the theoretical business threat data item, wherein the theoretical business threat data item is generated according to the possible threat data items of the two application platforms.
7. A threat intelligence processing system, the system comprising:
the characteristic access data item identification module is used for identifying characteristic access data items of at least one application platform according to application data of the at least one application platform and a local threat information library corresponding to the at least one application platform, wherein the at least one application platform is contained in a plurality of associated application platforms;
the suspicious threat data item determining module is used for determining a first suspicious threat data item which accords with the service characteristic data sets of a plurality of associated application platforms in the characteristic access data items;
the cloud synchronization and judgment module is used for correspondingly synchronizing the first suspicious threat data item to the public cloud threat information library so as to generate a judgment result of the first suspicious threat data item based on the public cloud threat information library;
the application platform identification module is used for identifying a first associated application platform consistent with the theoretical business threat data item when the judgment result represents that the first suspicious threat data item is the theoretical business threat data item, wherein the first associated application platform is at least two of a plurality of associated application platforms;
the local synchronization module is used for correspondingly synchronizing the theoretical business threat data item to a local threat information library of the first associated application platform;
the determining the first suspicious threat data item which accords with the service characteristic data sets of a plurality of associated application platforms in the characteristic access data item specifically comprises:
dividing the feature access data items according to classification standards of service feature data subsets of a plurality of associated application platforms, and determining suspicious threat data items conforming to the service feature data subsets;
traversing each suspicious threat data item, and identifying data conforming to the aggregate characteristics between at least two service characteristic data subsets to obtain a second suspicious threat data item;
associating the second suspicious threat data item with an application platform corresponding to the service feature data subset to generate a first suspicious threat data item, wherein the first suspicious threat data item is associated with a corresponding application platform identifier;
the identifying, according to the theoretical business threat data item, a first associated application platform specifically comprises:
tracing a first suspicious threat data item corresponding to the theoretical business threat data item;
identifying an application platform identifier corresponding to the first suspected threat data item;
and taking the application platform corresponding to the corresponding application platform identifier as a first corresponding associated application platform.
8. The threat intelligence processing system of claim 7, wherein the feature access data item identification module specifically comprises:
the first identification unit is used for identifying first type data which accords with the local threat information library in the application data of at least one application platform;
the association degree judging unit is used for judging the association degree between the first type data and the first standard data in the local threat information library;
and the condition judging unit is used for judging, when the association degree reaches the first threshold value but is less than the second threshold value, that the corresponding first type data is the characteristic access data.
Application CN202310577636.1A, priority date 2023-05-22, filing date 2023-05-22: Threat information processing system and method. Status: Active. Granted publication CN116668106B (en).


Publications (2)
CN116668106A (en), published 2023-08-29 (application publication)
CN116668106B (en), published 2024-01-09 (granted patent)

Family ID: 87711019


Citations (11)
(* Cited by examiner, † Cited by third party)
CN105871882A, priority 2016-05-10, published 2016-08-17, 国家电网公司: Network-security-risk analysis method based on network node vulnerability and attack information *
CN106878262A, priority 2016-12-19, published 2017-06-20, 新华三技术有限公司: Message detecting method and device, the method and device for setting up high in the clouds threat information bank *
CN111447215A, priority 2020-03-25, published 2020-07-24, 深信服科技股份有限公司: Data detection method, device and storage medium *
CN111698260A, priority 2020-06-23, published 2020-09-22, 上海观安信息技术股份有限公司: DNS hijacking detection method and system based on message analysis *
CN112528007A, priority 2019-09-19, published 2021-03-19, 中冶赛迪重庆信息技术有限公司: Confirmation method and confirmation device for target enterprise of business inviting project *
CN113162953A, priority 2021-06-09, published 2021-07-23, 南京聚铭网络科技有限公司: Network threat message detection and source tracing evidence obtaining method and device *
CN113904912A, priority 2021-12-08, published 2022-01-07, 广州鲁邦通智能科技有限公司: Method and device for realizing high availability of service of cloud management platform *
CN114531253A, priority 2020-10-30, published 2022-05-24, 深信服科技股份有限公司: Threat information generation method, equipment, system and storage medium *
CN114666137A, priority 2022-03-25, published 2022-06-24, 山东鼎夏智能科技有限公司: Threat information processing method and device *
CN115333791A, priority 2022-07-20, published 2022-11-11, 岚图汽车科技有限公司: Cloud-based vehicle safety protection method and related equipment *
CN116032629A, priority 2023-01-03, published 2023-04-28, 上海安博通信息科技有限公司: Classification treatment method, system electronic equipment and storage medium for alarm traffic *

Family Cites Families (5)
(* Cited by examiner, † Cited by third party)
US10997306B2, priority 2018-11-27, published 2021-05-04, Accenture Global Solutions Limited: Data protection and threat detection *
US11824870B2, priority 2018-12-19, published 2023-11-21, Abnormal Security Corporation: Threat detection platforms for detecting, characterizing, and remediating email-based threats in real time *
US20210264033A1, priority 2020-02-20, published 2021-08-26, Bank Of America Corporation: Dynamic Threat Actionability Determination and Control System *
US20220351156A1, priority 2021-04-29, published 2022-11-03, Shopify Inc.: Systems and methods for authentication using existing credential *
US20230153424A1, priority 2021-11-17, published 2023-05-18, Ajai Robotics, Inc.: Systems and methods for an automous security system *


Non-Patent Citations (1)
(* Cited by examiner, † Cited by third party)
基于异构数据融合的政务网络安全监测平台设计与实现 (Design and implementation of a government-affairs network security monitoring platform based on heterogeneous data fusion); 刘蓓; 禄凯; 程浩; 闫桂勋; 《信息安全研究》 (Issue 06); full text *



Legal Events
PB01: Publication
SE01: Entry into force of request for substantive examination
GR01: Patent grant